Netgate SG-1000 microFirewall

Author Topic: Is pfsense FIPS 140-2 complainant  (Read 213 times)

0 Members and 1 Guest are viewing this topic.

Offline jridings

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Is pfsense FIPS 140-2 complainant
« on: December 02, 2017, 03:39:43 pm »
Simple Yes or No question!  Is pfsense FIPS 140-2 complainant?  If YES, how do I go about getting a FIPS 140-2 complainant Certificate?


Thanks,
James

Offline motific

  • Jr. Member
  • **
  • Posts: 35
  • Karma: +4/-0
    • View Profile
Re: Is pfsense FIPS 140-2 complainant
« Reply #1 on: December 03, 2017, 05:50:34 pm »
I don't believe it is compliant out of the box (feel free to correct me if I'm wrong on that), but it can be configured that way.

As I understand it you require a validated build to match the certification (it must be a specific version built with specific options.)

pfSense is based on FreeBSD and uses OpenSSL which does have FIPS 140-2 certifications that can be found at csrc.nist.gov searching on openssl as the vendor.

Offline Harvy66

  • Hero Member
  • *****
  • Posts: 2219
  • Karma: +204/-12
    • View Profile
Re: Is pfsense FIPS 140-2 complainant
« Reply #2 on: December 05, 2017, 07:03:02 am »
Doing a quick wiki, FIPS 140-2 is about physical security.

Quote
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

It's logically impossible for software to comply with this.

FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

Offline Stewart

  • Full Member
  • ***
  • Posts: 255
  • Karma: +16/-2
    • View Profile
Re: Is pfsense FIPS 140-2 complainant
« Reply #3 on: December 05, 2017, 11:48:58 am »
Doing a quick wiki, FIPS 140-2 is about physical security.

Quote
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

It's logically impossible for software to comply with this.

FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

@jridings:  Perhaps a better question would be are "Netgate pfSense Security Gateway Appliances" FIPS 140-2 compliant?  Looking over the wiki it appears that any device could be compliant as long as it had a special certified encryption board.  It that case it is just about the physical hardware being certified and no off-the-shelf components will work.  Maybe if you installed a certified board into your build for it to do the cryptography work that would pass?  But finding one that has BSD drivers and getting it to work with pfSense could be a challenge.  I don't see anything that says the entire device must be certified, only the hardware responsible for encrypting but I'm not really sure on that.