Occasional Contributor I

Fips

Hello All:

I have a 6000/M3 currently running 3.4.2.3.

I'm being told to go FIPS. Looking at 3.3.2.19-FIPS.

Just wondering if anybody out there has any experience/thoughts about this "downgrade".

I'm just curious to know if anybody knows of anything that's going to break right out of the gate. Looked over the release notes, and I didn't really see anything too concerning.

My config is pretty simple right now....just some 124's/125's with WPA2/PSK....

Thank you!
Occasional Contributor I

Re: Fips

Are you trying to switch to FIPS for the encryption side of things? Because FIPS is more than just the Controller OS. It's the encryption chip on the controller; you can't use PSK to be FIPS compliant.
Moderator

Re: Fips

If you can wait a few more weeks, 3.4.2.3-FIPS will become available so you can worry less about a downgrade. 3.4.2.3-FIPS is halfway through NIST right now - the APs are already approved and on the website, but the controllers got assigned a different reviewer so they are taking a little longer. It could be tomorrow, or it could be a few weeks.

Watch here for the latest and greatest:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Re: Fips

Well, technically, FIPS 140-2 is about a validated encryption system using approved algorithms. You can definitely run WPA2-PSK in FIPS mode, and you're getting a validated AES-CCM implementation. Now whether or not a particular agency allows WPA-PSK by policy is a separate discussion - most do not. The only WLAN opmode we're actually required to remove from the product for FIPS mode is WEP.

Not sure if the OP is actually subject to rules requiring FIPS or if they have other reasons to run it... but one other note is that if you're running FIPS software on commercial controller hardware, your implementation is not technically FIPS-validated. To follow the letter of the law, you need to run FIPS software on a -F1 model controller, and you need to run it in FIPS mode ("fips enable" from the CLI). On some controller models there are hardware differences between the commercial and FIPS model controllers, and on all of them the boot ROM is different. Oh, and you have to leave that pesky tamper-proof sticker covering the console port. :)

---
Jon Green, ACMX, CISSP
Security Guy
Occasional Contributor I

Thank you

Thanks for the info folks. Very helpful.