FIPS (Federal Information Processing Standards) are standards created by the US government that aim to enhance the security posture of organizations by establishing guidelines and best practices for securing data, employing strong cryptographic methods, and implementing robust key management systems (KMS).
FIPS compliance is mandatory for all US federal agencies and contractors that handle sensitive information, as it helps prevent potential security vulnerabilities and protects against cyber threats.
Note: Endpoint Central's FIPS compliance is self-declared, meaning that we use FIPS-validated packages and employ FIPS-approved algorithms to implement the required security measures and safeguards in accordance with the Federal Information Processing Standards.
Important: Enable FIPS compliance only if you are required to do so for your organization.
Is Endpoint Central FIPS compliant?
You can now enable FIPS compliance in Endpoint Central, adhering to the standards set by the US government.
After enabling FIPS compliance, Endpoint Central will become FIPS 140-2 compliant and will only run FIPS-validated algorithms.
What modifications occur when you enable FIPS compliance in Endpoint Central?
After enabling FIPS compliance in Endpoint Central, the following changes will occur:
When FIPS compliance is enabled, all internal communications within Endpoint Central must utilize the HTTPS protocol. This means that HTTP communications will no longer be allowed. By enforcing HTTPS, Endpoint Central ensures that data exchanges occur over a secure and encrypted channel, enhancing overall system security.
To comply with FIPS regulations, all checksum validation algorithms within Endpoint Central must meet FIPS compliance standards. Consequently, the MD5 hashing algorithm, which is not FIPS compliant, will be restricted from use within the product. This ensures that the checksum validation process adheres to FIPS standards, bolstering the integrity and security of data operations.
When FIPS compliance is enabled, both the server and the agent machines in the network must support TLSv1.2 or above. This ensures secure and uninterrupted communication between the agent and server. Older versions of TLS will not be supported, as only TLSv1.2 and above provide the security required for agent-server communication. For additional information regarding the ciphers used when FIPS compliance is enabled, please refer to this page.
When FIPS compliance is enabled, Endpoint Central does not support the use of PFX format certificates. To ensure FIPS compliance, alternative certificate formats compatible with the security guidelines specified in the FIPS standards should be used. This restriction guarantees that certificate operations align with the required security protocols.
Prerequisites:
For your whole environment/organization to be FIPS compliant, the following criteria should be met.
Note: You must be running Endpoint Central version 11.2.2338.01 or above for FIPS compliance. None of these prerequisites are required if you are running a fresh instance of Endpoint Central. You may proceed to the steps to enable FIPS compliance.
In order to achieve FIPS compliance, all domains within Endpoint Central must be configured using LDAP SSL. Plain (non-SSL) LDAP connections will not be allowed. Consequently, if a user has already added an Active Directory (AD) domain over plain LDAP, it cannot be used for any functionality within the FIPS compliant environment. To modify the existing domains in Endpoint Central, navigate to Admin -> Scope of Management -> Domain.
To align with FIPS compliance standards, all integrations in Endpoint Central must communicate over HTTPS. If any integrations were previously configured over HTTP, the connections must be re-established using HTTPS. This ensures secure and encrypted communication between Endpoint Central and integrated systems.
In the FIPS compliant setup, Windows authentication must be disabled specifically for the ChangeDB server. Only SQL authentication is allowed. This ensures that authentication processes within the database adhere to the required FIPS compliance standards.
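The following pre-flight checker is an added example (not Endpoint Central's own code or settings format) that turns the modifications listed above and the prerequisites in this section into automated checks. It assumes a settings dictionary with the keys shown in SAMPLE_SETTINGS, which is constructed here to fail every check once.

```python
# Added pre-flight checker for the FIPS changes and prerequisites on this page.
# Assumption: settings live in a dict with the keys used in SAMPLE_SETTINGS
# (a hypothetical layout, not Endpoint Central's own configuration format).
import hashlib
import ssl
from urllib.parse import urlparse

# Constructed sample settings; each entry violates one requirement from the page.
SAMPLE_SETTINGS = {
    "domains": {"corp.example": "ldap://dc1.corp.example:389",    # plain LDAP: not allowed
                "lab.example": "ldaps://dc1.lab.example:636"},    # LDAP SSL: allowed
    "integrations": {"ticketing": "http://helpdesk.example/api"}, # HTTP: must be re-added over HTTPS
    "server_certificate": "C:\\certs\\server.pfx",                 # PFX: unsupported under FIPS
    "changedb_auth": "windows",                                    # ChangeDB must use SQL authentication
    "checksum_algorithm": "md5",                                   # MD5 is restricted
}

def fips_preflight(settings):
    """Return a list of findings; an empty list means every listed requirement is met."""
    findings = []
    for name, url in settings.get("domains", {}).items():
        if urlparse(url).scheme.lower() != "ldaps":
            findings.append(f"domain {name}: must use LDAP SSL (ldaps://), got {url}")
    for name, url in settings.get("integrations", {}).items():
        if urlparse(url).scheme.lower() != "https":
            findings.append(f"integration {name}: must use HTTPS, got {url}")
    if settings.get("server_certificate", "").lower().endswith(".pfx"):
        findings.append("server certificate: PFX format is not supported with FIPS enabled")
    if settings.get("changedb_auth", "").lower() != "sql":
        findings.append("ChangeDB: only SQL authentication is allowed")
    if settings.get("checksum_algorithm", "").lower() == "md5":
        findings.append("checksum: MD5 is restricted; use a FIPS-approved hash such as SHA-256")
    return findings

def fips_checksum(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest for checksum validation; refuses MD5 as the page requires."""
    if algorithm.lower() == "md5":
        raise ValueError("MD5 is not FIPS-approved for checksum validation")
    return hashlib.new(algorithm, data).hexdigest()

def agent_server_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, matching the agent-server requirement."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for finding in fips_preflight(SAMPLE_SETTINGS):
        print("FAIL:", finding)
```

Run against the constructed settings it reports five findings, one per requirement; against a clean settings dict it reports none.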
You can enable FIPS compliance by performing these steps:
If you encounter any issues or have questions related to FIPS compliance in Endpoint Central, contact our support team for assistance.
By enabling FIPS compliance in Endpoint Central, you're strengthening security measures but also accepting certain associated limitations. Here's what you should be aware of: