Fibre Channel (SAN)

New Contributor
Posts: 4
Registered: ‎05-18-2015

fipscfg --enable -fips

Given:

1. I have a SAN switch / Fabric OS combination that is FIPS-validated.

2. I have correctly followed the entire procedure to prepare to enter FIPS mode.

3. I issue this command:

fipscfg --enable fips

 

I know this command "puts me into FIPS mode". But that's a pretty high-level description. What does it actually ***do***? Does it disable all of the commands that are used to prepare the switch for FIPS mode? Something else?

 

Thanks in advance!

 

Frequent Contributor
Posts: 95
Registered: ‎03-23-2015

Re: fipscfg --enable -fips

Hi @dtheese,

 

On page 645 of this PDF, there is an overview of FIPS configuration and the features available in FIPS mode and in non-FIPS mode. Hope that helps.

Dennis Smith
Manager Brocade Communities
@DennisMSmith
New Contributor
Posts: 4
Registered: ‎05-18-2015

Re: fipscfg --enable -fips

More specifically, what does fipscfg --enable -fips do that prevents me from re-enabling root, re-enabling boot prom access, etc.?

Frequent Contributor
Posts: 95
Registered: ‎03-23-2015

Re: fipscfg --enable -fips


I have asked some of our engineers to take a look at this, but while we wait for them to respond I would suggest opening a ticket with support. They may be able to give a more thorough answer. 

Dennis Smith
Manager Brocade Communities
@DennisMSmith
Frequent Contributor
Posts: 130
Registered: ‎02-05-2014

Re: fipscfg --enable -fips

I may be a bit ignorant here, but wouldn't those be the questions you need to ask BEFORE you put a switch in such a restricted mode?

 

To be honest, in the 20 years I've been working with Brocade environments this is actually only the third time I've seen a need for FIPS and seen it actually enabled. I would like to hear some more about your reasoning for why you need FIPS.

 

Your feedback is much appreciated.

 

 

Kind regards,
Erwin van Londen
Brocade Distinguished Architect
http://www.erwinvanlonden.net The Fibre Channel blog


New Contributor
Posts: 4
Registered: ‎05-18-2015

Re: fipscfg --enable -fips

We actually have not yet put our switch in FIPS mode. I am trying to learn as much as I can about it before we do.

 

As to the reason for our need for FIPS... It is contractually required of us by our customer. No FIPS, no deal!

 

Frequent Contributor
Posts: 130
Registered: ‎02-05-2014

Re: fipscfg --enable -fips

:-) Pretty compelling sales-argument.

 

To be honest, this is the first time I see this requirement, but I assume this is for some NSA/FBI/CIA or whatever hush-hush organisation.

 

The methodology used is pretty simple. It removes basically all options that should not be allowed in a FIPS-compliant switch. For example, the bootprom access methodology is adjusted so it will not show you the option of pressing the ESC key (fipscfg --disable bootprom). The firmwaredownload method is adjusted so that it will check for a signed FOS release, otherwise it won't do anything, plus it only connects to an SSL-enabled system (ssh/scp).

 

From a troubleshooting perspective this is the easiest switch to diagnose: If it doesn't work try rebooting. If that doesn't work: buy a new one. All support options are disabled and a supportshow/save is not an option on a FIPS enabled switch.

 

:-)

 

For more info: http://www.nist.gov/itl/fips.cfm

 

Kind regards,
Erwin van Londen
Brocade Distinguished Architect
http://www.erwinvanlonden.net The Fibre Channel blog


New Contributor
Posts: 4
Registered: ‎05-18-2015

Re: fipscfg --enable -fips

Yes indeed, there are a number of prerequisites to entering FIPS mode. Here are just a few as examples (taken straight from the Administrator's Manual for FOS 7.1.0):

sshutil delpubkeys
sshutil delprivkey

switch:FID128:admin> snmpconfig --set seclevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0]

Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3

fipsCfg --disable bootprom

userConfig --change root -e no

And then, of course, there's the all-important command that makes all of these changes irreversible:

 

fipsCfg --enable fips

 

Here's what my question really is: Once I issue that all-important no-going-back fipsCfg --enable fips command, what is preventing me from undoing any of the prerequisite configuration I had to do to make the switch FIPS-compliant?

 

As one concrete example, what prevents me from reinstating root access as shown immediately below?

 

userConfig --change root -e yes

 

Does fipsCfg --enable fips simply disable any command that would allow one to change any of the prerequisite settings that are required to enter FIPS mode? Or does it do more than that?
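Because the enable step is described in this thread as a point of no return, the practical defence is to verify every prerequisite before typing it. The script below is an added example, not Brocade code and not Fabric OS output: it reads a constructed key/value snapshot that an operator (or a wrapper script) fills in from the switch, reports which of the prerequisites quoted above from the FOS 7.1.0 Administrator's Guide are still unmet, and only emits the irreversible `fipsCfg --enable fips` command when nothing is outstanding. The snapshot key names, the sample values, and the rule that SNMP GET needs at least level 2 are this example's own assumptions; the command strings are the ones quoted in the thread.

```python
"""Pre-flight check before the irreversible 'fipsCfg --enable fips' step.

Added example, not Brocade's code or Fabric OS output. The snapshot format
is a constructed key/value record that an operator (or a wrapper script)
fills in from the switch; the key names are this script's own, not FOS
identifiers. The remediation commands are the ones quoted in the thread
from the FOS 7.1.0 Administrator's Guide prerequisite list.
"""
from dataclasses import dataclass

# Constructed sample: a switch that has NOT yet had any prerequisite applied.
SAMPLE_SNAPSHOT = """\
root_enabled=yes
bootprom_access=enabled
snmp_get_seclevel=0
snmp_set_seclevel=3
ssh_public_keys=2
ssh_private_key=present
"""

ENABLE_CMD = "fipsCfg --enable fips"     # irreversible once issued
FORCE_CMD = "fipscfg --force fips"       # enables FIPS but leaves root enabled


@dataclass
class Finding:
    check: str          # what is still unmet
    remediation: str    # prerequisite command quoted in the thread


def parse_snapshot(text: str) -> dict:
    """Parse 'key=value' lines into a dict, ignoring blanks and '#' comments."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        state[key.strip()] = value.strip().lower()
    return state


def preflight(state: dict) -> list:
    """Return every prerequisite that is still unmet; an empty list means ready.

    Missing keys count as unmet: before an irreversible step, an unknown
    value must not pass silently.
    """
    findings = []
    if state.get("root_enabled") != "no":
        findings.append(Finding("root account still enabled",
                                "userConfig --change root -e no"))
    if state.get("bootprom_access") != "disabled":
        findings.append(Finding("boot PROM access still enabled",
                                "fipsCfg --disable bootprom"))
    # The thread's transcript selects 3 (No Access) for SET. Requiring at
    # least 2 (Authentication and Privacy) for GET is this script's own
    # assumption; confirm the exact levels against the Administrator's Guide.
    if state.get("snmp_set_seclevel") != "3":
        findings.append(Finding("SNMP SET security level is not 3 (No Access)",
                                "snmpconfig --set seclevel"))
    if state.get("snmp_get_seclevel") not in ("2", "3"):
        findings.append(Finding("SNMP GET security level below 2",
                                "snmpconfig --set seclevel"))
    if state.get("ssh_public_keys") != "0":
        findings.append(Finding("SSH public keys still present",
                                "sshutil delpubkeys"))
    if state.get("ssh_private_key") != "absent":
        findings.append(Finding("SSH private key still present",
                                "sshutil delprivkey"))
    return findings


def plan(state: dict, force: bool = False) -> list:
    """Commands to issue next, in order.

    The FIPS enable command is emitted only when nothing is unmet, or, with
    force=True, when root is the only unmet item (the --force path shown
    later in the thread keeps root enabled).
    """
    findings = preflight(state)
    if not findings:
        return [ENABLE_CMD]
    if force and all(f.remediation.startswith("userConfig") for f in findings):
        return [FORCE_CMD]
    # De-duplicate remediations (both SNMP checks map to one command) and
    # deliberately do not append the irreversible step.
    return list(dict.fromkeys(f.remediation for f in findings))


if __name__ == "__main__":
    state = parse_snapshot(SAMPLE_SNAPSHOT)
    for f in preflight(state):
        print(f"UNMET: {f.check:45} -> {f.remediation}")
    print("next:", plan(state))
```

The design choice worth noting is that absent or unrecognised values fail the check rather than pass it: once `fipsCfg --enable fips` has been issued, a prerequisite that was silently skipped cannot be revisited, so the script errs on the side of blocking.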

 

New Contributor
Posts: 4
Registered: ‎03-18-2015

Re: fipscfg --enable -fips

Keep in mind that if you disable root for FIPS mode, you can't ever re-enable it.

You can, though, force-enable FIPS while leaving root enabled.

 

bswitch2:adminuser> fipscfg --force fips
Root account is enabled.
FIPS mode has been set to : Enabled
Please reboot the system
bswitch2:adminuser>
bswitch1:adminuser> reboot
Warning: This command would cause the switch to reboot
and result in traffic disruption.
Are you sure you want to reboot the switch [y/n]?y

New Contributor
Posts: 4
Registered: ‎03-18-2015

Re: fipscfg --enable -fips

In addition, I have been able to disable FIPS mode on 6.4.3f3 and prior, but it does not appear to be such an easy task on 7.2.
