2 Replies Latest reply on Sep 25, 2013 2:45 AM by Jonesthemilk

    ePO 4.66 \ MA4.6 \ EEPC 6.x  and the use of FIPS

    Jonesthemilk

      Hi all

       

      I am about to embark on a project to implement a McAfee ePO solution for a client (5000 seats, with about half as laptops).

       

      As the work is UK classified, I need to understand the downstream implications on other McAfee products (PA, MVM, MOVE etc.) should I install ePO & MA in FIPS Mode (an action which is irreversible apart from rebuild).

       

      With sparse Documentation on the subject, I have decided to put it to the Community to see if anyone has experience of using this mode and whether the decision has proven to be wise.

       

      I appreciate that I can install ePO & MA in non-FIPS and still use EEPC in FIPS, but have discovered this method is not covered at EAL2+, which I would ideally like to achieve as a minimum. (The OS will be at EAL4.)

       

      I also appreciate that FIPS compliance is a US-mandated requirement for such domains, but have not yet been able to qualify whether it should be used over here! (Obviously, this is being followed up in other directions.)

       

      Any comments as to experience \ implementation problems \ gotchas would help me decide.

       

      Thanks in advance

        • 1. Re: ePO 4.66 \ MA4.6 \ EEPC 6.x  and the use of FIPS
          rackroyd

          Something to bear in mind, and probably confirm with McAfee directly first: I pulled up the FIPS Mode User Guide for ePO 4.6, and at the end, in the supported environments, it does say "McAfee ePolicy Orchestrator 4.6.0 through 4.6.4". It does not mention ePO 4.6.5 or 4.6.6.

          1 of 1 people found this helpful
          • 2. Re: ePO 4.66 \ MA4.6 \ EEPC 6.x  and the use of FIPS
            Jonesthemilk

            Yeah! Thanks rackroyd, I had noticed that

            but..............

            with the Common Criteria Evaluation and Validation Scheme Validation Report dated Sept last year, I was somewhat 'hoping' later versions will be using the same encryption modules (DLLs). Given the statement in "FIPS certification update: EEPC v7.x and Core Cryptographic Module" on 5th April this year, things might be moving ahead. Versioning queries have already been directed to McAfee anyways.

             

            "While this is beneficial for EEPC customers it only covers the implementation on Windows, not OS/X. There are also other McAfee products which require FIPS certified encryption capabilities. To that end, we have decided that we will create a core cryptographic module which will be shared across multiple products. This new cryptographic module will contain all of the performance improvements from EEPC v7.0 and will first be used in EEPC v7.1.

             

            We are very pleased to announce that McAfee Core Cryptographic Module (user) and McAfee Core Cryptographic Module (kernel) FIPS 140-2 cryptographic modules have entered into Block 1 of the validation process and is now officially listed as "Implementation Under Test (IUT)" on the NIST website. We are expecting to complete these validations in Q4 2013. These cryptographic modules are being validated at FIPS 140-2 Level 1 and are common crypto modules for usage across both McAfee Endpoint Encryption for PC (Windows and OS/X) and McAfee Endpoint Encryption for Files and Folders."

             

            If need be, I will have to use 4.6.4 until the later version becomes available; however, at this stage of the project, I am more interested in the community's experience of using FIPS.