ADC

FIPS compliance and validation FAQ

General overview

What are Federal Information Processing Standards (FIPS)?

FIPS is a standard and guideline for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS is developed for use by the federal government, many organizations and companies voluntarily use these standards.

This Federal Information Processing Standard (140-2) specifies the security requirements that must be satisfied by a cryptographic module, providing for increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include:

  • Specification
  • Ports and interfaces
  • Roles, services, and authentication
  • Finite state model
  • Physical security
  • Operational environment
  • Cryptographic key management
  • Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
  • Self-tests
  • Design assurance
  • Mitigation of other attacks

For more information, see Compliance FAQs: Federal Information Processing Standards (FIPS).

What is the difference between compliant and validated?

A FIPS validated, or certified, solution is one that has undergone a thorough testing process by one of a handful of independent laboratories to ensure that all pieces of the product meet FIPS requirements.

A FIPS compliant solution is one where likely only a portion of the product has been fully verified. In the case of the first two generations of Citrix ADC appliances, Citrix uses a Hardware Security Module that is fully validated as a way to provide the additional security requirements of an ADC to meet FIPS level compliance. In the current generation of appliances, Citrix has directly taken on the effort of producing the specific components and having them validated directly, resulting in an ADC that is now fully validated to meet FIPS requirements.

Platforms

What are the FIPS options for Citrix ADC?

The following table lists the available options.

Citrix ADC Location FIPS Options Validated/Compliant
Public Cloud/On-Prem VPX FIPS Level 1 validated. Cert. #3732
Azure Public Cloud VPX with Azure Key Vault integration Level 2/Level 3 compliant
On-Prem MPX FIPS 8900/15000-50G FIPS) Level 2 validated. Cert #4043
On-Prem MPX/SDX 14000 FIPS (Level 3 compliant) Level 3 compliant
On-Prem MPX/SDX with External HSM (Thales and nCipher) Level 2/ Level 3 compliant
On-Prem MPX/SDX with External HSM (Thales and nCipher) Level 2/ Level 3 compliant

Which Citrix ADC appliances are FIPS validated?

The Citrix ADC MPX 8900 FIPS and MPX 15000-50G FIPS validated appliances (Cert #4043) have been tested by a third-party laboratory for the security requirements of FIPS 140-2 Level 2.

The Citrix ADC VPX FIPS appliance is validated for FIPS 140-2 Level 1 (Cert. #3732). The module is available as a software package that includes both the application software and the operating system. After purchasing the Citrix ADC VPX FIPS license, get the latest Citrix ADC VPX FIPS image from the Citrix website and deploy it to a host with appropriate hardware.

More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at Cryptographic Module Validation Program.

Why did Citrix develop its own cryptographic modules for FIPS validation?

Citrix decided to discontinue using third-party Hardware Security Modules in the FIPS ADC appliances to have deeper control over the overall architecture of the appliances. The benefits of this change come in the following areas:

  • Instead of only being able to offer FIPS ADC appliances in hardware form, the purpose-built firmware is now also packaged and licensed as a virtual appliance and this offers customers much more flexibility in how they deploy ADCs.
  • There is no longer a dependency on a third-party company to provide the add-on hardware or the firmware that it runs. This ensures better availability of components.
  • By architecting and developing all of the software in-house, Citrix is able to overcome performance limitations that existed due to the communication with the add-on hardware components. The result for customers is being able to deploy FIPS appliances that perform better.
  • The most significant benefit is that Citrix ADC customers are now able to deploy FIPS validated appliances as opposed to FIPS compliant appliances.

FIPS ciphers

What ciphers are supported by Citrix ADC MPX 8900/15000-50G FIPS and VPX FIPS platform?

For information on supported ciphers, see Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances.

What key sizes are supported on the VPX FIPS and MPX 8900/15000-50G FIPS platform?

Customers can use key sizes of 2048, 3072 and 4096, although only key sizes of 2048 and 3072 can be generated directly on the new FIPS platform appliances with ssl-keygen.

What happens if I try to add non-compliant ciphers to my virtual servers that are using a certificate to enable FIPS encryption?

