Cisco Cisco Email Security Appliance X1070 Guía Del Usuario
27-2
Cisco AsyncOS 9.0 for Email User Guide
Chapter 27 FIPS Management
Switching the Appliance to FIPS Mode
To be FIPS Level 1 compliant, the Email Security appliance makes the following changes to your
configuration:
configuration:
•
SMTP receiving and delivery. Incoming and outgoing SMTP conversations over TLS between a
public listener on the Email Security appliance and a remote host use TLS version 1 and FIPS cipher
suites. You can modify the cipher suites using
public listener on the Email Security appliance and a remote host use TLS version 1 and FIPS cipher
suites. You can modify the cipher suites using
sslconfig
when in FIPS mode. TLS v1 is the only
version of TLS supported in FIPS mode.
•
Web interface. HTTPS sessions to the Email Security appliance’s web interface use TLS version 1
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You can modify the cipher suites using
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You can modify the cipher suites using
sslconfig
when in FIPS mode.
•
Certificates. FIPS mode restricts the kinds of certificates used by the appliances. Certificates must
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512 and RSA keys of the size 2048 bits. The appliance will not import certificates that do not
use one of these algorithms. The appliance cannot be switched to FIPS mode if it has any
non-compliant certificates in use. It will displays an error message instead. See
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512 and RSA keys of the size 2048 bits. The appliance will not import certificates that do not
use one of these algorithms. The appliance cannot be switched to FIPS mode if it has any
non-compliant certificates in use. It will displays an error message instead. See
for more information.
•
DKIM signing and verification. RSA keys used for DKIM signatures and verification must be 2048
bits in length. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys
in use. It will displays an error message instead. When verifying a DKIM signature, the appliance
returns a permanent failure if the signature does not use a FIPS-compliant key. See
bits in length. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys
in use. It will displays an error message instead. When verifying a DKIM signature, the appliance
returns a permanent failure if the signature does not use a FIPS-compliant key. See
•
LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
•
Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to
FIPS management, read the FIPS Logs at the INFO level.
FIPS management, read the FIPS Logs at the INFO level.
•
Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster
level.
level.
•
SSL Ciphers. Only the following SSL ciphers are supported in FIPS mode:
AES256-SHA:AES128-SHA:DES-CBC3-SHA.
AES256-SHA:AES128-SHA:DES-CBC3-SHA.
Switching the Appliance to FIPS Mode
Use the
fipsconfig
CLI command to switch the appliance over to FIPS mode.
Note
Only administrators can use this command. A reboot is required after switching the appliance from
non-FIPS mode to FIPS mode.
non-FIPS mode to FIPS mode.
Before You Begin
Make sure that the appliance do not have any objects that are not FIPS compliant, for example, a DKIM
verification profile with a key size of 512 bits. To enable FIPS mode, you must modify all the
non-FIPS-compliant objects to meet FIPS requirements. See
verification profile with a key size of 512 bits. To enable FIPS mode, you must modify all the
non-FIPS-compliant objects to meet FIPS requirements. See
. For instructions to check if your appliance contains non-FIPS-compliant objects, see