Monday, September 1, 2014

Hardening your FortiGate firewall by operating in a FIPS-certified mode

The FortiGate firewall has held FIPS certifications for a long time. The FGT50B was one of the first units to gain this certification, iirc.

You can check whether you are running in FIPS-CC mode by executing the CLI command "get system status". The normal mode of operation for any FortiGate is non-FIPS-CC mode. See screenshot.


Okay, now before we enable FIPS-CC mode you need to know the impact of this change. Here are some of its characteristics:

1: the firewall is only accessible via SSH or HTTPS (the HTTP and Telnet allowaccess modes are disabled)
2: all security policies are wiped (erased)
3: all addresses are removed
4: all admin passwords must be confirmed twice upon creation
5: weak ciphers and hashes are eliminated (mainly MD5 and DES)
6: DH group 15 becomes your default for IPsec VPN
7: strong crypto ciphers are supported for the web interface
8: the lock-out timer is increased for failed logins
9: the only way to disable FIPS mode is by executing the CLI command "execute factoryreset"
10: all security policies are disabled upon creation and must be enabled directly within the policy
11: the hidden CLI "fnsysctl" command is removed
12: SSH v1 is not supported
13: you will need a FIPS-certified image
14: you need a firewall model that's FIPS certified (obviously)


Okay now, you need to read up on FIPS. FIPS-CC mode is not something you take lightly; you don't just wake up one day and say "wow, I'm going to enable FIPS mode of operation on my firewall". You should be aware of the requirements and needs for FIPS, and of its gains and limitations.

http://en.wikipedia.org/wiki/Federal_Information_Processing_Standards


Now for FortiGate, you have a limited set of devices that are FIPS-CC image ready. These fall under the 4.3 family. The latest build is # 38XX.





So read the security policy notes before doing anything with FIPS.


Other firewall vendors that I'm aware of that are FIPS 140-certified:

Cisco (some ISR, ASA and some PIX)
Juniper (SRX)
Check Point (most models)
Palo Alto (most PA models)

Okay, one last thing to remember: just using a FIPS-CC model and firmware does not mean you can relax your security posture. You still need to use good common sense: strong passwords, don't share passwords, and deploy BCPs (best current practices).

Let's look at an upgrade for a FGT110C.

First, here's the original mode of operation after we installed our FIPS image:





Next we must enable FIPS and acknowledge the warning. The firewall will also reboot:


After the reboot the firewall runs a series of self-tests; you can confirm the FIPS mode of operation after logging in and accepting the banner.




Now let's look at a few of the advanced security features.

First, you can't use Telnet or HTTP (these management access modes are not secure).



Weaker IPsec VPN algorithms are not available (MD5 and DES, for example).


All interfaces are plumbed in a down state.

All firewall policies are removed. Any new firewall policies are also automatically in an admin-down state.

The list goes on, but these are some of the main features when operating in FIPS-CC mode.
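As an added example (not from this post and not Fortinet tooling), here is a small Python audit that checks a saved "show full-configuration" dump together with the "get system status" output against several of the FIPS-CC characteristics from the list at the top of the post and the features just shown: the "FIPS-CC mode:" status line, HTTP/Telnet in allowaccess, DES/MD5 in IPsec phase1 proposals, and DH group 15 as the phase1 default. The config and status text are constructed for illustration (the hostname, interface names, VPN name and values are invented); the keywords allowaccess, proposal and dhgrp follow the FortiOS 4.x CLI. The "before" dump is the freshly imaged non-FIPS box, the "after" dump is the same box with management and VPN re-added under FIPS-CC.

```python
import re

# Added example; not from the post and not Fortinet tooling. Audits a saved
# FortiOS 4.x "show full-configuration" dump plus "get system status" output
# against the FIPS-CC characteristics described in the post.
INSECURE_ACCESS = {"http", "telnet"}   # allowaccess modes FIPS-CC disables
WEAK_IPSEC = {"des", "md5"}            # algorithms FIPS-CC removes (3des stays)
FIPS_DHGRP = "15"                      # default DH group under FIPS-CC

# Constructed sample status/config for a freshly imaged, non-FIPS FGT
# (hostname, names and values are invented for illustration).
STATUS_NONFIPS = "Hostname: fgt110c-lab\nFIPS-CC mode: disable\n"
CONFIG_NONFIPS = """\
config system interface
    edit "wan1"
        set vdom "root"
        set allowaccess ping https ssh http telnet
        set status up
    next
    edit "internal"
        set vdom "root"
        set allowaccess ping https ssh
        set status up
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set proposal des-md5 aes128-sha1
        set dhgrp 2
    next
end
"""
# The same box after FIPS-CC mode is enabled and management/VPN are re-added.
STATUS_FIPS = "Hostname: fgt110c-lab\nFIPS-CC mode: enable\n"
CONFIG_FIPS = (CONFIG_NONFIPS
               .replace("ping https ssh http telnet", "https ssh")
               .replace("des-md5 aes128-sha1", "aes256-sha256")
               .replace("set dhgrp 2", "set dhgrp 15"))


def parse_config(text):
    """Parse 'config X / edit Y / set k v... / next / end' into
    {section: {entry: {key: [values]}}}. Nested sub-tables inside an
    entry are skipped; that is enough for the tables audited here."""
    sections, stack, section, entry = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                section = sections.setdefault(stack[0], {})
        elif line == "end":
            stack.pop()
            if not stack:
                section = entry = None
        elif len(stack) != 1:
            continue                      # inside a nested sub-table: ignore
        elif line.startswith("edit "):
            entry = section.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, values = line[len("set "):].partition(" ")
            entry[key] = [v.strip('"') for v in values.split()]
        elif line == "next":
            entry = None
    return sections


def fips_mode_enabled(status_text):
    """True if 'get system status' reports 'FIPS-CC mode: enable'."""
    m = re.search(r"^FIPS-CC mode:\s*(\w+)", status_text, re.M)
    return bool(m) and m.group(1).lower() == "enable"


def audit(config_text, status_text):
    """Return a list of findings; an empty list means the dump matches
    the FIPS-CC characteristics this script checks."""
    cfg = parse_config(config_text)
    findings = []
    if not fips_mode_enabled(status_text):
        findings.append("system: FIPS-CC mode is not enabled")
    for name, iface in cfg.get("system interface", {}).items():
        bad = INSECURE_ACCESS & set(iface.get("allowaccess", []))
        if bad:
            findings.append(f"interface {name}: insecure allowaccess {sorted(bad)}")
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        for proposal in p1.get("proposal", []):      # e.g. "des-md5"
            weak = WEAK_IPSEC & set(proposal.split("-"))
            if weak:
                findings.append(f"phase1 {name}: weak proposal {proposal}")
        dh = p1.get("dhgrp", [])
        if dh != [FIPS_DHGRP]:
            findings.append(f"phase1 {name}: dhgrp {' '.join(dh) or 'unset'}, "
                            f"FIPS-CC default is {FIPS_DHGRP}")
    return findings


if __name__ == "__main__":
    for label, cfg, status in (("before", CONFIG_NONFIPS, STATUS_NONFIPS),
                               ("after", CONFIG_FIPS, STATUS_FIPS)):
        result = audit(cfg, status)
        print(f"[{label}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

On the constructed "before" dump the audit reports four findings (FIPS-CC mode disabled, HTTP/Telnet on wan1, the des-md5 proposal, and DH group 2); the "after" dump reports none. The script only inspects what the post lists; it does not replace reading the FIPS security policy for your model, and 3DES is deliberately not flagged because only DES and MD5 are named as removed.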



Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \
