The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard developed by the National Institute of Standards and Technology (NIST) that defines the security standards for cryptographic modules.
The FIPS 140-2 standard specifies and validates the cryptographic and operational requirements for the modules within security systems that protect sensitive information. These modules employ NIST-approved security functions such as cryptographic algorithms, key sizes, key management, and authentication techniques.
For a list of FIPS 140-2 compliant algorithms, see:
There are four levels of security in the FIPS 140-2 standard, and for each level there are different areas related to the design and implementation of a tool’s cryptographic design. The following are the levels of security:
Level-1: This defines the standards for basic security in a cryptographic module and enables FIPS-approved cipher suites.
Level-2: This defines the standards for tamper-evidence physical security and role-based authentication of cryptographic modules. Tamper-evidence physical security includes tamper-evident coatings, seals, or pick-resistant locks.
Level-3: This defines standards for tamper-resistance physical security and identity-based authentication. Hardware devices must have internal HSMs with tamper-resistant features such as a sealed epoxy cover, which, when removed, must render the device useless and make the keys inaccessible.
Level-4: This requires tamper detection circuits to detect any device penetration and erase the contents of the device in the event of tampering.
VMware has specifically obtained FIPS 140-2 validation of the OpenSSL FIPS Object Module v2.0.20-vmw that is used in NSX Advanced Load Balancer components.
The OpenSSL FIPS Object Module v2.0.20-vmw is a general-purpose cryptographic module that provides FIPS-approved cryptographic functions and services to products and components of VMware. The module has been validated at the FIPS 140-2 security Level 1 and awarded Certificate #3550 by CMVP.
Security Levels 2–4 are specific to various levels of physical security, such as:
Tamper-evidence physical security: This includes tamper-evident coatings, seals, or pick-resistant locks.
Tamper-resistance physical security: This includes features such as sealed epoxy cover to protect the hardware device.
These security levels do not apply to software solutions, where hardware is used to run the software solution.
For more information, see FIPS documentation in VMware.
FIPS Compliance for NSX Advanced Load Balancer
The NSX Advanced Load Balancer supports FIPS mode for the entire system, which includes:
The control plane, which consists of the Controller or Controller cluster.
The data plane, which consists of the Service Engines (SEs).
The NSX Advanced Load Balancer uses the FIPS canister 2.0.20-vmw, which is compliant with FIPS 140-2 Level 1 cryptography.
Supported Environments
FIPS is supported when:
The Controller cluster is deployed in a VMware vSphere environment.
The SEs are deployed in a VMware vSphere environment, specifically with the following cloud connectors:
VMware vCenter and NSX-T Cloud.
No-Orchestrator cloud running on VMware vSphere.
FIPS is supported for both single-Controller and Controller cluster-based deployments.
Enabling FIPS Mode - Considerations
When activating FIPS mode for NSX Advanced Load Balancer, consider the following:
FIPS mode can be activated only on deployments where no Service Engines are present.
FIPS mode is activated on the entire system, either on the Controller or on all nodes in the case of a cluster. FIPS is also activated on all the SEs.
FIPS cannot be enabled selectively for specific components, for example only for the Controller, only for the SEs, or only for specific SE Groups.
Once the NSX Advanced Load Balancer system is in FIPS mode, you cannot deactivate the FIPS mode.
Enabling FIPS Mode for a Single Controller Deployment
The following are the steps to activate FIPS mode for a single Controller deployment:
Ensure that the Controller does not have any SEs deployed. It is recommended to deactivate all virtual services and delete any existing SEs.
Create the Controller cluster before activating FIPS.
Upload the controller.pkg file (the upgrade package) for the same Controller base version, to the Controller node. For instance, if the Controller being used is on version 20.1.5, upload the 20.1.5 controller.pkg to the Controller.
For step-by-step instructions on how to upload, see Flexible Upgrades for NSX Advanced Load Balancer in the VMware NSX Advanced Load Balancer Administration Guide.
Activate FIPS mode through the CLI:
[admin:avi-cntrl]: > system compliancemode fips_mode
+----------------------+------------------------------------------+
| Field                | Value                                    |
+----------------------+------------------------------------------+
| fips_mode            | True                                     |
| common_criteria_mode | False                                    |
| force                | False                                    |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                     |
+----------------------+------------------------------------------+
The Controller reboots and returns online in FIPS mode.
Enabling FIPS Mode for a Controller Cluster Deployment
Ensure that the Controller does not have any SEs deployed. It is recommended to deactivate all virtual services and delete any available SEs.
Create the Controller cluster before enabling FIPS.
Upload the controller.pkg file (the upgrade package) for the same Controller base version to the leader node. For instance, if the version of the Controller being used is 20.1.5, upload the 20.1.5 version of controller.pkg to the leader.
For step-by-step instructions on how to upload, see Flexible Upgrades for NSX Advanced Load Balancer in the VMware NSX Advanced Load Balancer Administration Guide.
Enable FIPS mode through the CLI:
> system compliancemode fips_mode
+----------------------+-------------------------------------------+
| Field                | Value                                     |
+----------------------+-------------------------------------------+
| fips_mode            | True                                      |
| common_criteria_mode | False                                     |
| force                | False                                     |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                      |
+----------------------+-------------------------------------------+
The Controller nodes reboot and return online in FIPS mode.
Verifying FIPS Mode
To verify that FIPS mode is activated, use the following commands:
[admin:avi-cntrl]: > show version controller
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+

[admin:admin-ctrl-write]: > show version serviceengine
No results.

[admin:avi-cntrl]: > show version serviceengine
+--------------+--------------------------------------+-------+------+
| SE Name      | Version                              | Patch | Fips |
+--------------+--------------------------------------+-------+------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+--------------+--------------------------------------+-------+------+
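The verification above can be automated across many nodes. The following Python is an added example, not VMware's code: it parses saved output of the two show version commands and lists every node whose Fips column is not True. The function names and the Avi-se-sample row are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the page's `show version` output.
# The row for Avi-se-sample (Fips False) is made up for this example.
SAMPLE = """\
[admin:avi-cntrl]: > show version controller
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+
[admin:avi-cntrl]: > show version serviceengine
+---------------+--------------------------------------+-------+-------+
| SE Name       | Version                              | Patch | Fips  |
+---------------+--------------------------------------+-------+-------+
| Avi-se-rencf  | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True  |
| Avi-se-sample | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | False |
+---------------+--------------------------------------+-------+-------+
"""

PROMPT = re.compile(r">\s*show version (\w+)")

def parse_show_version(text):
    """Return one dict per table row: kind, name, version, fips (bool)."""
    nodes, kind, header = [], None, None
    for line in map(str.strip, text.splitlines()):
        match = PROMPT.search(line)
        if match:  # a new command starts a new table
            kind, header = match.group(1), None
        elif line.startswith("|"):  # skip borders and "No results."
            cells = [c.strip() for c in line.strip("|").split("|")]
            if header is None:
                header = [c.lower() for c in cells]
                continue
            row = dict(zip(header, cells))
            # Only the literal True passes; a missing Fips column fails.
            nodes.append({"kind": kind, "name": cells[0],
                          "version": row.get("version", ""),
                          "fips": row.get("fips") == "True"})
    return nodes

def fips_report(text):
    """Summarise node counts and list every node not reporting Fips True."""
    nodes = parse_show_version(text)
    return {"controllers": sum(n["kind"] == "controller" for n in nodes),
            "service_engines": sum(n["kind"] == "serviceengine" for n in nodes),
            "not_fips": [n["name"] for n in nodes if not n["fips"]]}

if __name__ == "__main__":
    print(fips_report(SAMPLE))
```

An empty not_fips list together with the expected node counts indicates that every listed Controller and SE reports FIPS mode; a service_engines count of 0 corresponds to the No results. case.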
Disaster Recovery Considerations
- Restoring the Configuration to a new Controller Cluster:
  Restoring the NSX Advanced Load Balancer configuration from a FIPS activated deployment can be performed only on a Controller which has FIPS mode activated. Ensure that the destination Controller or Controller cluster has FIPS enabled before performing a configuration import.
- Adding a new Controller node to a Cluster:
  A Controller cluster requires all the nodes to be FIPS activated. If a Controller node needs to be replaced with a new Controller node, ensure that the new node has FIPS enabled before adding it to the Controller cluster.
- Upgrading a Deployment with FIPS Mode Enabled:
  Upgrade and Patch Upgrade in the FIPS mode follow the same process as the non-FIPS deployments. No special considerations are required for FIPS deployments.
- Deactivating FIPS Mode:
  Once enabled, deactivating FIPS compliance mode is not supported.
Features Unavailable in the FIPS-Compliant Mode
On activating FIPS compliance in NSX Advanced Load Balancer, only cryptographic algorithms that are FIPS-compliant will be used. The following non-compliant modules will be unavailable, to adhere to the FIPS 140-2 standards:
RADIUS health monitor.
Note: RADIUS as an L4 application is supported.
In BGP, the setting of md5_secret for peers.
TLS v1.3 and 0-RTT (the enable_early_data option under the SSL Profile).
Hardware Security Modules (HSM devices) such as Safenet and CloudHSM.
1024 RSA Key
The set of elliptic curves (EC) which are not supported as per OpenSSL FIPS Object Module of VMware.
Async SSL (This is a feature under the SE Group that goes in tandem with the HSM configuration. This feature is not relevant when HSM is not allowed).
L7 Sideband
HTTP(S) Health Monitor with NTLM authentication.
HTTP cookie persistence key rotation.
Use of flushdb.sh for Controller recovery scenarios is not supported. It is recommended to use clean_cluster.py. Both these scripts must be used under NSX Advanced Load Balancer support team supervision.
The following features are available in FIPS-compliant mode.
Hardware Security Modules (HSM devices) such as Safenet and CloudHSM
Async SSL (This is a feature under the SE Group that goes in tandem with the HSM configuration. This feature is not relevant when HSM is not allowed.)