Forum Discussion

MW1's avatar
MW1
Icon for Cirrus rankCirrus
Dec 06, 2012

F5 LTM VE - FIPS level 1

Can anyone advise if it is possible to achieve FIPS level 1 compliancy (or above) when using the LTM VE product ?

 

 

We have had a request come in from a client that they would like us to become FIPS compliant however our long term design we were moving to us F5 VE (for our LTM/GTM deployments). I realise there is the HSM for the higher devices BIG-IP 6400 to 11050 to achieve FIPS l2/l3, and that it is possible to set up the supported ciphers when doing SSL decryption for a web site so that it just supports the FIPS approved range.

 

I am just wondering if it is at all possible to achieve level 1 FIPS compliancy on devices that do not support the HSM?

 

 

thanks in avance

 

 

security

7 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Dec 06, 2012
    Hi MW,

     

     

    Can you contact your local F5 or partner SE to get info on our plans for this?

     

     

    Thanks, Aaron
  • MW1's avatar
    MW1
    Icon for Cirrus rankCirrus
    Dec 07, 2012
    Thanks Aaron - I'll reach out and see if I can find out. I guess if not I could possibly explore the option of using ESX servers with hardware based encrypted drives to hold the virtual F5's. This said I am far from knowledgeable on FIPS so only presuming this would achieve the same as the HSM.

     

     

    regards

     

    Matt
  • MW1's avatar
    MW1
    Icon for Cirrus rankCirrus
    Dec 11, 2012
    Unfortunately my reseller and a different area F5 rep has drawn a blank on any word on future plans which does pose quite a big issue for me/my company - if anyone for F5 happens to see this post and can offer any better news please advise!

     

     

    Re-reading what the HSM does I am presuming it does more than securely store the key but the F5 calls via api's my initial thought that I could achieve FIPS level by running a F5 LTM VE on a ESX server that is using FIPS certified hardware based encrypted drives I presume is wrong.

     

     

    I presume that my only option to run a VE in FIPS mode is (per http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html)

     

    The Thales nShield™ HSM is a network-attached HSM (netHSM™) that is available for use with BIG-IP® systems. Because it is software-based rather than hardware-based, you can use the netHSM FIPS solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the netHSM solution with BIG-IP Virtual Edition (VE).

     

     

    Unfortunately this means in many ways I lose the benefit of going to a virtual as I will need to replace the physical LTM with a physical stand alone HSM.

     

     

    Matt
    • Eduardo_N__1674's avatar
      Eduardo_N__1674
      Icon for Nimbostratus rankNimbostratus
      Sep 28, 2014
      This is not true, the Thales HSM is networked and can be configured to work on VE LTMs. It can actually be clustered for HA and be shared among passive and active nodes alike.
    • MW1's avatar
      MW1
      Icon for Cirrus rankCirrus
      Sep 28, 2014
      Eduardo - I am not following your comment. I stated I could use the Thales with the VE, however I lose the benefit of the load balancing being all virtual (e.g. migration of the setup to a different geographical location solely by copying the VE over the network to a different site etc. Can you clarify your comment, or did you mis-understand something I stated originally?
    • Andras_Kis-Szab's avatar
      Andras_Kis-Szab
      Icon for Nimbostratus rankNimbostratus
      Nov 24, 2014
      Dear Eduardo, In case of VE LTM cluster with nCipher Connect clusters: where should I put the RFS and how should I sync them with the HSMs, please? Thank you in advance, Best regards, Andras