Symantec SSL Visibility SV3800, Manual

Page 1: ...ware Versions 090 03064 080 03563 080 03679 090 03550 080 03782 080 03787 090 03551 080 03783 and 080 03788 with FIPSKit FIPS LABELS SV Firmware Versions 3 8 2F build 227 3 8 4FC 3 10 build 40 FIPS 14...

Page 2: ...hird parties are the property of their respective owners This document is for informational purposes only SYMANTEC MAKES NO WARRANTIES EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUME...

Page 3: ...CSP Access 25 2 6 PhysicalSecurity 31 2 7 Non ModifiableOperationalEnvironment 32 2 8 Cryptographic KeyManagement 32 2 9 Self Tests 41 2 10 DesignAssurance 43 2 11 Mitigation of Other Attacks 43 3 Sec...

Page 4: ...SV3800 SV3800B and SV3800B 20 Security Policy 4...

Page 5: ...yptographic Module Validation Program CMVP website at http csrc nist gov groups STM cmvp index html In this document the SSL Visibility Appliance models SV3800 SV3800B and SV3800B 20 are referred to a...

Page 6: ...buted whole intact including this copyright notice 6 With the exception of this non proprietary Security Policy the FIPS 140 2 Submission Package is proprietary to Symantec Corporation and is releasab...

Page 7: ...Data Loss Prevention EMC ElectromagneticCompatibility FIPS Federal Information Processing Standard GigE Gigabit Ethernet interface HMAC Hash Message Authentication Code HTTPS HTTP over TLS iPass High...

Page 8: ...fication Number POST Power On Self Test PSU Power Supply Unit SHA Secure Hash Algorithm SSH Secure Shell TAP Device providing a copy of traffic flowing through the network TRNG True Random Number Gene...

Page 9: ...encrypted version of SSL TLS traffic to the associated appliances while maintaining an end to end SSL TLS connection between the client and server involved in the session There are three basic connect...

Page 10: ...of this type of deployment would be an IPS attached to the SV3800 SV3800B SV3800B 20 This mode of operation supports both SSL Inspection and SSL policy control In Passive Inline mode Figure 2 2 networ...

Page 11: ...e attached security appliance The SV3800 SV3800B SV3800B 20 receives a copy of traffic in the network from a TAP device and this traffic possibly decrypted is sent to the attached security appliance A...

Page 12: ...k security appliances can do their job even when the traffic is sent over SSL TLS connections Detecting intercepting decrypting and re encrypting SSL TLS traffic is a complex and computationally inten...

Page 13: ...ined policy control over what SSL TLS traffic is allowed in the network All SSL TLS traffic seen by the SV3800 SV3800B SV3800B 20 whether it is using approved or non approved algorithms will be proces...

Page 14: ...ware Appliance For each appliance model the hardware is the same for all appliance types The Crypto Officer and User services of the module are identical for all appliance types The SV3800 SV3800B SV3...

Page 15: ...hysically connected to each other in the event that the system is powered off or that a failure is detected Depending on how the network is connected to the SV3800 this allows network traffic to conti...

Page 16: ...Figure 2 7 and has the following elements going from left to right 2 x hot swappable power supply bays Serial port RJ45 connector VGA display connector 2 x USB 2 0 and 2 x USB 3 0 ports 2 x GigE ports...

Page 17: ...2 Tamper Evident Label Management and Application Instructions provides guidance on how and where tamper evident labels need to be applied to the SV3800 SV3800B SV3800B 20 Figure 2 8 SV3800 SV3800B SV...

Page 18: ...ic Interference ElectromagneticCompatibility 2 9 Self Tests 2 10 Design Assurance 3 11 Mitigation of Other Attacks Not applicable 2 3 Module Interfaces The logical cryptographic boundary of the module...

Page 19: ...ice 19 Note Netmods are NOT hot swappable Power off the system before you remove or install Netmod Figure 2 10 shows the physical cryptographic boundary as a yellow line with the module being everythi...

Page 20: ...raphicboundary As noted in Section 2 2 Module Specification the SV3800 SV3800B SV3800B 20 has a number of connectors located on the front and back panels These physical interfaces are listed below wit...

Page 21: ...Y Status output Ethernet 2 LEDsa Back Y Power input Power connections from removable PSUs Back Y a Ethernet 2 is disabled and cannot be used for management so these LEDs will never light up The front...

Page 22: ...LED on the rear panel to the left of the serial port to illuminate This LED is located behind the back panel so it is visible through the ventilation holes The purpose of this LED is to make it easier...

Page 23: ...Before accessing the module for administrative services administrators must authenticate using the methods specified in Section 2 4 2 Authentication Mechanisms The module offers the following managem...

Page 24: ...inimum of 8 characters The probability of a false positive for a random password guess is less than 1 in 1 000 000 Actual value 230 Passwords must be a minimum of 8 characters The probability of a fal...

Page 25: ...on policy state Y Y Y Y Export diagnostic information platform state Y Y Export diagnostic information SSL statistics Y Y Export diagnostic information host statistics NFP statistics Y Y Y Y Export di...

Page 26: ...e user accounts Y Assign remove Manage PKI Crypto Officer role Web UI Y Assign remove Manage PKI Crypto Officer role for CLD Y Y Y View user accounts Y Y View appliance settings alerts Y Backup policy...

Page 27: ...ead by the service Write W The CSP is established generated modified or zeroized by the service Execute X The CSP is used within an approved or allowed security function or authentication mechanism Ta...

Page 28: ...d certificates Object encryption keys WX Trusted certificate public keys W Y Import delete known keys and certificate Object encryption keys WX Known public keys W Known private keys W Y View PKI info...

