The RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273808 | RCKS-NDM-000500 | SV-273808r1111022_rule | CCI-000803 | high |

Description

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000156-NDM-000250, SRG-APP-000172-NDM-000259, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331, SRG-APP-000880-NDM-000290

| STIG | Date |
|---|---|
| RUCKUS ICX NDM Security Technical Implementation Guide | 2025-05-28 |
Details
Check Text (C-273808r1111022_chk)
Verify the FIPS module has been enabled.
Router#fips show
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server: Disabled
Telnet client: Disabled
TFTP client: Disabled
SNMP Access to security objects: Disabled
Critical security Parameter updates across FIPS boundary:
Protocol Shared secret and host passwords: Clear
Password Display: Disabled
Certificate Specific:
HTTPS RSA Host Keys and Signature: Clear
SSH DSA Host keys: Clear
SSH RSA Host keys: Clear
CC Enable AAA Server Any: Retain
If the fips show command does not output "FIPS mode: Administrative status ON: Operational status ON", this is a finding.
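The check above can be automated over saved `fips show` captures. The following is an added example, not part of the STIG or RUCKUS tooling; the device names and the non-compliant captures are constructed, and matching is made tolerant of case and spacing as an assumption about how captures may be stored.

```python
import re

# One status line of `fips show`, e.g.
# "FIPS mode: Administrative status ON: Operational status ON"
STATUS_RE = re.compile(
    r"^\s*(?P<name>FIPS mode|Common-Criteria)\s*:\s*"
    r"Administrative status\s+(?P<admin>\w+)\s*:\s*"
    r"Operational status\s+(?P<oper>\w+)\s*$",
    re.IGNORECASE,
)

def parse_fips_show(output):
    """Map each status line to (administrative, operational), upper-cased."""
    status = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m["name"].lower()] = (m["admin"].upper(), m["oper"].upper())
    return status

def is_finding(output):
    """Finding unless FIPS mode is ON administratively AND operationally."""
    return parse_fips_show(output).get("fips mode") != ("ON", "ON")

# Constructed capture modelled on the check text above.
COMPLIANT = """Router#fips show
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON
"""
# Constructed: administratively enabled but not operational.
NOT_OPERATIONAL = COMPLIANT.replace(
    "FIPS mode: Administrative status ON: Operational status ON",
    "FIPS mode: Administrative status ON: Operational status OFF",
)
# Constructed: capture with no status lines (e.g. a failed session).
NO_STATUS = "Router#fips show\n"

def audit(captures):
    """Return {device: 'finding' | 'not a finding'} for captured outputs."""
    return {dev: "finding" if is_finding(out) else "not a finding"
            for dev, out in captures.items()}

if __name__ == "__main__":
    # Hypothetical device names.
    for dev, verdict in audit({"icx-a": COMPLIANT, "icx-b": NOT_OPERATIONAL,
                               "icx-c": NO_STATUS}).items():
        print(f"{dev}: {verdict}")
```

A capture with no parsable FIPS mode line is reported as a finding rather than skipped, so a failed collection does not pass silently.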
Fix Text (F-77804r1111021_fix)
Configure the network device to use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.
Use a console session directly attached to the ICX switch to log in:
device# configure terminal
device(config)# fips enable common-criteria
device# fips zeroize all
device# write memory
device# reload