gto_gary
Participant

FIPS and Hotfix Installation

Hi All, 

I have a need to enable FIPS mode on a number of our 81.20 take 120 appliances to meet some compliance requirements. I am working in a virtual lab environment to test this out. I do understand that ssh, https (web interface), and cprid are unavailable in R81.20 when running in FIPS mode. However I was under the impression after reading:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disable-FIPS-for-HotFix-install...

and other similar posts that after enabling FIPS I would no longer be able to install a jumbo hotfix on the gateways. However in my lab I have found that I can indeed install take 127 after enabling FIPS mode.

To install, I enabled ssh on the gateway so I could manually copy the offline package to the gateway. Then I used CPUSE to import and install the hotfix with no issues that I can see.

I used the following commands to enable FIPS as listed in (pg30):

chkconfig --add jitterentropy_rngd_init
chkconfig --level 2345 jitterentropy_rngd_init on
fips on

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security...

Should this have been possible in FIPS mode? Or perhaps I did not enable it properly? 

I need to understand what to expect in our production environments when it comes time to install jumbos.

I appreciate any clarity you can help provide! 

6 Replies
Chris_Atkinson
MVP Platinum CHKP

Not to oversimplify it but in ways FIPS by nature conflicts with the need to regularly update security products...

@Malcolm_Levy Touches on this topic here:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-ma...

CCSM R77/R80/ELITE
Malcolm_Levy
Employee

The FIPS 140-2 implementation is distributed amongst the libraries identified in the FIPS Security Policy.

In the 140-3 implementation the security-relevant code will just be an updated jitter and CPOpenSSL library.

Further, the FIPS mode will be based on the OpenSSL FIPS provider rather than the legacy code.

The code will be fully integrated as of R82.20.

The code will also be in a branch of R82.10 that will be used by FedRAMP.

With the new code the existing restrictions will be removed, but I cannot tell you the support that will be provided for the R82.10 branch.

gto_gary
Participant

Hi,

Thank you for your reply! 

For my immediate requirements I need to know what the restriction is on applying a Jumbo Hotfix on a FIPS-enabled gateway. Is the method I used to install a hotfix on a FIPS gateway supported?

Thank you!  

Malcolm_Levy
Employee

Gary,

If you find your method works I will not contradict. As certifications are for a point release, and FIPS 140-2 does not support updates, your question is outside the scope of the certification work and therefore not considered when we certify. However, we have certified multiple versions on the same FIPS 140-2 certificate to provide an upgrade path.

I would recommend making a fresh installation, preferably of R82 as the latest that is certified, take the latest JHF and after configuration enable FIPS mode. As data is stored on the Management Server I don't even think that a backup of the data should be required.

gto_gary
Participant

Thank you Malcolm!

So while the method may work, FIPS 140-2 does not support updates. So the best method when it comes time for a new jumbo is a clean install, install the latest jumbo, and Enable FIPS. 

I really appreciate the assistance! 

Malcolm_Levy
Employee

Gary,

It is always safer to tread a standard well trodden path than to hoe your own! So yes, that is my recommendation. 

Malcolm 
