Topic: Compliance with standards (FIPS, SOX, LEADS, HIPAA), etc.
anomaly0617 (Jr. Member, Posts: 50, Karma: 0)
on: November 27, 2018, 05:16:26 pm
Hi all,
I've been around the community for a few years now, but I'm a pfSense convert like most of us here. I've used pf/OpnSense for going on 10 years (?) now. So, not exactly a newb, but I generally stay pretty quiet.
I have a small municipality who is running pfSense. I'm in the process of converting all the firewalls over to OpnSense. The local Sheriff's Office IT only uses Cisco, and nothing else. Since we have to interface with them for various agency records, this means they have Cisco appliances in key buildings sitting right next to the pf/OPNsense firewalls, plugged into the same ISP router, and with their own external and internal IP address. This creates two points of entry into the networks instead of one, which makes it doubly difficult for me to take responsibility for keeping the network safe. So, on this last expansion run (for ancillary stations) I suggested that we just set up an IPSec VPN tunnel between the county and the existing pfSense/OpnSense firewalls that are on-site at each location.
You'd think I dropped a bomb on them.
The present (valid) argument for why this is not feasible is that the OpnSense firewall platform is not FIPS 140-2 certified. Looking purely at the technical requirements, I think it'd pass with no problem, but the question is, what does it cost to make a firewall FIPS compliant? Is this something the OpnSense community should consider pursuing? Is HardenedBSD going to make this easier for us, assuming the development of OpnSense eventually gets there?
I can foresee running into this problem with other industries that have a standards-based auditing system of firewalls, examples being PCI, SOX, HIPAA, etc. so it'd be nice to hammer this one out before those come up.
Any/all responses are appreciated.
mulvak (Newbie, Posts: 1, Karma: 0)
Reply #1 on: April 17, 2022, 01:39:44 am
I realize I am replying years later, but this is still a topic of concern and very little out there.
We are a MSP serving small businesses. One of those does some work for the Feds and we're working through NIST 800-171 for self eval.
So the firewall comes into question, with regards to being FIPS 140-2 compliant. Now let me say up front, having an OPNSense "Certified" FIPS 140-2 firewall is highly unlikely. I'm sure someone could build it then go for certification. To be "compliant" though, I am pretty sure we can do.
FIPS 140 is "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES" this means hardware and/or software, it could be a CPU, a crypto library, a firewall, etc. It is a set of requirements.
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf
"Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system."
We can get to Level 2 (compliance) without much sweat but the OS may be the kicker.
OS
EAL2 is a tough one. OpenBSD/FreeBSD is not certified. Cisco and others have modified kernels that have been certified.
https://commoncriteriaportal.org/search/?cx=016233930414485990345%3Af_zj6spfpx4&cof=FORID%3A11&ie=UTF-8&q=freebsd&sa=Search
This is the only area that would be a show stopper, and it is a big one. There are a LOT of Linux distros that are EAL3-4 certified. I'd be curious to hear others' thoughts on the underlying OS; maybe there is something on the above list? Maybe it is possible to just port OPNSense to Linux as a package? Run it on Suse/Redhat/Ubuntu?
https://www.commoncriteriaportal.org/files/ppfiles/PP_OS_V4.2.1.pdf
OpenSSL
(the crypto module) is certified. This is the cryptographic module used in BSD and OPNSense.
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf
https://www.openssl.org/docs/man3.0/man7/fips_module.html
CPU
Intel 6th gen vPro processors and at least the AMD Ryzen 5000 series processors are certified. I've had some trouble locating definitive proof on others.
https://www.amd.com/en/products/apu/amd-ryzen-3-pro-5475u
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/IUT-List
https://www.intel.com/content/www/us/en/government/strengthening-client-security-solution-brief.html
Hardware
With the above cryptographic modules certified we are good on hardware. One thing remains regarding hardware and that is physical security of the chassis. The chassis used will need to be secured with non-pickable locks, or security screws and tamper-evident stickers.
"Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access."
Access Control
A level 2 requirement is role based access control. Check, we can do that one too. Users/groups in OPNSense.
In my opinion, for open source security to continue to be viable, then it needs to keep up with security standards that are becoming really the minimum. Yes certification costs money, but that's why we donate to support the projects.
If you do the above, then you are very very close. Is it "good enough" for a commercial environment? Well, you will have to judge that in your situation. For my client with Fed work, the answer I fear is no. We'll likely be putting a Palo Alto device in. Is it good for the others? Well, maybe.
We're all connected and a weak link in security can affect others. OPNSense and other projects allow us to do enterprise grade tech, on a small business budget.
I'll post and edit anything new I find. I for one think FIPS 140-2 compliance in an open source firewall would be spectacular.
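To make the "OpenSSL is the crypto module" point in the reply above concrete, here is an added example (the editor's, not the poster's and not a configuration shipped by the OPNsense project) of the OpenSSL 3.x configuration that loads the FIPS provider and makes it the only source of cryptographic algorithms, following the fips_module(7) manual linked in the reply. It assumes OpenSSL 3.x built with the fips provider, that `openssl fipsinstall` has already been run to produce `fipsmodule.cnf`, and the install path `/usr/local/ssl/fipsmodule.cnf`; that path is an assumption for the example and should be replaced with the directory reported by `openssl version -d` on the actual system.

```ini
# openssl.cnf -- added example, not OPNsense's shipped configuration.
# Assumes OpenSSL 3.x and that
#   openssl fipsinstall -module <path to fips.so> -out fipsmodule.cnf
# has already been run. The .include path below is an assumption.
config_diagnostics = 1
openssl_conf = openssl_init

# Generated by `openssl fipsinstall`. It defines [fips_sect] with the
# module's integrity MAC and the self-test status; including it is what
# activates the validated module with its integrity check enforced.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# Load the FIPS provider for cryptography and the base provider for the
# non-cryptographic work (PEM/DER encoders and decoders, file stores).
# The default provider is deliberately NOT listed here: activating it
# would expose non-approved algorithms (MD5, DES, RC4, ...) side by side
# with the approved ones.
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Every algorithm fetch must be satisfied by a provider claiming fips=yes;
# a fetch that no approved provider can satisfy fails instead of quietly
# falling back to a non-validated implementation.
default_properties = fips=yes
```

To check that the configuration took effect, `openssl list -providers` should list `fips` and `base` with status `active` and no `default` provider, and a request for a non-approved algorithm such as `echo test | openssl dgst -md5` should error out rather than print a digest. Two caveats a practitioner would want: only the exact FIPS provider build named in the certificate's security policy is the validated module, so a rebuilt or differently versioned `fips.so` is not covered even though it works identically; and loading the module this way makes the OpenSSL-using services on the box use validated cryptography, it does not by itself make the appliance a "FIPS 140-2 firewall", since the kernel's own IPsec crypto (what an OPNsense IPsec tunnel actually uses for ESP) is a separate code path that this file does not touch.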
lilsense (Hero Member, Posts: 600, Karma: 19)
Reply #2 on: April 17, 2022, 02:38:05 pm
FIPS 140-2 would require the physical appliance to have special stickers to identify that the appliance has been opened. Your best bet is to purchase FIPS certified equipment from vendors such as Fortinet, Juniper, Palo Alto, or your mentioned Cisco.
FIPS process costs lots of lots of lots of money to get one appliance certified. Good luck.