Last time I checked, Wireguard's crypto is grossly inefficient for US NIST FIPS compliance, and forces specific ciphers for speed. OpenVPN allows the administrators to choose ciphers, and this includes being Linux kernel FIPS mode compatible.**
In the US, even commercially, US NIST Cybersecurity Maturity Model Certification (CMMC) v2.0, along with existing US NIST 800-171 (especially updated revision 2), are hitting hard. And outside of US NIST, many entities (internationally) also follow US DISA Security Technical Implementation Guides (STIGs), which also enable FIPS. I can also go into VISA et al. compliance, like DSS PCI.

So ... while I'm not saying US NIST FIPS, CMMC 2.0 and other compliance should eliminate something from consideration ... it should bolster considerations to not drop something, in favor of something else that is not compliant.

- bjs

**P.S. For those unaware, when you put the Linux kernel in FIPS mode, which is a boot-time setting (can check run-time here /proc/sys/crypto/fips_enabled), it's not that libraries are disabled. No, the kernel itself stomps on any insecure crypto call, even if the library is enabled. It's the one thing that most people are unaware of when they first run into it. I even recently called nVidia out for this, for ignoring it for nearly the past four (4) years with countless forum posts (over 100) and several tickets, when it comes to some of their CUDA userspace packages.

RE: https://www.linkedin.com/feed/update/urn:li:activity:7118774386890866688/

On Tue, Oct 24, 2023 at 9:10 AM Simone Piccardi via lpi-examdev <[email protected]> wrote:

> On 23/10/23 19:43, Fabian Thorns via lpi-examdev wrote:
> > - Objective 212.5 now covers VPN in a more generic fashion and Wireguard
> > instead of OpenVPN
> >
>
> Why remove OpenVPN? At least in my experience it is more commonly used (as
> it is supported by more firewall appliances) than Wireguard to connect
> clients to remote networks.
>
> Simone
> --
> Simone Piccardi                 Truelite Srl
> [email protected] (email/jabber)   Via Monferrato, 6
> Tel. +39-347-1032433            50142 Firenze
> http://www.truelite.it          Tel. +39-055-7879597
>
> _______________________________________________
> lpi-examdev mailing list
> [email protected]
> https://list.lpi.org/mailman/listinfo/lpi-examdev

--
Bryan J Smith - http://www.linkedin.com/in/bjsmith
E-mail: b.j.smith at ieee.org or me at bjsmith.me
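The run-time check named in the P.S., as an added example that is not part of the original message: it reads `/proc/sys/crypto/fips_enabled` and compares it with the `fips=` kernel boot parameter in `/proc/cmdline`, so an auditor can tell "requested at boot" from "actually active". The function names and the optional proc-root argument are hypothetical helpers introduced here so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report kernel FIPS state from procfs.
# The first argument of every function is an assumed override of the
# procfs mount point; it defaults to the real /proc.

fips_runtime() {
    # Prints the flag value (1 or 0), or "absent" when the kernel
    # exposes no fips_enabled file at all.
    f="${1:-/proc}/sys/crypto/fips_enabled"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

fips_boot_param() {
    # Prints the value of the last fips= word on the kernel command
    # line, or "unset" when the parameter was not passed.
    cmdline="${1:-/proc}/cmdline"
    [ -r "$cmdline" ] || { printf 'unset'; return; }
    val=$(tr ' ' '\n' < "$cmdline" | sed -n 's/^fips=//p' | tail -n 1)
    printf '%s' "${val:-unset}"
}

fips_status() {
    # Combines the boot-time request and the run-time flag into one verdict.
    root="${1:-/proc}"
    rt=$(fips_runtime "$root")
    bp=$(fips_boot_param "$root")
    case "$rt:$bp" in
        1:1)      echo "enforcing" ;;
        0:1)      echo "mismatch: fips=1 requested but not active" ;;
        1:*)      echo "mismatch: active without fips=1 on cmdline" ;;
        absent:*) echo "unsupported" ;;
        *)        echo "disabled" ;;
    esac
}

# Report for the running system (or for the tree named in PROC_ROOT).
fips_status "${PROC_ROOT:-/proc}"
```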
