Important notes to consider before configuring SEP for FIPS 140-2 compliance mode



Article ID: 152964


Products

Endpoint Protection

Issue/Introduction

For previous releases of Symantec Endpoint Protection, Symantec recommended that customers use the Microsoft FIPS modules to protect Symantec Endpoint Protection client and server communication for compliance with the FIPS 140-2 standard.

Symantec Endpoint Protection provides the Java Cryptography Extension (JCE) and RSA BSAFE cryptography library modules to protect its server-to-server communication and console-to-server communication. You can deploy Symantec Endpoint Protection and protect its key command and control communications with NIST FIPS-validated security modules.


Resolution

SEP does not currently support FIPS: it depends on modules whose FIPS certificates have expired and will not be renewed, and for some use cases it no longer uses FIPS-capable cryptographic libraries at all. Following the instructions below will not cause any problems, but it will not provide FIPS compliance either. Full FIPS compliance, including SEPM-to-database communications, is expected to be available in SEP 14.3 RU7. This article will be updated as new information becomes available.

If you have configured your SEP environment to be FIPS 140-2 compatible, please remember to mention it to Technical Support personnel in case you need support which requires running the Management Server Configuration Wizard.

If you are running the SEP Linux agent 14.3 RU3 or earlier and want to enable FIPS mode, you must upgrade the SEP Linux agent to 14.3 RU4 before you enable FIPS mode.

If you are installing for the first time, be sure to run the Management Server Configuration Wizard to complete the configuration of the Symantec Endpoint Protection Manager. Running the Management Server Configuration Wizard before you deploy and enable the FIPS-compliant Java libraries helps to avoid certificate problems.

WARNING: If you need to run the Management Server Configuration Wizard after you deploy and enable the FIPS-compliant Java libraries, you should disable the libraries beforehand.

Deploying and using FIPS-compliant mode
You can use a Symantec-supplied script to deploy, enable, disable, and reapply FIPS-compliant mode. You can double-click the script to check the current FIPS state, on or off. You can also use the script's -reapply flag to check the current FIPS state or to repair FIPS mode after an upgrade or after other changes.

To deploy and enable the FIPS-compliant Java libraries

1. Change folder to the drive:\installation_folder\bin folder. By default, this folder is the drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin folder.
2. Double-click the FIPSMode-Enable.bat file.


To disable the FIPS-compliant Java libraries

1. Change folder to the drive:\installation_folder\bin folder. By default, this folder is the drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin folder.
2. Double-click the FIPSMode-Disable.bat file.


To reapply the FIPS-compliant Java libraries
Open a command window and type the following command:

.\bin\FIPSMode.vbs -reapply

Limitations on Symantec Endpoint Protection features
FIPS compliance imposes some limitations on the following Symantec Endpoint Protection features:

- For Remote Management, Symantec recommends that you use the Webconsole or a connection that uses RDP to access the console locally on the server.
- Because of the increased load that TLS places on performance, Symantec recommends that you have the Symantec Endpoint Protection Manager manage a limited number of clients.
- Although you can connect Symantec Endpoint Protection Mac clients to your FIPS-mode server network, the Mac clients have not yet been upgraded to use a FIPS-validated client TLS encryption module.


Features not supported when you run Symantec Endpoint Protection in a FIPS-compliant manner
The following Symantec Endpoint Protection features have not been analyzed or tested for use in a Symantec Endpoint Protection-based FIPS-compatible deployment at this time:

- Group Update Providers
- Quarantine servers

As a best practice, do not use these Symantec Endpoint Protection features if you want to ensure that you maintain a FIPS-protected environment.


For further information, see the following documentation:

Symantec™ Endpoint Protection FIPS 140-2 Deployment Guide