FIPS 140-2 Mode

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Security > FIPS 140-2 Mode

FIPS 140-2 Mode

Help | Content Gateway | Version 7.8.x

FIPS (Federal Information Processing Standard) 140-2 is a U.S. government security standard for hardware and software cryptography modules. Modules validated against the standard assure government and other users that the cryptography in the system meets the standard.

The cryptographic libraries used in version 7.8 of Websense Web Security Gateway (Anywhere), including the Content Gateway component, have passed FIPS 140-2 validation. To see a listing of the validation, go to the 2012 list of Validated FIPS 140 1 and FIPS 140-2 Cryptographic Modules and search for "Websense". For more information about the NIST FIPS 140-2 program, see Cryptographic Module Validation Program (CMVP) validation page.

By default, Content Gateway does not operate in FIPS 140-2 mode. Content Gateway still uses the FIPS-validated libraries, but it also allows cryptographic algorithms that are not supported by the FIPS 140-2 standard.

You can configure Content Gateway to enforce FIPS 140-2 on HTTPS connections.

When FIPS is enabled:

HTTPS connections use TLSv1

HTTPS connections use FIPS 140-2 approved algorithms

Content Gateway generates SHA-256 certificates in response to origin server certificate requests


	Warning Once the FIPS 140-2 option is enabled, you cannot disable it without a complete reinstall of Content Gateway. If Content Gateway is on an appliance, the appliance must be reimaged.

Important

Where Web Security Gateway interfaces with some TRITON Enterprise components, there may be a FIPS 140-2 boundary. These include:

In Web Security Gateway Anywhere, traffic that flows through the cloud does not use FIPS 140-2.

ThreatScope traffic does not use FIPS 140-2.

Websense Data Security does not use FIPS 140-2.

TRITON Mobile Security does not use FIPS 140-2.

When RSA SecurID is configured for the TRITON console logon, the connection to RSA SecurID is not FIPS 140-2.


	Important Due to a system limitation, FIPS 140-2 mode cannot be used with IWA fallback to NTLM or Legacy NTLM user authentication.

To enable FIPS 140-2 on HTTPS connections:

1.

In the Content Gateway manager go to Configure > Security > FIPS Security.

2.

Review the warning, select Enabled, and click Apply.

3.

If you are sure that you want to enable FIPS, restart Content Gateway.

4.

If you do not want to enable FIPS, select Disable and click Apply.


	Note Even after FIPS 140-2 mode is enabled, by default SHA-1 certificates continue to be used for logon to TRITON management consoles. To learn about how to create and install stronger SHA certificates, see: How do I create a stronger SHA certificate for Websense management consoles?

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Security > FIPS 140-2 Mode

Copyright 2016 Forcepoint LLC. All rights reserved.