FIPS Compliance in Firewall Analyzer
Federal Information Processing Standards (FIPS) compliance comprises a set of standards developed by the US government, aimed at ensuring the security of sensitive and non-sensitive government data in computer systems and networks. Compliance with these standards is mandatory for all US federal agencies and contractors that handle sensitive information. The primary goal is to ensure that federal agencies and private organizations working with the government implement secure cryptographic methods and Key Management Systems (KMS) to safeguard sensitive data.
The National Institute of Standards and Technology (NIST) recommends specific encryption and key generation techniques that a tool must adhere to for FIPS compliance. The modules conforming to FIPS 140-2 are recognized and widely used by Federal Agencies in both the US and Canada to protect sensitive information.
You can run Firewall Analyzer in FIPS compliant mode, aligning with the standards set by the US government. Enabling FIPS mode in Firewall Analyzer ensures that it becomes FIPS 140-2 compliant and operates using only FIPS approved algorithms.
Pre-requisites for FIPS Compliance:
To achieve FIPS compliance for your entire environment or organization, you need to meet the following criteria:
- Fresh installation: FIPS mode can only be enabled during a fresh installation setup. We strongly recommend enabling FIPS mode during the initial installation rather than upgrading Firewall Analyzer.
- FIPS Compliant OS: Install Firewall Analyzer on a device with a FIPS compliant operating system to ensure compatibility with FIPS requirements.
- SNMP v3 Credentials: As only SNMP v3 credentials are FIPS compliant, it's essential to change all SNMP credentials to SNMP v3.
- Mail Server Compatibility: Ensure that your User's Mail server version is compatible with TLSv1.2 or TLSv1.3, as these versions will be supported in FIPS mode.
- FIPS Compliant Authentication and Privacy Methods: All authentication and privacy methods used in the FIPS compliant environment should adhere to FIPS 140-2 standards.
How to Configure FIPS in Firewall Analyzer:
Enabling FIPS mode in Firewall Analyzer ensures that, only secure and FIPS compliant algorithms, which align with the security requirements outlined in the FIPS standards are utilized in cryptographic operations.
To enable FIPS Mode, follow these steps:
- Open command prompt in administrative mode, navigate to <opmanagerhome>/bin directory and run configureFIPSMode.bat or configureFIPSMode.sh file. After successful execution of the batch file, the trace 'FIPS configuration script executed successfully' will appear.
- Ensure that Firewall Analyzer's service is completely stopped before enabling FIPS mode.
- Remember that FIPS mode can only be enabled during a fresh installation, so it is recommended to fresh install the product to enable FIPS mode successfully.
- FIPS mode cannot be disabled once it has been enabled.
What will change after FIPS mode has been enabled?
- Enabling FIPS mode in Firewall Analyzer brings about several significant changes to enhance security and ensure compliance with FIPS guidelines:
- SNMP v3 communication becomes FIPS compliant.
- Weak ciphers used by CLI protocol is disabled, and only FIPS compliant protocols are utilized.
- REST API communication follows FIPS compliance when enabled.
- In case the RDP feature is not working for Windows 2016 and above after making Firewall Analyzer FIPS compliant, refer to the link provided for assistance.
- It is important to note that once FIPS mode is enabled, it cannot be disabled.
Communication with Third Party Integrations:
- HTTPS with only strong FIPS compliant ciphers will be used for communication with third party integrations.
Changes in Certificates:
- In FIPS mode, pfx file format and PKCS12 certificate type are restricted. Instead, the BCFKS keystore type is utilized in Firewall Analyzer's FIPS compliant version.
- Pre-configured SSL certificates will be converted to BCFKS format upon enabling FIPS mode. The SSL certificate in BCFKS format with '.keystore' extension can be imported via the UI to enable SSL.
- Data communication between various components, including central server and probe server, and application to database, will be secure and FIPS compliant.
- The Failover migration process and data transmission between the primary and secondary server will be encrypted following FIPS compliance guidelines.
- Communication with Mail server will adhere to FIPS compliance.
- Passwords and saved data will be automatically converted to FIPS compliant formats.
Limitations of FIPS Mode:
- RADIUS authentication is not FIPS compliant, therefore it will be removed upon enabling FIPS mode.
- MS SQL with Windows authentication is not supported in FIPS mode.
- MS SQL versions 2014 and below are not supported in FIPS mode due to the use of non-FIPS compliant algorithms in those versions.
By enabling FIPS mode, Firewall Analyzer ensures heightened security, compliance with industry standards, and protection against potential vulnerabilities that may arise from weak cryptographic protocols and algorithms. It provides a robust framework to safeguard data communication and integrations within the system while adhering to the strict FIPS guidelines.