FIPS 140-2 Certification

Solved
graberb
New here

FIPS 140-2 Certification

I would love to use the Meraki full stack in my environment but the network is subject to LEIN audits every three years.  Devices that pass criminal justice information are required to hold a valid FIPS 140-2 certificate.  I have heard from many sources that Meraki is in the process of acquiring these certs.  Does anyone know more?  

1 Accepted Solution
EAzevedo
Meraki Employee
Meraki Employee

Hi everyone. I am aware that this is an old post, but I believe is relevant to share this here even for future reference.

 

Please refer to our Meraki Device to Cloud Connectivity - FIPS document, where we list all the certifications available at this moment

Hope this helps

Eduardo Azevedo

View solution in original post

29 Replies 29
Adam
Kind of a big deal

I would like this too.  It is a big hold up being to implement full stack Meraki in a Criminal Justice environment. 

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
PhilipDAth
Kind of a big deal
Kind of a big deal

I haven't heard of any rumours of Meraki applying for FIPS140-2 compliance (to be specific, FIPS140-2 relates to VPN and crypto).

 

However the 15.x code train (not available to the public yet) has significant changes on the VPN side - and perhaps those changes might make FIPS140-2 possible.

 

One significant issue is that FIPS140-2 is given to specific software versions.  This would mean you could not upgrade the firmware to maintain compliance.  This kinda violates the whole Merai principle where the software is kept up to date automatically for you.

 

The last part of this year is going to prove to be exciting in this area!

Adam
Kind of a big deal

@PhilipDAth the encryption Meraki uses for its VPN tunnels is likely FIPS 140-2 compliant but getting the actual devices certified is what we'd be after.  Cisco already does this with their ASA line of products and those have regular updates available.  So I don't see why Cisco couldn't do this for its Meraki line of products as well.  It cuts out a big chunk of law enforcement and criminal justice customers otherwise. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Adam,
Have you heard any more?  I'm curious about this as well.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Cisco already does this with their ASA line of products and those have regular updates available

 

Note that specific software releases are certified FIPS140-2 for the ASA.  You can not just upgrade the ASA software and maintain your FIPS140-2 certification.

I have just heard a rumor...mind you it is just a rumor and is not substantiated at all, but I heard that Meraki devices will be on the FIPS 140-2 compliance list as soon as May of 2020.

I know it's not May yet but has anyone heard anything about the progress of FIPS?

Due to confidentiality and non-disclosure agreements, I cannot share the content of the signed letter I received from an SVP in Meraki.  I can tell you that though the Meraki devices may not be on the FIPS compliancy list by May, the intent is to be by May.

Can you share the SVP name? Thanks!

Annotation 2020-02-13 131707.png

Has anyone heard any new information on this?  I know it's not May yet. but at least it's been two months 🙂

Since it is not May as you state, I have not heard anything more.  I'm going to at least wait until then to start asking more questions.

It is May! I have been tracking this thread for at least a year, and now that we are here I wanted to see if there were updates. 

In a previous life as an MSP, Meraki was a great solution. In my current role, we must have FIPS to purchase, and our ASAs are due for replacement. 

Please tell me there is a solution, or if one is on the roadmap still and when. I would prefer to purchase Meraki over the others but need to have this in the pocket before I can. 

From my rep at Meraki...

 

Here’s the synopsis of what we heard from Product Management yesterday:
 
  1. FIPS 140-2 validation for AutoVPN network traffic has been delayed due to a software architectural issue with incorporating the FIPS validated object module that they were looking to use. As a result, we are looking at a minimum of 18 months before AutoVPN traffic will support FIPS 140-2 validation as they will likely have to certify a brand new hardware-based object module and this process alone takes around 12 months.
  2. While FIPS for AutoVPN has been delayed, this software limitation will not delay the roadmap for FedRAMP certification. Development efforts are now being focused on achieving FedRAMP in progress (and certification) by using this object module for Meraki control traffic (mtunnel).

So Fortinet it is.. who knows how long this next wait will be..  I can't risk further deployment of Meraki gear with this unknown not being handled in a reasonable amount of time.

Thank you for that. A ton. 

Meraki is obviously not following this thread. I spent a lot of time looking for roadmaps and news. They don't want to say "FIPS, the concept breaks our system and putting that burden on every customer for the DoD / DOJ / etc isn't worth it, ever." They should say that.

Cisco should step up and say "ASA and Firepower our our platforms for customers who require FIPS." 

I will also be giving up on this, I don't have 15 more months to hope that they support it. 

That's your choice.  I'll just continue to buy the cheapest FP1010 for FIPS and run Meraki everywhere else until Meraki gets up to speed.  I love Meraki and their concepts.  Now with the muscle of Cisco, I can wait.  I'm patient. 

I wish I was in that situation. We aren't in a place where we could run two solutions. 99% of our employees and data requires protection. 

I see that the Cisco website shows version 16 of the MX firmware as compliant. I've only seen version 15 so far (beta).

 

Here is the page on the Cisco site showing version 16 as compliant:

 

https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-...

 

Is there a "special" beta of version 16 available? Is it perhaps just for some particular physical models?

 

Thanks

We just need everyone to upgrade to 15.x, then it will become the new stable release, the 14.x train will be dropped, and 16.x will become the new public beta which everyone can use.

cmr
Kind of a big deal
Kind of a big deal

@martin-netx I see from that link that the next beta for wireless, switching and firewalling are all going to be FIPS compliant.

 

We're running 27.x on MRs, 14.x on MSs* and 15.x on MXs so if the rest of you all follow, as @PhilipDAth said, we'll have FIPS compliance all the sooner.

 

*Not on an L3 stack of 3x MS210s as it is sorely unstable on that configuration as of 14.10.'

I'm really glad we held out for Meraki's FIPS compliancy.  This is going to just make everything much nicer in my realm.

Thanks cmr,

I work for a Cisco partner and we run beta versions on most of our own Meraki kit already. Got quite a few customers running version 15 on the MX's too. 

I've heard on the grape vine that only certain models of MX are going to be FIPS compliant. Don't know if this is down to the physical encryption processors in use. I'd be very happy to hear anything back from Meraki about this.

cmr
Kind of a big deal
Kind of a big deal

@martin-netx I'd think you'll be correct.  I imagine some of the smaller older devices (MX64/65 etc.) will not be able to go to MX16 at all or perhaps only in a limited way.

From my Meraki rep,

 

Meraki MX450, MX250, and any MX6x will become FIPS compliant, but the rest of the MXs will not.  So for instance, the MX84 will never be FIPS compliant.

Thanks LandrinLong,

 

Yeah those model numbers correspond with what I've heard. Shame about the MX84 and MX100 in particular.

For the MX84 and MX100, they are currently in development for replacements that will be FIPS 140-2 compliant that have similar price points and throughput, but the current MX84 and MX100 will not be unfortunately.  At least that is what my reps and Cisco/Meraki engineers are telling me.

cmr
Kind of a big deal
Kind of a big deal

I'd hope the replacements are somewhat more performant for a similar cost, especially in terms of raw throughout as that would then be a worthwhile improvement.

EAzevedo
Meraki Employee
Meraki Employee

Hi everyone. I am aware that this is an old post, but I believe is relevant to share this here even for future reference.

 

Please refer to our Meraki Device to Cloud Connectivity - FIPS document, where we list all the certifications available at this moment

Hope this helps

Eduardo Azevedo

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.