Federal Information Processing Standards
Federal Information Processing Standards (FIPS) are mandated under US Public Law (100-235 and 104-106). The Federal Information Security Management Act of 2002 eliminated any agency’s ability to waive mandatory Federal Information Processing Standards.
Department of Defense National Security Telecommunications Information Systems Security Policy (NSTISSP) #11 is an acquisition policy that must be complied with prior to the purchase of information technology (IT) for DoD. NSTISSP #11 mandated FIPS 140-2 for all systems that encrypt DoD unclassified information.
FIPS 140-2 is the mandatory standard associated with encryption of unclassified information. There are two basic approaches to achieving compliance with FIPS 140-2. (A) Require the use of National Institute of Standards and Technology (NIST) certified encryption modules. (B) FIPS 140-2 Level 1 can be achieved by incorporating a software-based certified encryption module; FIPS 140-2 Level 2 and above can be achieved by incorporating an embedded hardware-based certified encryption module. FIPS 140-2 covers three key processes: private key creation/storage, digital signature, and encryption.
Load Balancing for FIPS
Load balancers/application delivery controllers (ADCs) are used to securely connect users to applications using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Load balancers typically terminate the incoming SSL/TLS connection from the user and create a separate SSL/TLS connection to the application server. SSL/TLS encrypts data in motion. To meet federal mandates, SSL/TLS must use NIST certified FIPS 140-2 cryptography.
FIPS 140-2 network-attached Hardware Security Modules (HSMs) provide for secure creation/storage of private keys associated with certificates. Network-Attached HSMs use secure connections to the load balancer to share private key information needed for the load balancer to establish SSL/TLS connections. The cryptography used by the load balancer to create these SSL/TLS encrypted connections must be FIPS 140-2 certified. Network-attached HSMs can improve upon a FIPS 140-2 compliant system by providing a single point to manage certificates. Network-attached HSMs cannot make a non-FIPS system compliant to FIPS 140-2.
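The requirement above (SSL/TLS on the load balancer must use FIPS 140-2 cryptography) is something an operator can at least partially verify from the outside. The following is an added example, not Kemp's code or part of the original page: it completes a TLS handshake with an endpoint the operator controls and reports whether the negotiated protocol version and cipher suite are built only from NIST-approved algorithm families (FIPS 140-2 Annex A, with the SP 800-131A retirement of 3DES and the SP 800-52 Rev. 2 floor of TLS 1.2). FIPS 140-2 certifies the module that implements the algorithms, so this is a necessary condition only: an approved-looking suite can still come from a non-validated library or a module not running in FIPS mode. The cipher-suite names in the demonstration are constructed; the deny-lists and the function names are the example's own.

```python
"""Report whether a TLS endpoint negotiates only NIST-approved cipher-suite building blocks.

Added example (not Kemp's code). Passing this check is necessary, not sufficient, for
FIPS 140-2 compliance: the approved algorithms must also be supplied by a validated
module operating in its FIPS mode. Sample suite names below are constructed.
"""
import socket
import ssl
from typing import Dict, List

# Algorithm tokens that are not FIPS-approved (FIPS 140-2 Annex A / SP 800-131A).
# Names are matched token-by-token so that e.g. "ECDHE" is never confused with "DES".
NOT_APPROVED = {
    "NULL", "EXP", "EXP1024", "EXPORT", "EXPORT40", "EXPORT56",  # no or export-grade encryption
    "RC4", "RC2", "IDEA", "SEED",                                # ciphers outside the NIST set
    "CAMELLIA", "CAMELLIA128", "CAMELLIA256", "ARIA", "ARIA128", "ARIA256",
    "CHACHA20", "POLY1305",                                      # not NIST-approved AEAD
    "MD5",                                                       # broken hash
    "ANON", "ADH", "AECDH",                                      # unauthenticated key exchange
    "GOST", "GOST89", "GOST94",
}
# Approved under FIPS 140-2 but disallowed by SP 800-131A after 2023; flag for retirement.
DEPRECATED = {"3DES", "CBC3"}

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # SP 800-52 Rev. 2: TLS 1.2 is the floor


def _tokens(suite: str) -> List[str]:
    """Split OpenSSL ("ECDHE-RSA-AES256-GCM-SHA384") or IANA
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384") style names into upper-case tokens."""
    return suite.upper().replace("_", "-").split("-")


def classify_cipher_suite(suite: str) -> Dict[str, object]:
    """Return {'suite', 'verdict', 'reasons'}; verdict is 'approved', 'deprecated' or 'not_approved'."""
    toks = _tokens(suite)
    reasons = [t for t in toks if t in NOT_APPROVED]
    # Single DES is a bare "DES" token with no triple-DES marker ("3DES" or OpenSSL's "CBC3").
    if "DES" in toks and not (set(toks) & DEPRECATED):
        reasons.append("DES")
    if reasons:
        return {"suite": suite, "verdict": "not_approved", "reasons": reasons}
    deprecated = [t for t in toks if t in DEPRECATED]
    if deprecated:
        return {"suite": suite, "verdict": "deprecated", "reasons": deprecated}
    return {"suite": suite, "verdict": "approved", "reasons": []}


def assess_endpoint(suite: str, protocol: str) -> Dict[str, object]:
    """Combine the cipher-suite verdict with the protocol-version floor."""
    result = classify_cipher_suite(suite)
    result["protocol"] = protocol
    if protocol not in ACCEPTABLE_PROTOCOLS:
        result["verdict"] = "not_approved"
        result["reasons"] = list(result["reasons"]) + [protocol]
    return result


def negotiated_parameters(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with a server you operate and return (suite name, protocol version).
    The default client context is used and nothing is sent after the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check of an operator-supplied host, e.g. the load balancer's virtual service.
        suite, proto = negotiated_parameters(sys.argv[1])
        print(assess_endpoint(suite, proto))
    else:
        # Offline demonstration on constructed suite names.
        for s in ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-CHACHA20-POLY1305",
                  "RC4-MD5", "DES-CBC-SHA"]:
            print(classify_cipher_suite(s))
```

Run it with the load balancer's hostname as the only argument to test the live endpoint, or with no argument to see the classifier applied to the constructed sample suites. Because Python's `ssl` module reports OpenSSL-style suite names for TLS 1.2 and IANA-style names for TLS 1.3, the tokenizer accepts both spellings.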
Kemp is fully aware of federal mandates and public laws and has incorporated a FIPS 140-2 certified software encryption module (OpenSSL FIPS Object Module, certificate #2473) into our core operating system and made it available on all our LoadMaster load balancers.
Kemp also understands that some customers require additional protection above that which is mandatory, and we have incorporated FIPS 140-2 certified hardware security modules (HSMs) into select Kemp Hardware LoadMasters (Cavium certificate #2316).
Kemp has enabled all our LoadMasters to interface with FIPS 140-2 certified network-attached HSMs to add protection for the private keys used in FIPS 140-2 encryption processes. The associated FIPS certificates for these solutions are held by the networked HSM vendors.
In summary, all Kemp LoadMasters (physical, virtual, cloud, multitenant and bare metal) incorporate NIST certified FIPS 140-2 encryption.