FIPS and non-FIPS compliance - Metasys - LIT-1201519 - MS-NAE35xx-2 - MS-NAE45xx-2 - MS-NAE5510-2U - MS-NAE5510-3U - MS-NAE551S-2 - MS-NAE55xx-3 - MS-NCE25xx-0 - MS-NXE85SW-x - Supervisory Device - NAE35 Network Automation Engine - NAE45 Network Automation Engine - NAE55 Network Automation Engine - NAE85 Network Automation Engine - NCE25 Network Control Engine - 11.0

NAE Commissioning Guide

Product
Network Engines > Network Automation Engines > NAE55 Network Automation Engine
Network Engines > Network Automation Engines > NAE35 Network Automation Engine
Network Engines > Network Automation Engines > NAE45 Network Automation Engine
Network Engines > Network Automation Engines > NAE85 Network Automation Engine
Document type
Commissioning Guide
Document number
LIT-1201519
Version
11.0
Revision date
2022-02-09

At Metasys Release 11.0, the encryption methods used for communication between the NAE SNC and the Metasys Server have been updated to meet FIPS 140-2. FIPS 140-2 is based on the Federal Information Processing Standard (FIPS) Publication 140-2, a U.S. government computer security standard used to approve cryptographic modules.

FIPS 140-2 compliance is a standard feature on all NAE SNC engines at Release 11.0 and an optional, licensed feature for the Metasys Server and NAE85/LCS85 software engines. After you update an NAE SNC to Release 11.0, the only method for removing FIPS 140-2 compliance is to reimage the engine to an earlier release. Also, there is no attribute in the user interface to indicate that a particular network engine is FIPS compliant. All NAE SNC engines that run Release 11.0 firmware are FIPS compliant; all engines at any earlier release are not FIPS compliant.

For the Metasys Server at Release 11.0, FIPS 140-2 compliance is a purchased and licensed feature. The attribute called FIPS Compliance Status, located under the Engineering Values section of the ADS device object, indicates the current FIPS status of the server. The value is either Compliant (Licensed) or Non-Compliant (Unlicensed). This read-only attribute is set to Compliant (Licensed) after you license FIPS compliance and install the FIPS compliance software on the Metasys Server. After you license the server for FIPS compliance, the server communicates only with other network engines that are also FIPS compliant. This restriction is necessary for a facility to be fully FIPS compliant.

Refer to the following table for an overview of how communication between the Site Director and network engines is affected by the various security settings. As indicated in Table 1, a Site Director at an earlier release cannot communicate with a network engine that is at a later release, regardless of security settings.

Table 1. Network Engine security overview

The last three columns are grouped under "Network Engine communication to Site Director": each column is the release of the network engine, and the cell states whether communication between an engine at that release and the Site Director described in the row is ALLOWED or BLOCKED. N/A means the setting does not exist at that release.

| Site Director  | Site Director release | Site Director Advanced Security | Server FIPS Compliance | Engine Rel. 9.0 or earlier | Engine Rel. 10.0 or 10.1 | Engine Rel. 11.0 |
|----------------|-----------------------|---------------------------------|------------------------|----------------------------|--------------------------|------------------|
| ADS/ADX        | Rel. 9.0 or earlier   | N/A                             | N/A                    | ALLOWED                    | BLOCKED                  | BLOCKED          |
| ADS/ADX        | Rel. 10.0 or 10.1     | FALSE                           | N/A                    | ALLOWED                    | ALLOWED                  | BLOCKED          |
| ADS/ADX        | Rel. 10.0 or 10.1     | TRUE                            | N/A                    | BLOCKED                    | ALLOWED                  | BLOCKED          |
| ADS/ADX        | Rel. 11.0             | FALSE                           | Unlicensed             | ALLOWED                    | ALLOWED                  | ALLOWED          |
| ADS/ADX        | Rel. 11.0             | TRUE                            | Unlicensed             | BLOCKED                    | ALLOWED                  | ALLOWED          |
| ADS/ADX        | Rel. 11.0             | TRUE or FALSE                   | Licensed               | BLOCKED                    | BLOCKED                  | ALLOWED          |
| Network Engine | Rel. 9.0 or earlier   | N/A                             | N/A                    | ALLOWED                    | BLOCKED                  | BLOCKED          |
| Network Engine | Rel. 10.0 or 10.1     | FALSE                           | N/A                    | ALLOWED                    | ALLOWED                  | ALLOWED          |
| Network Engine | Rel. 10.0 or 10.1     | TRUE                            | N/A                    | BLOCKED                    | ALLOWED                  | BLOCKED          |
| Network Engine | Rel. 11.0             | TRUE or FALSE                   | Always Licensed        | BLOCKED                    | BLOCKED                  | ALLOWED          |
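Because licensing FIPS compliance on a Release 11.0 Site Director silently drops every engine that is not yet at Release 11.0, it is worth checking an engine inventory against Table 1 before the license is installed. The following script is an added example, not Johnson Controls code: it encodes the rows of Table 1 as rules, and the engine names and releases in the inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Releases are grouped the way Table 1 groups them:
# 9 = Rel. 9.0 or earlier, 10 = Rel. 10.0 or 10.1, 11 = Rel. 11.0.

@dataclass(frozen=True)
class SiteDirector:
    kind: str                        # "ADS/ADX" or "Network Engine"
    release: int                     # 9, 10 or 11
    advanced_security: bool = False  # N/A rows in Table 1 behave as FALSE
    fips_licensed: bool = False      # only meaningful at Rel. 11.0

def communication_allowed(sd: SiteDirector, engine_release: int) -> bool:
    """True if a network engine at engine_release can talk to sd (Table 1)."""
    # A Rel. 11.0 network engine acting as Site Director is always licensed.
    fips = sd.fips_licensed or (sd.kind == "Network Engine" and sd.release == 11)
    if sd.release == 11 and fips:
        # A FIPS-licensed Site Director talks only to Rel. 11.0 engines.
        return engine_release == 11
    if engine_release == 11:
        # A Rel. 11.0 engine is accepted by a Rel. 11.0 Site Director, or by a
        # Rel. 10.x network engine Site Director without Advanced Security.
        return sd.release == 11 or (
            sd.kind == "Network Engine" and sd.release == 10
            and not sd.advanced_security)
    if engine_release == 10:
        # Rel. 10.x engines need a Site Director at Rel. 10.x or later.
        return sd.release >= 10
    # Rel. 9.0 or earlier engines are blocked once Advanced Security is TRUE.
    return not sd.advanced_security

def engines_blocked_by_change(inventory, before: SiteDirector, after: SiteDirector):
    """Engines that communicate today but would be blocked after a planned change."""
    return [name for name, rel in inventory
            if communication_allowed(before, rel)
            and not communication_allowed(after, rel)]

# Constructed inventory: (engine name, release); names are made up.
INVENTORY = [("NAE55-Lobby", 9), ("NAE45-Roof", 10),
             ("NCE25-Plant", 10), ("NAE35-Garage", 11)]

if __name__ == "__main__":
    current = SiteDirector("ADS/ADX", 11, advanced_security=True)
    planned = SiteDirector("ADS/ADX", 11, advanced_security=True, fips_licensed=True)
    print("Would lose communication after licensing FIPS:",
          engines_blocked_by_change(INVENTORY, current, planned))
```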