Cisco Cisco Email Security Appliance X1050
Release Notes for Cisco AsyncOS 8.0.1 for Email
What’s New
FIPS 140-2 Level 1 Compliance
The Cisco Email Security appliance uses the CiscoSSL Cryptographic Toolkit, a GGSG-approved cryptography suite, to comply with the FIPS 140-2 Level 1 standard. CiscoSSL contains an enhanced version of OpenSSL as well as the FIPS-compliant Cisco Common Cryptography Module.
Administrators can turn FIPS mode on or off using the fipsconfig CLI command.
In addition to using CiscoSSL, AsyncOS 8.0 for Email has the following enhancements that apply when the appliance is in FIPS mode:
• AsyncOS restricts the types of certificates and keys used by the appliance in FIPS mode.
• AsyncOS has dropped support for version 1 of the SSH protocol for incoming and outgoing connections, including pushing logs by SCP.
• RSA keys for DKIM signing can only be 1024, 1536, and 2048 bits. DKIM verification will return permfail for certificates that aren’t FIPS-compliant.
• Serial port sessions to the Email Security appliance time out 30 minutes after the connection to the port is terminated.
• Communication between the appliance and other servers will be FIPS compliant, including LDAPS, remote mail hosts, Cisco servers, and the web interface.
• Features that do not need to use CiscoSSL for communication or do not send customer data do not need to be FIPS-compliant. These features include: other clustered appliances, RSA Enterprise Manager (DLP), Cisco update servers, and encryption.
Note
As part of FIPS compliance, AsyncOS for Email no longer supports SSH version 1.
Warning
If you have upgraded from AsyncOS 7.3, the appliance will no longer be running in FIPS mode. You will need to import or generate new certificates and keys after the upgrade.
You can use FIPS on both the physical and virtual appliances.
My Favorites list
Add the pages you use most to a quick-access menu of your favorite pages.
date command
You can now view the appliance’s current date, time, and time zone by using the date command on the CLI.
Rollback to a previously committed configuration
You can now roll back to one of the 10 previously committed configurations by using the rollbackconfig command on the CLI.
Enhancements
Download Upgrades in the Background
You can now download upgrades in the background and install them later, allowing you to minimize interruption of service.
Feature
Description