Considerations for Using the FIPS Feature
In organizations where FIPS is required, the following points should be noted:
- The OpenSSL 3.0.8 FIPS provider limits the available ciphers and algorithms to only those that have been laboratory validated as FIPS compliant.
- A configuration backup should be taken before enabling or disabling FIPS.
- FIPS has the potential to break any service with secure connectivity, including the services listed in the following table:
Feature | Affected Process/Service | Impact
---|---|---
Lighthouse enrollment | OpenVPN | OpenVPN is not compliant with FIPS standards; this is a recognized problem specifically when OpenSSL 3.x is used. When OpenVPN addresses this issue, it will also meet FIPS compliance standards. However, for compatibility with Lighthouse enrollment, this feature remains enabled although it is non-compliant.
IPsec | strongSwan | Must be operated in FIPS mode to be FIPS compliant. The other end of the tunnel does not have to be operating in FIPS mode to connect.
Remote authentication | freeradius, tacacs, ldap | These are not FIPS compliant.
NTP | chrony | Authenticated NTP servers using MD5 will not connect. Use an algorithm that is FIPS compliant.
SNMP | ogtrapd, snmpd, snmptrapd | Authentication and encryption should be used as the security policy, as SNMPv1 and v2 have no encryption. SNMPv3 with MD5 authentication will fail; use an algorithm that is FIPS compliant. The authPriv security level is recommended for SNMPv3 in FIPS mode.
LDAP | OpenSSL | LDAP has no encryption and therefore does not use OpenSSL. For FIPS compliance it is recommended that it is not used.
OpenSSL | OpenSSL MD5 | When OpenSSL MD5 is not available, pam_tacplus uses its own implementation of MD5. When FIPS is enabled it does not use OpenSSL (but will continue to work). Therefore, it is recommended that it is not used in FIPS mode.
SMF | SMF | Use of the SMF feature will render the device non-compliant for FIPS.
SSH connections | SSH | For SSH connections, a FIPS compliant algorithm must be specified as part of the command to connect. See the note below the table.
NetOps Modules | gre (Secure Provisioning), nom-ipaccess-lhvpn (IP access), nom-ag-lhvpn (Access Gateway) | Opengear NetOps Modules are not functional when FIPS mode is enabled.
WireGuard | WireGuard | WireGuard is not FIPS compliant and should not be used in FIPS mode.
Routing protocols | | Routing protocols (e.g. BGP) should not select an MD5 cipher.

Note: SSH requires the cipher to be manually specified when FIPS is enabled, e.g. `ssh root@10.0.0.1 -c aes256-gcm@openssh.com`.
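As an added example (not from the Opengear documentation or firmware), a POSIX shell pre-flight audit that flags the MD5 and unencrypted settings from the table so they can be fixed before FIPS is enabled. The chrony.keys and snmpd.conf formats are the standard ones, the BGP check assumes FRR-style syntax, and every sample config is constructed.

```shell
#!/bin/sh
# Added pre-flight audit, not part of the Opengear documentation or firmware.
# Each check reads one config file on stdin, prints how many settings the
# table above says will fail or be non-compliant under FIPS, and exits
# non-zero when any were found. All sample configs below are constructed.

# chrony.keys lines are "<id> <hash> <key>"; MD5 keys will not authenticate
# once FIPS is enabled.
chrony_md5_keys() {
    awk '$1 !~ /^#/ && NF >= 3 && toupper($2) == "MD5" { c++ }
         END { print c + 0; exit (c > 0) }'
}

# snmpd.conf: "createUser <name> <auth-proto> ..." with MD5 fails under FIPS,
# and v1/v2c community strings provide no encryption at all.
snmpd_findings() {
    awk '$1 == "createUser" && toupper($3) == "MD5" { c++ }
         $1 ~ /^r[ow]community6?$/ { c++ }
         END { print c + 0; exit (c > 0) }'
}

# FRR-style BGP config (assumed format): "neighbor <peer> password <secret>"
# turns on TCP MD5 session authentication, which the table advises against.
bgp_md5_peers() {
    awk '$1 == "neighbor" && $3 == "password" { c++ }
         END { print c + 0; exit (c > 0) }'
}

report() { # $1 label, $2 finding count, $3 remediation
    if [ "$2" -eq 0 ]; then echo "$1: OK"; else echo "$1: $2 finding(s); $3"; fi
}

# Constructed samples; keys and passwords are placeholders, not real secrets.
CHRONY_KEYS='# id hash   key
1 MD5    HEX:00112233445566778899AABBCCDDEEFF
2 SHA256 HEX:FFEEDDCCBBAA99887766554433221100'
SNMPD_CONF='rocommunity public 10.0.0.0/24
createUser legacyops MD5 "legacy-auth" DES "legacy-priv"
createUser auditor SHA-256 "audit-auth" AES "audit-priv"
rouser auditor authPriv'
BGPD_CONF='router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 password bgp-md5-placeholder'

report chrony "$(printf '%s\n' "$CHRONY_KEYS" | chrony_md5_keys)" "re-key with a FIPS compliant hash"
report snmpd "$(printf '%s\n' "$SNMPD_CONF" | snmpd_findings)" "use SNMPv3 authPriv with a FIPS compliant algorithm"
report bgp "$(printf '%s\n' "$BGPD_CONF" | bgp_md5_peers)" "remove MD5 session authentication"
```

On a real device, pipe the actual files into each function (for example `chrony_md5_keys < /etc/chrony/chrony.keys`, path assumed) and resolve every finding before taking the backup and enabling FIPS.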