Allan-
EAS typically runs over SSL (port 443); connection security is a function of the IIS server, not EAS. There are registry settings to disable non-FIPS-compliant algorithms in Exchange Server 2010 SP1: http://blogs.technet.com/b/exchange/archive/2010/08/30/exchange-2010-sp1-and-support-for-fips-compliant-algorithms.aspx
The FIPS compliance/certification comes from the OS layer (CAPI) and its behaviors.
http://technet.microsoft.com/en-us/library/cc750357.aspx
So, I’m saying we can force EAS into FIPS Compliant mode and the data connection will be FIPS Compliant.
The rub with web browsers is the security of the connection is dependent on the remote end and what it requires. If you implement a web server and don’t exclude the NULL Cypher, you can have non-encrypted SSL sessions. In fact, you can choose what encryption to enable in your web server. This means that the browser needs a wide range of algorithms for maximum compatibility. So while you could certify that FIPS compliant algorithms work as needed, I’m not sure how much good that provides when you have to also provide non-FIPS for compatibility. (Remember, Apple didn’t create a BlackBerry where we can force the issue with a security setting.)
Lee
Lee Neely, CISSP, CISM, CCUV
Lawrence Livermore National Laboratory
Cyber Security Program
7000 East Ave L-315
Livermore, CA, 94551
Phone: +1 (925) 422-0140
email@hidden
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden]
On Behalf Of Marcus, Allan B
Sent: Friday, May 24, 2013 7:54 AM
To: email@hidden Talk
Subject: [Fed-Talk] iOS 6, FIPS, and Data in transit?
If using Apple Mail on an iOS device, say with Active Sync to an enterprise Exchange server, is the data in transit (e.g., the network connection to the exchange server) FIPS 140.2 L1 validated (assuming Apple gets both the FIPS validations it is seeking)?
Also, is Mobile Safari's SSL FIPS validated (or will be when the second validation comes through)?
Los Alamos National Laboratory
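
The reply's point that the remote end decides which suite a connection ends up with, as an added example that is not part of the original thread: a simplified Python model of server-preference suite selection, plus a name-based check for algorithms that are not FIPS-approved. The suite lists are constructed, the names follow OpenSSL conventions, and passing the name check says nothing about whether the cryptographic module itself is FIPS 140-2 validated.

```python
# Tokens in OpenSSL-style suite names that mark a non-FIPS-approved algorithm.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "RC4": "RC4 not FIPS-approved",
    "RC2": "RC2 not FIPS-approved",
    "MD5": "MD5 not FIPS-approved",
    "EXP": "export-grade key length",
    "CHACHA20": "ChaCha20 not FIPS-approved",
}


def non_fips_reasons(suite):
    """Return why a suite fails the name check (empty list = passes by name)."""
    tokens = suite.upper().split("-")
    reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    # OpenSSL writes single DES as "DES-CBC" and triple DES as "DES-CBC3";
    # triple DES is treated as approved, as it was when this thread was written.
    if "DES" in tokens and "CBC3" not in tokens:
        reasons.append("single DES not FIPS-approved")
    if any(t.startswith(("CAMELLIA", "SEED", "IDEA")) for t in tokens):
        reasons.append("cipher not FIPS-approved")
    return reasons


def negotiate(client_offer, server_prefs):
    """Server-preference selection: first server suite the client also offers."""
    return next((s for s in server_prefs if s in client_offer), None)


# Constructed: a web server that never excluded NULL and lists it first.
SERVER = ["NULL-SHA", "RC4-MD5", "AES128-SHA"]
# Constructed: a client offering a wide range for maximum compatibility.
BROWSER = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA",
           "RC4-MD5", "NULL-SHA"]
# The same client restricted to suites that pass the name check.
FIPS_ONLY = [s for s in BROWSER if not non_fips_reasons(s)]

if __name__ == "__main__":
    for label, offer in (("wide", BROWSER), ("restricted", FIPS_ONLY)):
        chosen = negotiate(offer, SERVER)
        print(f"{label:10} -> {chosen} {non_fips_reasons(chosen) if chosen else ''}")
    # A server with nothing acceptable to the restricted client: no session.
    print("restricted vs weak-only server ->",
          negotiate(FIPS_ONLY, ["NULL-SHA", "RC4-MD5"]))
```

The restricted client gets an AES session from the same server, or no session at all when the server offers nothing it accepts, which is the compatibility cost the reply describes.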