Enabling Ubuntu FIPS 140 in air-gapped environments

Many US military, government or critical national infrastructure organisation workloads that require FIPS compliance are also required to be deployed in air-gapped environments to provide an extra layer of protection. 

In order to reduce operational and security risks by automating hardening, patch management and compliance to security standards like CIS and DISA-STIG as well as the FIPS 140-2 certifications, we’ve developed Ubuntu Advantage for your private infrutracture and Ubuntu Pro for cloud. 

In this blog we will look at what having a FIPS compliant instance means and the different ways you have to enable that in your disconnected environment.

What

Sponsored

does enabling FIPS mean?

FIPS 140 tackles the cryptography validation problem from the perspective of the U.S. regulator. By default, Ubuntu comes prepackaged with a series of cryptographic upstream components which do not conform to the stringent US requirements. By choosing Ubuntu Advantage and enabling the FIPS profile on Ubuntu the OS will install the following validated packages, which can then be consumed by your mission applications. In Ubuntu 20.04 these packages are:

• Linux-image-fips Linux kernel crypto API
• Libssl1.1 OpenSSL cryptographic backend (includes OpenSSH)
• Libgcrypt20 library that contains the implementation of many cryptographic functions
• Strongswan IPSec VPN implementation

The traditional approach to enabling FIPS is using Ubuntu Advantage client native functionality, however this requires that the servers are able to connect to Canonical. There are many scenarios where these firewall rules cannot be enabled or outbound connections are not permitted. In this case we offer 2 deployment scenarios based on your environment architecture.  

Air-gap scenario 1: using Landscape

Landscape is Canonical’s desktop and server management and monitoring tool. Landscape offers a comprehensive set of management functionalities including, but not limited to, repository management, package mirroring, profile based automated patching, alerting, granular administrative profiles, and much more.

You should consider this deployment scenario when:

• The risk of human error associated with manual configuration and management is unacceptable
• You have a complex workflow that requires custom automation
• You are considering a greenfield deployment of Ubuntu servers

In this scenario Landscape holds a mirror of all FIPS packages in the same way it holds a mirror of any other desired repository. The packages can then be pushed to individual servers 

Depending on your security and networking requirements the Landscape server can be deployed in 2 different configurations:

• a single landscape server in the DMZ, or
• a stacked configuration

In this first scenario the Landscape server will be deployed in your network DMZ, where it will connect to Canonical in order to fetch the required packages and then push them to the servers based on your specified deployment plan.

There are scenarios where Landscape will not be allowed to have direct Internet access. In this case Landscape can also be configured to run in the following stacked configuration:

In this configuration, the DMZ Landscape will not directly connect to any server, rather it will hold a mirror of the required FIPS package. The air-gapped Landscape server will then pull those packages and distribute them based on the package and upgrade profiles for each group of machines.

You can find more information about Landscape in the product documentation. 

Air-gap scenario 2: using your existing tools

While Landscape offers a seamless user experience for System Administrators, there are edge cases where installing Landscape is not possible for bureaucratic reasons.

Enabling FIPS on Ubuntu Pro is possible even if you are using alternative tools, as long as you are able to fetch the required packages and make them available to the servers that need to have FIPS enabled. UA Client provides a secure and auditable means to enable FIPS on your Ubuntu machines, on a machine by machine basis. Your tools can be configured to interact with the UA Client’s ua command, which produces machine-readable outputs through the –format json and –format yaml parameters.

Our field engineering team has successfully supported integration with many mirroring solutions like apt-mirror, as well as other commercial and proprietary software.

If you want to learn more about how to run Ubuntu FIPS in your air-gapped environment or discuss how we can integrate Ubuntu Pro FIPS with your configuration management solutions do not hesitate to contact us.

Contact us