Lantronix EMG Series User Manual

7: Networking
EMG™ Edge Management Gateway User Guide
Security
The EMG supports a security mode that complies with the FIPS 140-2 standard. FIPS (Federal
Information Processing Standard) 140-2 is a security standard developed by the United States
federal government that defines rules, regulations and standards for the use of encryption and
cryptographic services. The National Institute of Standards and Technology (NIST) maintains the
documents related to FIPS at: http://csrc.nist.gov/publications/PubsFIPS.html.
The FIPS 140-2 standard is available at:
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf.
FIPS 140-2 defines four security levels, Level 1 through Level 4. The EMG unit is FIPS certified at
Level 1. The console manager is FIPS certified at Level 1. FIPS 140-2 compliance requires a
defined cryptographic boundary around the cryptographic module on a device. In FIPS mode, the
console manager allows only FIPS-approved cryptographic algorithms to be used, and weak
algorithms (such as MD5 and DES) are disabled.
To enable FIPS mode, the Network -> Security -> FIPS Mode flag needs to be enabled and the
EMG unit rebooted. Each time a FIPS application is started, it will perform a power up self test to
verify the integrity of the EMG unit's cryptographic module. If there are any issues with the integrity
of the cryptographic module, the application will terminate and an error will be logged in the
system log.
When the EMG unit is running in FIPS mode, the services listed below are supported:
TLS/SSL (Web Server, WebSSH): Use only SHA2 and Higher for incoming TLS/SSL connections
will be enabled by default when booting into FIPS mode; this can be disabled if necessary to allow
TLS v1.0 and TLS v1.1 connections (for more information see FIPS Mode and TLS). SSL/secure
certificates imported for use with the web server must use an RSA public key with 2048, 3072 or
4096 bits with the SHA2 hashing algorithm.
The following cipher suites are supported in FIPS mode:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 / DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 / DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 / DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 / DHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 / ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 / ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 / ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 / ECDHE-RSA-AES256-GCM-SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 / AES128-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 / AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 / AES256-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 / AES256-GCM-SHA384
LDAP: SSL/secure certificates imported for use with LDAP authentication must use an RSA public
key with 2048, 3072 or 4096 bits with the SHA2 hashing algorithm. Encryption with StartTLS or
SSL encryption over port 636 (the default) or another port is required.
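The web server and LDAP certificate requirements above (RSA key of 2048, 3072 or 4096 bits, SHA2 hashing) can be checked before a certificate is imported. The following is an added example, not part of the Lantronix manual or firmware: a standard-library Python check whose function names are hypothetical, and which assumes "SHA2" means the sha224/256/384/512WithRSAEncryption signature OIDs.

```python
import base64, re, sys

PKCS1 = bytes.fromhex("2a864886f70d0101")   # DER bytes of OID arc 1.2.840.113549.1.1
RSA_ENCRYPTION = PKCS1 + b"\x01"            # rsaEncryption
# sha256/384/512/224WithRSAEncryption: assumed reading of the manual's "SHA2"
SHA2_RSA_SIGS = {PKCS1 + bytes([n]) for n in (11, 12, 13, 14)}
ALLOWED_BITS = {2048, 3072, 4096}           # key sizes listed in the manual

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def check_cert(pem):
    """Return a list of reasons the certificate misses the stated requirements."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    _, cert, _ = tlv(base64.b64decode(m.group(1)), 0)
    tbs = children(children(cert)[0][1])    # tbsCertificate fields
    if tbs[0][0] == 0xA0:                   # drop optional explicit [0] version
        tbs = tbs[1:]
    sig_oid = children(tbs[1][1])[0][1]     # signature AlgorithmIdentifier OID
    spki = children(tbs[5][1])              # subjectPublicKeyInfo
    problems = []
    if sig_oid not in SHA2_RSA_SIGS:
        problems.append("signature algorithm is not SHA2 with RSA")
    if children(spki[0][1])[0][1] != RSA_ENCRYPTION:
        problems.append("public key is not RSA")
    else:                                   # BIT STRING: skip unused-bits octet
        rsa_key = children(spki[1][1][1:])[0][1]
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
        if bits not in ALLOWED_BITS:
            problems.append(f"RSA key is {bits} bits")
    return problems

if __name__ == "__main__":                  # usage: python check_cert.py cert.pem
    issues = check_cert(open(sys.argv[1]).read())
    print("OK" if not issues else "\n".join(issues))
```

Certificates signed with RSASSA-PSS carry the hash in the algorithm parameters rather than the OID, so this check reports them as failing; the manual does not say whether the unit accepts them.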
SSH (connections in and out of the console manager, including WebSSH): DSA keys cannot be
used, and Use only SHA2 and Higher for incoming SSH connections must be enabled. SSH
Keys imported for use with SSH authentication (e.g. public key cryptography or asymmetric
