You can check whether you are running in FIPS-CC mode by executing the CLI command "get system status" and looking at the "FIPS-CC mode" line in its output. The normal (default) mode of operation for any FortiGate is non-FIPS-CC mode. See screenshot.
Okay, now before we enable FIPS-CC mode, you need to understand the impact of this change. Here are some of its characteristics:
1: management access is only via SSH or HTTPS (the HTTP and Telnet allowaccess options are disabled)
2: all security policies are wiped (erased)
3: all address objects are removed
4: every admin password must be entered twice (confirmed) upon creation
5: weak ciphers and hashes are eliminated (mainly MD5 and DES)
6: DH group 15 becomes your default for IPsec VPN
7: strong crypto ciphers are used for the web interface
8: the lockout timer for failed logins is increased
9: the only way to disable FIPS-CC mode is to run the CLI command "execute factoryreset"
10: all new security policies are disabled upon creation and must be enabled explicitly within the policy
11: the hidden CLI command "fnsysctl" is removed
12: SSH v1 is not supported
13: you need a FIPS-certified image
14: you need a firewall model that is FIPS certified (obviously)
Okay, now you need to read up on FIPS. FIPS-CC mode is not something you take lightly; you don't just wake up one day and say "wow, I'm going to enable FIPS mode of operation on my firewall". You should be aware of the requirements for FIPS, the reasons you need it, and its gains and limitations.
http://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
Now, for FortiGate, you have a limited set of devices that are FIPS-CC image ready. These fall under the 4.3 family; the latest build number is 38XX.
So read the FIPS security policy notes before doing anything with FIPS.
Other firewall vendors that I'm aware of that are FIPS 140-certified:
Cisco (some ISR, ASA and some PIX)
Juniper (SRX)
Check Point (most models)
Palo Alto (most PA models)
Okay, one last thing to remember: just using a FIPS-CC model and firmware does not by itself give you a strong security posture. You still need to use good common sense: strong passwords, no password sharing, and deploy best current practices (BCPs).
Let's look at enabling FIPS-CC mode on a FortiGate 110C (FGT110C).
First, here's the original mode of operation after we installed the FIPS image:
Next we enable FIPS-CC and acknowledge the warning. The firewall will then reboot:
After the reboot the firewall runs a series of self-tests; you can confirm FIPS mode of operation after logging in and accepting the banner.
First, you can't use Telnet or HTTP (these management access modes are not secure).
Weaker IPsec VPN algorithms are not available (MD5 and DES, for example).
All interfaces are brought up in an administratively down state.
All firewall policies are removed. Any new firewall policies are also automatically in an admin-down (disabled) state.
The list goes on, but these are some of the main characteristics when operating in FIPS-CC mode.
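The two checks this post leans on (reading the FIPS-CC mode from "get system status", and confirming after the switch that no interface still allows HTTP or Telnet management) can be scripted against saved copies of the CLI output. The POSIX shell script below is an added example, not code from the original post or from Fortinet: the "get system status" and "show system interface" samples are constructed for illustration, and the enable sequence `config system fips-cc` / `set status enable` / `end` is assumed from Fortinet's FIPS-CC documentation for this firmware family, so verify it against your own firmware's technote before using it on a live unit.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks against saved
# FortiGate CLI output. All sample outputs below are constructed for
# illustration and modelled on the "get system status" and
# "show system interface" formats.

# Constructed sample: "get system status" before FIPS-CC is enabled.
SAMPLE_STATUS_BEFORE='Version: Fortigate-110C (constructed sample)
Serial-Number: FGT110C000000000
FIPS-CC mode: disable
Operation Mode: NAT'

# Constructed sample: the same command after enabling FIPS-CC and rebooting.
SAMPLE_STATUS_AFTER='Version: Fortigate-110C (constructed sample)
Serial-Number: FGT110C000000000
FIPS-CC mode: enable
Operation Mode: NAT'

# Constructed sample: "show system interface" where one interface still
# has http and telnet in its allowaccess list.
SAMPLE_IFACES='config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end'

# fips_mode STATUS_TEXT: prints "enable", "disable", or "unknown" (no line).
fips_mode() {
  printf '%s\n' "$1" | awk -F': *' '
    /^FIPS-CC mode:/ { print $2; found = 1 }
    END { if (!found) print "unknown" }'
}

# insecure_mgmt INTERFACE_CONFIG: prints one "name: proto ..." line per
# interface that still allows http or telnet management, sorted by name.
# Exit status 0 means clean, 1 means at least one interface is insecure.
insecure_mgmt() {
  found=$(printf '%s\n' "$1" | awk '
    /^[ \t]*edit "/ { name = $2; gsub(/"/, "", name) }
    /^[ \t]*set allowaccess/ {
      for (i = 3; i <= NF; i++)
        if ($i == "http" || $i == "telnet") bad[name] = bad[name] " " $i
    }
    END { for (n in bad) print n ":" bad[n] }' | sort)
  [ -n "$found" ] && printf '%s\n' "$found"
  [ -z "$found" ]
}

# fips_enable_cmds: the assumed FortiOS CLI sequence that turns FIPS-CC on.
# Remember this reboots the unit and wipes policies and address objects;
# check the sequence against your firmware's FIPS-CC technote first.
fips_enable_cmds() {
  printf '%s\n' 'config system fips-cc' 'set status enable' 'end'
}

echo "Before: FIPS-CC mode = $(fips_mode "$SAMPLE_STATUS_BEFORE")"
echo "After:  FIPS-CC mode = $(fips_mode "$SAMPLE_STATUS_AFTER")"
if insecure_mgmt "$SAMPLE_IFACES"; then
  echo "No interface allows http/telnet management"
else
  echo "Interfaces still allowing http/telnet management are listed above"
fi
```

In practice you would feed `fips_mode` and `insecure_mgmt` the captured output of the real commands (for example from an SSH session log) rather than the constructed samples; the parsing is the same. Because FIPS-CC mode is supposed to strip HTTP and Telnet from allowaccess on its own, a non-empty result from `insecure_mgmt` after the reboot is a sign that something did not apply as expected and is worth investigating before you trust the box.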
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \