Cisco Email Security Appliance C650 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 29 FIPS Management
• Web interface. HTTPS sessions to the Email Security appliance's web interface use TLS v1.1 and/or v1.2 and FIPS cipher suites. This also includes HTTPS sessions to the Spam Quarantine and other IP interfaces. You can modify the cipher suites using sslconfig when in FIPS mode.
• Certificates. FIPS mode restricts the kinds of certificates the appliance can use. Certificates must use one of the following signature algorithms: SHA-256, SHA-384, or SHA-512, with 2048-bit RSA keys. The appliance will not import certificates that do not use one of these algorithms. The appliance cannot be switched to FIPS mode if any non-compliant certificate is in use; it displays an error message instead. See for more information.
• DKIM signing and verification. RSA keys used for DKIM signing and verification must be 2048 bits in length. The appliance cannot be switched to FIPS mode if any non-compliant RSA key is in use; it displays an error message instead. When verifying a DKIM signature, the appliance returns a permanent failure if the signature does not use a FIPS-compliant key. See
• LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5 is not FIPS-compliant.
• Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to FIPS management, read the FIPS Logs at the INFO level.
• Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster level.
• SSL Ciphers. Only the following SSL ciphers are supported in FIPS mode:
– DHE-RSA-AES256-SHA
– AES128-SHA
– AES256-SHA
– DHE-RSA-AES128-SHA
– DHE-RSA-AES128-SHA256
– DHE-RSA-AES128-GCM-SHA256
– DHE-RSA-AES256-SHA256
– AES128-SHA256
– AES256-SHA256
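Because the switch to FIPS mode is refused while any non-compliant certificate or DKIM key is in use, it pays to audit those objects first. The script below is an added example, not part of this guide or of AsyncOS: it applies the two rules from the Certificates and DKIM bullets above (signature algorithm SHA-256, SHA-384 or SHA-512 with RSA; RSA modulus of 2048 bits) to DER-encoded X.509 certificates and to DKIM DNS TXT records, using a minimal DER walker so it needs no external library and runs offline. The function names (check_certificate, check_dkim_record, rsa_modulus_bits) are the example's own. The sample certificates and DKIM records are constructed synthetically inside the script (placeholder moduli, empty issuer and subject names, a dummy signature); they are just enough structure for the checks to parse, not real keys. Treating keys longer than 2048 bits as compliant is an assumption, since the guide only states the 2048-bit figure.

```python
"""Pre-flight audit for AsyncOS FIPS mode (added example, not Cisco code).
Applies two rules from the guide, certificate signature SHA-256/384/512 with
RSA and RSA moduli of 2048 bits, to DER certificates and DKIM TXT records
using a minimal DER walker, so it runs offline.  Assumption: keys longer
than 2048 bits are also accepted."""
import base64

MIN_RSA_BITS = 2048
OID_RSA = bytes.fromhex("2A864886F70D010101")            # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")
FIPS_SIG_OIDS = {OID_SHA256_RSA: "sha256WithRSAEncryption",
                 bytes.fromhex("2A864886F70D01010C"): "sha384WithRSAEncryption",
                 bytes.fromhex("2A864886F70D01010D"): "sha512WithRSAEncryption"}

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep it positive

def tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, body, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                         # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split a constructed body into [(tag, body), ...]."""
    out, p = [], 0
    while p < len(body):
        t, b, p = tlv(body, p)
        out.append((t, b))
    return out

def rsa_modulus_bits(spki_body):
    """Modulus size of an RSA SubjectPublicKeyInfo body, or None if not RSA."""
    alg, bitstr = children(spki_body)[:2]
    if children(alg[1])[0][1] != OID_RSA or bitstr[0] != 0x03:
        return None
    rsa_pub = bitstr[1][1:]                               # skip unused-bits octet
    modulus = children(children(rsa_pub)[0][1])[0][1]     # RSAPublicKey.modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_certificate(cert_der):
    """(ok, reason) for a DER X.509 certificate under the FIPS-mode rules."""
    tbs, sig_alg, _sig = children(tlv(cert_der)[1])
    sig_oid = children(sig_alg[1])[0][1]
    if sig_oid not in FIPS_SIG_OIDS:
        return False, "signature OID %s is not SHA-256/384/512 with RSA" % sig_oid.hex()
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    bits = rsa_modulus_bits(fields[5][1])   # serial, sigalg, issuer, validity, subject, SPKI
    if bits is None:
        return False, "public key is not RSA"
    if bits < MIN_RSA_BITS:
        return False, "RSA key is %d bits, need %d" % (bits, MIN_RSA_BITS)
    return True, "%s, RSA %d-bit key" % (FIPS_SIG_OIDS[sig_oid], bits)

def check_dkim_record(txt):
    """(ok, reason) for a DKIM TXT record such as 'v=DKIM1; k=rsa; p=...'."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("k", "rsa") != "rsa":                     # k= defaults to rsa
        return False, "key type %s is not RSA" % tags["k"]
    bits = rsa_modulus_bits(tlv(base64.b64decode(tags["p"]))[1])
    if bits is None:
        return False, "p= is not an RSA SubjectPublicKeyInfo"
    if bits < MIN_RSA_BITS:
        return False, "RSA key is %d bits, need %d" % (bits, MIN_RSA_BITS)
    return True, "RSA %d-bit key" % bits

# Constructed sample inputs: synthetic structures with placeholder moduli,
# empty names and a dummy signature, enough for the checks above to parse.
def make_spki(modulus, exponent=65537):
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))

def make_cert(spki, sig_oid):
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 257))

MOD_2048, MOD_1024 = (1 << 2047) | 1, (1 << 1023) | 1
OID_SHA1_RSA = bytes.fromhex("2A864886F70D010105")
SAMPLE_CERTS = {"sha256-rsa2048": make_cert(make_spki(MOD_2048), OID_SHA256_RSA),
                "sha1-rsa2048": make_cert(make_spki(MOD_2048), OID_SHA1_RSA),
                "sha256-rsa1024": make_cert(make_spki(MOD_1024), OID_SHA256_RSA)}
SAMPLE_DKIM = {"sel1._domainkey": "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(MOD_2048)).decode(),
               "sel2._domainkey": "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(MOD_1024)).decode()}
```

In practice you would feed check_certificate the DER bytes of each certificate exported from the appliance (PEM can be base64-decoded between the BEGIN/END lines) and check_dkim_record the TXT records of every selector the appliance signs with or expects to verify; any record that comes back False will either block the switch to FIPS mode or, for remote senders' keys, yield a permanent DKIM verification failure once FIPS mode is on.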
Switching the Appliance to FIPS Mode
Use the fipsconfig command in the CLI to switch the appliance over to FIPS mode.

Note Only administrators can use this command. A reboot is required after switching the appliance from non-FIPS mode to FIPS mode.