FIPS mode requirement and configuration for PTP 820

Summary

This document explains about the requirement and configuration required in PTP 820 for FIPS 140-2-Compliance

Cause

The objective of FIPS 140-2 is to provide a standard for secured communication devices, with an emphasis on encryption and cryptographic methods. The FIPS standards are broadcasted by the National Institute of Standards and Technology (NIST) and provide an extensive set of requirements for both hardware and software. It is the responsibility of the customer to ensure that the above FIPS requirements are met

Solution

In order to confirm that the radios are FIPS 140-2 Compliance, we must ensure that:

1. To use the FIPS hardware
2. The FIPS validated software version to be used.

PTP 820 FIPS Requirements and Configuration

Release 8.3, PTP 820G PTP 820C and PTP 820S can be configured to be FIPS 140-2-compliant in specific hardware and software configurations.

Hardware Requirements

For PTP 820 C/S/G nodes to be FIPS-compliant, the unit must be FIPS-compliant hardware.

Software Requirements

FIPS compliance requires the user to operate the PTP 820C/S/G in FIPS mode. FIPS mode must be enabled by the user. It can be enabled via the Web EMS, the CLI, or SNMPv3. Enabling FIPS mode requires a system reset.

Requirements for FIPS Compliance:

For PTP 820C or PTP 820S node to be FIPS-compliant, the unit must be FIPS-compliance hardware.

For PTP 820G node to be FIPS-compliant, the chassis must be FIPS-compliant.

For PTP 820C, PTP 820S, or PTP 820G AES-256 Payload Encryption must be configured

Note: Special labels must be affixed to a FIPS-compliant PTP 820G unit. These labels are tamper-evident and must be applied in such a way that it is not possible to open the chassis. These labels must be replaced whenever components are added to or removed from the unit. Replacement labels can be ordered from Cambium Networks. Tamper-evident labels should be inspected for integrity at least once every six months. For further details, refer to the PTP 820G Installation Guide.

Enabling FIPS Mode from GUI

To set the unit to operate in FIPS mode:

1.Select Platform > Security > General > Configuration. The Security General Configuration page opens:

FIPS -1.png624×599 25 KB

2.Click on enable under FIPS admin configuration and then apply the configuration:

FIPS-2.png594×571 24.5 KB

Note: Changing the FIPS configuration causes a unit reset.

3.Apply the same configuration on second radio as well.

Enabling  FIPS Mode from CLI

To set the unit to operate in FIPS mode, enter the following command in root view:

root> platform security fips-mode set admin enable

Note: Changing the FIPS configuration causes a unit reset.

To disable FIPS mode, enter the following command in root view:

root> platform security fips-mode set admin disable

To display the unit’s current FIPS setting, enter the following command in root view:

root> platform security fips-mode show

Status values are:

• enable – FIPS mode is enabled.
• disable – FIPS mode is disabled.

Enabling  FIPS Mode from SNMP

The below MIB OID to be used for enabling the FIPS admin configuration and to check the status:

After enabling FIPS:

• The MD5 option for SNMPv3 is blocked.
• After any system reset, the length of time before users can log back into the system is longer than usual due to FIPS-related self-testing.

FIPS certified latest software versions:

https://support.cambiumnetworks.com/files/ptp820/#r2

For PTP 820 C & S - PTP820CS - G2U-8.3.0.0.0.517 Firmware 12-December-2018

For PTP 820 G - PTP820G - G2U-8.3.0.0.0.517 Firmware 12-December-2018

FIPS certified PTP 820 G/C/S part numbers: