Overview of FIPS with Riverbed Systems
This chapter introduces FIPS compliance on Riverbed appliances and describes the basic steps to make your appliance FIPS compliant.
What is FIPS?
Federal Information Processing Standards (FIPS) is a publicly announced set of validation standards developed by the United States National Institute of Standards and Technology (NIST) for use by government agencies and by government contractors.
FIPS 140-2 details the U.S. and Canadian Government requirements for cryptographic modules. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module.
This standard specifies the security requirements satisfied by a cryptographic module used within a security system protecting sensitive but unclassified data.
Understanding FIPS on Riverbed systems
This section describes the Riverbed Cryptographic Security Module (RCSM), as well as the system features that are FIPS compliant and those that are not.
Riverbed Cryptographic Security Module
Riverbed Cryptographic Security Module (RCSM) v1.1 defines the cryptographic module that separates the cryptography that is FIPS compliant from the rest of the Riverbed system.
The RCSM is compatible with FIPS 140-2 Level 1 requirements. Unlike FIPS 140-2 Level 2 validation, which requires physical security mechanisms, Level 1 validates the software only.
You can achieve FIPS compliance on any Riverbed system that supports Riverbed software that contains the RCSM.
The RCSM appears as the validated cryptographic module on the NIST vendor page instead of a specific Riverbed appliance. The NIST vendor page is available at this URL:
Throughout this guide, FIPS mode and FIPS compliance refer to use of the RCSM.
The NIST vendor page lists the first qualified version of the software. Riverbed has maintained compliance through subsequent releases: although those releases are not listed on the NIST page, they remain compliant because neither the underlying RCSM nor the way the protocols in those releases use it has changed.
This guide is updated with new and relevant information for the features that impact FIPS as they have evolved.
FIPS cryptography compliance behavior for features
The following table provides details about the behavior of features while the Riverbed appliance is in FIPS mode.
Some of these features use FIPS-compliant cryptography. Some of the features are not FIPS compliant and generate a warning if they are enabled or if you try to configure them.
The system does not prevent you from using these features, but it does warn you that they are not FIPS compliant.
| Feature | Compliant | Warning | Blocked |
| --- | --- | --- | --- |
| Account passwords | Yes, when local user passwords and local authentication use SHA256-based or SHA512-based hash | Yes | Yes, when MD5 is used |
| Automatic licensing | No | Yes | No |
| Blockstore | Yes, when configured with AES_128, AES_192, or AES_256 | No | No |
| Citrix | No | Yes | No |
| Delta software upgrade | Yes | No | No |
| File transfers | Yes | No | No |
| HTTP Kerberos | No | Yes | No |
| Image integrity checks for RiOS | Yes | No | No |
| IPSec secure peering | No | Yes | No |
| iSCSI with CHAP | No | No | No |
| Lotus Notes encryption | No | Yes | No |
| MAPI-RPC encryption | No | Yes | Yes |
| MAPI-OA encryption (RC4 or AES) | No | Yes | No |
| Mobile Controller cluster communications in FIPS mode using SHA-1 based hash. Clusters with a mix of Mobile Controllers running in FIPS and non-FIPS mode are supported but not recommended. | Yes | No | No |
| Network web proxy | No | Yes | No |
| NTP with SHA authentication | Yes, when not configured to use MD5 | Yes | No |
| RADIUS | No | Yes | No |
| SCC Auto-Registration | No | Yes | No |
| Secure peering | Yes | No | No |
| Secure transport | No | No | No |
| Secure vault | Yes | No | No |
| SMBv1/CIFS signing | No | Yes | Yes |
| SMBv2/SMBv3 signing with client using NTLM authentication | No | Yes | No |
| SMBv2/SMBv3 signing with client using Kerberos authentication | Yes | No | No |
| SMBv3 signing/encryption | No | Yes | Yes |
| Snapshots | Yes, when a third party uses FIPS-approved ciphers | No | No |
| SNMP | Yes, when configured to not use MD5 or DES for user passwords | Yes | No |
| SSH | Yes, when configured with FIPS ciphers | Yes | No |
| SSL optimization | Yes | Yes | No |
| SSL secure peering | Yes | Yes | No |
| SSL Web UI | Yes, when using certificates generated with a key size greater than 1024 bits | Yes | Yes |
| TACACS+ | No | Yes | No |
| Telnet | No | Yes | Yes |
| Virtual services platform | No | No | No |
| WCCP | No | Yes | No |
| Web interface (Apache Web server) | Yes | No | No |
| Windows AD authority | No | Yes | Yes |
Basic steps for configuring FIPS compliance
To achieve FIPS compliance on a Riverbed appliance, you must run a software version that includes the Riverbed Cryptographic Security Module (RCSM) v1.1, configure the system to run in FIPS operation mode, and adjust the configuration of any features that are not FIPS compliant.
You can enter FIPS operation mode after you install a FIPS license and restart the appliance. When you operate in FIPS mode, the system automatically uses FIPS-compliant versions where possible, but some features that use encryption must be checked and configured so that they are compliant.
With FIPS mode enabled, the system monitors configuration changes and provides warnings if you configure a feature to be noncompliant with FIPS. These warning messages appear when you try to change a configuration setting to an unsupported option. You can also view these warnings using the show fips status command.
This table describes the basic tasks necessary to configure your SteelHead to use FIPS-validated cryptographic modules.
| Task | Reference |
| --- | --- |
| 1. Install the FIPS license. | |
| 2. Ensure passwords for user accounts use FIPS-compliant encryption. | For details, see Account passwords. |
| 3. Enable FIPS mode. | For details, see Enabling FIPS mode. |
| 4. Run the show fips status command to view compliance status and make any required configuration changes. | |
| 5. Reboot the appliance. | |
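The following script is an added example, not Riverbed code, that illustrates the kind of check behind step 4 and the feature table above: it audits a configuration snapshot against the table's rules for account password hashes, NTP authentication keys, SNMP user protocols, the SSL Web UI certificate key size, and Telnet, and classifies each finding as compliant, warning, or blocked. The dictionary layout of `SAMPLE_CONFIG`, the function names, and the sample values are all assumptions made for this example; they are not the appliance's real configuration format or CLI output.

```python
"""Constructed FIPS-mode configuration audit (added example, not Riverbed code).

The rules encode rows of this chapter's feature table. The configuration
layout and the sample values are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# crypt(3)-style hash prefixes, as commonly used for local account passwords.
CRYPT_PREFIXES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}

# Sample configuration snapshot (constructed for this example; hashes are dummies).
SAMPLE_CONFIG = {
    "local_users": {
        "admin": "$6$saltsalt$dummyhash",    # SHA-512: compliant
        "monitor": "$1$saltsalt$dummyhash",  # MD5: blocked in FIPS mode
    },
    "ntp_auth_keys": {"1": "sha1", "2": "md5"},
    "snmp_users": {
        "ops": {"auth": "sha", "priv": "aes"},
        "legacy": {"auth": "md5", "priv": "des"},
    },
    "web_ui_cert_bits": 1024,
    "telnet_enabled": True,
}


@dataclass(frozen=True)
class Finding:
    feature: str
    status: str  # "compliant", "warning" or "blocked"
    detail: str


def hash_algorithm(password_hash: str) -> str:
    """Identify the hash family of a crypt(3)-style password hash by its prefix."""
    for prefix, name in CRYPT_PREFIXES.items():
        if password_hash.startswith(prefix):
            return name
    return "unknown"


def audit(config: dict) -> List[Finding]:
    """Apply the feature-table rules to a configuration snapshot."""
    findings: List[Finding] = []

    # Account passwords: SHA-256/SHA-512 hashes are compliant; MD5 is blocked.
    for user, pw_hash in config.get("local_users", {}).items():
        alg = hash_algorithm(pw_hash)
        status = "compliant" if alg in ("SHA-256", "SHA-512") else "blocked"
        findings.append(Finding("Account passwords", status, f"{user}: {alg}"))

    # NTP: SHA authentication is compliant; an MD5 key only raises a warning.
    for key_id, alg in config.get("ntp_auth_keys", {}).items():
        status = "warning" if alg.lower() == "md5" else "compliant"
        findings.append(Finding("NTP authentication", status, f"key {key_id}: {alg}"))

    # SNMP: MD5 authentication or DES privacy for a user raises a warning.
    for user, proto in config.get("snmp_users", {}).items():
        weak = proto["auth"].lower() == "md5" or proto["priv"].lower() == "des"
        status = "warning" if weak else "compliant"
        findings.append(Finding("SNMP", status,
                                f"{user}: auth={proto['auth']} priv={proto['priv']}"))

    # SSL Web UI: the certificate key must be larger than 1024 bits, else blocked.
    bits = config.get("web_ui_cert_bits")
    if bits is not None:
        status = "compliant" if bits > 1024 else "blocked"
        findings.append(Finding("SSL Web UI", status, f"{bits}-bit certificate key"))

    # Telnet: never compliant; enabling it is warned about and blocked in FIPS mode.
    if config.get("telnet_enabled"):
        findings.append(Finding("Telnet", "blocked", "telnet service enabled"))

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, a compact view of the compliance state."""
    counts = {"compliant": 0, "warning": 0, "blocked": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def is_fips_ready(findings: List[Finding]) -> bool:
    """Only enable FIPS mode once no finding is in the blocked state."""
    return not any(f.status == "blocked" for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.status:9}  {f.feature:20}  {f.detail}")
    print(summarize(results), "ready:", is_fips_ready(results))
```

Run as a script, the audit of the sample snapshot reports the MD5 account hash, the 1024-bit Web UI certificate and the enabled Telnet service as blocked, and the MD5 NTP key and the MD5/DES SNMP user as warnings, which is the same distinction the table draws between settings FIPS mode merely warns about and settings it blocks.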