The appliance shows an error because non-compliant ciphers are not supported.

Features and Functions

Does Citrix ADC FIPS include all the standard ADC functionality?

Yes, but with the following limitations:

Upgrades/downgrades and mixing FIPS and non-FIPS firmware

How do I upgrade to a FIPS validated version firmware from a non-FIPS version of the firmware?

FIPS validated firmware is a separate image. Software version upgrade from non-FIPS version to FIPS version is not supported. Also, the FIPS software version cannot be downgraded or upgraded to the non-FIPS software version.

There is no option to “convert” between a FIPS and non-FIPS validated appliance through license or firmware changes. Any appliance that was not purchased as FIPS validated will remain non-validated and must not be operated in a manner that would be compliant with FIPS.

How do I upgrade the firmware on my FIPS validated appliances?

The upgrade process is identical to that of the non-FIPS firmware appliances except that the FIPS-validated firmware is required (standard firmware cannot be used).

Can VPX FIPS be installed on a Citrix ADC SDX or Citrix ADC SDX FIPS platform?

No, VPX FIPS image is not supported on the Citrix ADC SDX and Citrix ADC SDX FIPS platforms.

Can we upgrade or downgrade VPX to VPX FIPS or conversely?

No. VPX FIPS is a separate image and cannot be upgraded or downgraded to the VPX firmware. Also, we cannot upgrade or downgrade a VPX to a VPX FIPS firmware.

Firmware information and differences

Can the FIPS validated build be installed on an MPX platform other than MPX 8900 FIPS and MPX 15000-50G FIPS?

No. FIPS validated build is only qualified to run on the MPX 8900 FIPS and MPX 15000-50G FIPS platforms.

Can I deploy Citrix ADC FIPS appliances as high-availability pairs?

Yes. For FIPS validated MPX and VPX appliances, the HA configuration steps are the same as for non-FIPS appliances.

Before getting started with HA configuration, for MPX 8900 FIPS and MPX 15000-50G FIPS platforms, see Citrix ADC MPX FIPS certified appliances and for VPX FIPS, see Citrix ADC VPX FIPS certified appliances.

For the MPX/SDX 14000 FIPS platforms, see Configure FIPS on appliances in an HA setup).

Can I deploy a Citrix ADC FIPS cluster?

Yes. Configuration steps for Citrix ADC VPX FIPS, Citrix ADC MPX 8900 FIPS, and MPX 15000-50G FIPS are the same as for non-FIPS appliances. For more information, see Clustering.

Will the Citrix ADC MPX 14000 FIPS commands work on Citrix ADC MPX 8900/15000-50G FIPS appliances?

No. The Citrix ADC MPX 14000 FIPS-specific commands won’t work on the latest Citrix ADC MPX 8900/15000-50G appliances. For more information, see Citrix ADC MPX FIPS certified appliances.

Do VPX FIPS and MPX 8900/15000-50G FIPS platform support admin partitions? Are there any differences from non-FIPS appliances?

Yes, these FIPS platforms support admin partitions.

Which Citrix ADC appliances require specific firmware, and why?

The Citrix ADC VPX FIPS and Citrix ADC MPX 8900/15000-50G FIPS appliances use FIPS-validated firmware. These platforms meet specific design and build specifications to support the FIPS-validated firmware to achieve FIPS validated status. In the case of the MPX FIPS appliances listed here, they must run the FIPS-validated firmware to achieve the FIPS-validated status as they do not use a Hardware Security Module as previous appliances had used.

All other appliances, including the MPX/SDX 14000 FIPS family, use standard firmware.

Pooled licensing

Is pooled licensing supported on the Citrix ADC MPX 8900/15000-50G and VPX FIPS platform?

Yes. For Citrix ADC MPX FIPS, following the purchase of a zero-capacity FIPS hardware platform, the appliance bandwidth capacity can be configured.

For Citrix ADC VPX FIPS, the appliance would need a VPX FIPS instance license to be uploaded to Citrix ADM after which the instance capacity can be configured.

