
FIPS (Federal Information Processing Standard) 140-2 is a computer security standard that defines the requirements for validating cryptographic modules. Validation gives assurance that the product satisfies a set of internationally recognized security requirements.

This document provides additional guidance on the secure installation of the Target of Evaluation (TOE) for FIPS. The TOE comprises the following Infoblox network appliances, which deliver IP network services and support management, Grid and HA configuration:

  • Virtual appliances (certificate number 3330),
  • Trinzic physical appliances: TE-825, TE-1425, TE-2225, TE-4015,
  • TE-4025 DDI appliances (certificate number 3332).

Note that the module must run NIOS version 8.2.6 with Hotfix-NIOS_8.2.6-371069_J67303_FIPS_2-6f0806b9bc9cbdbc9837391bb5a86a26-Tue-Aug-21-22-24-14-2018. For more information about the FIPS mode, refer to the following:

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3330

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3332


The Trinzic appliances can be made compliant with the Common Criteria and FIPS 140-2 security standards. They contain a FIPS and Common Criteria certified cryptographic module that is used in FIPS mode, in Common Criteria mode, or in both. To comply with FIPS 140-2 requirements, you must properly affix the security label to the appliance. For more information, refer to the respective Installation Guide. To enable Common Criteria mode, execute the commands described in Enabling/Disabling Common Criteria Mode. When you enable Common Criteria mode, only that mode is enabled on the appliance.

Infoblox recommends that you enable FIPS mode whether you require FIPS certification alone or both Common Criteria and FIPS certification, because FIPS mode covers the FIPS-specific functionality (the additional required power-on self-tests, POST) as well as the Common Criteria certified cryptographic module and audit records. FIPS mode includes all features of Common Criteria mode, and setting FIPS mode implicitly sets Common Criteria mode: when you enable FIPS mode on your appliance, both FIPS and Common Criteria mode are enabled. This appendix is a supplement to Appendix C, all of whose information also applies to FIPS. For more information, see Guidance Documentation Supplement for Common Criteria. To enable or disable FIPS, see Enabling/Disabling FIPS.

To ensure that your appliance is FIPS compliant, make sure that your hardware and software settings match the evaluated configuration that was certified for FIPS. This document provides clarifications and changes to the Infoblox Administrator Guide and Infoblox CLI Guide, and should be used as the guiding document for installation of the TOE in the FIPS evaluated configuration.

This appendix contains the following sections:

Secure Initialization

Follow the instructions below to initialize the module into the FIPS-approved mode of operation. Failure to follow these instructions may result in a non-compliant system:

  • The module must be running NIOS version 8.2.6 with Hotfix-NIOS_8.2.6-371069_J67303_FIPS_2-6f0806b9bc9cbdbc9837391bb5a86a26-Tue-Aug-21-22-24-14-2018.
  • Apply tamper-evident labels to the appliance as described in the respective installation guide.
  • Enable FIPS mode using the set fips_mode command. For more information, see Enabling/Disabling FIPS.
  • The Minimum Password Length must be at least 6 characters. For more information, see Setting Password Restrictions for Local Admins.
  • Keys and CSPs (Critical Security Parameters) generated in FIPS mode cannot be used in non-FIPS mode, and vice versa.
  • Infoblox does not support certain services while operating in the FIPS-approved mode; see Non-Approved Services below.

Non-Approved Services

Enabling any of the listed services may result in a non-compliant system.

Name                           Description
Support Access                 Support Access SSH service
BloxTools                      Pre-installed environment to host custom web-based applications
RADIUS authentication          Remote user authentication using the RADIUS protocol
TACACS+ authentication         Remote user authentication using the TACACS+ protocol
Cisco ISE Integration          Managing Cisco ISE Integration
Microsoft Server Integration   Managing Microsoft DNS/DHCP servers using BIND
SNMPv1/v2                      Simple Network Management Protocol versions 1 and 2. This applies to both the Network Insight discovery services and the NIOS SNMP service.