Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Massimiliano Gori
on 19 February 2023


Many US military, government or critical national infrastructure organisation workloads that require FIPS compliance are also required to be deployed in air gapped network to provide an extra layer of protection.

In order to reduce operational and security risks by automating hardening, patch management and compliance to security standards like CIS and DISA-STIG as well as the FIPS 140-2 certifications, we’ve developed Ubuntu Pro (formerly Ubuntu Advantage) for your private infrastructure and Ubuntu Pro for cloud. 

In this blog, we will look at what having a FIPS-compliant instance means and the different ways you have to enable that in your disconnected environment.

What does enabling FIPS mean?

FIPS 140 tackles the cryptography validation problem from the perspective of the U.S. regulator. By default, Ubuntu comes prepackaged with a series of cryptographic upstream components which do not conform to the stringent US requirements.

By choosing Ubuntu Pro and enabling the FIPS profile on Ubuntu the OS will install the following validated packages, which can then be consumed by your mission applications. In Ubuntu 20.04 these packages are:

  • Linux-image-fips Linux kernel crypto API
  • Libssl1.1 OpenSSL cryptographic backend (includes OpenSSH)
  • Libgcrypt20 library that contains the implementation of many cryptographic functions
  • Strongswan IPSec VPN implementation

The traditional approach to enabling FIPS is using Ubuntu Pro client native functionality, however, this requires that the servers are able to connect to Canonical. There are many scenarios where these firewall rules cannot be enabled or outbound connections are not permitted. In this case, we offer 2 deployment scenarios based on your environment architecture. 

Distributing FIPS packages with Landscape

Landscape is Canonical’s desktop and server management and monitoring tool. Landscape offers a comprehensive set of management functionalities including, but not limited to, repository management, package mirroring, profile-based automated patching, alerting, granular administrative profiles, and much more.

You should consider this deployment scenario when:

  • The risk of human error associated with manual configuration and management is unacceptable
  • You have a complex workflow that requires custom automation
  • You are considering a greenfield deployment of Ubuntu servers 

Landscape holds a mirror of all FIPS packages in the same way it holds a mirror of any other desired repository. The packages can then be pushed to individual servers

Depending on your security and networking requirements the Landscape server can be deployed in 2 different configurations:

  • a single landscape server in the DMZ for firewall restricted environments, or
  • a stacked configuration for air gapped network

Landscape server in DMZ

Single Landscape server in DMZ

In this first scenario, the Landscape server will be deployed in your network DMZ, where it will connect to Canonical in order to fetch the required packages and then push them to the servers based on your specified deployment plan.

While this scenario does not strictly classify as air gapped it is a good reference architecture to use in all environments that require stricter security measures.

Landscape in air gapped network

In air gap networks, Landscape will not be allowed to have direct Internet access. In this case, Landscape can also be configured to run in the following stacked configuration:

Stacked Landscape server configuration

In this configuration, the DMZ Landscape will not directly connect to any server, rather it will hold a mirror of the required FIPS packages. The air gapped Landscape server can then be configured to mirror those packages and distribute them based on the FIPS and upgrade profiles for each group of machines.

You can find more information about Landscape in the product documentation

Distributing FIPS packages with your existing tools

While Landscape offers a seamless user experience for System Administrators, there are edge cases where installing Landscape is not possible for bureaucratic reasons.

Enabling FIPS on Ubuntu Pro is possible even if you are using alternative tools, as long as you are able to fetch the required packages and make them available to the servers that need to have FIPS enabled. UA Client provides a secure and auditable means to enable FIPS on your Ubuntu machines, on a machine by machine basis. Your tools can be configured to interact with the UA Client’s ua command, which produces machine-readable outputs through the –format json and –format yaml parameters.

Our field engineering team has successfully supported integration with many mirroring solutions like apt-mirror, as well as other commercial and proprietary software.

If you want to learn more about how to run Ubuntu FIPS in your air gap network or discuss how we can integrate Ubuntu Pro FIPS with your configuration management solutions do not hesitate to contact us.

Contact us

Learn more about what we do around FIPS compliance here!

Related posts


Canonical
5 September 2023

도커(Docker) 컨테이너 보안: 우분투 프로(Ubuntu Pro)로 FIPS 지원 컨테이너 이해하기

FIPS Security

오늘날 급변하는 디지털 환경에서 강력한 도커 컨테이너 보안 조치의 중요성은 아무리 강조해도 지나치지 않습니다. 컨테이너화된 계층도 규정 준수 표준의 적용을 받기 때문에 보안 문제 및 규정 준수 요구 사항이 발생합니다. 도커 컨테이너 보안 조치는 경량의 어플라이언스 유형 컨테이너(각 캡슐화 코드 및 해당 종속성)를 위협 및 취약성으로부터 보호하는 것을 수반합니다. 민감한 개인 데이터를 처리하는 데 의존하는 ...


Henry Coggill
7 December 2023

Ubuntu 22.04 FIPS 140-3 modules available for preview

FIPS Article

Canonical has been working with our testing lab partner, atsec information security, to prepare the cryptographic modules in Ubuntu 22.04 LTS (Jammy Jellyfish) for certification with NIST under the new FIPS 140-3 standard. The modules passed all of atsec’s algorithm validation tests and are in the queue awaiting NIST’s approval. We can’t ...


Marina Khachatryan
2 November 2023

Meet the Canonical Federal and DOD team at Alamo Ace 2023

DISA STIG Article

Find us at the booth #54 or join a special joint session on November 14th at 2:15 PM. ...