Secure Mobile Access 12.4 Administration Guide

Requirements for FIPS

These items are required to properly configure FIPS for full compliance:

  • An SMA 7200, 7210, 6200, 6210, or 8200v appliance. No other appliances are FIPS-certified.

    If you have purchased an SMA 7200, 7210, 6200, 6210, or 8200v appliance with FIPS 140-2 Level 2 certification, the tamper-evident sticker affixed to it must remain in place.

  • A license to run FIPS

  • A secure connection to your authentication server

  • A strong administrator password, which should be at least 14 characters long and contain punctuation characters, numbers, and a combination of uppercase and lowercase letters. In addition, you must specify an authentication server when you set up a realm; null auth is not allowed.

  • When in FIPS mode, the Grub shell MUST be disabled in order to prevent a user from gaining unauthorized access to the shell.

    Modification of any Grub configuration files IS NOT allowed. Modification makes the device non-FIPS-compliant and causes the device to become inoperable.
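The administrator password requirement above (at least 14 characters, with punctuation, numbers, and both uppercase and lowercase letters) can be checked before the password is set. The following is an added example, not code from the SonicWall guide or the appliance; it assumes that "punctuation characters" means the ASCII punctuation set, which the guide does not define, and the function names are this example's own.

```python
import string

# Requirements as stated in the guide: at least 14 characters, containing
# punctuation, numbers, and a combination of uppercase and lowercase letters.
MIN_LENGTH = 14
# Assumption: the guide does not define "punctuation characters"; this example
# treats the ASCII punctuation set as qualifying.
PUNCTUATION = set(string.punctuation)


def password_violations(password: str) -> list[str]:
    """Return the list of stated requirements the password fails (empty list = acceptable)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in PUNCTUATION for c in password):
        violations.append("no punctuation character")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    return violations


def is_acceptable(password: str) -> bool:
    """True when the candidate meets every stated requirement."""
    return not password_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates for illustration, not real credentials.
    for candidate in ["Tr0ub4dor&3", "correct-horse-battery-staple", "Wz#9qL!m2Rv$7pX"]:
        problems = password_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

Reporting every unmet requirement at once, rather than stopping at the first, lets the administrator fix the candidate in one pass; the check covers only what the guide lists and does not substitute for the appliance's own validation.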

These states prevent FIPS from being activated, or from reaching full compliance:

  • Unsecured connections with authentication servers

  • Use of RADIUS authentication servers

  • Use of LDAP authentication servers without using SSL connections employing only FIPS-approved ciphers

  • Use of Active Directory single domain authentication servers without using SSL connections employing only FIPS-approved ciphers

  • Use of RSA Authentication Manager authentication servers without strong passwords as shared secrets

  • Use of USB devices for any purpose

  • Loading or unloading of any kernel modules via the shell command line

  • Installation of third party software via the shell command line

  • Firmware upgrades via the shell command line

  • Use of Debug 1, Debug 2, Debug 3 or plaintext logging

  • Use of certificates with private/public key-pairs generated by a non-FIPS-compliant system

  • Use of the zeroization procedure without the primary administrator being physically present until the procedure completes; see Zeroization

FIPS mode is not automatically enabled after you import your license. You must set it up as described in Enabling FIPS.
