As I have been teaching (and studying!) the newer Cisco training courses, the emphasis on compliance with Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2), Security Requirements for Cryptographic Modules, has become readily apparent. Not only do the training materials and data sheets emphasize this compliance, but special product licenses exist to support FIPS-compliant connections between the Cisco remote-access VPN client and the VPN server. This blog post provides an overview of the FIPS standard and highlights its implementation on security hardware and software from Cisco Systems.
I first heard of the FIPS standard during a VPN class I taught that focused on the VPN Concentrator. Two of my students, employees of a major government contractor, were disappointed that our curriculum was based on software version 4.0, as they had to be FIPS compliant with version 3.6.7F. They also told me how time-intensive the qualification process often is.
Closer examination of the FIPS 140-2 standard reveals four levels of security requirements, each stricter than the last.
1. The lowest level, Level 1, specifies the cryptographic components without requiring any physical security. This is naturally the level at which VPN software would be placed.
2. The next level, Level 2, requires mechanisms that make physical tampering with the device detectable, such as tamper-evident coatings and seals.
3. Level 3 requires identity-based authentication mechanisms as well as an out-of-band channel for the input of what the standard designates as “critical security parameters” (a config file in a router or firewall, for example).
4. Level 4 guarantees physical security by requiring auto-erase tamper-detection mechanisms (the module erases itself when tampering is detected) as well as environmental controls, on the assumption that the device could well be deployed in a highly vulnerable environment.
Once a vendor's module, whether a combination of hardware and software or software alone, has been granted FIPS certification, it is included in the Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules document. Closer examination of this document reveals that the VPN Concentrator achieved FIPS certification in 2004 under Certificate #421 and the ASA under Certificate #1436. The ASA certificate is displayed below (with apologies for the blurriness!):
You can view the certificate for each vendor in the document by clicking on the hyperlink of the same name. If you click on the Security Policy link for the ASA, you will get the FIPS 140-2 Non-Proprietary Security Policies for the Cisco ASA 5500 Series Security Appliance document. Much like the corresponding document for the VPN Concentrator some six years ago, it provides detailed descriptions and illustrations of where the tamper-evident stickers must be placed, as well as exacting specifications of the cryptographic algorithms. To use a FIPS compliant remote access Virtual Private Network, both the client and the VPN server must hold the certification, and a special ASA license must be procured to meet this requirement.