NSX-T 2.5 has now been officially tested and certified to use FIPS 140-2 validated cryptography for encrypting data. What does this mean and why is this important?
This is good news for VMware NSX-T, since FIPS (Federal Information Processing Standards) has been widely adopted around the world in both governmental and non-governmental sectors (e.g. financial services, utilities, healthcare), as well as by Fortune 100 companies, as a practical security benchmark and a realistic best practice. Products unable to satisfy this standard are unlikely to be selected by this customer base.
FIPS 140-2 specifies which cryptographic algorithms (ciphers, hashes, signature and key-agreement schemes) a cryptographic module may use, as well as how encryption keys may be generated and managed; the list of approved algorithms lives in its Annex A. It is published by the National Institute of Standards and Technology (NIST). NSX-T is not the first VMware product to meet the FIPS standard; you can (publicly) view all VMware FIPS related certificates at https://www.vmware.com/nl/security/certifications/fips.html
As with most security solutions, compliance has to be auditable, so NSX-T 2.5 can now generate a FIPS compliance report. Most of the required ciphers were already in place in earlier versions of NSX-T; Elliptic Curve Cryptography (ECC) support has been added with the 2.5 update (more on this in a separate blog post).
By default the NSX (simple) load balancer runs in non-FIPS-compliant mode; FIPS mode can be enabled through the REST API. Although some LB-related performance bugs were squashed in the 2.4 -> 2.4.1 update, keep in mind that stronger encryption usually needs more horsepower to encrypt and decrypt, so keep an eye on LB performance, throughput and resource utilization after enabling FIPS mode. Also check which cipher suites your clients offer before flipping the switch: an endpoint in FIPS mode only negotiates approved suites, so a client that offers nothing else will fail its TLS handshake.
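As an added example (not VMware's code and not from the original post), here is how the switch described above could be driven from a script. It assumes, from my reading of the NSX-T 2.5 API guide (verify against your release), the resource `/api/v1/global-configs/SecurityGlobalConfig` with a `fips.lb_fips_enabled` boolean, plus the general NSX-T rule that a PUT must carry the `_revision` returned by the preceding GET or the Manager answers 412 Precondition Failed. The hostname in the `__main__` block is hypothetical.

```python
"""Enable (or disable) FIPS mode on the NSX-T load balancer via the Manager REST API.

Added example, not VMware's code. Assumes, per the NSX-T 2.5 API guide (verify
against your release), the resource /api/v1/global-configs/SecurityGlobalConfig
with a "fips": {"lb_fips_enabled": <bool>} property, and the usual NSX-T rule that
a PUT must carry the _revision returned by the preceding GET (otherwise the
Manager rejects it with 412 Precondition Failed).
"""
import base64
import copy
import http.client
import json
import ssl
from typing import Optional

SECURITY_GLOBAL_CONFIG = "/api/v1/global-configs/SecurityGlobalConfig"  # assumed endpoint


def lb_fips_enabled(config: dict) -> bool:
    """Read the LB FIPS flag from a SecurityGlobalConfig object (absent = disabled)."""
    return bool(config.get("fips", {}).get("lb_fips_enabled", False))


def build_fips_update(current: dict, enabled: bool = True) -> dict:
    """Build the PUT body: a copy of the GET response with the flag flipped.

    Sending the whole object (not just the fips sub-object) avoids clearing the
    other SecurityGlobalConfig fields, and the _revision carried over is what
    makes the Manager accept the write. The input dict is not modified.
    """
    if "_revision" not in current:
        raise ValueError("no _revision in the current object; refusing to PUT blindly")
    body = copy.deepcopy(current)
    body["resource_type"] = "SecurityGlobalConfig"
    body.setdefault("fips", {})["lb_fips_enabled"] = enabled
    return body


def set_lb_fips(manager: str, user: str, password: str, enabled: bool = True,
                cafile: Optional[str] = None) -> dict:
    """GET -> modify -> PUT against a live Manager. Idempotent. Network call, not exercised offline."""
    # Pin the Manager's CA with cafile instead of disabling certificate verification.
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(manager, 443, context=ctx, timeout=30)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    conn.request("GET", SECURITY_GLOBAL_CONFIG, headers=headers)
    resp = conn.getresponse()
    current = json.loads(resp.read() or b"{}")
    if resp.status != 200:
        raise RuntimeError(f"GET failed: {resp.status} {current}")
    if lb_fips_enabled(current) == enabled:
        return current  # already in the requested state, nothing to write

    conn.request("PUT", SECURITY_GLOBAL_CONFIG,
                 body=json.dumps(build_fips_update(current, enabled)), headers=headers)
    resp = conn.getresponse()
    result = json.loads(resp.read() or b"{}")
    if resp.status == 412:
        raise RuntimeError("stale _revision (object changed under us); re-read and retry")
    if resp.status != 200:
        raise RuntimeError(f"PUT failed: {resp.status} {result}")
    return result


if __name__ == "__main__":
    import getpass
    import sys
    mgr = sys.argv[1] if len(sys.argv) > 1 else "nsx-manager.example.local"  # hypothetical host
    print(json.dumps(set_lb_fips(mgr, "admin", getpass.getpass("NSX admin password: ")), indent=2))
```

Run it as `python3 lb_fips.py <manager-fqdn>` and re-run the GET afterwards (or pull the FIPS compliance report) to confirm the flag actually took; if you get a 412, something else wrote the object between your GET and PUT, so read it again rather than forcing the write.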
Detailed general information about FIPS 140-2 is in the NIST PDF: NIST.FIPS.140-2
Want to get all “nerdy”? As usual I’ve got you covered! Check out the approved encryption algorithms and ciphers in Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
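To make Annex A practical, here is an added example (mine, not from the original post or from VMware) that audits a TLS cipher-suite list, in the OpenSSL and TLS 1.3 naming used by `openssl ciphers -v`, against the Annex A approved functions and tells you which suites a FIPS-mode endpoint could keep. It flags suites built on ChaCha20/Poly1305, RC4, MD5, single DES, Camellia, ARIA, SEED, IDEA, NULL, export or anonymous key exchange; 3DES is approved under 140-2 but reported as deprecated. The `SAMPLE_CIPHERS` list is constructed for the example, not captured from an NSX-T load balancer.

```python
"""Audit a TLS cipher-suite list against the FIPS 140-2 Annex A approved functions.

Added example, not from the original post or from VMware. Understands
OpenSSL-style names (ECDHE-RSA-AES256-GCM-SHA384) and TLS 1.3 names
(TLS_AES_128_GCM_SHA256). SAMPLE_CIPHERS is a constructed list.
"""
import re
from typing import Dict, List, Tuple

# Token prefix -> reason a suite containing it is not FIPS 140-2 approved.
NOT_APPROVED = {
    "CHACHA20": "ChaCha20-Poly1305 is not an Annex A cipher/MAC",
    "RC4": "RC4 is not an approved cipher",
    "MD5": "MD5 is not an approved hash",
    "CAMELLIA": "Camellia is not an approved cipher",
    "ARIA": "ARIA is not an approved cipher",
    "SEED": "SEED is not an approved cipher",
    "IDEA": "IDEA is not an approved cipher",
    "NULL": "NULL cipher or NULL MAC",
    "EXP": "export-grade suite",
    "ADH": "anonymous DH (no peer authentication)",
    "AECDH": "anonymous ECDH (no peer authentication)",
}


def tokens(name: str) -> List[str]:
    """Split 'ECDHE-RSA-AES256-GCM-SHA384' or 'TLS_AES_128_GCM_SHA256' into upper-case tokens."""
    return [t for t in re.split(r"[-_]", name.upper()) if t]


def check_suite(name: str) -> Tuple[bool, List[str]]:
    """Return (approved, notes): rejection reasons if not approved, deprecation warnings if approved."""
    toks = tokens(name)
    reasons = [why for prefix, why in NOT_APPROVED.items()
               if any(t.startswith(prefix) for t in toks)]
    # OpenSSL spells 3DES as DES-CBC3; a bare DES token without CBC3 is single DES.
    triple_des = "CBC3" in toks or "3DES" in toks
    if "DES" in toks and not triple_des:
        reasons.append("single DES is not an approved cipher")
    uses_aes = any(t.startswith("AES") for t in toks)
    if not reasons and not (uses_aes or triple_des):
        reasons.append("no Annex A approved cipher identified in the suite name")
    if reasons:
        return False, reasons
    warnings = ["3DES is approved under 140-2 but deprecated by NIST SP 800-131A"] if triple_des else []
    return True, warnings


def audit(names: List[str]) -> Dict[str, Tuple[bool, List[str]]]:
    """Check every suite in the list."""
    return {n: check_suite(n) for n in names}


def approved_subset(names: List[str]) -> List[str]:
    """Suites you could keep in a FIPS-mode cipher string, in the original order."""
    return [n for n in names if check_suite(n)[0]]


SAMPLE_CIPHERS = [  # constructed for the example
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CAMELLIA256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "NULL-SHA256",
]

if __name__ == "__main__":
    for suite, (ok, notes) in audit(SAMPLE_CIPHERS).items():
        print(f"{'approved    ' if ok else 'NOT APPROVED'}  {suite:<34} {'; '.join(notes)}")
    print("FIPS-mode cipher string:", ":".join(approved_subset(SAMPLE_CIPHERS)))
```

Two caveats on reading the output: an approved cipher list is necessary but not sufficient, since FIPS 140-2 validates the cryptographic module implementing the algorithms rather than the suite names, and the ECDSA suites it keeps are exactly the ones that need the ECC support 2.5 added to the load balancer.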