Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
24-2
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 24 FIPS Management
Configuration Changes in FIPS Mode
To be FIPS Level 1 compliant, the Email Security appliance makes the following changes to your
configuration:
configuration:
•
SMTP receiving and delivery. Incoming and outgoing SMTP conversations over TLS between a
public listener on the Email Security appliance and a remote host use TLS version 1 and FIPS cipher
suites. You can modify the cipher suites using
public listener on the Email Security appliance and a remote host use TLS version 1 and FIPS cipher
suites. You can modify the cipher suites using
sslconfig
when in FIPS mode. TLS v1 is the only
version of TLS supported in FIPS mode.
•
Web interface. HTTPS sessions to the Email Security appliance’s web interface use TLS version 1
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You can modify the cipher suites using
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You can modify the cipher suites using
sslconfig
when in FIPS mode.
•
Certificates. FIPS mode restricts the kinds of certificates used by the appliances. Certificates must
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512 and RSA keys of the size 2048 bits. The appliance will not import certificates that do not
use one of these algorithms. The appliance cannot be switched to FIPS mode if it has any
non-compliant certificates in use. It will displays an error message instead. See
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512 and RSA keys of the size 2048 bits. The appliance will not import certificates that do not
use one of these algorithms. The appliance cannot be switched to FIPS mode if it has any
non-compliant certificates in use. It will displays an error message instead. See
for more information.
•
DKIM signing and verification. RSA keys used for DKIM signatures and verification must be 2048
bits in length. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys
in use. It will displays an error message instead. When verifying a DKIM signature, the appliance
returns a permanent failure if the signature does not use a FIPS-compliant key. See
bits in length. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys
in use. It will displays an error message instead. When verifying a DKIM signature, the appliance
returns a permanent failure if the signature does not use a FIPS-compliant key. See
•
LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
•
Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to
FIPS management, read the FIPS Logs at the INFO level.
FIPS management, read the FIPS Logs at the INFO level.
•
Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster
level.
level.
•
SSL Ciphers. Only the following SSL ciphers are supported in FIPS mode:
AES256-SHA:AES128-SHA:DES-CBC3-SHA.
AES256-SHA:AES128-SHA:DES-CBC3-SHA.
Ciphers and Algorithms Used in FIPS Mode
OpenSSH
Public Key Authentication Algorithms
ssh-rsa,
ssh_dss
Cipher Algorithms
aes256-cbc,
aes192-cbc,
aes128-cbc,
3des-cbc
Minimum Server Key Size
2048