Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring the FIPS Mode

This section describes how to configure the FIPS mode. To ensure that a device meets FIPS security requirements, you must enable the FIPS mode.

Context

After the FIPS mode is enabled and the device is restarted, the device runs in a working mode that complies with FIPS 140-2. In this mode the system enforces stricter security requirements and runs self-tests on its cryptographic algorithm modules to verify that they operate correctly. The FIPS mode does not rewrite existing configuration: keys and authentication modes that were configured with algorithms that FIPS 140-2 does not approve (for example MD5) must be reconfigured manually, as described in the follow-up procedure.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run fips-mode enable

    The FIPS mode is enabled.

    NOTE:

    The FIPS mode takes effect only after the device is restarted.

  3. Run commit

    The configuration is committed.

Follow-up Procedure

After the FIPS mode is enabled, perform the following operations on security-related services to meet security requirements in FIPS mode:

  • NTP: After switching to the FIPS mode, you are advised to run the ntp authentication-keyid command to set an NTP authentication key. Using the HMAC-SHA256 authentication algorithm is recommended.
  • Unicast VRRP: If no authentication key is configured for unicast VRRP before FIPS mode switching, authentication key reconfiguration is not required after the switching. However, if an authentication key is configured for unicast VRRP, run the vrrp vrid authentication-mode command to reconfigure the authentication key after switching to the FIPS mode. You are advised to use the simple authentication algorithm.
  • MSDP: After switching to the FIPS mode, you are advised to run the peer keychain (MSDP) command to configure keychain authentication for the TCP connections and MSDP messages between MSDP peers. Select a secure algorithm in the keychain. You are not advised to run the peer password (MSDP) command to configure MD5 authentication.
  • Keychain: After switching to the FIPS mode, you are advised to use the HMAC-SHA256 authentication algorithm, not the MD5 authentication algorithm, when running the algorithm command to configure a key-ID authentication algorithm.
  • IPsec: After switching to the FIPS mode, run both the sa authentication-hex and sa encryption-hex commands or only the sa string-key command to reconfigure an authentication key. The MD5 authentication algorithm is not recommended when you run the ah authentication-algorithm and esp authentication-algorithm commands.
  • DLDP: After switching to the FIPS mode, run the dldp authentication-mode command to reconfigure the authentication mode. The MD5 authentication algorithm is not recommended.
  • User login: If the set authentication password command was not run before FIPS mode switching, no action is required after the switching. If the command was run before the switching, run it again after the switching so that the password is stored in a form that meets FIPS requirements.
  • SSH: After switching to the FIPS mode, run the ssh server dh-exchange min-len command on the SSH server to configure the minimum key length for the diffie-hellman-group-exchange key exchange between the SSH server and client. It is recommended that the minimum key length be greater than 1024 bits.
  • OSPF: After switching to the FIPS mode, run the ospf authentication-mode or authentication-mode (OSPF area) command to reconfigure an authentication key. You are advised to use the HMAC-SHA256 or simple authentication algorithm, not the MD5 or HMAC-MD5 authentication algorithm.
  • OSPFv3: After switching to the FIPS mode, run the ospfv3 authentication-mode or authentication-mode (OSPFv3) command to reconfigure an authentication key. You are advised to use the HMAC-SHA256 authentication algorithm.
  • IS-IS: After switching to the FIPS mode, run the isis authentication-mode, area-authentication-mode, or domain-authentication-mode command to reconfigure an authentication key. You are advised to use the HMAC-SHA256, keychain, or simple authentication algorithm, not the MD5 authentication algorithm.
  • TRILL: After switching to the FIPS mode, run the trill authentication-mode command to reconfigure an authentication key. Alternatively, run the area-authentication-mode (TRILL) command to reconfigure an authentication key. You are advised to use the HMAC-SHA256, keychain, or simple authentication algorithm, not the MD5 authentication algorithm.
  • RIP: After switching to the FIPS mode, run the rip authentication-mode command to reconfigure an authentication key. You are advised to use the HMAC-SHA256 or simple authentication algorithm, not the MD5 authentication algorithm.
  • AAA: Local user passwords configured before the switching do not meet FIPS requirements. Reconfigure the password of each local user after switching to the FIPS mode.
  • BGP: After switching to the FIPS mode, you are advised to run the peer keychain (BGP) command to configure keychain authentication for the TCP connections and BGP messages between BGP peers. Select a secure algorithm in the keychain. You are not advised to run the peer password command to configure MD5 authentication.
  • BMP: After switching to the FIPS mode, you are advised to use keychain authentication, not MD5 authentication, when running the tcp (BMP) command to configure the TCP connection between the device and the BMP monitoring server.
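The follow-up list above is, in effect, a checklist of settings that remain in the configuration after fips-mode enable and still use algorithms that FIPS 140-2 does not approve. The following script is an added example (not part of this guide and not a Huawei tool) that encodes that checklist as an offline audit of a saved configuration: it flags MD5 and HMAC-MD5 authentication modes, MD5 keychain algorithms, peer password (MD5 TCP authentication) instead of peer keychain, MD5 IPsec integrity algorithms, an SSH Diffie-Hellman minimum length that is not greater than 1024 bits, and a configuration in which fips-mode enable or ssh server dh-exchange min-len is absent. The two embedded configurations are constructed for the example; the command names are the ones this page lists, but their argument forms and the `<ciphertext>` placeholders are assumptions, so adapt the patterns to the exact syntax of your software version.

```python
"""Audit a CloudEngine-style configuration for settings that the FIPS
follow-up checklist says to replace after `fips-mode enable`.

Added example, not Huawei code. Command argument forms in the sample
configurations below are assumptions; only the command names come from
the guide.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int  # 0 means "whole configuration", not one line
    text: str
    reason: str


# One regular expression per configuration line, with the reason it is flagged.
RULES = [
    (re.compile(r"\bauthentication-mode\s+(hmac-)?md5\b"),
     "MD5/HMAC-MD5 authentication is not FIPS-approved; use hmac-sha256 or keychain"),
    (re.compile(r"^\s*algorithm\s+(hmac-)?md5\b"),
     "keychain key-id uses MD5; use hmac-sha256"),
    (re.compile(r"\bpeer\s+\S+\s+password\b"),
     "peer password configures MD5 TCP authentication; use peer keychain"),
    (re.compile(r"\b(ah|esp)\s+authentication-algorithm\s+md5\b"),
     "IPsec MD5 integrity algorithm is not FIPS-approved; use a SHA-2 algorithm"),
]
DH_RULE = re.compile(r"^\s*ssh\s+server\s+dh-exchange\s+min-len\s+(\d+)\b")
FIPS_RULE = re.compile(r"^\s*fips-mode\s+enable\b")


def audit(config: str) -> list[Finding]:
    """Return every line (or missing setting) that violates the checklist."""
    findings: list[Finding] = []
    fips_enabled = False
    dh_min_len: int | None = None
    for no, line in enumerate(config.splitlines(), start=1):
        if FIPS_RULE.match(line):
            fips_enabled = True
            continue
        dh = DH_RULE.match(line)
        if dh:
            dh_min_len = int(dh.group(1))
            if dh_min_len <= 1024:  # guide: minimum length must exceed 1024 bits
                findings.append(Finding(no, line.strip(),
                                        "DH group-exchange minimum length must be greater than 1024 bits"))
            continue
        for rule, reason in RULES:
            if rule.search(line):
                findings.append(Finding(no, line.strip(), reason))
                break  # one finding per line is enough
    if not fips_enabled:
        findings.insert(0, Finding(0, "", "fips-mode enable is absent: the device is not in FIPS mode"))
    elif dh_min_len is None:
        findings.append(Finding(0, "", "ssh server dh-exchange min-len is not configured"))
    return findings


# Constructed sample: configuration as it might look right after the restart,
# before the follow-up procedure has been carried out.
BEFORE_CONFIG = """\
fips-mode enable
#
keychain kc-bgp mode absolute
 key-id 1
  algorithm md5
  key-string cipher <ciphertext>
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher <ciphertext>
#
bgp 65000
 peer 10.0.0.2 as-number 65001
 peer 10.0.0.2 password cipher <ciphertext>
#
ssh server dh-exchange min-len 1024
#
"""

# Constructed sample: the same configuration after the follow-up procedure.
AFTER_CONFIG = BEFORE_CONFIG.replace("algorithm md5", "algorithm hmac-sha256") \
    .replace("authentication-mode md5", "authentication-mode hmac-sha256") \
    .replace("peer 10.0.0.2 password cipher <ciphertext>", "peer 10.0.0.2 keychain kc-bgp") \
    .replace("min-len 1024", "min-len 2048")


def report(config: str) -> str:
    """Render findings as text, one per line; empty string means compliant."""
    return "\n".join(f"line {f.line_no}: {f.reason} [{f.text}]" if f.line_no
                     else f"config: {f.reason}" for f in audit(config))


if __name__ == "__main__":
    print("before follow-up procedure:\n" + report(BEFORE_CONFIG))
    print("\nafter follow-up procedure:\n" + (report(AFTER_CONFIG) or "no findings"))
```

Run the script against a configuration exported with the display current-configuration command; the rules are deliberately line-local so they also work on partial exports. Because the audit is purely textual, it cannot tell whether a password or key was re-entered after the switch (the user login and AAA items above); treat those as manual follow-ups even when the script reports no findings.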
Updated: 2019-04-20

Document ID: EDOC1100074765