Configuring FIPS Security Mode

The device can operate in "FIPS Mode" to fully comply with Federal Information Processing Standards (FIPS) 140-2 Level 1, which is a security standard specified by the United States Government that is used to validate cryptographic modules (i.e., the device). The FIPS standards specify best practices and security requirements for implementing crypto algorithms, encryption schemes, handling important data, and working with various operating systems and hardware, whenever cryptographic-based security systems have to be used to protect sensitive, valuable data. FIPS also defines specific methods for encryption and specific methods for generating encryption keys. For more information on AudioCodes FIPS certification, go to https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3708.

Before enabling the FIPS security mode, you must upgrade the device's software (.cmp file) with an image file that includes authentication (2048-bit / SHA-256 digital signature). When you have enabled FIPS, the device performs authentication on the .cmp image file every time it restarts. If authentication fails, the device performs zeroization and disables the FIPS mode.

When you first enable the FIPS mode, the device automatically performs zeroization, which finally causes a restart. Zeroization completely wipes out all sensitive content residing on the device:

Security secrets (e.g., private keys for SSH and TLS)
Core dump files
System Snapshot files

When operating in FIPS mode, the device removes all secret keys from generated syslog and debug recording messages. It also performs many internal security tests during runtime. As soon as any one of these tests fail, connection to the device is lost and the device automatically performs zeroization, disables FIPS mode, and then restarts.

FIPS is applicable only to Mediant 9080.
After the device performs zeroization, it automatically generates new secrets (private key) for the self-signed certificate. You can then use this certificate to connect to the device over HTTPS, if needed.
For detailed configuration of the device for compliance with FIPS, refer to the document Mediant SBC for FIPS 140-2 Configuration Guide.
To enable FIPS mode:
Web Interface:
a. Open the Security Settings page (Setup menu > IP Network tab > Security folder > Security Setting).
b. Click the Enable FIPS button.

CLI (privileged mode):
# fips on

If the device is operating in FIPS mode and you disable FIPS, the device automatically performs zeroization.

To check if the device is operating in FIPS mode (through CLI):
show system security status

You can also manually trigger zeroization. This is useful, for example, when taking the device out of deployment for service (Return of Merchandise or RMA).

To trigger zeroization (through CLI privileged mode):
# clear security-files