[Bro] branching Bro

Fernandez, Mark I mfernandez at mitre.org
Thu Feb 2 06:37:35 PST 2017

Erik, Justin -

You both have good points.  For Erik, I think you have solid ground on which to stand if you make the following distinctions:

	(a) Bro is capable of inspecting/monitoring/detecting FIPS non-compliant encryption; this is a valid and necessary capability for the defense and security of your network; and

	(b) Is Bro being used to PROTECT federal information (whether in transit or at rest)?  If not, then no worries, argument alleviated.  But if so, then is Bro able to implement a FIPS-compliant encryption to do so?

As long as Bro uses FIPS-compliant encryption to PROTECT information (or if you can come up with an appropriate mitigation), then I believe you can make a reasonable case to your certification and accreditation folks to allow Bro to also continue monitoring for non-compliance.

Mark Fernandez

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Azoff, Justin S
Sent: Thursday, February 02, 2017 9:00 AM
To: erik clark <philosnef at gmail.com>
Cc: Bro-IDS <bro at bro.org>
Subject: Re: [Bro] branching Bro

> On Feb 2, 2017, at 8:53 AM, erik clark <philosnef at gmail.com> wrote:
> Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.

And handicapping the best tool you'd have to detect noncompliant certificates is extremely misguided and counterproductive.

It's like if you had a tool that could scan for use of 512-bit key SSL certificates, and someone prevented you from using it because it "supports" 512-bit certificates and 512-bit certificates are not FIPS compliant.

- Justin Azoff

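The capability both messages describe, Bro being the tool that catches non-compliant certificates and cipher suites on the wire, is the point worth making concrete for whoever has to argue it before the C&A board. The script below is an added example, not Bro's own code and not something either poster wrote: it reads abbreviated, constructed excerpts of Bro's x509.log and ssl.log (real logs carry more columns; the field names used here follow Bro's) and flags records that fall below an illustrative key-size and algorithm policy. The thresholds (RSA/DSA at least 2048 bits, EC at least 224 bits, no MD5 or SHA-1 signatures, no SSLv2/SSLv3, no export, NULL, RC4, single-DES or MD5 cipher suites) are loosely modeled on NIST SP 800-131A and are an assumption for the example, not a FIPS ruling; adjust them to what your accreditor actually requires.

```python
"""Audit Bro x509.log / ssl.log records against a key-size and algorithm policy.

Added example, not Bro project code. Log excerpts are constructed and
abbreviated; column names follow Bro's x509.log and ssl.log. The policy
thresholds are an assumption loosely based on NIST SP 800-131A.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Constructed x509.log excerpt: one certificate per row, real logs have more columns.
X509_LOG = """\
#separator \\x09
#path\tx509
#fields\tts\tid\tcertificate.subject\tcertificate.sig_alg\tcertificate.key_type\tcertificate.key_length
#types\ttime\tstring\tstring\tstring\tstring\tcount
1486046255.000000\tF1a2b3\tCN=legacy.example.net\tmd5WithRSAEncryption\trsa\t512
1486046256.000000\tF4c5d6\tCN=www.example.net\tsha256WithRSAEncryption\trsa\t2048
1486046257.000000\tF7e8f9\tCN=old.example.net\tsha256WithRSAEncryption\trsa\t1024
1486046258.000000\tFabcde\tCN=ecc.example.net\tecdsa-with-SHA256\tecdsa\t256
"""

# Constructed ssl.log excerpt: one TLS session per row.
SSL_LOG = """\
#separator \\x09
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1486046255.000000\tCa1b2c\t10.0.0.5\t51234\t192.0.2.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.net
1486046256.000000\tCd3e4f\t10.0.0.6\t51235\t192.0.2.11\t443\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA\tlegacy.example.net
1486046257.000000\tCg5h6i\t10.0.0.7\t51236\t192.0.2.12\t443\tSSLv3\tTLS_RSA_EXPORT_WITH_DES40_CBC_SHA\told.example.net
"""

# Illustrative policy (assumption): minimum key sizes per Bro key_type value,
# hash names that must not appear in a signature algorithm, protocol versions
# that are never acceptable, and cipher-suite name tokens that mark a weak suite.
MIN_KEY_BITS = {"rsa": 2048, "dsa": 2048, "ecdsa": 224}
DISALLOWED_SIG_HASHES = ("md5", "sha1")
DISALLOWED_VERSIONS = {"SSLv2", "SSLv3"}
DISALLOWED_CIPHER_TOKENS = {"NULL", "EXPORT", "RC4", "DES", "DES40", "MD5"}


@dataclass
class Finding:
    uid: str                 # Bro file id (x509) or connection uid (ssl)
    name: str                # certificate subject or SNI server_name
    reasons: list[str] = field(default_factory=list)


def parse_bro_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data row of a tab-separated Bro log, keyed by the #fields header."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines, blank lines
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def audit_x509(text: str) -> list[Finding]:
    """Return one Finding per certificate that violates the key-size or signature policy."""
    findings: list[Finding] = []
    for rec in parse_bro_log(text):
        f = Finding(rec["id"], rec["certificate.subject"])
        ktype = rec["certificate.key_type"]
        bits = int(rec["certificate.key_length"])
        floor = MIN_KEY_BITS.get(ktype)
        if floor is not None and bits < floor:
            f.reasons.append(f"{ktype} key is {bits} bits, policy floor is {floor}")
        sig = rec["certificate.sig_alg"].lower()
        for h in DISALLOWED_SIG_HASHES:
            if h in sig:
                f.reasons.append(f"signature algorithm {rec['certificate.sig_alg']} uses {h}")
        if f.reasons:
            findings.append(f)
    return findings


def audit_ssl(text: str) -> list[Finding]:
    """Return one Finding per session negotiating a disallowed version or cipher suite."""
    findings: list[Finding] = []
    for rec in parse_bro_log(text):
        f = Finding(rec["uid"], rec["server_name"])
        if rec["version"] in DISALLOWED_VERSIONS:
            f.reasons.append(f"protocol version {rec['version']} is disallowed")
        # Cipher suite names are underscore-delimited; match whole tokens so
        # 3DES and SHA256 are not mistaken for DES and SHA.
        bad = DISALLOWED_CIPHER_TOKENS & set(rec["cipher"].split("_"))
        if bad:
            f.reasons.append(f"cipher {rec['cipher']} uses {', '.join(sorted(bad))}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit_x509(X509_LOG) + audit_ssl(SSL_LOG):
        print(f"{finding.uid} {finding.name}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the embedded excerpts it reports the 512-bit MD5-signed certificate, the 1024-bit certificate, the RC4 session and the SSLv3 export-cipher session, and stays silent on the compliant rows. Against a real deployment, point the two audit functions at the files under Bro's log directory (the header parsing handles the full column set) and feed the findings to whatever the C&A process wants as evidence that non-compliant crypto is being caught rather than used.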