FIPS mode

FIPS (Federal Information Processing Standards) is a set of standards developed by the United States Federal Government for use in computer systems. FIPS 140-2 is the subset of standards which defines approved encryption algorithms used for handling sensitive information.

If your Secure Email Gateway has been pre-configured to operate in FIPS mode, the cryptographic modules used by the Gateway and the underlying RedHat 9 OS are compliant with FIPS 140-2.

Features and options you will not be able to use in FIPS mode

In FIPS mode, you will not be able to:

• Use the following ciphers and cryptographic policies:

  Show

  • IKEv1

  • 3DES

  • RC4

  • DH (less than 2048 bit)

  • RSA (less than 2048 bit)

  • DSA

  • TLS 1.0 and TLS 1.1

  • TLS 1.2 connections without the Extended Master Secret (EMS) extension

  • SHA-1 digital signatures and certificates

  • CBC mode cyphers

  • Symmetric cyphers with keys less than 256 bits

• Use PGP encryption or decryption

• Set PGP endpoint defaults

• Import or extract PGP keys

• Apply password encryption

• View PGP or password encryption statistics

For more information on the system-wide FIPS security profile implemented in Red Hat 9, see the Red Hat Documentation.

Full-mode PMM in FIPS mode

When PMM (Personal Message Management) is configured in Full mode, it uses NTLM for authentication with Active Directory domain controllers. NTLM is not FIPS compliant.

Enable and Disable FIPS mode

Your Secure Email Gateway can only be configured to operate in FIPS mode during installation.

Once enabled, you cannot disable FIPS mode without reinstalling the Gateway.

Check if your Secure Email Gateway is operating in FIPS mode

From Cockpit

1. Log in to Cockpit and navigate to Terminal.

   To access the Cockpit administration user interface, open a supported web browser and enter the IP address of your Secure Email Gateway, on port 9090: https://<ip-address>:9090

2. Execute the following:

   fips-mode-setup --check

From the Gateway web user interface

1. Navigate to System > Monitoring & Control > Logs & Alarms.

2. Select the System Logs tab.

   If the Gateway is operating in FIPS mode, the FIPS Audit log is active. If not, the log is inactive and gray.

Alternatively:

1. Navigate to System > Encryption > Encryption/Decryption Defaults.

   If the Gateway is operating in FIPS mode, the following warning is displayed:

   While using Email Gateway in FIPS mode, you will be unable to use PGP or Password encryption methods as they use unsupported algorithms.

Tell me about...

• FIPS 140-2 and Secure Email Gateway

  Many organizations handle sensitive information on a regular basis. Government departments, financial institutions and other high security industries require a recognized level of security when exchanging information. FIPS 140-2 provides approved standards for message encryption and data handling, and is a key requirement for an increasing number of organizations. In FIPS mode, the Gateway is compliant with this requirement.

  FIPS mode provides confidence that the Gateway is handling sensitive and unclassified information to the FIPS 140-2 standard required by the US Federal Government.

• FIPS and the Peer Gateways

  A FIPS-enabled Gateway can be peered with other FIPS-enabled Gateways. However, FIPS compliance can not be extended to the Peer Gateways which are not FIPS enabled.

  You can add a FIPS-enabled Gateway as a peer to Secure Email Gateway. All subsequent peers must be FIPS enabled. Mixed compliance is not permitted for the Peer Gateways.

• Back up and restore FIPS configurations

  You can only restore FIPS configurations to a FIPS-enabled Gateway. This ensures FIPS compliance is maintained consistently on your Gateway or across your peers.

  You cannot restore a non-FIPS configuration to a FIPS-enabled Gateway. You cannot restore a FIPS configuration to a non-FIPS-enabled Gateway.

• Gateway services which operate in FIPS mode

  The following services use FIPS-approved cryptography:

  • SMTP mail services
  • SpamLogic
  • Policy Enforcement
  • Encryption

• FIPS mode and S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES. signatures

  If Secure Email Gateway is FIPS enabled, weaker S/MIME signatures (for example, signatures from a non-FIPS-enabled Gateway) will be identified as "Unknown".