The Force of FIPS

Jay Kelley
Published June 07, 2016

If you work for any number of governments around the world, or if you’re in healthcare, financial services, legal services, or any other business dealing with the collection and transmission of sensitive but unclassified (SBU) data, you’re likely already familiar with the Federal Information Processing Standards (FIPS).

If not, here’s a quick primer:

FIPS is a U.S. government standard for various forms of security. It’s administered by agencies within the U.S. and Canadian governments, specifically the National Institute of Standards and Technology (NIST) and Communications Security Establishment (CSE) in Canada.

There are many different FIPS requirements that deal with different elements of security. For example, there is FIPS 197, which is the Advanced Encryption Standard (AES); or FIPS 201, the Personal Identity Verification (PIV) of federal employees and contractors – the basis for the PIV cards used for identity in many government agencies.

One of the FIPS requirements that is most applicable to us in the network and cloud security world is FIPS 140-2, which applies to cryptographic module security accreditation: the validation and certification of the security for the combination of hardware, software, and firmware executing cryptographic functions. Many U.S. federal and Canadian government agencies – in addition to security-conscious enterprises – require that their network and security equipment adhere to and be compliant with FIPS 140-2.

Within FIPS 140-2, there are four additional security levels, ranging from Level 1, which requires approved ciphers, defined security boundaries within the system, and validation of initialization of crypto components, to Level 4, which, in addition to including the requirements of the other three levels, adds atmospheric and other physical protections to a security-hardened physical enclosure where the keys are zeroized if a physical attack is detected.

The most commonly applied standards are FIPS 140-2 Level 2, which requires tamper-evident means to indicate physical access to cryptographic keys or a security parameter; and, FIPS 140-2 Level 3, which adds tamper-resistance, an additional means of detection to the tamper-evident methods of Level 2, as well as a response to physical access attempts, or to cryptographic module use or tampering. Basically these levels of FIPS security help networking guys know if some bad actor has had (or tried to gain) access to your crypto keys.

To government agencies and security-conscious businesses such as FSIs, legal and healthcare, the importance of FIPS is its cryptographic key and security parameter protection, and its inherent threat defense. FIPS compliance ensures that federal agencies and secure businesses maintain compliance with government and industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), Health Information Portability and Accountability Act (HIPAA), International Traffic in Arms Regulations (ITAR), and more. It delivers multi-layered, physical and logical security, and protects data against theft and attacks at layer 3 and layer 4 (including network and DNS attacks), and layer 7 (SSL and HTTP attacks).

Enter F5’s BIG-IP 10350v-F platform, a FIPS 140-2 Level 3 supported implementation of the latest generation hardware security module (HSM), F5’s first supported FIPS 140-2 Level 3 platform. The BIG-IP 10350v-F platform protects key storage, utilizing a tamper-evident HSM and other physical security. Through its HSM, the BIG-IP 10350v-F provides government agencies, financial services institutions, and other security conscious businesses secure scale while meeting today’s ever-increasing SSL performance numbers. It offers leading SSL bulk crypto performance, and a superior price to performance ratio. The 10350v-F simplifies certificate management and reduces compliance costs.

But why is an HSM so important, you may ask? Can’t you just use software crypto libraries? Each deployment must evaluate the material being protected. And, whereas FIPS 140-2 Level 1 and Level 2 deliver a degree of confidence that the encryption being used has attained a measure of assurance and implementation review, many government entities and other sensitive programs that handle personally identifiable information (PII) and protected health information (PHI) require higher levels of protection, which can only be met with a FIPS 140-2 Level 3 HSM. Plus, HSMs secure cryptographic operations and protect critical cryptographic keys, segregating administrative and security domains, and enforcing policies over key usage.

The F5 BIG-IP 10350v-F platform provides unparalleled scalability, with enhanced security and key protection, delivering superior cost efficiency. Among the use cases this platform addresses are SSL offloading, visibility and acceleration; as well as forward proxy, either via airgap functionality or in conjunction with F5’s Secure Web Gateway (SWG) Services.

Any government agency and enterprise that deals with the collection, storage, and distribution of sensitive, unclassified data should be interested in FIPS 140-2 compliant network and security products. And, any agency and business that wants to assure the security of their sensitive data should be concerned with ensuring their crypto keys remain secure; those organizations need FIPS 140-2 Level 3.

That’s why all those agencies and businesses require the F5 BIG-IP 10350v-F platform, which delivers the lowest cost per FIPS TPS of any Application Delivery Controller (ADC) with an HSM.