Cisco ASA FIPS Compliant for SSL VPN?

There’s something that’s really been bothering me, and I hope some of you out there can help sort it out. For a long time now Cisco has claimed that the ASA is FIPS compliant. No real argument there. But how compliant, actually? When you go to the ASA FIPS 140-2 Security Policy, it states that the SSL mode of operation does not count. Just look at page 15 under the section “Non-FIPS Approved Algorithms”. Seems clear enough, doesn’t it? The lack of SSL (HTTPS) support seems even more apparent when you look at the NIST certificate and see that SSL is not listed among the approved modes.

But wait! That is all related to the server side. What about the client (AnyConnect)? Might there be some hope there?

As it turns out, the AnyConnect client does seem to have a solid enough FIPS claim, as supported by the SAIC compliance letter. Specifically, the SAIC document states that “All cryptographic services used for HTTPs connections on Windows XP, Windows Vista and Windows 7 are offloaded to Windows XP Enhanced Cryptographic Provider, Microsoft Windows Vista Cryptographic Primitives Library or Microsoft Windows 7 Cryptographic Primitives Library, respectively”, “All cryptographic algorithms used for HTTPs connections on Red Hat Enterprise Linux v6, Ubuntu 11.10, and Mac OS X 10.6/10.7/10.8 are offloaded to the CiscoSSL FIPS 140-2 validated FIPS canister (C3M)”, and “Bulk data encryption (via TLS and IPsec/IKEv2) for the established VPN connection uses CiscoSSL FIPS Object Module (C3M) on all platforms tested”.

So the bottom line is that the various clients seem to be covered well enough by the C3M FIPS-validated canister, while the server itself is not really capable of a FIPS-approved SSL mode. In other words, if you need end-to-end FIPS compliance without compromise, the Cisco solution would be to abandon SSL VPN connections and go back to IPSec.

I would love to hear from others though, especially if I’m missing something important that would allow the ASA to support FIPS.


The post Cisco ASA FIPS Compliant for SSL VPN? appeared first on SSL VPN Insider.

