Many US military, government or critical national infrastructure organisation workloads that require FIPS compliance are also required to be deployed in air gapped network to provide an extra layer of protection.
In order to reduce operational and security risks by automating hardening, patch management and compliance to security standards like CIS and DISA-STIG as well as the FIPS 140-2 certifications, we’ve developed Ubuntu Pro (formerly Ubuntu Advantage) for your private infrastructure and Ubuntu Pro for cloud.
In this blog, we will look at what having a FIPS-compliant instance means and the different ways you have to enable that in your disconnected environment.
FIPS 140 tackles the cryptography validation problem from the perspective of the U.S. regulator. By default, Ubuntu comes prepackaged with a series of cryptographic upstream components which do not conform to the stringent US requirements.
By choosing Ubuntu Pro and enabling the FIPS profile on Ubuntu the OS will install the following validated packages, which can then be consumed by your mission applications. In Ubuntu 20.04 these packages are:
The traditional approach to enabling FIPS is using Ubuntu Pro client native functionality, however, this requires that the servers are able to connect to Canonical. There are many scenarios where these firewall rules cannot be enabled or outbound connections are not permitted. In this case, we offer 2 deployment scenarios based on your environment architecture.
Landscape is Canonical’s desktop and server management and monitoring tool. Landscape offers a comprehensive set of management functionalities including, but not limited to, repository management, package mirroring, profile-based automated patching, alerting, granular administrative profiles, and much more.
You should consider this deployment scenario when:
Landscape holds a mirror of all FIPS packages in the same way it holds a mirror of any other desired repository. The packages can then be pushed to individual servers
Depending on your security and networking requirements the Landscape server can be deployed in 2 different configurations:
In this first scenario, the Landscape server will be deployed in your network DMZ, where it will connect to Canonical in order to fetch the required packages and then push them to the servers based on your specified deployment plan.
While this scenario does not strictly classify as air gapped it is a good reference architecture to use in all environments that require stricter security measures.
In air gap networks, Landscape will not be allowed to have direct Internet access. In this case, Landscape can also be configured to run in the following stacked configuration:
In this configuration, the DMZ Landscape will not directly connect to any server, rather it will hold a mirror of the required FIPS packages. The air gapped Landscape server can then be configured to mirror those packages and distribute them based on the FIPS and upgrade profiles for each group of machines.
You can find more information about Landscape in the product documentation.
While Landscape offers a seamless user experience for System Administrators, there are edge cases where installing Landscape is not possible for bureaucratic reasons.
Enabling FIPS on Ubuntu Pro is possible even if you are using alternative tools, as long as you are able to fetch the required packages and make them available to the servers that need to have FIPS enabled. UA Client provides a secure and auditable means to enable FIPS on your Ubuntu machines, on a machine by machine basis. Your tools can be configured to interact with the UA Client’s ua command, which produces machine-readable outputs through the –format json and –format yaml parameters.
Our field engineering team has successfully supported integration with many mirroring solutions like apt-mirror, as well as other commercial and proprietary software.
If you want to learn more about how to run Ubuntu FIPS in your air gap network or discuss how we can integrate Ubuntu Pro FIPS with your configuration management solutions do not hesitate to contact us.
Microsoft Edge is now available for Ubuntu. In this guide, I’ll walk you through the…
Our latest Canonical website rebrand did not just bring the new Vanilla-based frontend, it also…
At Canonical, the work of our teams is strongly embedded in the open source principles…
Welcome to the Ubuntu Weekly Newsletter, Issue 873 for the week of December 29, 2024…
Have WiFi troubles on your Ubuntu 24.04 system? Don’t worry, you’re not alone. WiFi problems…
The following is a post from Mark Shuttleworth on the Ubuntu Discourse instance. For more…