If you work in government or a regulated industry, you’ve no doubt heard of the Federal Information Processing Standards, perhaps better known by the acronym FIPS. FIPS is a very broad set of standards publications, but in the software industry the term usually refers to the publication specifically about cryptography, FIPS 140-2 Security Requirements for Cryptographic Modules. FIPS 140-2 is a product of the joint effort between the United States and Canada called the Cryptographic Module Validation Program. It standardizes the testing and certification of cryptographic modules that are accepted by the federal agencies of both countries for the protection of sensitive information.
FIPS 140-2 defines four security levels (1–4) which correlate to the level of protection a FIPS‑certified module must provide.
The consequences of processing sensitive information in a non‑compliant fashion can be severe. At best, it can mean the loss of a valuable contract with an organization that requires FIPs compliance, such as the U.S. Federal government. At worst, it can lead to theft of personal information or national security documents. Although FIPS 140-2 is a North American government certification, it has become a global cryptographic baseline for:
Global usage, coupled with the fact that FIPS 140-2 testing provides third‑party verification that crypto operations meet a defined standard, is a basis for greater confidence that data is secure as it traverses the Internet.
To become FIPS compliant, you need to configure your operating system to run in FIPS mode. But did you know that you can still be at risk of non‑compliance, even if your operating system is in FIPS mode? By enabling FIPS mode on NGINX Plus, you can ensure the clients talking to NGINX Plus are using a strong cipher with a trusted implementation.
Configuring NGINX Plus for FIPS 140-2 Level 1 is a very simple process. NGINX Plus uses the OpenSSL cryptographic module exclusively for all operations relating to the encryption and decryption of SSL/TLS and HTTP/2 traffic. OpenSSL is not part of NGINX Plus, but instead comes bundled with the operating system. So NGINX Plus becomes compliant with FIPS 140-2 for the processing of all SSL/TLS and HTTP/2 traffic when it is running on an OS from a vendor that has obtained FIPS 140-2 Level 1 validation and the OS is running in FIPS mode.
Because we find that many customers who require FIPS compliance are using Red Hat Enterprise Linux (RHEL), we’ve written our FIPS mode instructions for a RHEL 7.4 server, which applies to both bare‑metal and containerized deployments if both the host and the container are in FIPS 140-2 mode. Equivalent instructions are available from the vendors of other Linux distributions.
RHEL is one of our primary target operating systems, and we have a goal of testing and fully supporting NGINX Plus on all supported RHEL versions. Once you install NGINX Plus on RHEL, upgrades become the same as for any other piece of Red Hat software, meaning you can download and install updates natively within RHEL.
You can verify that your NGINX Plus instance is running in FIPS‑compliant mode using several techniques:
openssl
or nmap
to investigate the ciphers supported by NGINX Plus. Verify that ciphers not supported by FIPS are not offered by NGINX Plus.NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS‑enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source, particularly for third‑party builds or when third‑party modules that implement their own crypto functions are involved. There are many pitfalls in building and validating a FIPS‑compliant solution using open source tools. Depending on your organization’s security policies, compiling and maintaining the code can be challenging or even impossible. You also run the risk of introducing a directive that can prevent FIPS certification – for example, enabling TLS 1.0 or introducing a deprecated cypher stack such as 3DES.
Finally, with some operating systems, compiling NGINX Open Source so that it operates correctly in FIPS mode requires dependencies beyond those for NGINX itself, which we therefore cannot document and which might have unintended consequences. Please review the guidance provided by your organization’s security and compliance groups to make sure that the solutions you are working with meet their requirements.
Of course, there are more differences between NGINX Plus and NGINX Open Source than just how easy it is to achieve compliance with FIPS 140-2. Explore the differences and see if NGINX Plus is right for your organization.
To try NGINX Plus, start your free 30-day trial today or contact us to discuss your use cases.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."