This section provides an overview of the implementation of Federal Information Processing Standard (FIPS) on the Orchestrator and Gateways, encompassing the three operational modes and the procedures necessary to activate FIPS mode.

Overview

The Federal Information Processing Standards of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military United States government agencies and contractors.

FIPS 140-2 certification for cryptographic modules enables organizations to meet compliance requirements within the public sector, healthcare, and finance industries. It defines the critical security parameters that must be used for encryption in the products sold into the U.S. public sector. FIPS 140-2 is, therefore, required under multiple compliance programs, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

FIPS certification ensures that software has been thoroughly reviewed and tested before being deployed and utilized within an agency or organization requiring data encryption. Industries storing and processing sensitive data that spans outside the public sector space, leading to FIPS-certified software being widely adopted within the payment card industry, healthcare, and other regulated industries.

System Components

FIPS-validated modules for the SD-WAN Orchestrator and Gateway include the following system components:
  • The cryptographic library in the system kernel.
  • OpenSSL general purpose cryptographic library that includes TLS implementation.
  • OpenSSH client and server applications.

FIPS Cryptographic Algorithms

Ciphers:

AES128-CTR, AES192-CTR, AES256-CTR

MACS:

HMAC-SHA2-256, HMAC-SHA2-512

Key Exchange:

EDCH-SHA2-NISTP521, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP256, Diffie-Hellman-Group-Exchange-SHA256

Application Security System

FIPS-mode operation also enables an application security system on the Orchestrator and Gateway. This includes an allowlist of core applications used by the SD-WAN appliances, and a denylist of processes that should never be allowed.

The application security system also prevents unauthorized access from within existing processes, such as file access, external executable processes, and so forth. Unauthorized access attempts are recorded in an audit log, which can be viewed using the “aa-logprof” CLI command.

FIPS Modes of Operation

Non-FIPS Mode

This is the default mode of operation. SD-WAN appliances are capable of using non-FIPS-approved ciphers such as Triple DES (3DES), and all software packages can be updated.

FIPS Compliant Mode

SD-WAN appliances are capable of only using FIPS-approved ciphers, and the software package can be updated to include a FIPS module that is patched for security vulnerability but not tested by NIST.

FIPS Strict Mode

SD-WAN appliances are capable of only using FIPS-approved ciphers, and only non-cryptographic software packages may be updated. For systems running in “Strict FIPS mode”, FIPS system components will not receive regular security updates. These modules will be updated when new validated FIPS modules are available.

Enabling FIPS Mode

The Orchestrator and Gateways are appliances that run as virtual machines. FIPS mode may be enabled for them during instantiation using a cloud-init file, or after instantiation using a CLI command.

Important: Enabling FIPS mode has an impact on system operations. Therefore, it should be enabled before the system is put into production when there are no active Edges or Gateways. This is because the enablement process will install FIPS-compliant software modules and reboot the system to transition into FIPS mode. This requires a cryptographic rekey to be performed after reboot, which is service impacting to any attached Edges or Gateways.

However, there is no impact to an Orchestrator already in FIPS mode if a user transitions it from “Strict” to “Compliant”.

Enabling FIPS via Cloud-Init File

For both the Orchestrator and Gateways, the mode of operation (FIPS mode versus non-FIPS mode) can be specified in cloud-init during the VM spin up process. If no flags are set, the system will default to non-FIPS mode.

The line “fips_mode: strict” should be added to the user-data portion of the cloud-init file as shown in the example below: 
#cloud-config
velocloud:
  fips_mode: strict

If no flags are set, the system will instantiate in the “default” mode of “FIPS disabled”.

Enabling FIPS via the Command Line

FIPS mode can also be enabled via CLI post-deployment (not recommended). Please note that SSH host keys will change. 
sudo /opt/vc/bin/vc_fips_enable  --mode=[strict|compliant] [--no-reboot] [--noninteractive]

Verifying FIPS Mode of Operation on SD-WAN Orchestrator and Gateway

Three CLI commands may be used to verify which mode of operation the SD-WAN Orchestrator and Gateway appliances are operating in. These are shown in the following example: 
$ cat /opt/vc/etc/fips/fips.json
{"fips_mode": "compliant", "prev_fips_mode": "none"}
 
$ cat /proc/sys/crypto/fips_enabled
1
 
$ dmesg |grep -i "fips mode"
[    0.000000] fips mode: enabled

Orchestrator Upgrade

If the Orchestrator fails to upgrade due to a FIPS error, first check if the fips.cnf file exists at /etc/mysql/conf.d.

If the file is missing, do the following:
  1. With sudo, create a file /etc/mysql/conf.d/fips.cnf with:

    [mysqld]

    ssl_fips_mode=1

  2. sudo chmod 644 /etc/mysql/conf.d/fips.cnf
  3. sudo systemctl restart mysql.service