Hi,
Is the Endpoint Security, SSLVPN (TLS 1.2) or IPSEC tunnel traffic (AES-256, SHA256, Group 2) considered FIPS 140-2 validated encryption? If it's not called FIPS 140-2 validated encryption, what is it called? Non-validated encryption/basic encryption/encryption? Our security auditors want to know.
side point: It would be nice to be able to print out crypto-maps like CISCO for VPN configs or something else that's graphical and sums up VPN encryption/access or both.
This is the official request:
Encryption configuration for remote access. If FIPS 140-2 validated encryption is being used please demonstrate the cryptographic module was configured in accordance with the CMVP security policy.
Are the auditors asking if Checkpoint is using a validated cryptographic module that needs to be listed here?: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
If so....Then as long as you are running R77.30 https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2995
There’s also the client side of this: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2788
I assume we are working on getting a more recent version of the modules certified but they aren’t substantially different from what’s in these releases.
FISMA auditors are here & they say
That CMVP cert says “When operated in FIPS mode” in the Caveat section. So there is a switch. Can you check it to find out its status?
Normally, there would be a way to initiate FIPS mode for FIPS capable products. If there is a way to initiate FIPS mode, is that being used?
-Show that the VPN is running in FIPS mode or using FIPS-validated cryptography for data in transit. I believe currently we only have a screenshot showing that TLS 1.2 and higher is being used.
-Show how a user’s VPN connection would be disconnected by an administrator.
RE:VPN only
RE: S2S, fat C2S and/or SSLVPN? Maybe you have to run the gw in FIPS mode as a pre-req to VPN, I'm not sure. After that, how do you set FIPS on for the TLS 1.2 connection to SSLVPN? I'm guessing there are 3 things involved: 1. Windows OS 2. browser 3. Network Extender
I have to assume that FIPS library is enabled by default in the browser when a user connects with TLS 1.2 to our sslvpn, but how can I show proof?
On the gateway, is there a way to show an auditor FIPS is on for VPN? I see here you can turn it ON in general for the gateway, with some serious limitations. https://community.checkpoint.com/t5/Security-Gateways/FIPS-mode-operation-and-some-manual-configurat....
Now, I'm being asked about FIPS 140-3-certified. I assume that will take a while, maybe R82. Does the current FIPS 140-2-certified include the SD-WAN blade? Or do the blades get grandfathered in?
Another year, here we go again...
1. Crypto module and CMVP utilized by the VPN.
2. Crypto modules and CMVPs that application instances utilize to communicate inside the cloud.
Cryptographic Module Validation Program | CSRC (nist.gov)
It looks like #4264 is the latest; still, we have FIPS mode disabled on our GW. I assume if FIPS is disabled none of the blades are using this.