FIPS Management


This chapter contains the following sections:

- Overview
- Configuration Changes in FIPS Mode
- Switching the Appliance to FIPS Mode
- Encrypting Sensitive Data in FIPS Mode
- Checking FIPS Mode Compliance
- Managing Certificates and Keys
- Managing Keys for DKIM Signing and Verification

Overview

The Federal Information Processing Standard (FIPS) 140 is a publicly announced standard developed jointly by the United States and Canadian federal governments specifying requirements for cryptographic modules that are used by government agencies to protect sensitive but unclassified information.

The Cisco Email Security appliance uses the Cisco SSL Cryptographic Toolkit to achieve FIPS 140-2 Level 1 compliance. The Cisco SSL Cryptographic Toolkit is a GGSG-approved cryptography suite that includes Cisco SSL, which is an enhanced version of OpenSSL's FIPS support, and the FIPS-compliant Cisco Common Cryptography Module. The Cisco Common Cryptography Module is a software library that the Email Security appliance uses for FIPS-validated cryptographic algorithms for protocols such as SSH.

Configuration Changes in FIPS Mode

The Email Security appliance uses Cisco SSL and FIPS-compliant certificates for communication when the appliance is in FIPS mode. See Switching the Appliance to FIPS Mode for more information.

To be FIPS Level 1 compliant, the Email Security appliance makes the following changes to your configuration:

- SMTP receiving and delivery. Incoming and outgoing SMTP conversations over TLS between a public listener on the Email Security appliance and a remote host use TLS version 1.0, 1.1, or 1.2 and FIPS cipher suites. You can modify the cipher suites using sslconfig when in FIPS mode. TLS v1 is the only version of TLS supported in FIPS mode.
- Web interface. HTTPS sessions to the Email Security appliance's web interface use TLS version 1.0, 1.1, or 1.2 and FIPS cipher suites. This also includes HTTPS sessions to the Spam Quarantine and other IP interfaces. You can modify the cipher suites using sslconfig when in FIPS mode.
- Certificates. FIPS mode restricts the kinds of certificates used by the appliances. Certificates must use one of the following signature algorithms: SHA-224, SHA-256, SHA-384, and SHA-512, and RSA keys of the size 2048 bits. The appliance will not import certificates that do not use one of these algorithms. The appliance cannot be switched to FIPS mode if it has any non-compliant certificates in use; it displays an error message instead. See Managing Certificates and Keys for more information.
- DKIM signing and verification. RSA keys used for DKIM signatures and verification must be 2048 bits in length. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys in use; it displays an error message instead. When verifying a DKIM signature, the appliance returns a permanent failure if the signature does not use a FIPS-compliant key. See Managing Keys for DKIM Signing and Verification.
- LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5 is not FIPS-compliant.
- Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to FIPS management, read the FIPS Logs at the INFO level.
- Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster level.
- SSL Ciphers. Only the following SSL ciphers are supported in FIPS mode: AES256-SHA:AES128-SHA:DES-CBC3-SHA.

Switching the Appliance to FIPS Mode

Use the fipsconfig CLI command to switch the appliance over to FIPS mode.

Note: Only administrators can use this command. A reboot is required after switching the appliance from non-FIPS mode to FIPS mode.

Before You Begin

Make sure that the appliance does not have any objects that are not FIPS compliant, for example, a DKIM verification profile with a key size of 512 bits. To enable FIPS mode, you must modify all the non-FIPS-compliant objects to meet FIPS requirements. See Configuration Changes in FIPS Mode. For instructions to check if your appliance contains non-FIPS-compliant objects, see Checking FIPS Mode Compliance.

Procedure

    mail.example.com> fipsconfig

    FIPS mode is currently disabled.

    Choose the operation you want to perform:
    - SETUP - Configure FIPS mode.
    - FIPSCHECK - Check for FIPS mode compliance.
    []> setup

    To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.
    Are you sure you want to enable FIPS mode and reboot now? [N]> y

    Do you want to enable encryption of sensitive data in configuration file when FIPS mode is enabled? Changing the value will result in system reboot [N]> n

    Enter the number of seconds to wait before forcibly closing connections.
    [30]>

    System rebooting. Please wait while the queue is being closed...
    Closing CLI connection.
    Rebooting the system...

Encrypting Sensitive Data in FIPS Mode

Use the fipsconfig command to encrypt sensitive data, such as passwords and keys, in your appliance. If you enable this option, the following critical security parameters in your appliance are encrypted and stored:

- Certificate private keys
- RADIUS passwords
- LDAP bind passwords
- Local users' password hashes
- SNMP password
- DK/DKIM signing keys
- Outgoing SMTP authentication passwords
- PostX encryption keys
- PostX encryption proxy password
- FTP Push log subscriptions' passwords
- IPMI LAN password
- Updater server URLs

Note: No user, including administrators, can view the sensitive information in the configuration files. Swap space in your appliance is encrypted to prevent unauthorized access or forensic attacks if the physical security of the appliance is compromised.

Procedure

    mail.example.com> fipsconfig

    FIPS mode is currently enabled.

    Choose the operation you want to perform:
    - SETUP - Configure FIPS mode.
    - FIPSCHECK - Check for FIPS mode compliance.
    []> setup

    To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.
    Are you sure you want to disable FIPS mode and reboot now? [N]> n

    Do you want to enable encryption of sensitive data in configuration file when FIPS mode is enabled? Changing the value will result in system reboot [N]> y

    Enter the number of seconds to wait before forcibly closing connections.
    [30]>

    System rebooting. Please wait while the queue is being closed...
    Closing CLI connection.
    Rebooting the system...

Checking FIPS Mode Compliance

Use the fipsconfig command to check if your appliance contains any non-FIPS-compliant objects.

Procedure

    mail.example.com> fipsconfig

    FIPS mode is currently disabled.

    Choose the operation you want to perform:
    - SETUP - Configure FIPS mode.
    - FIPSCHECK - Check for FIPS mode compliance.
    []> fipscheck

    All objects in the current configuration are FIPS compliant.

    FIPS mode is currently disabled.

Managing Certificates and Keys

AsyncOS allows you to encrypt communications between the appliance and external machines by using a certificate and private key pair. You can upload an existing certificate and key pair, generate a self-signed certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate authority to obtain a public certificate. The certificate authority will return a trusted public certificate signed by a private key that you can then upload onto the appliance. When the appliance is in FIPS mode, you can continue to

The appliance's FIPS mode adds a number of restrictions to the certificates that the appliance uses in order for the appliance to be FIPS compliant. Certificates must use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. The appliance will not import certificates that do not use one of these algorithms. It also cannot be switched to FIPS mode if it has any non-compliant certificates in use on a listener; it displays an error message instead. A Non-FIPS status for a certificate will be displayed in both the CLI and the GUI when the appliance is in FIPS mode. When selecting a certificate to use for a feature, such as a listener or destination control, the appliance does not display non-compliant certificates as an option. See Working with Certificates for more information on using certificates on your appliance.

You can use FIPS-compliant certificates with any of the following services:

- SMTP receiving and delivery. Use the Network > Listeners page (or the listenerconfig -> edit -> certificate CLI command) to assign the certificate to any listeners that require encryption using TLS. You may want to only enable TLS on listeners facing the Internet (that is, public listeners), or you may want to enable encryption for all listeners, including internal systems (that is, private listeners).
- Destination controls. Use the Mail Policies > Destination Controls page (or the destconfig CLI command) to assign the certificate as a global setting for all outgoing TLS connections for email delivery.
- Interfaces. Use the Network > IP Interfaces page (or the interfaceconfig CLI command) to enable the certificate for HTTPS services on an interface, including the management interface.
- LDAP. Use the System Administration > LDAP page to assign the certificate for all LDAP traffic that requires TLS connections. The appliance can also use LDAP for external authentication of users.

Managing Keys for DKIM Signing and Verification

For an overview of how DomainKeys and DKIM work on the Email Security appliance, see Email Authentication.

Related Topics

- DKIM Signing
- DKIM Verification

DKIM Signing

When creating a DKIM signing key, you specify a key size. Email Security appliances in FIPS mode only support a 2048-bit key size. Larger key sizes are more secure; however, larger keys can have an impact on performance. The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys in use; it displays an error message instead.

FIPS-compliant signing keys are available for use in domain profiles and appear in the Signing Key list when creating or editing a domain profile using the Mail Policies > Domain Profiles page. Once you have associated a signing key with a domain profile, you can create a DNS text record which contains your public key. You do this via the Generate link in the DNS Text Record column in the domain profile listing (or via domainkeysconfig -> profiles -> dnstxt in the CLI).

DKIM Verification

The appliance requires a message to use a FIPS-compliant key in order to verify a DKIM signature. If the signature does not use a FIPS-compliant key, the appliance returns a permanent failure.
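Added example, not part of the Cisco documentation or of AsyncOS: a shell pre-check that applies the certificate rules from Configuration Changes in FIPS Mode and Managing Certificates and Keys (SHA-224/256/384/512 signature, 2048-bit RSA key) and the 2048-bit DKIM key rule from this section to exported PEM files, so non-compliant objects can be found before running fipsconfig. It assumes only the openssl CLI; the function names and the generated sample certificates and keys are constructed for illustration.

```shell
#!/bin/sh
# Offline pre-check mirroring the FIPS-mode rules stated on this page:
# certificates must be signed with SHA-224/256/384/512 and carry a 2048-bit
# RSA key, and DKIM signing keys must be 2048-bit RSA. Hypothetical helper,
# not part of AsyncOS; it needs only the openssl CLI and exported PEM files.

fips_cert_check() {   # usage: fips_cert_check cert.pem ; exit status 0 = compliant
  info=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "$1: unreadable"; return 2; }
  # relevant lines: "Signature Algorithm: sha256WithRSAEncryption" and "Public-Key: (2048 bit)"
  sig=$(printf '%s\n' "$info" | awk '/Signature Algorithm:/ {print $3; exit}')
  bits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
  case "$sig" in
    sha224WithRSAEncryption|sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
    *) echo "$1: NON-FIPS signature algorithm '$sig' (would not be imported)"; return 1 ;;
  esac
  [ "$bits" = 2048 ] || { echo "$1: NON-FIPS RSA key size ${bits:-unknown}"; return 1; }
  echo "$1: compliant ($sig, $bits-bit RSA)"
}

fips_dkim_key_check() {   # usage: fips_dkim_key_check key.pem ; exit status 0 = 2048-bit RSA
  bits=$(openssl rsa -in "$1" -noout -text 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
  [ "$bits" = 2048 ] || { echo "$1: NON-FIPS DKIM key size ${bits:-unknown}"; return 1; }
  echo "$1: compliant (2048-bit RSA DKIM key)"
}

# Constructed sample material: throwaway self-signed certs and keys in a temp dir.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -subj /CN=fips-ok \
  -keyout "$WORK/ok.key" -out "$WORK/ok.pem" 2>/dev/null
openssl req -x509 -newkey rsa:1024 -sha256 -nodes -days 1 -subj /CN=weak-key \
  -keyout "$WORK/weak.key" -out "$WORK/weak.pem" 2>/dev/null
openssl genrsa -out "$WORK/dkim-512.key" 512 2>/dev/null   # the page's 512-bit DKIM example

# Anything reported NON-FIPS must be replaced before fipsconfig > setup will succeed.
for c in "$WORK/ok.pem" "$WORK/weak.pem"; do fips_cert_check "$c" || true; done
for k in "$WORK/ok.key" "$WORK/dkim-512.key"; do fips_dkim_key_check "$k" || true; done
```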
