0 Replies Latest reply on Oct 13, 2014 5:48 PM by jrybicki

    ESM - FIPS Compliant Mode

    jrybicki

I am looking at the 9.4.0 documentation for FIPS mode and I am seeing a section that states that the ELM and ACE have either restricted functionality or are not FIPS compliant.  Does anyone from McAfee know if these devices are not FIPS compliant at all, or just have restricted functionality? Would an ETM/ELM/ERC combo box be able to be FIPS compliant? (Based on the excerpt below, I am thinking that both the combo-box and the ACE are not FIPS compliant appliances, but I would like an official ruling.) If I attach an ACE to the SIEM, does that immediately violate FIPS compliance?   (Below is the excerpt taken from esm_940_pg_en-us.pdf.) Please let me know how this might pertain to FIPS compliance.  Thank you.


      FIPS mode information

      Due to FIPS regulations, some ESM features aren't available, some available features are not compliant, and some features are only available when in FIPS mode. These features are noted throughout the document and are listed here.

Removed features

      • High-availability Receivers

      • GUI Terminal

      • Ability to SSH into device

McAfee ESM and devices use a FIPS-capable version of SSH. SSH clients OpenSSH, PuTTY, dropbear, Cygwin ssh, WinSCP and TeraTerm have been tested and are known to work. If using PuTTY, version 0.62 is compatible and can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

      • On the device console, the root shell is replaced by a restricted menu of FIPS options.

      Non-Compliant or restricted available features

      • WMI data sources

      • RADIUS authentication

      • OPSEC data sources

      • ADM support and device

      • ISS SiteProtector data sources

      • ELM/ELMERC/ESMLM support and device

      • Network Discovery from SNMPv3 and SSH

      • DEM support and device

      • External database server access

      • ACE support and device

      SNMPv3 options:

      • SNMP configuration — Blacklist check box and Authentication Mode is always None

      • Health requests and blacklist traps — SNMP health requests and blacklist traps must use SNMPv3 authPriv with SHA1 and AES

      • EngineID — You can set the SNMP EngineID for the ESM

      • Event Forwarding — Authentication Mode is always None

      • Profile Management — Authentication Mode is always None

      • Data Sources — Authentication Mode is always None

      Features available only in FIPS mode

      • There are four user roles that do not overlap: User, Power User, Audit Admin, and Key & Certificate Admin.

      • All Properties pages have a Self-Test option that allows you to verify that the system is operating successfully in FIPS mode.

      • If FIPS failure occurs, a status flag is added to the system navigation tree to reflect this failure.

      • All Properties pages have a View option that, when clicked, opens the FIPS Identity Token page. It displays a value that must be compared to the value shown in those sections of the document to ensure that FIPS hasn't been compromised.

      • On System Properties | Users and Groups | Privileges | Edit Group, the page includes the FIPS Encryption Self Test privilege, which gives the group members the authorization to run FIPS self-tests.

      • When you click Import Key or Export Key on IPS Properties | Key Management, you are prompted to select the type of key you want to import or export.

      • On the Add Device Wizard, TCP protocol is always set to Port 22. The SSH port can be changed.
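The excerpt says that in FIPS mode, SNMP health requests and blacklist traps must use SNMPv3 authPriv with SHA1 and AES. The following is an added example, not part of the forum post or of the McAfee product guide: a small POSIX shell helper that builds the net-snmp command-line arguments for an SNMPv3 health request against an ESM and refuses the combinations the guide says are not acceptable (noAuthNoPriv, authNoPriv, MD5, DES). The host, user name and passphrases are constructed placeholders; `fips_snmpv3_args` and `send_health_request` are names chosen here, not anything McAfee ships.

```shell
#!/bin/sh
# Added example (not from the McAfee ESM product guide or the forum post).
# Builds the net-snmp argument list for an SNMPv3 request to an ESM in FIPS
# mode and rejects anything weaker than authPriv with SHA-1 and AES, which is
# what the 9.4.0 guide excerpt requires for health requests and blacklist traps.
# All host names, user names and passphrases used with these functions are
# constructed placeholders.

# fips_snmpv3_args LEVEL AUTHPROTO PRIVPROTO USER AUTHPASS PRIVPASS
# Prints the net-snmp argument string on success; prints a reason to stderr and
# returns 1 when the requested settings would not be accepted in FIPS mode.
fips_snmpv3_args() {
  level=$1; auth=$2; priv=$3; user=$4; apass=$5; ppass=$6
  # Only authPriv is allowed: noAuthNoPriv and authNoPriv send unencrypted PDUs.
  [ "$level" = "authPriv" ] || { echo "security level must be authPriv, got '$level'" >&2; return 1; }
  # net-snmp spells SHA-1 as "SHA"; MD5 is not a FIPS-approved hash.
  [ "$auth" = "SHA" ] || { echo "auth protocol must be SHA, got '$auth'" >&2; return 1; }
  # net-snmp spells AES-128 as "AES"; DES is not a FIPS-approved cipher.
  [ "$priv" = "AES" ] || { echo "priv protocol must be AES, got '$priv'" >&2; return 1; }
  echo "-v3 -l authPriv -u $user -a SHA -A $apass -x AES -X $ppass"
}

# send_health_request HOST LEVEL AUTHPROTO PRIVPROTO USER AUTHPASS PRIVPASS
# Runs an SNMPv3 GET of sysUpTime.0 (1.3.6.1.2.1.1.3.0) against HOST using the
# validated argument string. Requires net-snmp's snmpget to be installed.
send_health_request() {
  host=$1; shift
  args=$(fips_snmpv3_args "$@") || return 1
  # Word splitting of $args is intentional: it is a list of separate options.
  snmpget $args "$host" 1.3.6.1.2.1.1.3.0
}

# Usage with constructed placeholder values:
#   send_health_request esm.example.internal authPriv SHA AES esmmon \
#       'AuthPassPlaceholder1' 'PrivPassPlaceholder1'
# A non-compliant request such as the following is refused before anything is sent:
#   send_health_request esm.example.internal authNoPriv MD5 DES esmmon a b
```

Passing `-A` and `-X` on the command line exposes the passphrases to anyone who can read the process list; for anything beyond a one-off check, put `defSecurityName`, `defSecurityLevel authPriv`, `defAuthType SHA`, `defPrivType AES` and the two passphrases in a mode-0600 `snmp.conf` (see snmp.conf(5)) and drop those flags. The same authPriv/SHA/AES settings apply when you point `snmptrap` at the ESM for a blacklist trap; the receiver additionally has to know the sender's engine ID, which is the reason the guide lets you set the ESM's EngineID.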