What are the known issues with utilizing FIPS mode on TippingPoint Devices?

    • Updated: 3 Aug 2016
    • Product/Version:
        • TippingPoint IPS N-series All
        • TippingPoint IPS NX-series All
        • TippingPoint IPS S-series All
        • TippingPoint NGFW All
        • TippingPoint SMS All
        • TippingPoint TPS All
        • TippingPoint Virtual SMS
        • TippingPoint Virtual TPS All
Summary
This article discusses what issues exist with utilizing the Federal Information Processing Standard (FIPS) mode on TippingPoint devices.

Federal Information Processing Standard (FIPS) is a publicly announced standard developed by the United States federal government for use in computer systems. When a device operates in FIPS mode, its cryptographic operations are performed in accordance with the rules set forth by the FIPS 140-2 certification standard.
Details
Operational Support:
TippingPoint devices support the following levels of FIPS 140-2 Level 1 operation.

  • Disabled: No FIPS compliant actions or restrictions are active in the device.
  • Crypto Only: Only the connection between the SSH client and the SMS server is affected by this mode. When a connection is made from an SSH client to the SMS server, the SSH client negotiates connections using only FIPS 140-2 approved algorithms.
  • Full-FIPS (certain models only): Devices operate in a manner that is fully compliant with the FIPS 140-2 publication.

The following table lists FIPS 140-2 Level 1 support by TippingPoint device and TOS version.

Device                                        TOS               FIPS Mode
10/110/330                                    v3.6.1 & higher   Full-FIPS
660N, 1400N, 2500N, 5100N, 6100N              v3.6.1 & higher   Full-FIPS
2600NX, 5200NX, 6200NX, 7100NX, 7500NX        v3.6.1 & higher   Full-FIPS
Security Management System (SMS)              v3.6.0 & higher   Full-FIPS
Virtual Security Management System (vSMS)     v3.6.0 & higher   Crypto-Only
Next Generation Firewall (NGFW)               Not Supported     Not Supported
Threat Protection System (TPS/vTPS)           Not Supported     Not Supported

Security Management System (SMS) and Full-FIPS mode

Transitioning an SMS server to operate in Full-FIPS mode implements changes to core elements of the SMS server. The transition:

  • Deletes all existing SMS users.
  • Removes all SMS backup and device snapshots stored on the SMS server.
  • Deletes all custom responder actions.
  • Regenerates SSH server and HTTPS web security keys.

The transition process reboots the SMS server and requires you to upload a new SMS key package to the SMS server. Placing the SMS server into one of the FIPS modes does not necessarily mean the SMS server is operating in compliance with FIPS 140-2. In order to operate in compliance with FIPS 140-2, you must place the SMS server into Full-FIPS mode and satisfy the following conditions:

  • The external database replication feature cannot be enabled.
  • The failed-lockout attempts counter must remain activated for all users.
  • The password security level setting for each SMS user should remain at or above level 1.
  • To ensure continued FIPS 140-2 compliance during operation, the telnet and http services must be disabled on the SMS.
  • It is recommended that the boot device section of the BIOS in the SMS hardware appliance be configured such that the only device configured as a boot device is the main hard drive.

Because security must be tightened while the SMS server is operating in Full-FIPS mode, the following restrictions are in effect:

  • The SMS performs a software integrity self-test each time it boots; if this test fails, the SMS server will not be operational.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You are not permitted to restore SMS backups that were created when the SMS was not in Full-FIPS mode.
  • You cannot import or execute custom Responder Actions.
  • The SMS user password security is restricted to a minimum level of 1.
  • The password recovery option is no longer available. In case of a password failure, the SMS will have to be returned.
  • You are not permitted to use custom web security SSL certificates.
  • The SMS hardware appliance must have a BIOS password enabled and set.
  • An SMS server operating in Full-FIPS mode cannot be configured as part of an SMS HA cluster; it must operate as a standalone SMS server.
  • When an SMS is in Full-FIPS mode, importing or exporting a profile to or from another SMS is not supported.
  • Service Mode is no longer available.
  • FIPS mode cannot be enabled if SSH is disabled. Disabling SSH automatically disables FIPS mode.

Virtual Security Management System (vSMS) FIPS Support
  • vSMS can be configured in "Crypto Only" mode only; "Full-FIPS" mode is not available. While vSMS is not FIPS certified, FIPS functionality is supported.

Intrusion Prevention System (IPS) and Full-FIPS mode

Transitioning an IPS device to operate in Full-FIPS mode implements changes to core elements. The transition:

  • Deletes all existing IPS users.
  • Removes all device snapshots stored on the device.
  • Regenerates SSH and HTTPS security keys.

Because security must be tightened while the IPS device is operating in Full-FIPS mode, the following restrictions are in effect:

  • Snapshots created on devices with Full-FIPS mode enabled are not compatible with other IPS devices that have FIPS mode disabled, or vice versa.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You cannot roll back to a previous TOS version if the IPS device is currently in Full-FIPS mode and the previous TOS version was not.
  • The password recovery option is no longer available. In case of a password failure, a "Factory Reset" will have to be performed.
  • The IPS user password security is restricted to a minimum level of 1.
  • Stand-alone IPS devices in Full-FIPS mode require manual installation of an authorized SSL key package that will enable TMC access. Each package is unique to each customer. SMS devices will automatically download the SSL key package, which can then be applied to any FIPS-supporting devices that are managed by the SMS.
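Both the SMS and the IPS restriction lists above state that in FIPS mode the SSH terminal negotiates only FIPS 140-2 approved algorithms. As an added illustration (example code, not TippingPoint's or Trend Micro's own), the following Python decodes an SSH_MSG_KEXINIT payload, the message in which an SSH peer advertises its key-exchange, cipher and MAC algorithms (RFC 4253 section 7.1), and reports every advertised name that falls outside an approved-algorithm allowlist. The allowlist, the field names and the sample offer are assumptions constructed for this example; the real set of approved algorithms comes from the security policy of the validated module in use.

```python
import struct

# Illustrative allowlist (an assumption of this example, not TippingPoint's list):
# AES, SHA-1/SHA-2 HMAC, 2048-bit DH and NIST-curve ECDH count as FIPS 140-2
# approved; ChaCha20, Curve25519, RC4, MD5 and group1 DH do not. Confirm against
# the security policy of the validated module you actually run.
FIPS_OK = {
    "kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "cipher": {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
CHECKED = {"kex": "kex", "cipher_c2s": "cipher", "cipher_s2c": "cipher",
           "mac_c2s": "mac", "mac_s2c": "mac"}

def build_kexinit(offer):
    """Encode a KEXINIT payload from {field: [names]} (used to construct samples)."""
    out = b"\x14" + b"\x00" * 16          # message type 20 + constructed zero cookie
    for f in FIELDS:
        names = ",".join(offer.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # uint32 length + name-list
    return out + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into {field: [names]}."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}                     # skip message type byte and 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        offer[f] = raw.split(",") if raw else []
        pos += 4 + n
    return offer

def non_fips_offers(offer):
    """Return {field: [names]} for every kex/cipher/MAC name outside the allowlist."""
    bad = {}
    for field, kind in CHECKED.items():
        extra = [a for a in offer.get(field, []) if a not in FIPS_OK[kind]]
        if extra:
            bad[field] = extra
    return bad

# Constructed sample offer: a server that still advertises unapproved algorithms.
SAMPLE_OFFER = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "cipher_c2s": ["chacha20-poly1305@openssh.com", "aes256-ctr"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-md5", "hmac-sha2-256"]}
```

An empty result from `non_fips_offers` means the peer's KEXINIT advertised only allowlisted names; the same parser works on a KEXINIT payload captured from a live session, as long as the SSH binary packet framing (length, padding, MAC) has already been stripped.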

Browser Compatibility and FIPS Mode

  • If you experience issues when connecting to a device in crypto or Full-FIPS modes, you may need to disable SSL 2 and enable TLS 1.0 in your web browser settings.
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000085778