Product Documentation

Enabling FIPS Compliance Mode in NetScaler SD-WAN

Aug 09, 2017

The National Institute for Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) in areas for which no voluntary standards exist. FIPS address the following issues:

  • Compatibility between different systems.
  • Data and software portability.
  • Cost-effective computer security and privacy of sensitive information.

FIPS specifies the security requirements for a cryptographic module used in security systems. To apply these security standards to the processing done by a NetScaler SD-WAN appliance, configure FIPS mode.

In NetScaler SD-WAN 9.3, FIPS mode enforces users to configure FIPS compliant settings for their IPsec Tunnels and IPsec settings for Virtual Paths.

  • Displays the FIPS compliant IKE Mode.
  • Displays a FIPS Compliant IKE DH Group from which users can select the required parameters for configuring the appliance in FIPS compliant mode (2,5,14 – 21).
  • Displays the FIPS compliant IPsec Tunnel Type in IPsec settings for Virtual Paths

        a.    IKE Hash and (IKEv2) Integrity mode, IPsec auth mode.

        b.    Performs audit errors for FIPS based Lifetime Settings

To enable FIPS compliance by using the NetScaler SD-WAN GUI:

1.    Go to Configuration -> Virtual WAN -> Configuration Editor - > Global Settings, and select Enable FIPS Mode

Enabling FIPS mode enforces checks during configuration to ensure that all IPsec related configuration parameters adhere to the FIPS standards. You will be prompted through audit-errors and warnings to successfully configure IPsec to meet the standards.

localized image

2.  Go to Connections -> Site - > IPsec Tunnels.  With LAN or Intranet Tunnel selected, the screen distinguishes the FIPS-compliant groups in the IKE settings from those that are not compliant, so that you can easily configure FIPS compliance.

 

 

localized image

The screen also indicates whether the hash algorithm isFIPS compliant, as shown in the following figure.

localized image

FIPS compliance options for IPsec settings:

localized image

If the IPsec configuration does not comply with FIPS standards when it is enabled an audit error might be triggered. Following are the type of audit errors that get displayed in the GUI.

  • When FIPS mode is enabled and Non-FIPS compliant option is selected.
  • When FIPS mode is enabled and incorrect lifetime value is entered.
  • When FIPS mode is enabled and IPsec settings for virtual path default set is also enabled, and incorrect Tunnel mode is selected (ESP vs ESP_Auth / AH). 
  • When FIPS mode is enabled, IPsec settings for virtual path default set is also enabled, and incorrect lifetime value is entered.