General Discussion / Re: Compliance with standards (FIPS, SOX, LEADS, HIPAA), etc.
« on: April 17, 2022, 01:39:44 am »
I realize I am replying years later, but this is still a topic of concern and very little out there.
We are an MSP serving small businesses. One of those does some work for the Feds and we're working through NIST 800-171 for self eval.
So the firewall comes into question, with regards to being FIPS 140-2 compliant. Now let me say up front, having an OPNSense "Certified" FIPS 140-2 firewall is highly unlikely. I'm sure someone could build it then go for certification. To be "compliant" though, I am pretty sure we can do that.
FIPS 140 is "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES"; this means hardware and/or software, it could be a CPU, a crypto library, a firewall, etc. It is a set of requirements.
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf
"Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system."
We can get to Level 2 (compliance) without much sweat but the OS may be the kicker.
OS
EAL2 is a tough one. OpenBSD/FreeBSD is not certified. Cisco and others have modified kernels that have been certified.
https://commoncriteriaportal.org/search/?cx=016233930414485990345%3Af_zj6spfpx4&cof=FORID%3A11&ie=UTF-8&q=freebsd&sa=Search
This is the only area that would be a show stopper, and is a big one. There are a LOT of Linux distros that are EAL3-4 certified. I'd be curious to hear others' thoughts on the underlying OS, maybe there is something on the above list? Maybe possible to just port OPNSense to Linux as a package? Run it on SUSE/Red Hat/Ubuntu?
https://www.commoncriteriaportal.org/files/ppfiles/PP_OS_V4.2.1.pdf
OpenSSL (the "crypto module") is certified. This is the cryptographic module used in BSD and OPNSense.
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf
https://www.openssl.org/docs/man3.0/man7/fips_module.html
CPU
Intel 6th gen vPro processors and at least the AMD Ryzen 5000 series processors are certified. I've had some trouble locating definitive proof on others.
https://www.amd.com/en/products/apu/amd-ryzen-3-pro-5475u
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/IUT-List
https://www.intel.com/content/www/us/en/government/strengthening-client-security-solution-brief.html
Hardware
With the above cryptographic modules certified we are good on hardware. One thing remains regarding hardware and that is physical security of the chassis. The chassis used will need to be secured with non-pickable locks, or security screws and tamper-evident stickers.
"Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access."
Access Control
A level 2 requirement is role-based access control. Check, we can do that one too. Users/groups in OPNSense.
In my opinion, for open source security to continue to be viable, it needs to keep up with security standards that are becoming really the minimum. Yes certification costs money, but that's why we donate to support the projects.
If you do the above, then you are very very close. Is it "good enough" for a commercial environment, well you will have to judge that in your situation. For my client with Fed work, the answer I fear is no. We'll likely be putting a Palo Alto device in. Is it good for the others, well maybe.
We're all connected and a weak link in security can affect others. OPNSense and other projects allow us to do enterprise grade tech, on a small business budget.
I'll post and edit anything new I find. I for one think FIPS 140-2 compliance in an open source firewall would be spectacular.
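The post above leans on the OpenSSL 3.0 FIPS provider (the linked fips_module page) as the validated crypto module. The following added example, not part of the original post or of the OPNsense project, parses the output of `openssl list -providers` and reports whether a provider named `fips` is loaded and active; the sample output embedded in it is constructed, and the `openssl` binary path and output format are assumptions based on OpenSSL 3.x.

```python
# Added example: check that the OpenSSL 3.x FIPS provider is loaded.
# Assumes the `openssl list -providers` listing format of OpenSSL 3.x.
import subprocess

# Constructed sample of `openssl list -providers` output on a host where
# both the default and the FIPS providers are loaded.
SAMPLE_OUTPUT = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""


def parse_providers(text):
    """Return {provider_id: {"name": ..., "version": ..., "status": ...}}."""
    providers = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Providers:"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2:                      # provider identifier line
            current = line.strip()
            providers[current] = {}
        elif indent == 4 and current is not None and ":" in line:
            key, value = line.strip().split(":", 1)   # "name: OpenSSL ..."
            providers[current][key.strip()] = value.strip()
    return providers


def fips_provider_active(text):
    """True only if a provider with the exact id 'fips' has status 'active'."""
    info = parse_providers(text).get("fips")
    return info is not None and info.get("status") == "active"


def check_local_openssl():
    """Run the real `openssl list -providers`; None if openssl is unavailable."""
    try:
        out = subprocess.run(["openssl", "list", "-providers"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return fips_provider_active(out)
```

A `True` from `check_local_openssl()` only shows the FIPS provider is loaded for the `openssl` binary on the path; whether every service on the box actually uses it is a separate check.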