
Can anyone advise if it is possible to achieve FIPS level 1 compliance (or above) when using the LTM VE product?


We have had a request come in from a client that they would like us to become FIPS compliant; however, our long-term design was to move to F5 VE (for our LTM/GTM deployments). I realise there is the HSM for the higher devices (BIG-IP 6400 to 11050) to achieve FIPS L2/L3, and that it is possible to set up the supported ciphers when doing SSL decryption for a web site so that it supports only the FIPS-approved range.

I am just wondering if it is at all possible to achieve FIPS level 1 compliance on devices that do not support the HSM?


Thanks in advance

 


3 Answer(s):

Hi MW,

Can you contact your local F5 or partner SE to get info on our plans for this?

Thanks, Aaron

Thanks Aaron - I'll reach out and see if I can find out. I guess if not I could possibly explore the option of using ESX servers with hardware-based encrypted drives to hold the virtual F5s. This said, I am far from knowledgeable on FIPS, so I am only presuming this would achieve the same as the HSM.

regards
Matt

Unfortunately my reseller and a different area F5 rep have drawn a blank on any word on future plans, which does pose quite a big issue for me/my company - if anyone from F5 happens to see this post and can offer any better news, please advise!

Re-reading what the HSM does, I am presuming it does more than securely store the key, with the F5 calling it via APIs; so my initial thought that I could achieve FIPS level by running an F5 LTM VE on an ESX server that uses FIPS-certified hardware-based encrypted drives is, I presume, wrong.

I presume that my only option to run a VE in FIPS mode is (per http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html):
The Thales nShield™ HSM is a network-attached HSM (netHSM™) that is available for use with BIG-IP® systems. Because it is software-based rather than hardware-based, you can use the netHSM FIPS solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the netHSM solution with BIG-IP Virtual Edition (VE).

Unfortunately this means that in many ways I lose the benefit of going virtual, as I will need to replace the physical LTM with a physical stand-alone HSM.

Matt
