At Metasys Release 11.0, the encryption methods used for communication between the NAE SNC and the Metasys Server have been updated to meet FIPS 140-2. FIPS 140-2 is based on the Federal Information Processing Standard (FIPS) Publication 140-2, a U.S. government computer security standard used to approve cryptographic modules.
FIPS 140-2 compliance is a standard feature on all NAE SNC engines at Release 11.0 and an optional, licensed feature for the Metasys Server and NAE85/LCS85 software engines. After you update an NAE SNC to Release 11.0, the only method for removing FIPS 140-2 compliance is to reimage the engine to an earlier release. Also, there is no attribute in the user interface to indicate that a particular network engine is FIPS compliant. All NAE SNC engines that run Release 11.0 firmware are FIPS compliant; all engines at any earlier release are not FIPS compliant.
For the Metasys Server at Release 11.0, FIPS 140-2 compliance is a purchased and licensed feature. The attribute called FIPS Compliance Status, located under the Engineering Values section of the ADS device object, indicates the current FIPS status of the server. The value is either Compliant (Licensed) or Non-Compliant (Unlicensed). This read-only attribute is set to Compliant (Licensed) after you license FIPS compliance and install the FIPS compliance software on the Metasys Server. After you license the server for FIPS compliance, the server communicates only with other network engines that are also FIPS compliant. This restriction is necessary for a facility to be fully FIPS compliant.
Refer to the following table for an overview of how communication between the Site Director and network engines is affected by various security settings. As indicated in Table 1, a Site Director at an earlier release cannot communicate with a network engine that is at a later release, regardless of security settings.
Site Director with release | Site Director Advanced Security | Server FIPS Compliance | Network Engine communication to Site Director: Rel. 9.0 or earlier | Network Engine communication to Site Director: Rel. 10.0 or 10.1 | Network Engine communication to Site Director: Rel. 11.0
---|---|---|---|---|---
ADS/ADX Rel. 9.0 or earlier | <na> | <na> | ALLOWED | BLOCKED | BLOCKED
ADS/ADX Rel. 10.0 or 10.1 | FALSE | <na> | ALLOWED | ALLOWED | BLOCKED
ADS/ADX Rel. 10.0 or 10.1 | TRUE | <na> | BLOCKED | ALLOWED | BLOCKED
ADS/ADX Rel. 11.0 | FALSE | Unlicensed | ALLOWED | ALLOWED | ALLOWED
ADS/ADX Rel. 11.0 | TRUE | Unlicensed | BLOCKED | ALLOWED | ALLOWED
ADS/ADX Rel. 11.0 | TRUE or FALSE | Licensed | BLOCKED | BLOCKED | ALLOWED
Network Engine Rel. 9.0 or earlier | <na> | <na> | ALLOWED | BLOCKED | BLOCKED
Network Engine Rel. 10.0 or 10.1 | FALSE | <na> | ALLOWED | ALLOWED | ALLOWED
Network Engine Rel. 10.0 or 10.1 | TRUE | <na> | BLOCKED | ALLOWED | BLOCKED
Network Engine Rel. 11.0 | TRUE or FALSE | Always Licensed | BLOCKED | BLOCKED | ALLOWED