Forum Discussion
MW1
Cirrus
Dec 06, 2012
F5 LTM VE - FIPS level 1
Can anyone advise if it is possible to achieve FIPS level 1 compliancy (or above) when using the LTM VE product?
We have had a request come in from a client that they would like us to be...
MW1
Cirrus
Dec 11, 2012
Unfortunately my reseller and a different area F5 rep have drawn a blank on any word on future plans, which does pose quite a big issue for me/my company - if anyone for F5 happens to see this post and can offer any better news, please advise!
Re-reading what the HSM does, I am presuming it does more than securely store the key, but the F5 calls via APIs; my initial thought that I could achieve FIPS level by running an F5 LTM VE on an ESX server that is using FIPS-certified hardware-based encrypted drives I presume is wrong.
I presume that my only option to run a VE in FIPS mode is (per http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html)
The Thales nShield™ HSM is a network-attached HSM (netHSM™) that is available for use with BIG-IP® systems. Because it is software-based rather than hardware-based, you can use the netHSM FIPS solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the netHSM solution with BIG-IP Virtual Edition (VE).
Unfortunately this means in many ways I lose the benefit of going to a virtual, as I will need to replace the physical LTM with a physical standalone HSM.
Matt
- Eduardo_N__1674 Sep 28, 2014
Nimbostratus
This is not true, the Thales HSM is networked and can be configured to work on VE LTMs. It can actually be clustered for HA and be shared among passive and active nodes alike.

- MW1 Sep 28, 2014
Cirrus
Eduardo - I am not following your comment. I stated I could use the Thales with the VE, however I lose the benefit of the load balancing being all virtual (e.g. migration of the setup to a different geographical location solely by copying the VE over the network to a different site etc.). Can you clarify your comment, or did you misunderstand something I stated originally?

- Andras_Kis-Szab Nov 24, 2014
Nimbostratus
Dear Eduardo, In case of VE LTM cluster with nCipher Connect clusters: where should I put the RFS and how should I sync them with the HSMs, please? Thank you in advance, Best regards, Andras

- flypast Nov 13, 2018
Altostratus
How many RFSs can be deployed in a security world?