2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright
notice.
44
SV3800, SV3800B, and SV3800B-20 Security Policy
3. Secure Operation
The SV3800/SV3800B/SV3800B-20 conforms to FIPS 140-2 level 2 requirements.
This section contains details on how to place the SV3800 into a FIPS approved
mode of operation and how to maintain FIPS approved operation.
3.1 Cryptographic Officer Guidance
The Crypto Officer is responsible for initialization and management of the
security relevant configuration parameters within the
SV3800/SV3800B/SV3800B-20. The Crypto Officer can access the SV3800
remotely using TLS. When accessed using TLS, the system provides an HTTPS
graphical user interface (WebUI).
The Crypto Officer can import an RSA private key and certificate to be used by
the WebUI for establishing a TLS session. The Crypto Officer shall only import
RSA 2048 bit or larger keys. RSA keys less than 2048 bits are no longer approved
for use as of January 1, 2014. See NIST SP 800-131A for details.
The Crypto Officer must be allowed physical access to the
SV3800/SV3800B/SV3800B-20. Physical access to the module shall be limited to
the Crypto Officer and the Manage Appliance administrators.
Full details on how to configure and manage the SV3800 series are contained in
the Blue Coat Systems SSL Visibility Appliance Administration and Deployment Guide
v3.8.2F, 3.8.4FC, or 3.10. This guide can be downloaded from the Symantec
customer support site (
https:/
/bto.bluecoat.com)
.
3.2 Tamper Evident Label Management and Application Instructions
The Crypto Officer shall verify that all tamper evident labels are in place and
undamaged. If a label is damaged or has been removed (in order to conduct
system maintenance for example), then the Crypto Officer must ensure that the
damaged or missing label is replaced, and a factory default reset must be
performed on the SV3800/SV3800B/SV3800B-20 before proceeding.
A total of four tamper evident labels must be fitted to the module. In the event
that the tamper evident labels require replacement, a pack of new labels can be
purchased (P/N: FIPS-LABELS-SV).
The Crypto Officer shall be responsible for the secure storage of any label kits. The
Crypto Officer shall be present whenever tamper evident labels are removed or
installed to ensure security is maintained and that the module is returned to a
FIPS approved state.
Figure 3-11 shows a tamper evident label that has been tampered with. If the
“VOID” image is visible or there is other physical damage to the label, the device
should not be placed into operation.
The tamper evident seals shall be installed for the module to operate in a FIPS
Approved mode of operation.
The details below show the location of all tamper evident labels and also detail
how to remove and replace a label if this is required.