FIPS Compliance in Avi Vantage

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard developed by the National Institute of Standards and Technology (NIST) that defines the security standards for cryptographic modules. The FIPS 140-2 standard specifies and validates the cryptographic and operational requirements for the modules within security systems that protect sensitive information. These modules employ NIST-Approved security functions such as cryptographic algorithms, key sizes, key management and authentication techniques.

For a list of FIPS 140-2 Compliant Algorithms, refer to:

There are four security levels in the FIPS 140-2 standard, and each level places different requirements on the design and implementation of a module’s cryptography. Brief details of the respective security levels are as follows:

  • Level 1 defines the standards for basic security in a cryptographic module and requires the use of FIPS-approved cipher suites.

  • Level 2 defines the standards for tamper-evident physical security and role-based authentication of cryptographic modules. Tamper-evident physical security includes measures such as tamper-evident coatings, seals, or pick-resistant locks.

  • Level 3 defines the standards for tamper-resistant physical security and identity-based authentication. Hardware devices should contain internal HSMs with tamper-resistant protection, such as a sealed epoxy cover; if the cover is removed, the device must become unusable and its keys inaccessible.

  • Level 4 requires tamper-detection circuitry able to detect any penetration of the device; if penetration is detected, the device must be able to erase its contents.

VMware has obtained FIPS 140-2 validation of VMware’s OpenSSL FIPS Object Module v2.0.20-vmw, which is used in Avi components.
VMware’s OpenSSL FIPS Object Module v2.0.20-vmw is a general-purpose cryptographic module that provides FIPS-approved cryptographic functions and services to various VMware products and components.
The module has been validated at FIPS 140-2 Security Level 1 and awarded Certificate #3550 by the CMVP.

Note: Security Levels 2–4 concern physical security, such as tamper-evident physical security (tamper-evident coatings, seals, or pick-resistant locks) and tamper-resistant protection (a sealed epoxy cover, etc.). These security levels therefore do not apply to software solutions, even though hardware is used to run the software.

For more information, refer to the FIPS documentation in VMware.

FIPS Compliance for Avi

Avi supports FIPS mode for the entire system:

  • Control plane, comprising the Avi Controller or Controller cluster

  • Data plane, comprising the Avi Service Engines

Avi Vantage uses the FIPS canister 2.0.20-vmw referred to above, which is compliant with FIPS 140-2 Level 1 cryptography.

Supported Environments

FIPS is supported when:

  • The Avi Controller cluster is deployed in a VMware vSphere environment
  • The Avi Service Engines are deployed in a VMware vSphere Environment, specifically the following cloud connectors:

    • VMware vCenter and NSX-T Cloud

    • No-Orchestrator Cloud running on VMware vSphere

FIPS is supported for a single-Controller as well as Controller cluster-based deployments.

Enabling FIPS Mode

Considerations

Consider the following while enabling FIPS mode for Avi Vantage:

  • FIPS mode can be enabled only on deployments where there are no Service Engines present.

  • FIPS mode will be enabled on the entire system, i.e. the Controller (all nodes in case of a cluster), as well as all Service Engines.

  • There is no option to selectively enable FIPS for specific components (i.e., only the Controller, only the Service Engines, or specific SE Groups).

  • Once the Avi system is in FIPS mode, you cannot disable FIPS mode for the system.

Enabling FIPS mode for a Single Controller Deployment

  1. Ensure that the Controller does not have any Service Engines deployed. It is recommended to disable all virtual services and delete any Service Engines that may be present.

  2. Upload the controller.pkg file (i.e., the upgrade package) for the same Controller base version to the Controller node. For example, if the Controller being used is on version 20.1.5, upload the 20.1.5 controller.pkg to the Controller.

    For step-by-step instructions on how to upload, refer to the Uploading Software section.

  3. Enable FIPS mode via the CLI:


[admin:avi-cntrl]: > system compliancemode fips_mode
+----------------------+----------------------------------------------------------------------------------+
| Field                | Value                                                                            |
+----------------------+----------------------------------------------------------------------------------+
| fips_mode            | True                                                                             |
| common_criteria_mode | False                                                                            |
| force                | False                                                                            |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                                                             |
+----------------------+----------------------------------------------------------------------------------+

The Controller will reboot and return online in FIPS mode.

Enabling FIPS mode for a Controller Cluster Deployment

  1. Ensure that the Controller does not have any Service Engines deployed. It is recommended to disable all virtual services and delete any Service Engines that may be present.

  2. Create the Controller cluster before enabling FIPS.

  3. Upload the controller.pkg file (i.e., the upgrade package) for the same Controller base version to the leader node. For example, if the Controller being used is on version 20.1.5, upload the 20.1.5 controller.pkg to the leader.

    For step-by-step instructions on how to upload, refer to the Uploading Software section.

  4. Enable FIPS mode via the CLI:


[admin:avi-cntrl]: > system compliancemode fips_mode
+----------------------+----------------------------------------------------------------------------------+
| Field                | Value                                                                            |
+----------------------+----------------------------------------------------------------------------------+
| fips_mode            | True                                                                             |
| common_criteria_mode | False                                                                            |
| force                | False                                                                            |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                                                             |
+----------------------+----------------------------------------------------------------------------------+

The Controller nodes will reboot and return online in FIPS mode.

Verifying FIPS Mode

Use the following commands to verify that FIPS mode has been successfully enabled:


[admin:avi-cntrl]: > show version controller
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+

[admin:admin-ctrl-write]: > show version serviceengine
No results.
[admin:avi-cntrl]: > show version serviceengine
+--------------+--------------------------------------+-------+------+
| SE Name      | Version                              | Patch | Fips |
+--------------+--------------------------------------+-------+------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+--------------+--------------------------------------+-------+------+
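The two checks a practitioner wants to automate around this procedure are the precondition from the Considerations section (no Service Engines present, which the CLI reports as "No results.") and the verification above (every Controller and Service Engine reporting Fips = True). The following is an added example, not Avi's own tooling: it parses the ASCII tables printed by show version controller and show version serviceengine. The sample outputs are constructed from the tables in this article, with one extra constructed sample in which a Service Engine is not in FIPS mode.

```python
# Added example (not Avi's own tooling): parse the ASCII tables printed by
# "show version controller" / "show version serviceengine" and check that
# every node reports Fips = True. "No results." (no Service Engines) is the
# state required before "system compliancemode fips_mode" is run.
# All sample outputs below are constructed from the tables in this article.

# Constructed sample: one Controller in FIPS mode.
CONTROLLER_OUTPUT = """\
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+
"""

# Constructed sample: two Service Engines, both in FIPS mode.
SE_OUTPUT = """\
+--------------+--------------------------------------+-------+------+
| SE Name      | Version                              | Patch | Fips |
+--------------+--------------------------------------+-------+------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+--------------+--------------------------------------+-------+------+
"""

# Constructed sample: one Service Engine NOT in FIPS mode (mixed state).
MIXED_SE_OUTPUT = """\
+--------------+--------------------------------------+-------+-------+
| SE Name      | Version                              | Patch | Fips  |
+--------------+--------------------------------------+-------+-------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True  |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | False |
+--------------+--------------------------------------+-------+-------+
"""

# What the CLI prints when no Service Engines exist.
NO_SE_OUTPUT = "No results.\n"


def parse_table(text):
    """Return one dict per data row; border lines and 'No results.' yield nothing."""
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # "+---+" borders and the "No results." message
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = cells  # first "|" line is the column header
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def fips_status(text):
    """Map node name -> True/False according to the Fips column."""
    status = {}
    for row in parse_table(text):
        name = row.get("Controller Name") or row.get("SE Name")
        status[name] = row.get("Fips") == "True"
    return status


def all_fips_enabled(*outputs):
    """True only if every node in every given output reports Fips = True.

    An output with no rows (e.g. "No results.") contributes no nodes and so
    does not fail the check; pair it with no_service_engines() if needed."""
    return all(all(fips_status(output).values()) for output in outputs)


def no_service_engines(text):
    """Precondition for enabling FIPS: the SE table must be empty."""
    return len(parse_table(text)) == 0


if __name__ == "__main__":
    print("SEs present:", not no_service_engines(SE_OUTPUT))
    print("all FIPS:", all_fips_enabled(CONTROLLER_OUTPUT, SE_OUTPUT))
    print("mixed:", fips_status(MIXED_SE_OUTPUT))
```

Feed the functions the captured output of the two show version commands; a False in the result of fips_status pinpoints the node that still needs attention, which is exactly the case the Adding a new Controller node section warns about.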

Disaster Recovery Considerations

Restoring the Configuration to a new Controller Cluster

Restoring the Avi configuration from a FIPS enabled deployment can only be performed to a Controller which has FIPS mode enabled. Ensure that the destination Controller or Controller cluster has FIPS enabled before performing a configuration import.

Adding a new Controller node to a Cluster

A Controller cluster requires all the nodes to be FIPS enabled. If a Controller node needs to be replaced with a new Controller node, ensure that the new node has FIPS enabled, before adding it to the Controller cluster.

Upgrading a Deployment with FIPS Mode Enabled

Upgrades and patch upgrades in FIPS mode follow the same process as for non-FIPS deployments. No special considerations are required for FIPS deployments.

Disabling FIPS Mode

Once enabled, disabling of FIPS compliance mode is not supported.

Features Unavailable in the FIPS-Compliant Mode

On enabling FIPS compliance in Avi Vantage, only cryptographic algorithms that are FIPS-compliant will be used. The following non-compliant features will be unavailable in order to adhere to the FIPS 140-2 standard:

  • RADIUS health monitor

    Note: RADIUS as an L4 application is supported.

  • In BGP, the setting of md5_secret for peers

  • TLS v1.3 and 0-RTT (the enable_early_data option under the SSL Profile)

  • 1024-bit RSA keys

  • Elliptic curves (EC) that are not supported by VMware’s OpenSSL FIPS Object Module

  • L7 Sideband

  • HTTP(S) Health Monitor with NTLM authentication

  • HTTP cookie persistence key rotation

  • Use of flushdb.sh for Controller recovery scenarios is not supported. It is recommended to use clean_cluster.py instead. Both of these scripts should be used only under Avi Support team supervision.

Note
The following features are available starting with NSX Advanced Load Balancer version 22.1.1:

  • Hardware Security Modules (HSM devices) such as Safenet and CloudHSM
  • Async SSL (a feature under the SE Group that is used in tandem with the HSM configuration; it is not relevant when HSM is not allowed)

However, these limitations still apply to SE groups running versions earlier than 22.1.1.
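Because FIPS mode cannot be disabled once enabled, it pays to find the settings listed above before running the compliance-mode transition rather than after. The following is an added example, not Avi's own tooling: a pre-flight audit over a configuration export that flags the features this article lists as unavailable in FIPS mode (TLS v1.3 and enable_early_data on SSL profiles, 1024-bit RSA keys, the RADIUS health monitor, HTTP(S) monitors with NTLM authentication, and md5_secret on BGP peers). The object and field names used here (SSLProfile.accepted_versions, SSLKeyAndCertificate.key_params, HealthMonitor.http_monitor.auth_type, VrfContext.bgp_profile.peers and the enum strings) are assumptions modelled on Avi's JSON configuration export and must be verified against your own export; the sample export is constructed.

```python
# Added example (not Avi's own tooling): pre-flight audit of a configuration
# export for settings this article lists as unavailable in FIPS mode.
# ASSUMPTION: object/field names and enum strings are modelled on Avi's JSON
# configuration export; verify them against your own export before relying
# on the result. The sample export at the bottom is constructed.

FIPS_MIN_RSA_BITS = 2048  # the article lists 1024-bit RSA keys as unavailable


def audit_ssl_profile(profile):
    """TLS v1.3 and 0-RTT (enable_early_data) are unavailable in FIPS mode."""
    findings = []
    name = profile.get("name", "?")
    versions = {v.get("type") for v in profile.get("accepted_versions", [])}
    if "SSL_VERSION_TLS1_3" in versions:  # assumed enum string
        findings.append(f"SSLProfile {name}: TLS v1.3 is enabled")
    if profile.get("enable_early_data"):
        findings.append(f"SSLProfile {name}: 0-RTT (enable_early_data) is enabled")
    return findings


def audit_certificate(cert):
    """RSA keys shorter than 2048 bits are unavailable in FIPS mode."""
    name = cert.get("name", "?")
    # Assumed encoding: key_params.rsa_params.key_size == "SSL_KEY_1024_BITS"
    size = cert.get("key_params", {}).get("rsa_params", {}).get("key_size", "")
    digits = "".join(ch for ch in size if ch.isdigit())
    if digits and int(digits) < FIPS_MIN_RSA_BITS:
        return [f"SSLKeyAndCertificate {name}: {digits}-bit RSA key"]
    return []


def audit_health_monitor(monitor):
    """RADIUS monitors and HTTP(S) monitors using NTLM are unavailable."""
    findings = []
    name = monitor.get("name", "?")
    if monitor.get("type") == "HEALTH_MONITOR_RADIUS":  # assumed enum string
        findings.append(f"HealthMonitor {name}: RADIUS health monitor")
    for key in ("http_monitor", "https_monitor"):
        # Assumed encoding: auth_type == "AUTH_NTLM" selects NTLM authentication
        if monitor.get(key, {}).get("auth_type") == "AUTH_NTLM":
            findings.append(f"HealthMonitor {name}: HTTP(S) monitor with NTLM authentication")
    return findings


def audit_vrf_context(vrf):
    """Setting md5_secret on BGP peers is unavailable in FIPS mode."""
    findings = []
    name = vrf.get("name", "?")
    for index, peer in enumerate(vrf.get("bgp_profile", {}).get("peers", [])):
        if peer.get("md5_secret"):
            findings.append(f"VrfContext {name}: BGP peer #{index} sets md5_secret")
    return findings


AUDITORS = {
    "SSLProfile": audit_ssl_profile,
    "SSLKeyAndCertificate": audit_certificate,
    "HealthMonitor": audit_health_monitor,
    "VrfContext": audit_vrf_context,
}


def audit_config(config):
    """Return a list of every FIPS-incompatible setting found in the export."""
    findings = []
    for object_type, auditor in AUDITORS.items():
        for obj in config.get(object_type, []):
            findings.extend(auditor(obj))
    return findings


def fips_ready(config):
    """True when the export contains none of the listed incompatible settings."""
    return not audit_config(config)


# Constructed sample export that exercises each check once.
SAMPLE_CONFIG = {
    "SSLProfile": [
        {"name": "legacy-tls", "enable_early_data": True,
         "accepted_versions": [{"type": "SSL_VERSION_TLS1_2"},
                               {"type": "SSL_VERSION_TLS1_3"}]},
        {"name": "tls12-only",
         "accepted_versions": [{"type": "SSL_VERSION_TLS1_2"}]},
    ],
    "SSLKeyAndCertificate": [
        {"name": "old-cert", "key_params": {"rsa_params": {"key_size": "SSL_KEY_1024_BITS"}}},
        {"name": "app-cert", "key_params": {"rsa_params": {"key_size": "SSL_KEY_2048_BITS"}}},
    ],
    "HealthMonitor": [
        {"name": "radius-hm", "type": "HEALTH_MONITOR_RADIUS"},
        {"name": "intranet-hm", "type": "HEALTH_MONITOR_HTTP",
         "http_monitor": {"auth_type": "AUTH_NTLM"}},
    ],
    "VrfContext": [
        {"name": "global", "bgp_profile": {"peers": [{"md5_secret": "placeholder"}, {}]}},
    ],
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FIPS blocker:", finding)
```

Run the audit against a configuration export taken with the same Controller version you intend to put into FIPS mode; each finding names the object to change or remove before step 3 of the enabling procedure. Features the article lists that have no single configuration field to match (L7 Sideband, cookie persistence key rotation, unsupported EC curves) still need a manual review.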

Document Revision History

Date            Change Summary
July 15, 2022   Updated the article for features supported in version 22.1.1
April 16, 2021  Published the feature KB for FIPS Compliance (Version 20.1.5)