Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide

Chapter 5: FIPS Management
FIPS Management Overview
Some organizations require stricter standards for protecting sensitive but unclassified data. The Federal Information Processing Standards (FIPS) 140 is a publicly announced standard developed jointly by the United States and Canadian federal governments specifying requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information. The Cisco IronPort S670 Web Security appliance is offered with a Hardware Security Module (HSM) card that is FIPS 140-2 level 2 certified. The HSM card is a type of secure cryptoprocessor targeted at managing digital keys for server applications.

When the Cisco IronPort S670 Web Security appliance includes the HSM card, it offloads cryptographic operations to the HSM card in a FIPS compliant manner. The HSM card is responsible for the storage and protection of the cryptographic keys.

FIPS compliance is achieved by use of the CAVIUM Nitrox XL NFBE (HSM), FIPS certificate #1360.
Understanding How FIPS Management Works
FIPS-compliant versions of AsyncOS for Web only run on hardware models that include an HSM card. The HSM card works by performing all cryptographic operations and storing and protecting all cryptographic keys. The HSM card only stores keys, not the corresponding certificates. Certificates are stored on the Web Security appliance hard drive.
The HSM card stores keys for the following components:
  • SSH. This applies to SSH sessions to the Web Security appliance management interface for administering the appliance using the CLI. The certificate and key pair are automatically generated when you initialize the HSM card.