Malcolm_Levy
Employee

FIPS mode operation and some manual configurations

The attached provides some information on FIPS mode, and commands that can be used when not in FIPS mode to achieve some of the same 

31-May-2022: I've updated according to the current status. For the new certificate we are waiting for the Validator approval. Hope to hear in a short time.

22-September-2022: Removed May document and replaced with August version following certificate award


Daniel_Kavan
Advisor

Hi Malcolm, RE: R80.10 and R80.20 soon to be R81.

How can I show a FISMA auditor that FIPS is enabled when a customer connects with TLS 1.2 to our SSLVPN? There is no mention of FIPS in the ES admin guide. Assuming the Windows OS and browser they are connecting from are using FIPS, that would be enforced by an ES policy.

On the CP VPN side, RE: site to site, Endpoint Security or SSLVPN (Network Extender), I haven't found a way to show that FIPS is enabled/disabled one way or the other. I do see the libraries and FIPS certification. Would FIPS have to be turned on on the gateway for it to be supported on the VPN?
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security... IOW, on the CP side how can we show proof FIPS is enabled, other than that Checkpoint is using a validated cryptographic module per: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules

Malcolm_Levy
Employee

1. It is only possible to see if FIPS mode is enabled on the GW.

2. The status of FIPS mode can be seen by:

ckp_regedit -p "software\\checkpoint\\SIC\\FIPS_140"

or

ckp_regedit -p "software\\checkpoint\\SIC" and looking for the fips registry entry.

3. Enabling FIPS mode does not change the cryptographic library (there is a single library on the GW) or the protocol implementation of SSL VPN (including TLS 1.2). It should be noted that FIPS does not validate protocols, only crypto algorithms (it does validate Key Derivation Functions, KDFs).

4. For configuring ciphers refer to sk126613: Cipher configuration tool for Security Gateways.
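
The two checks above (reading the FIPS_140 registry key, and confirming that only FIPS-approved algorithms are negotiated on the SSL VPN) can be scripted for an auditor. The script below is an added example and is not from the original post or from Check Point's own tooling. It assumes that ckp_regedit prints one "name = value" line per key with FIPS_140 = 1 meaning enabled (the thread does not show the exact output, so adjust the awk match to what your gateway prints), and its cipher check is a simplified denylist of algorithms that are never FIPS-approved rather than the full list of validated suites. When ckp_regedit is not on the PATH it falls back to a constructed sample dump so it can be run off-box.

```shell
#!/bin/sh
# Added example, not from the original thread or Check Point documentation.
# Two checks for an auditor-facing engineer on a Gaia gateway:
#   1. read the FIPS mode state from the SIC registry (via ckp_regedit, as the
#      accepted answer describes), and
#   2. flag TLS cipher-suite names that use non-FIPS-approved algorithms.
# ASSUMPTIONS (not confirmed by the thread): ckp_regedit prints one
# "name = value" line per key, with FIPS_140 = 1 meaning enabled; the cipher
# denylist below is a simplified set of never-approved algorithms.

# fips_state_from_dump DUMP_TEXT
# Prints "enabled", "disabled" or "absent" based on the FIPS_140 key.
fips_state_from_dump() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /fips_140/ {
            n = split($0, kv, "=")
            if (n >= 2) { v = kv[2]; gsub(/[ \t"\r]/, "", v); found = 1 }
        }
        END {
            if (!found)                                print "absent"
            else if (v == "1" || tolower(v) == "true") print "enabled"
            else                                       print "disabled"
        }'
}

# fips_state: query the live gateway when ckp_regedit exists, otherwise
# fall back to a constructed sample so the script runs off-box.
fips_state() {
    if command -v ckp_regedit >/dev/null 2>&1; then
        dump=$(ckp_regedit -p 'software\checkpoint\SIC' 2>/dev/null)
    else
        # Constructed sample dump (assumed format), not real gateway output.
        dump='[software\checkpoint\SIC]
ICAdir = /opt/CPshrd/conf
FIPS_140 = 1'
    fi
    fips_state_from_dump "$dump"
}

# cipher_is_fips_approved CIPHER_NAME
# Accepts OpenSSL-style (ECDHE-RSA-AES128-GCM-SHA256) or IANA-style
# (TLS_RSA_WITH_DES_CBC_SHA) names. Returns 1 when the suite contains an
# algorithm that is never FIPS-approved, 0 otherwise. 3DES (DES-CBC3 /
# 3DES_EDE) is deliberately left as approved-legacy; single DES is rejected.
cipher_is_fips_approved() {
    name=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    case "$name" in
        *RC4*|*RC2*|*MD5*|*NULL*|*EXP*|*CHACHA*|*CAMELLIA*|*SEED*|*IDEA*|*ADH*|*AECDH*|*ANON*)
            return 1 ;;
    esac
    case "$name" in
        *DES-CBC-SHA*|*_DES_CBC_*)
            return 1 ;;
    esac
    return 0
}

# list_unapproved CIPHER_LIST  (colon- or newline-separated suite names,
# e.g. pasted from the gateway's configured cipher string)
# Prints each suite that fails the check, one per line.
list_unapproved() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r c; do
        [ -n "$c" ] || continue
        cipher_is_fips_approved "$c" || printf '%s\n' "$c"
    done
}

# Stand-alone run: report the FIPS state and audit a constructed cipher list.
echo "FIPS mode: $(fips_state)"
echo "Non-approved suites in sample list:"
list_unapproved 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC-SHA:ECDHE-RSA-CHACHA20-POLY1305'
```

Feed list_unapproved the cipher string the gateway is actually configured with (after applying sk126613) and attach the output to the audit evidence alongside the registry check; an empty list means nothing in the configured set relies on a non-approved algorithm, which is the claim the auditor is asking you to substantiate.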

Daniel_Kavan
Advisor

Hi Malcolm,

After FIPS is enabled on the GW, on the client side, can both SSLVPN (logging into the portal) and the fat client (Endpoint Security/Harmony) be FIPS compliant? I'm fairly certain the fat Harmony client could also be configured with FIPS, as well as the web client (SSLVPN portal). It would just require the Windows PC on the client end to be FIPS compliant. Maybe nothing more needs to be done on the ES / Harmony client or the web (SSLVPN) client.

Daniel_Kavan
Advisor

From the above attached PDF, FIPS mode disables SSH, WebUI and the remote installation daemon cprid_d, and removes support for SSLv3 from SIC (i.e. only TLS is supported). When in FIPS mode, access to the fw, fwm and vpn command line utilities is removed. FIPS mode also disables AES-NI, CPRID, the QoS blade and the Monitoring blade.

How are you supposed to manage the gateway if you can't manage the GW with WebUI or SSH? How are you supposed to manage the VPN tunnel if it disables the vpn command and the Monitoring blade?

Malcolm_Levy
Employee

FIPS mode is restricted by design. This will be reviewed for our next FIPS certification, but be aware the FIPS certification process is very long.

Most customers prefer to run in a self-configured FIPS-like mode, which is the reason this document was written. I understand that the restrictions were originally implemented to prevent modification into a configuration that is not FIPS compliant. There is a conflict between the FIPS standard, which does not allow flaw remediation, and a security product that is under constant revision. Understandably, customers of security products need the ability to apply updates.