Page 29: ...Firmware update key Y Y Edit grid size in WebUI none Y Configure TLS version for WebUI None A limited set of services can be initiated from the front panel keypad and or can display output on the fro...

Page 30: ...signing CA public keys W Resigning CA private keys W Trusted certificate public keys W Known public keys W Known private keys W TLS SSH session keys W Integrity test public key W Operator password s W...

Page 31: ...closes the module s internal components Ventilation holes provided in the case either do not provide visibility to areas within the cryptographic boundary or have mechanisms in place to obscure the vi...

Page 32: ...eral purpose operating system nor does it allow operators to load software that is not cryptographically signed as being trusted The SV3800 SV3800B SV3800B 20 uses a proprietary non modifiable operati...

Page 33: ...ion 5 4 PBKDF option 2a Vendor affirmed Not Implemented CVL SSH SNMP and TLS1 0 1 1 1 2 429 562 and 919 Not Implemented Note TLS SSH and SNMP protocols have not been reviewed or tested by the CAVP and...

Page 34: ...ection Diffie Hellman public key size range 2048 15360 bits Diffie Hellman private key size range 112 512 bits Table 2 13b SV3800 SV3800B SV3800B 20 Non FIPS 140 2 Approved and non compliant Security...

Page 35: ...key seen in the SSL TLS handshake The module does not control the size of the keys used by the SSL TLS endpoints for key exchange If SSL 3 0 TLS 1 0 TLS 1 1 TLS 1 2 flows using non approved algorithm...

Page 36: ...using DRBG Never exits the module Encrypted using associated KEK2 and stored on main disk Encrypt data and other CSPs for storage RSA public key3 RSA 2048 and 3072 bits Internally generated using DRB...

Page 37: ...crypted backup Encrypted with associated object encryption key and stored on internal disk Negotiating SSL TLS sessions during SSL TLS Interception Key exchange public key RSA 2048 3072 4096 8192 bits...

Page 38: ...laintext or encrypted form PEM or PKCS12 or PKCS8 or from encrypted backup Exported in encrypted backup Encrypted with associated object encryption key and stored on internal disk Making policy decisi...

Page 39: ...ive backup object key Backup object key AES CBC 256 bit key Derived from backup password using PBKDFv2 Never exits the module Stored in volatile memory Encrypting backup data PIN or master key passwor...

Page 40: ...ssociated object encryption key and stored on internal disk Encrypting SNMPv3 packets SNMP Authentication Key HMAC SHA 1 Derived internally Exported in encrypted backup Encrypted with associated objec...

Page 41: ...ed with KEK1 and stored internally The master keys are used to encrypt AES 256 bit object keys Object keys are created using the internal DRBG and are used to encrypt data and keys for storage Object...

Page 42: ...an error state and powers off The firmware integrity test outputs an error message to the VGA console serial console and front panel LCD Error messages for all other POSTs are output to the system lo...

Page 43: ...In the event that the system enters an error state Crypto Officer attention is required to clear the error state 2 10 Design Assurance Symantec uses Git for software configuration management Cmake and...

Page 44: ...the Blue Coat Systems SSL Visibility Appliance Administration and Deployment Guide v3 8 2F 3 8 4FC or 3 10 This guide can be downloaded from the Symantec customer support site https bto bluecoat com 3...

Page 45: ...ignated label areas with isopropyl alcohol and make sure it is thoroughly dry Apply a small amount of alcohol to a clean lint free cloth Rub the area to be cleaned for several seconds Dry the area wit...

Page 46: ...r each plane the label will be in Each label goes around an edge and secures two planes The supplied label kit should be inspected as follows If the labels do not have matching number or if the bag ha...

Page 47: ...s 1 Power off the unit 2 Disconnect all cabling 3 Provide a clean work surface for applying the labels 4 Remove the two screws that optionally hold the front of the unit to the rack rails These may no...

Page 48: ...ntinuing the application of the label will cause the screw on the right side of the rear cover panel to be fully covered Also the top rivet and rear indentation should be fully covered by the label 4...

Page 49: ...the top center between the front and middle top covers of the chassis The shorter section goes on the front top cover and the longer section goes on the middle top cover 4 Starting at the edge press o...

Page 50: ...he SV3800 Figure 3 13 2 shows the location of the tamper evident label that should be fitted to the rear of the SV3800B and SV3800B 20 The label is applied over the top of the screw that secures the t...

Page 51: ...top panel of the SV3800B and SV3800B 20 Figure 3 15 Rear Panel without Label Fitted for the SV3800B The remaining three labels are applied to the top left and right sides of the SV3800 and prevent the...

Page 52: ...SV3800 SV3800B SV3800B 20 The label is applied over the top of the screw that secures the top panel to the rest of the unit and in such a way that it is impossible to remove the screw or to remove the...

Page 53: ...stributed whole intact including this copyright notice 53 Figure 3 18 Right Side without Label Fitted Figure 3 19 shows the location of the tamper evident label that should be fitted to the top side o...

Page 54: ...tting Started Guide v3 8 2F 3 8 4FC or 3 10 During bootstrap mode the WebUI needs to be accessed By default the SV3800 SV3800B SV3800B 20 will be using DHCP to acquire an IP address The SV3800 SV3800B...

Page 55: ...ontrol of the USB drive If the option is not chosen only the PIN if setup needs to be entered when the module is power cycled or restarted The final stage of the bootstrap process is user setup At lea...

Page 56: ...case the module s power is lost and then restored the key used for the AES GCM encryption decryption shall be re distributed 3 5 Module Zeroization Whenever the module is being taken out of service re...

Page 57: ...2016 Symantec Corporation This document may be freely reproduced distributed whole intact including this copyright notice 57...