Massimiliano Gori
on 19 February 2023
Air gapped network: FIPS 140 compliance with Ubuntu
Many US military, government or critical national infrastructure organisation workloads that require FIPS compliance are also required to be deployed in air gapped network to provide an extra layer of protection.
In order to reduce operational and security risks by automating hardening, patch management and compliance to security standards like CIS and DISA-STIG as well as the FIPS 140-2 certifications, we’ve developed Ubuntu Pro (formerly Ubuntu Advantage) for your private infrastructure and Ubuntu Pro for cloud.
In this blog, we will look at what having a FIPS-compliant instance means and the different ways you have to enable that in your disconnected environment.
What does enabling FIPS mean?
FIPS 140 tackles the cryptography validation problem from the perspective of the U.S. regulator. By default, Ubuntu comes prepackaged with a series of cryptographic upstream components which do not conform to the stringent US requirements.
By choosing Ubuntu Pro and enabling the FIPS profile on Ubuntu the OS will install the following validated packages, which can then be consumed by your mission applications. In Ubuntu 20.04 these packages are:
- Linux-image-fips Linux kernel crypto API
- Libssl1.1 OpenSSL cryptographic backend (includes OpenSSH)
- Libgcrypt20 library that contains the implementation of many cryptographic functions
- Strongswan IPSec VPN implementation
The traditional approach to enabling FIPS is using Ubuntu Pro client native functionality, however, this requires that the servers are able to connect to Canonical. There are many scenarios where these firewall rules cannot be enabled or outbound connections are not permitted. In this case, we offer 2 deployment scenarios based on your environment architecture.
Distributing FIPS packages with Landscape
Landscape is Canonical’s desktop and server management and monitoring tool. Landscape offers a comprehensive set of management functionalities including, but not limited to, repository management, package mirroring, profile-based automated patching, alerting, granular administrative profiles, and much more.
You should consider this deployment scenario when:
- The risk of human error associated with manual configuration and management is unacceptable
- You have a complex workflow that requires custom automation
- You are considering a greenfield deployment of Ubuntu servers
Landscape holds a mirror of all FIPS packages in the same way it holds a mirror of any other desired repository. The packages can then be pushed to individual servers
Depending on your security and networking requirements the Landscape server can be deployed in 2 different configurations:
- a single landscape server in the DMZ for firewall restricted environments, or
- a stacked configuration for air gapped network
Landscape server in DMZ
In this first scenario, the Landscape server will be deployed in your network DMZ, where it will connect to Canonical in order to fetch the required packages and then push them to the servers based on your specified deployment plan.
While this scenario does not strictly classify as air gapped it is a good reference architecture to use in all environments that require stricter security measures.
Landscape in air gapped network
In air gap networks, Landscape will not be allowed to have direct Internet access. In this case, Landscape can also be configured to run in the following stacked configuration:
In this configuration, the DMZ Landscape will not directly connect to any server, rather it will hold a mirror of the required FIPS packages. The air gapped Landscape server can then be configured to mirror those packages and distribute them based on the FIPS and upgrade profiles for each group of machines.
You can find more information about Landscape in the product documentation.
Distributing FIPS packages with your existing tools
While Landscape offers a seamless user experience for System Administrators, there are edge cases where installing Landscape is not possible for bureaucratic reasons.
Enabling FIPS on Ubuntu Pro is possible even if you are using alternative tools, as long as you are able to fetch the required packages and make them available to the servers that need to have FIPS enabled. UA Client provides a secure and auditable means to enable FIPS on your Ubuntu machines, on a machine by machine basis. Your tools can be configured to interact with the UA Client’s ua command, which produces machine-readable outputs through the –format json and –format yaml parameters.
Our field engineering team has successfully supported integration with many mirroring solutions like apt-mirror, as well as other commercial and proprietary software.
If you want to learn more about how to run Ubuntu FIPS in your air gap network or discuss how we can integrate Ubuntu Pro FIPS with your configuration management solutions do not hesitate to contact us.