McAfee Firewall Enterprise 8.2.1




Configuration Guide
FIPS 140-2
Revision A
McAfee Firewall Enterprise 8.2.1

The McAfee Firewall Enterprise FIPS 140-2 Configuration Guide, version 8.2.1, provides instructions for setting up McAfee Firewall Enterprise (Firewall Enterprise) to comply with Federal Information Processing Standard (FIPS) 140-2.

Introduction

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.

About FIPS 140-2

The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). Validated products that conform to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and to provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.

Firewall Enterprise models have been validated as a cryptographic module at the platform level. The McAfee Firewall Enterprise Cryptographic Module provides FIPS 140-2 compliant cryptographic services on McAfee Firewall Enterprise version 8.2.1. These services include:

- Symmetric key encryption and decryption
- Public key cryptography
- Hashing
- Random number generation

FIPS 140-2 and McAfee Firewall Enterprise platforms

The FIPS 140-2 standard provides various increasing levels of security. These Firewall Enterprise platforms are validated to Level 1 for version 8.2.1:

- Virtual Appliance
- Crossbeam X-Series Platform

Firewall Enterprise version 8.2.1 hardware appliances are not validated for FIPS 140-2. If you are running version 8.2.1 on a hardware platform, you must roll back or re-image to version 8.2.0. For more information, refer to the McAfee Firewall Product Guide, version 8.2.0, and the McAfee Firewall Enterprise FIPS 140-2 Configuration Guide, version 8.2.0.

Making Firewall Enterprise FIPS 140-2 compliant

FIPS 140-2 validated mode (FIPS mode) is a separate operational state for McAfee Firewall Enterprise. Configuration changes are necessary to put your firewall in FIPS mode and make it compliant with FIPS 140-2 requirements. This guide provides instructions to:

- Install version 8.2.1.
- [Control Center managed firewalls only] Remove firewalls from Control Center management.
- Enable FIPS 140-2 processing.
- [Control Center managed firewalls only] Update and verify configurations.
- [Control Center managed firewalls only] Add and re-register managed firewalls.

See also:
- Install version 8.2.1
- Remove firewalls from Control Center management
- Enable FIPS 140-2 processing
- Updating and verifying configurations
- Add and re-register managed firewalls

Install version 8.2.1

The Firewall Enterprise installation depends on the type of firewall and the version running on the appliance.

Before you begin
To be FIPS 140-2 compliant, your Firewall Enterprise must be running version 8.2.1 when you enable FIPS 140-2 processing and update your firewall configuration.

Crossbeam X-Series Platform
- Upgrade to 8.2.1: See the McAfee Firewall Enterprise Release Notes, version 8.2.1, "Upgrade a firewall on a Crossbeam X-Series Platform."
- Install version 8.2.1: See the McAfee Firewall Enterprise on Crossbeam X-Series Platforms Installation Guide, version 8.2.1.

Virtual Appliance

- Install version 8.2.0 and upgrade to 8.2.1.
  1 Perform a new installation of Firewall Enterprise version 8.2.0. See the McAfee Firewall Enterprise, Virtual Appliance Installation Guide, version 8.x.
  2 Download, validate, and install the 8.2.1 package. See the McAfee Firewall Enterprise Release Notes, version 8.2.1.
- Upgrade from Firewall Enterprise version 7.0.1.03 to version 8.2.1. See the McAfee Firewall Enterprise Version 7.0.1.03 to 8.2.1 Migration Guide and the McAfee Firewall Enterprise Release Notes, version 8.2.1.

Setting up FIPS 140-2 processing

Remove and unregister firewalls managed by McAfee Firewall Enterprise Control Center (Control Center), enable FIPS 140-2 processing, then add and re-register the managed firewalls.

Remove firewalls from Control Center management

[Firewalls managed by Control Center only] Before you enable FIPS 140-2 processing, unregister and remove managed firewalls from Control Center.

[Crossbeam X-Series Platforms only] Firewalls on Crossbeam X-Series Platforms must be removed from Control Center. Use the Admin Console only to configure the firewall for FIPS mode; do not make configurations outside those specified in this document. After configuring the firewall for FIPS mode, you must re-register the firewall to Control Center, and use Control Center for further firewall management.

Virtual appliances must also be removed from Control Center. Additional configuration unrelated to FIPS mode can be done through the Admin Console before re-registering to Control Center.

Tasks
- Remove the firewall: To enable FIPS 140-2, you must remove a managed firewall from Control Center.
- Unregister the firewall: To enable FIPS 140-2, you must unregister the firewall from Control Center.

Remove the firewall

To enable FIPS 140-2, you must remove a managed firewall from Control Center.

1 In the Control Center Client application, select Policy.
2 Expand the node for the type of firewall you are configuring.
3 Right-click the specific firewall, then select Remove Object(s).
4 Click Confirm.
The firewall is removed from Control Center.

Unregister the firewall

To enable FIPS 140-2, you must unregister the firewall from Control Center.

1 In the Firewall Enterprise Admin Console, select Maintenance > Control Center Registration.
2 Click Unregister from the Control Center now.
The firewall is unregistered from Control Center.

Enable FIPS 140-2 processing

Enable FIPS 140-2 processing on a Firewall Enterprise using either the Admin Console or the command line. The firewall must be restarted to activate the change.

See the McAfee Firewall Enterprise Control Center FIPS 140-2 Configuration Guide for more information about configuring FIPS 140-2 on managed firewalls.

Tasks
- Use the Admin Console: Enable FIPS 140-2 processing on a firewall using the Admin Console.
- Use the command line: Enable FIPS 140-2 processing on a firewall using the command line.

Use the Admin Console

Enable FIPS 140-2 processing on a firewall using the Admin Console.

1 Select Maintenance > FIPS. The FIPS checkbox appears in the right pane.
2 Select Enable FIPS 140-2 processing.
3 Save the configuration change.
4 A message appears stating that you must reboot Firewall Enterprise in order for changes to take effect. Click Reboot Now.

Use the command line

Enable FIPS 140-2 processing on a firewall using the command line.

1 Enter the following command:
  cf fips set enabled=1
  See the cf_fips man page for more information.
2 After the command completes, restart the firewall to activate the configuration change:
  shutdown -r now

Troubleshooting FIPS 140-2 setup

If FIPS 140-2 processing is successfully enabled, an audit message is generated after the firewall is restarted. Here is an example of this audit:

Dec 5 16:31:42 2012 EST f_system a_general_area t_cfg_change p_major pid: 1599 ruid: 0 euid: 0 pgid: 1599 logid: 100 cmd: 'AdminConsole' domain: CARW edomain: CARW hostname: electra.example.net event: config modify user_name: a config_area: settings config_item: fips information: Changed FIPS: enabled=1

If there are problems that prevent the cryptographic module from enabling FIPS 140-2 processing, they are also audited.
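Because the audit record above is the only positive confirmation that FIPS mode took effect, it is worth parsing it rather than eyeballing it. The following is an added example, not McAfee code: it splits a Firewall Enterprise audit record into its fixed header and its lowercase "key: value" fields, then reports every FIPS configuration change together with the host and administrator involved. It assumes only the layout visible in the sample record; the first sample below reproduces the guide's audit verbatim, the other two are constructed (an unrelated NTP change that must be ignored, and a FIPS disable event that a monitoring team would want to alert on).

```python
"""Parse McAfee Firewall Enterprise audit records and flag FIPS state changes.

Added example for this guide (not McAfee code). Assumes the record layout
shown in the guide: a fixed header (timestamp, time zone, facility, area,
event type, priority) followed by lowercase "key: value" fields.
"""
import re
from typing import Dict, List, Optional, Tuple

# Field keys are lowercase identifiers followed by ": ". The value
# "Changed FIPS: enabled=1" contains an uppercase "FIPS:" which this
# pattern deliberately does not treat as a field separator.
KEY_RE = re.compile(r"(?:^|\s)([a-z_]+): ")

SAMPLE_AUDIT: List[str] = [
    # Verbatim from the guide: FIPS 140-2 processing successfully enabled.
    "Dec 5 16:31:42 2012 EST f_system a_general_area t_cfg_change p_major pid: 1599 "
    "ruid: 0 euid: 0 pgid: 1599 logid: 100 cmd: 'AdminConsole' domain: CARW "
    "edomain: CARW hostname: electra.example.net event: config modify user_name: a "
    "config_area: settings config_item: fips information: Changed FIPS: enabled=1",
    # Constructed: an unrelated configuration change that must be ignored.
    "Dec 5 16:40:10 2012 EST f_system a_general_area t_cfg_change p_major pid: 1622 "
    "ruid: 0 euid: 0 pgid: 1622 logid: 100 cmd: 'AdminConsole' domain: CARW "
    "edomain: CARW hostname: electra.example.net event: config modify user_name: a "
    "config_area: settings config_item: ntp information: Changed NTP server list",
    # Constructed: FIPS processing turned back off, which a SOC should alert on.
    "Dec 6 09:02:15 2012 EST f_system a_general_area t_cfg_change p_major pid: 2044 "
    "ruid: 0 euid: 0 pgid: 2044 logid: 100 cmd: 'cf' domain: CARW "
    "edomain: CARW hostname: electra.example.net event: config modify user_name: b "
    "config_area: settings config_item: fips information: Changed FIPS: enabled=0",
]


def parse_audit(line: str) -> Dict[str, str]:
    """Return the fixed header fields plus every key/value field of one record."""
    parts = KEY_RE.split(line.strip())
    # re.split with one capturing group yields [header, key1, val1, key2, val2, ...]
    header = parts[0].split()
    rec: Dict[str, str] = {
        "timestamp": " ".join(header[:5]),  # e.g. "Dec 5 16:31:42 2012 EST"
        "facility": header[5],              # f_system
        "area": header[6],                  # a_general_area
        "type": header[7],                  # t_cfg_change
        "priority": header[8],              # p_major
    }
    for i in range(1, len(parts) - 1, 2):
        rec[parts[i]] = parts[i + 1].strip()
    return rec


def fips_changes(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (hostname, user_name, enabled) for every FIPS configuration change."""
    found: List[Tuple[str, str, Optional[bool]]] = []
    for line in lines:
        rec = parse_audit(line)
        if rec.get("config_item") != "fips" or rec.get("event") != "config modify":
            continue
        m = re.search(r"enabled=([01])", rec.get("information", ""))
        enabled = (m.group(1) == "1") if m else None
        found.append((rec.get("hostname", "?"), rec.get("user_name", "?"), enabled))
    return found


if __name__ == "__main__":
    for host, user, enabled in fips_changes(SAMPLE_AUDIT):
        state = {True: "ENABLED", False: "DISABLED", None: "UNKNOWN"}[enabled]
        print(f"{host}: FIPS 140-2 processing {state} by administrator '{user}'")
```

Feeding the firewall's exported audit to `fips_changes` after the reboot gives a machine-checkable "enabled=1" record for the compliance file, and the same function doubles as a detection rule: any `enabled=0` event outside a planned reinstall (see "Leaving FIPS mode") deserves an alert.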

Updating and verifying configurations

Replace and verify critical security parameters to ensure FIPS 140-2 compliance.

Replace critical security parameters

You must replace critical security parameters (CSPs): firewall certificates and private keys for several services must be regenerated, and each administrator password must be changed. To comply with FIPS 140-2 requirements, these certificates, keys, and passwords must be created after FIPS 140-2 processing is enabled.

The high-level steps are:
1 Create the new parameter (certificate, key, or password).
2 Select the new parameter where needed.
3 Delete the old parameter.

The following table shows the service, the associated CSP, the required change, and the actions needed to make the change.

Table 1 Critical security parameter (CSP) replacement

Service: Admin Console (TLS); SSL Content Inspection (TLS); Firewall cluster management (TLS); Audit log signing; IPsec/IKE certificate authentication; CAC authentication; McAfee Firewall Reporter (Firewall Reporter); McAfee Firewall Profiler Communication
CSP: Firewall certificate/private key
Action to take:
1 Generate or import a new firewall certificate and private key.
  a Select Maintenance > Certificate/Key Management, and click the Firewall Certificates tab.
  b Click New to add a certificate or click Import to import an existing certificate and its related private key file. The certificate Distinguished Name should include the full machine name.
2 Replace the certificate used by each service with the new firewall certificate and private key. See "Replace certificates" for the steps to replace the certificates.
3 Delete the old certificate and private key.
  a Select Maintenance > Certificate/Key Management > Firewall Certificates.
  b Select the old certificate, then click Delete.

Service: Control Center (TLS)
CSP: Firewall certificate/private key
Action to take: See the McAfee Firewall Enterprise Control Center FIPS 140-2 Configuration Guide for more information about configuring FIPS 140-2 on managed firewalls.

Table 1 Critical security parameter (CSP) replacement (continued)

Service: Global Threat Intelligence (TLS)
CSP: Firewall certificate/private key
Action to take:
1 Delete the old certificate and private key.
  a Select Maintenance > Certificate/Key Management and click the Firewall Certificates tab.
  b In the Certificates list, select MFE_Communication_Cert_*, then click Delete.
2 Re-activate the firewall license.
  a Select Maintenance > License.
  b Select a firewall from the list.
  c Select Firewall.
  d Click Activate firewall, then click Yes.

Service: IKE
CSP: IKE preshared keys; IPsec manual keys
Action to take:
Find and replace IKE preshared keys.
1 Select Network > VPN Configuration > VPN Definitions.
2 For each VPN definition, click Modify. The VPN Properties window appears.
3 Modify VPN definitions either through Remote Authentication or Local Authentication.
  a Select Remote Authentication or Local Authentication.
  b Check both tabs. If the Method is listed as Password, you must create a new one.
  c Enter the new password and confirm it.
Find and replace IPsec manual keys.
1 Select Network > VPN Configuration > VPN Definitions.
2 For each VPN definition, click Modify. The VPN Properties window appears.
3 From the Mode drop-down list, look for VPN definitions that list Manually Keyed VPN.
4 For those with Manually Keyed VPN, click Generate Keys. New keys are generated.

Service: SSH server
CSP: SSH host key
Action to take:
Generate a new SSH server host key.
1 Select Maintenance > Certificate/Key Management > Keys.
2 Create new DSA and RSA keys.
3 Replace the SSH keys.
  a Select Policy > Application Defenses > Defenses > SSH.
  b Examine all application defenses; on the Client Advanced tab, select the new DSA and RSA key.
4 Select Maintenance > Cert/Key Management > Keys.
5 Delete the old keys.

Table 1 Critical security parameter (CSP) replacement (continued)

Service: Administrator passwords
CSP: Hashed administrator password
Action to take:
Change each administrator password.
1 Select Maintenance > Administrator Accounts.
2 Select an administrator, then click Modify.
3 In the Password field, type a new password. Retype the password in the Confirm Password field.

Service: Local certificate authority
CSP: Local CA private key
Action to take:
Delete local CAs.
1 From the command line, use the following command to query local CAs that have been created:
  cf lca query
2 Delete each listed CA by name using the following command:
  cf lca delete name=[name]

Service: SSL CA (SSL Content Inspection); SSL server certificate key (SSL Content Inspection)
CSP: Local CA private key; Firewall certificate/private key
Action to take:
Generate a new SSL CA certificate and key.
1 Select Maintenance > Certificate/Key Management > Certificate Authorities.
2 Click New > Single CA. The New Certificate Authority window appears.
3 From the Type drop-down list, select Local.
4 Complete the fields.
5 Click Close.
6 Delete the old SSL CA key.
Generate a new SSL server certificate key. If you already generated SSH server keys, you may skip the following steps.
1 Select Maintenance > Certificate/Key Management > Keys.
2 Create new DSA and RSA keys.
3 Replace the SSL keys.
  a Select Policy > SSL Rules.
  b Examine all SSL rules.
  c For any rule that is outbound and has Decrypt/Re-encrypt selected, select the new DSA and RSA key.
4 Select Maintenance > Cert/Key Management > Keys.
5 Delete the old keys.

Replace certificates

The following table lists each service and the steps required to replace the certificate used by the service. After each certificate is changed, you will need to change the key for each certificate. For instructions, see the McAfee Firewall Enterprise Product Guide, version 8.2.0.

Table 2 Steps to replace certificates for listed services

Service: Admin Console
Action to take:
1 Select Maintenance > Remote Access Management > Admin Console Properties.
2 From the SSL certificate drop-down list, select a new certificate, then click OK. The certificate is replaced.

Service: SSL Content Inspection
Action to take:
1 Select Policy > SSL Rules.
2 Select each rule, then click Modify. The SSL Rule Properties window appears.
3 Replace the certificate or key depending on the instance.
  Scenario 1
  a If Type shows Inbound and Action shows Decrypt only or Decrypt and re-encrypt, click SSL decryption settings (client to firewall).
  b Change the Certificate to present to clients for DSA and RSA.
  Scenario 2
  a If Type shows Outbound and Action shows Decrypt and re-encrypt, click SSL decryption settings (client to firewall).
  b Change the Key to use in server certificate for both DSA and RSA.
  c Change the Local CA used to sign server cert.

Service: Firewall cluster management
Action to take:
1 If you have a High Availability cluster, remove the firewalls from the cluster and restore them to standalone status. For instructions, see the McAfee Firewall Enterprise Product Guide, version 8.2.0.
2 Replace the certificate.
  a Select Maintenance > Certificate/Key Management > SSL Certificates.
  b Select the fwregister proxy, then click Modify.
  c From the Certificate drop-down list, select a new certificate, then click OK. The certificate is replaced.
3 Reconfigure the High Availability cluster. For instructions, see the McAfee Firewall Enterprise Product Guide, version 8.2.0.

Service: Audit log signing
Action to take:
1 Select Monitor > Audit Management.
2 If Sign exported files is selected, from the Sign with drop-down list, select a new certificate.

Service: IPsec/IKE
Action to take:
1 Select Network > VPN Configuration > VPN Definitions. The VPN Definitions area appears.
2 Navigate to Modify > Local Authentication.
3 From the Local Certificate drop-down list, select a new certificate, then click OK. The certificate is replaced.

Table 2 Steps to replace certificates for listed services (continued)

Service: CAC Authentication
Action to take:
1 Select Policy > Rule Elements > Authenticators.
2 Click Add. If you see a CAC Authenticator, select it.
3 Click Modify. The CAC Authenticator properties window appears.
4 From the Certificate drop-down list, select a new certificate, then click OK.

Service: Firewall Reporter
Action to take:
1 Select Maintenance > Certificate Management > SSL Certificates.
2 Select Firewall Reporter, then click Modify.
3 From the Certificate drop-down list, select a new certificate, then click OK. The certificate is replaced.

Service: Profiler Communication
Action to take:
1 Select Maintenance > Profiler > Advanced Options.
2 From the Certificate drop-down list, select a new certificate, then click OK. The certificate is replaced.

Verify allowed cryptographic services

Allowed and prohibited cryptographic services for firewalls in FIPS mode are listed below. Examine your firewall configuration and make adjustments as necessary. Do not configure FIPS 140-2 prohibited algorithms while FIPS 140-2 processing is enabled. All requests to use FIPS 140-2 prohibited algorithms will be rejected and audited.

Allowed cryptographic services

These cryptographic services are allowed on firewalls in FIPS mode.

- Passive Passport (MLC)
- Control Center management
- Admin Console management
- IPsec and IKE VPNs
- Audit log signing and validation
- SSH client and server
- Firewall package signature validation and decryption
- Safeword authentication (DES) (cannot be used for administrator logon)
- CAC authentication
- Firewall Profiler communication
- RIPv2 and OSPF (cannot be used with MD5 authentication), other routing protocols
- Geo-Location, Virus Scanning, and IPS downloads
- SSL content inspection (SSL Rules)
- McAfee Global Threat Intelligence queries
- Cluster management (entrelayd)

- Firewall license management
- Certificate and key management
- SNMPv3 (SHA, AES)
- Secure Sendmail (via STARTTLS)
- RADIUS authentication (MD5) (cannot be used for administrator logon)
- Microsoft NT authentication (MD5, DES, RC4) (cannot be used for administrator logon)
- McAfee Firewall Reporter communication
- NTP (cannot be used with MD5 authentication)

Prohibited cryptographic services

These cryptographic services are not allowed on firewalls in FIPS mode.

- SSH proxy
- SCEP certificate enrollment
- Secure DNS
- McAfee SmartFilter
- Hardware Acceleration (cavium)
- NTP with MD5 authentication
- RIPv2 and OSPF with MD5 authentication

Modify the SSL rule settings

Services that use SSL or TLS must use TLSv1. SSLv2 and SSLv3 are not allowed. To make sure a service is using the appropriate SSL settings, perform this procedure for SSL rules.

1 Select Policy > SSL Rules. The SSL Rules window appears.
2 For each rule, click Modify. The SSL Rule Properties window appears.
3 Replace the certificate or key depending on the instance.
  a For each rule whose Action is Decrypt or Decrypt / re-encrypt, click SSL decryption settings (client to firewall) and make sure TLSv1 is selected, and SSLv2 and SSLv3 are deselected.
  b For each rule whose Action is Decrypt / re-encrypt, click SSL encryption settings (firewall to server) and make sure TLSv1 is selected, and SSLv2 and SSLv3 are deselected.

Figure 1 FIPS 140-2 compliant TLS and SSL selections

Verify approved cryptographic algorithms and key lengths

Make sure all FIPS 140-2 cryptographic services use only these approved algorithms.

- Symmetric encryption: AES128, AES192, AES256, 3DES
- Asymmetric algorithms: RSA and DSA (minimum 1024-bit key lengths)

- Hash algorithms: SHA1, SHA2 (256, 384, 512)
- HMAC algorithms: HMAC-SHA1, HMAC-SHA2 (256, 384, 512)

Tasks
- Certificate authorities and remote certificates: Make sure certificate authorities and remote certificates use approved cryptographic algorithms.
- IPsec and IKE: To verify that IPsec and IKE are using approved cryptographic algorithms, review VPN definition properties.
- Passive Passport (MLC): Make sure Passive Passport certificates use the RSA signature algorithm.

Certificate authorities and remote certificates

Make sure certificate authorities and remote certificates use approved cryptographic algorithms.

1 Select Maintenance > Certificate/Key Management. The Certificate Management window appears.
2 Click the appropriate tab to examine the certificates:
  - Remote Certificates
  - Firewall Certificates
  - Certificate Authorities
3 Select the certificate you want to inspect, then click Export. The Certificate Export window appears.
4 Select Export Certificate to screen, then click OK. The Certificate Data window appears.
5 Scroll through the certificate data to find the Signature Algorithm line. Make sure it is a FIPS 140-2 approved signature algorithm. If the signature algorithm is not approved, perform the following steps. The key must be at least 1024 bits; however, the recommended key size is 2048 bits or higher.
  a Generate or import a new certificate.
  b Select the new certificate to replace the old certificate.
  c Delete the old certificate.

IPsec and IKE

To verify that IPsec and IKE are using approved cryptographic algorithms, review VPN definition properties.

1 Select Network > VPN Configuration > VPN Definitions. The VPN Definitions window appears.
2 Select a VPN definition, then click Modify. The VPN Properties window appears.
3 Click the Crypto and Advanced tabs to review algorithms used in the definition. Modify the definition as necessary. You might have to make corresponding adjustments to remote peers.
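Reading the Signature Algorithm line by hand for every remote certificate, firewall certificate and CA is error-prone, so here is an added example (not McAfee code) that applies the rules of the "Verify approved cryptographic algorithms and key lengths" and "Certificate authorities and remote certificates" sections to exported certificate text. It assumes the export uses the layout of `openssl x509 -text` (a "Signature Algorithm:" line and a "Public-Key: (N bit)" line), which is what the on-screen export resembles; the approved set is the guide's (RSA or DSA signed with SHA1 or SHA2-256/384/512, 1024-bit minimum, 2048-bit recommended). The three certificate fragments are constructed for the demonstration, not real certificates, and `check_cert_file` is a convenience wrapper that shells out to a locally installed `openssl`.

```python
"""Check exported certificate text against the guide's FIPS 140-2 rules.

Added example (not McAfee code). Assumes OpenSSL "x509 -text" layout.
"""
import re
import subprocess
from typing import Dict, List, Optional

APPROVED_HASHES = ("sha512", "sha384", "sha256", "sha1")  # guide: SHA1, SHA2 (256/384/512)
APPROVED_KEY_ALGS = ("rsa", "dsa")                         # guide: RSA and DSA only
MIN_BITS = 1024                                            # guide: minimum key length
RECOMMENDED_BITS = 2048                                    # guide: recommended key length

SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)
BITS_RE = re.compile(r"Public.Key:\s*\((\d+) bit\)")       # "Public-Key:" or "RSA Public Key:"

# Constructed fragments in "openssl x509 -text" layout (not real certificates).
GOOD_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=fw-ca.example.net
        Subject: CN=electra.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
WEAK_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Subject: CN=legacy-peer.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
LEGACY_DSA_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: dsaWithSHA1
        Subject: CN=old-ca.example.net
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
                Public-Key: (1024 bit)
"""


def classify_signature(name: str) -> Dict[str, object]:
    """Split an OpenSSL signature algorithm name into hash and key algorithm."""
    lower = name.lower().replace("_", "").replace("-", "")
    hash_alg: Optional[str] = next((h for h in APPROVED_HASHES if h in lower), None)
    if "ecdsa" in lower:
        key_alg: Optional[str] = "ecdsa"  # contains "dsa" but is not in the guide's list
    else:
        key_alg = next((k for k in APPROVED_KEY_ALGS if k in lower), None)
    approved = hash_alg is not None and key_alg in APPROVED_KEY_ALGS
    return {"hash": hash_alg, "key_alg": key_alg, "approved": approved}


def check_cert_text(text: str) -> Dict[str, object]:
    """Evaluate one exported certificate; 'compliant' is the pass/fail verdict."""
    findings: List[str] = []
    sig = SIG_RE.search(text)          # first occurrence is the TBS signature field
    bits = BITS_RE.search(text)
    sig_name = sig.group(1) if sig else None
    key_bits = int(bits.group(1)) if bits else None

    sig_ok = False
    if sig_name is None:
        findings.append("no Signature Algorithm line found")
    else:
        sig_ok = bool(classify_signature(sig_name)["approved"])
        if not sig_ok:
            findings.append(f"signature algorithm {sig_name} is not FIPS 140-2 approved")
    if key_bits is None:
        findings.append("public key size not found")
    elif key_bits < MIN_BITS:
        findings.append(f"{key_bits}-bit key is below the {MIN_BITS}-bit minimum")
    elif key_bits < RECOMMENDED_BITS:
        findings.append(f"{key_bits}-bit key meets the minimum; {RECOMMENDED_BITS}-bit or larger is recommended")

    compliant = sig_ok and key_bits is not None and key_bits >= MIN_BITS
    return {"signature_algorithm": sig_name, "key_bits": key_bits,
            "compliant": compliant, "findings": findings}


def check_cert_file(path: str) -> Dict[str, object]:
    """Render a PEM certificate with a local openssl binary and check it."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return check_cert_text(out)


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("weak", WEAK_CERT), ("legacy-dsa", LEGACY_DSA_CERT)):
        r = check_cert_text(cert)
        print(f"{label}: compliant={r['compliant']} {r['findings']}")
```

A certificate that is compliant but carries a recommendation (the 1024-bit DSA case) is the one to schedule for replacement at the next change window; a non-compliant one must go through steps a-c above before FIPS mode is considered complete.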

For more information, see the VPN (virtual private networks) chapter of the McAfee Firewall Enterprise Product Guide, version 8.2.0.

Passive Passport (MLC)

Make sure Passive Passport certificates use the RSA signature algorithm.

1 Select Policy > Rule Elements > Passport. The Passport window appears.
2 In the Certificate field, make sure a certificate that uses the RSA signature algorithm is specified.
3 Click Advanced. The Advanced tab appears.
4 In the Certificate Authority field, make sure a certificate that uses the RSA signature algorithm is specified.

Verify SSH client and server configurations

The McAfee Firewall Enterprise SSH client and server configurations are compliant by default. However, if you modified either of the following files, you must make sure your firewall SSH server and client are FIPS 140-2 compliant.

/secureos/etc/ssh/ssh_config
/secureos/etc/ssh/sshd_config

Verify the following:
- The SSH client and server use approved cryptographic algorithms.
- Only SSH Protocol 2 is enabled (SSH Protocol 1 is not allowed for the client or server).
- In the /secureos/etc/ssh/sshd_config file, PubkeyAuthentication is disabled (SSH public key authentication is not allowed in FIPS mode).

If you have problems with SSH or SSHD, view the firewall audit for details on any FIPS-related problems. See the SSH and SSHD man pages for information about configuring SSH and SSHD.

Restrict administrator access

These logon and authentication restrictions apply to FIPS 140-2 compliant firewalls.

- Administrators must use local Password authentication to log on to McAfee Firewall Enterprise. All other authentication methods are prohibited for administrator logon.
- Authenticated logons are required when the firewall is in emergency maintenance mode. To enable authentication for emergency maintenance mode, use a file editor to open /etc/ttys and make the following change:
  Locate this line:
  console none unknown off secure
  Make this change:
  console none unknown off insecure
- You cannot log on to McAfee Firewall Enterprise through Telnet. If you have a Telnet rule allowing administrator logon, disable the rule.
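The three SSH checks and the /etc/ttys edit above are easy to get wrong by hand, so here is an added example (not McAfee code) that audits an sshd_config or ssh_config in standard OpenSSH keyword syntax and rewrites the ttys console entry. The mapping of OpenSSH cipher and MAC names onto the guide's approved AES/3DES and HMAC-SHA1/SHA2 algorithms is this example's own assumption, as is the decision to flag only explicit non-compliant settings (the guide states the shipped defaults are compliant, so an absent Ciphers or Protocol line is left alone, while PubkeyAuthentication is flagged unless explicitly set to no, because OpenSSH's own default is yes). The configuration files and ttys content are constructed samples.

```python
"""Audit SSH configuration and /etc/ttys against the guide's FIPS requirements.

Added example (not McAfee code). Assumes OpenSSH keyword syntax; the
cipher/MAC name mapping below is this example's own.
"""
from typing import Dict, List, Tuple

# OpenSSH names for the guide's approved symmetric (AES128/192/256, 3DES)
# and HMAC (SHA1, SHA2-256/512) algorithms; this mapping is an assumption.
APPROVED_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                    "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc"}
APPROVED_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}

# Constructed samples: a hand-edited, non-compliant sshd_config and a compliant one.
SSHD_CONFIG_MODIFIED = """\
# constructed: someone re-enabled protocol 1 and legacy algorithms
Protocol 2,1
Port 22
Ciphers aes256-ctr,aes128-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
PubkeyAuthentication yes
PasswordAuthentication yes
"""
SSHD_CONFIG_OK = """\
Protocol 2
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
PubkeyAuthentication no
PasswordAuthentication yes
"""
TTYS_SAMPLE = """\
# constructed /etc/ttys excerpt
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
"""


def parse_ssh_config(text: str) -> Dict[str, str]:
    """Map lowercased keyword -> value; first occurrence wins, as in OpenSSH."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in key:                     # "Protocol=2" form
            key, val = key.split("=", 1)
        opts.setdefault(key.lower(), val.strip())
    return opts


def check_ssh(text: str, server: bool) -> List[str]:
    """Return findings for one config file; empty list means nothing contradicts the guide."""
    opts = parse_ssh_config(text)
    findings: List[str] = []
    if "protocol" in opts and "1" in [v.strip() for v in opts["protocol"].split(",")]:
        findings.append(f"Protocol {opts['protocol']}: SSH protocol 1 must not be enabled")
    for keyword, approved in (("ciphers", APPROVED_CIPHERS), ("macs", APPROVED_MACS)):
        if keyword in opts:
            bad = [a.strip() for a in opts[keyword].split(",") if a.strip().lower() not in approved]
            if bad:
                findings.append(f"{keyword}: non-approved algorithm(s) {', '.join(bad)}")
    if server and opts.get("pubkeyauthentication", "yes").lower() != "no":
        findings.append("PubkeyAuthentication must be 'no' in sshd_config (not allowed in FIPS mode)")
    return findings


def require_console_auth(ttys_text: str) -> Tuple[str, bool]:
    """Change the console entry's trailing 'secure' to 'insecure' so emergency
    maintenance mode prompts for authentication. Returns (new_text, changed)."""
    out: List[str] = []
    changed = False
    for raw in ttys_text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "console" and fields[-1] == "secure":
            out.append(raw[: raw.rfind("secure")] + "insecure")
            changed = True
        else:
            out.append(raw)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for f in check_ssh(SSHD_CONFIG_MODIFIED, server=True):
        print("sshd_config:", f)
    new_ttys, changed = require_console_auth(TTYS_SAMPLE)
    print("ttys changed:", changed)
    print(new_ttys)
```

Run `check_ssh` with `server=False` over ssh_config (the PubkeyAuthentication rule applies only to the server file per the guide) and with `server=True` over sshd_config; a second pass of `require_console_auth` over already-edited ttys content reports no change, so the function is safe to re-run from a configuration-management job.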

Add and re-register managed firewalls

If you unregistered your firewall from Control Center to enable FIPS 140-2 processing, re-register it to Control Center. For instructions, see the McAfee Firewall Enterprise Control Center Product Guide, version 5.2.0.

Leaving FIPS mode

If you no longer want your McAfee Firewall Enterprise to be in FIPS mode, re-install your firewall. For instructions, refer to one of the following documents:

- Virtual Appliance: See the McAfee Firewall Enterprise, Virtual Appliance Installation Guide, version 8.x.
- Crossbeam X-Series Platforms: See the McAfee Firewall Enterprise on Crossbeam X-Series Platforms Installation Guide, version 8.2.1.

Copyright 2013 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. A00