Important notes to consider before configuring SEP for FIPS 140-2 compliance mode

Article:TECH145497  |  Created: 2010-12-03  |  Updated: 2014-10-07  |  Article URL http://www.symantec.com/docs/TECH145497
Article Type
Technical Solution

Issue



For previous releases of Symantec Endpoint Protection, Symantec recommended that customers use the Microsoft FIPS modules to protect Symantec Endpoint Protection client and server communication for compliance with the FIPS 140-2 standard.

Starting with Symantec Endpoint Protection Release 11.0.6 MP 2 and ending with 12.1 RU1 MP1, Symantec provides the Java Cryptography Extension (JCE) and RSA BSAFE cryptography library modules to protect its server-to-server communication and console-to-server communication. You can deploy Symantec Endpoint Protection and protect its key command and control communications with NIST FIPS-validated security modules.

 


Solution



You must upgrade to Symantec Endpoint Protection 11.0.6 MP 2 or a later version of 11.X, or to 12.1 RU1 MP1 or an earlier version of 12.1.x, to get the latest Java libraries and the deployment script. SEP 12.1 RU2 does not support FIPS, but SEP 12.1 RU3 does. You can install for the first time, or you can upgrade.

If you have configured your SEP environment to be FIPS 140-2 compatible, remember to mention this to Technical Support personnel if you need support that requires running the Management Server Configuration Wizard.


If you install for the first time, be sure to run the Management Server Configuration Wizard to complete the configuration of the Symantec Endpoint Protection Manager.
Using the Management Server Configuration Wizard for configuration before you deploy and enable the FIPS-compliant Java libraries can help to avoid certificate problems.


WARNING: If you need to run the Management Server Configuration Wizard after you deploy and enable the FIPS-compliant Java libraries, you should disable the libraries beforehand.

 


Deploying and using FIPS-compliant mode
You can use a Symantec-supplied script to deploy, enable, disable, and reapply FIPS-compliant mode. You can double-click the script to check the current FIPS state, on or off. You can also use the script's -reapply flag to check the current FIPS state or to repair FIPS mode after an upgrade or after other changes.

To deploy and enable the FIPS-compliant Java libraries

1. Change folder to the drive:\installation_folder\bin folder. By default, this folder is the drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin folder.
2. Double-click the FIPSMode-Enable.bat file.


To disable the FIPS-compliant Java libraries

1. Change folder to the drive:\installation_folder\bin folder. By default, this folder is the drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin folder.
2. Double-click the FIPSMode-Disable.bat file.


To reapply the FIPS-compliant Java libraries
Open a command window and type the following command:

.\bin\FIPSMode.vbs -reapply

 

 


Limitations on Symantec Endpoint Protection features
FIPS compliance imposes some limitations on the following Symantec Endpoint Protection features:

- For Remote Management, Symantec recommends that you use the Webconsole or a connection that uses RDP to access the console locally on the server.
- Because of the increased load that TLS places on performance, Symantec recommends that you have the Symantec Endpoint Protection Manager manage a limited number of clients.
- Although you can connect Symantec Endpoint Protection Mac clients to your FIPS-mode server network, the Mac clients have not yet been upgraded to use a FIPS-validated client TLS encryption module.


Unsupported features when you run Symantec Endpoint Protection in a FIPS-compliant manner
The following Symantec Endpoint Protection features have not been analyzed or tested for use in a Symantec Endpoint Protection 11.X-based FIPS-compatible deployment at this time:

- Group Update Providers
- Quarantine servers
- The Symantec Network Access Control Enforcer appliance

As a best practice, do not use these Symantec Endpoint Protection features if you want to ensure that you maintain a FIPS-protected environment.

 

For further information please read the following documentation:

Symantec™ Endpoint Protection version 11, RU 6a, MP 2 and later FIPS 140-2 Deployment Guide

Symantec Endpoint Protection 11.0.6 Maintenance Patch 2 (RU6 MP2) is now available



