cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
836
Views
5
Helpful
2
Replies
Highlighted
Explorer

FIPS question on Ironport WSA

What is it used for and what happens when it is enabled? What is the impact to users and is there anything else in the network that has to be done for it to not impact users? From what I have read so far, it is an encryption mode, but for what and how does it work for the Web Security?

2 REPLIES 2
Highlighted

I stumbled upon the same question. The FIPS mode seems to limit which cipher suites and which ssl protocol versions are used when connecting to remote webservers (https).

Detailed information is missing....

https://supportforums.cisco.com/discussion/12448041/configure-cipher-suites-and-ssltls-version-used-wsa-807

 

Regards, Thomas

Highlighted
Cisco Employee

FIPS is Federal Information Processing Standards that specify requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information. FIPS help ensure compliance with federal security and data privacy requirements. FIPS, developed by the National Institute for Standards and Technology (NIST), are to use when no voluntary standards exist to meet federal requirements.

FIPS mode requires that all enabled encryption services on the Web Security appliance use a FIPS-compliant certificate. This applies to the following encryption services:

 HTTPS Proxy

 Authentication

 Identity Provider for SaaS

 Appliance Management HTTPS Service

Note The Appliance Management HTTPS Service must be enabled before FIPS mode can be enabled. The other encryption services need not be enabled.

A FIPS-compliant certificate must meet these requirements:

Certificate

Algorithm

Bit Key Size

Signature Algorithm

Notes

X509

RSA

1024, 2048, 3072, or 4096

sha1WithRSAEncryption

Cisco recommends a bit key size of 1024 for best decryption performance and sufficient security. A larger bit size will increase security, but impact decryption performance.

 

DSA

1024

dsaWithSHA1

 

Content for Community-Ad