Can a common license pool be used for Citrix ADC FIPS and non-FIPS appliances?

Yes. A common bandwidth pool can be shared between FIPS and non-FIPS appliances.

For Citrix ADC MPX FIPS, a zero-capacity FIPS hardware platform is required.

For Citrix ADC VPX FIPS, the appliance needs a VPX FIPS instance license to be uploaded to Citrix ADM after which the instance capacity can be configured.

Contact your Citrix Sales team for detailed information around this topic.

Can an existing Citrix ADC FIPS appliance be transitioned from perpetual to pooled license?

Yes, Citrix ADC FIPS appliances can be migrated from perpetual to pooled licensing. For more information, refer to the following links:

VPX FIPS

Which hypervisors are supported for Citrix ADC FIPS VPX?

VPX FIPS is a software appliance with an overall security level of FIPS 140-2 Level 1. It runs as a virtual appliance, and was tested and found compliant on the following platforms with Intel CPU supporting RDRAN and RDSEED instruction sets:

Hypervisor: VMware ESXi, KVM, Microsoft Hyper-V, Citrix Hypervisor, Microsoft Azure, AWS, and GCP.

What are the prerequisites to run a Citrix ADC VPX FIPS appliance?

See Citrix ADC VPX FIPS certified appliances prerequisites.

How is Citrix ADC VPX FIPS packaged?

The FIPS module is available as a software package that includes both the application software and the operating system. After purchasing the Citrix ADC VPX FIPS license, get the latest Citrix ADC VPX FIPS image from the Citrix website.

Where can I find Citrix ADC FIPS documentation?

The following documents contain information regarding supported Citrix ADC FIPS appliances:

SDX FIPS 14000 platform

On a Citrix ADC SDX FIPS appliance, are all instances automatically FIPS compliant?

Currently, Citrix offers only the SDX 14000 FIPS family of appliances which are FIPS compliant by using a third-party Hardware Security Module. When creating an instance on these appliances, each one must be individually FIPS-enabled.

Are there advantages to operating an instance in non-FIPS mode on an SDX FIPS appliance?

Achieving FIPS encryption standards for specific traffic requires a more intensive encrypt/decrypt process to ensure that the keys are maintained at the correct level of security integrity. If an instance operates any of its virtual servers without using the FIPS encryption process specifically, the SSL transactions per second that are achievable is higher.

Performance

Why are instances/appliances configured to use FIPS mode not able to achieve the same TPS rates for SSL traffic as the non-FIPS counterparts?

Achieving FIPS encryption standards for specific traffic requires a more intensive encrypt/decrypt processes to ensure that the keys are maintained at the correct level of security integrity. When an instance/appliance is using the FIPS mode of encryption, it increases the amount of time required to run an encrypt or decrypt action and this reduces the total amount of TPS that can be achieved.

The more recent FIPS platforms (VPX FIPS and MPX 8900/15000-50G FIPS) are able to operate at throughput rates that are much closer to their non-FIPS counterparts due to the architecture that Citrix chose when designing these appliances. Citrix no longer uses a third-party Hardware Security Module and has been able to create an appliance that offers much better FIPS-encrypted throughput as a result.

Cloud

How do I get FIPS compliance in the Azure cloud?

There are two ways to achieve FIPS compliance or validation when using a Citrix ADC VPX appliance on Azure. One way is to directly deploy a Citrix ADC VPX FIPS appliance on Azure and use it’s designed and built in ability to provide FIPS 140-2 Level 1 validation.

The second option is to deploy a standard Citrix ADC VPX appliance, and connect it to the Azure Key Store to achieve FIPS 140-2 Level 2 and Level 3 compliance.

Citrix ADC VPX is also supported on the Azure Government and similar options are available.

How can I tell if my Citrix ADC appliance is operating in FIPS mode?

After the appliance starts, run the following command at the CLI:

> show system fipsStatus
<!--NeedCopy-->

You must get the following output.

FipsStatus: "System is operating in FIPS mode"
Done
>
<!--NeedCopy-->
FIPS compliance and validation FAQ