Daniel_Kavan
Advisor

Check Point VPN encryption and FIPS 140-2

Hi,

Is the Endpoint Security, SSL VPN (TLS 1.2) or IPsec tunnel traffic (AES-256, SHA256, Group 2) considered FIPS 140-2 validated encryption? If it's not called FIPS 140-2 validated encryption, what is it called? Non-validated encryption/basic encryption/encryption? Our security auditors want to know.

Side point: it would be nice to be able to print out crypto maps like Cisco for VPN configs, or something else that's graphical and sums up VPN encryption/access or both.


This is the official request:

Encryption configuration for remote access. If FIPS 140-2 validated encryption is being used please demonstrate the cryptographic module was configured in accordance with the CMVP security policy.

4 Replies
Ryan_St__Germai
Collaborator

Are the auditors asking if Check Point is using a validated cryptographic module that needs to be listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules

If so, then as long as you are running R77.30: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2995

PhoneBoy
Admin

There’s also the client side of this: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2788
I assume we are working on getting a more recent version of the modules certified but they aren’t substantially different from what’s in these releases.

Daniel_Kavan
Advisor

FISMA auditors are here and they say:

That CMVP cert says "When operated in FIPS mode" in the Caveat section. So there is a switch. Can you check it to find out its status?

Normally, there would be a way to initiate FIPS mode for FIPS capable products. If there is a way to initiate FIPS mode, is that being used?

- Show that the VPN is running in FIPS mode or using FIPS-validated cryptography for data in transit. I believe currently we only have a screenshot showing that TLS 1.2 and higher is being used.

- Show how a user's VPN connection would be disconnected by an administrator.

Daniel_Kavan
Advisor

RE: VPN only

RE: S2S, fat C2S and/or SSL VPN? Maybe you have to run the gw in FIPS mode as a prerequisite to VPN, I'm not sure. After that, how do you set FIPS on for the TLS 1.2 connection to SSL VPN? I'm guessing there are 3 things involved: 1. Windows OS, 2. browser, 3. Network Extender.

I have to assume that the FIPS library is enabled by default in the browser when a user connects with TLS 1.2 to our SSL VPN, but how can I show proof?


On the gateway, is there a way to show an auditor FIPS is on for VPN? I see here you can turn it ON in general for the gateway, with some serious limitations: https://community.checkpoint.com/t5/Security-Gateways/FIPS-mode-operation-and-some-manual-configurat...


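A screening script, added here as an example and not Check Point code, that takes a negotiated TLS 1.2 cipher-suite name (for the SSL VPN / Network Extender side) or an IKE/IPsec proposal such as the AES-256 / SHA256 / Group 2 settings from the question, and reports which components fall outside an assumed FIPS allow-list. The allow-lists and the key-size thresholds are my reading of NIST SP 800-131A Rev 2 and SP 800-52 Rev 2 and are assumptions, as are the sample inputs; the authoritative list for an audit is the CMVP security policy of the validated module. This only screens the algorithms you configured or observed; it cannot prove the module itself is running in FIPS mode, which is what the certificate caveat asks for.

```python
"""Screen VPN cipher settings against an assumed FIPS allow-list.

Added example, not Check Point code. Allow-lists and thresholds are my
reading of NIST SP 800-131A Rev 2 / SP 800-52 Rev 2 (assumption); confirm
against the module's CMVP security policy before showing an auditor.
"""
from __future__ import annotations
import re

# --- assumed reference tables (constructed for this example) -----------------
APPROVED_TLS_KEX = {"RSA", "DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA",
                    "ECDH_RSA", "ECDH_ECDSA"}
APPROVED_TLS_ENCRYPTION = {"AES_128_GCM", "AES_256_GCM", "AES_128_CBC", "AES_256_CBC"}
APPROVED_TLS_HASH = {"SHA256", "SHA384"}
LEGACY_TLS_HASH = {"SHA"}          # IANA suffix "SHA" means HMAC-SHA-1

APPROVED_IPSEC_ENCRYPTION = {"AES-128", "AES-192", "AES-256", "AES-GCM-128", "AES-GCM-256"}
APPROVED_IPSEC_INTEGRITY = {"SHA256", "SHA384", "SHA512"}

# IKE Diffie-Hellman groups (RFC 2409, RFC 3526, RFC 5903): (family, size in bits)
DH_GROUPS = {1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
             14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
             19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521)}
MIN_MODP_BITS = 2048   # SP 800-131A r2: FFC key agreement with |p| < 2048 is disallowed
MIN_ECP_BITS = 224     # SP 800-131A r2: EC key agreement needs |n| >= 224

# IANA TLS 1.2 naming: TLS_<kex>_WITH_<encryption>_<hash>  (TLS 1.3 names have no WITH)
TLS_SUITE_RE = re.compile(r"TLS_(?P<kex>.+?)_WITH_(?P<enc>.+)_(?P<hash>[A-Z0-9]+)")


def check_tls_suite(suite: str) -> list[str]:
    """Return findings for one TLS 1.2 suite name; an empty list means every
    component is on the assumed allow-list. 'FAIL:' is outside the list,
    'NOTE:' is acceptable but worth mentioning to the auditor."""
    m = TLS_SUITE_RE.fullmatch(suite.strip())
    if not m:
        return [f"FAIL: unrecognised TLS 1.2 suite name: {suite}"]
    kex, enc, hsh = m.group("kex"), m.group("enc"), m.group("hash")
    findings = []
    if kex not in APPROVED_TLS_KEX:
        findings.append(f"FAIL: key exchange/authentication {kex} not on allow-list")
    if enc not in APPROVED_TLS_ENCRYPTION:
        findings.append(f"FAIL: encryption {enc} not FIPS-approved")
    if hsh in LEGACY_TLS_HASH:
        findings.append("NOTE: HMAC-SHA-1 suite; allowed by SP 800-52r2 but prefer SHA-2 suites")
    elif hsh not in APPROVED_TLS_HASH:
        findings.append(f"FAIL: hash {hsh} not FIPS-approved")
    return findings


def check_ipsec_proposal(encryption: str, integrity: str, dh_group: int) -> list[str]:
    """Return findings for an IKE/IPsec proposal (encryption, integrity, DH group)."""
    findings = []
    if encryption.upper() not in APPROVED_IPSEC_ENCRYPTION:
        findings.append(f"FAIL: encryption {encryption} not FIPS-approved")
    integ = integrity.upper().replace("-", "")
    if integ == "SHA1":
        findings.append("NOTE: HMAC-SHA-1 integrity; acceptable but prefer SHA-2")
    elif integ not in APPROVED_IPSEC_INTEGRITY:
        findings.append(f"FAIL: integrity {integrity} not FIPS-approved")
    group = DH_GROUPS.get(dh_group)
    if group is None:
        findings.append(f"FAIL: unknown DH group {dh_group}")
    else:
        family, bits = group
        if family == "MODP" and bits < MIN_MODP_BITS:
            findings.append(f"FAIL: DH group {dh_group} is {bits}-bit MODP; "
                            f"SP 800-131A Rev 2 requires >= {MIN_MODP_BITS}-bit for key agreement")
        elif family == "ECP" and bits < MIN_ECP_BITS:
            findings.append(f"FAIL: DH group {dh_group} curve too small ({bits} bits)")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: what a client might negotiate with the SSL VPN,
    # plus the site-to-site proposal quoted in the question.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"):
        print(suite, "->", check_tls_suite(suite) or ["OK"])
    for proposal in (("AES-256", "SHA256", 2), ("AES-256", "SHA256", 14)):
        print(proposal, "->", check_ipsec_proposal(*proposal) or ["OK"])
```

To use it on real settings, paste the suite name reported by the client or by a TLS scan of the SSL VPN portal into `check_tls_suite`, and the gateway's IKE proposal into `check_ipsec_proposal`; a clean result is evidence about algorithm selection only, and the module's FIPS mode status still has to be demonstrated separately.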