
2016 Symantec Corporation. This document may be freely reproduced & distributed whole & intact including this copyright notice.

 

 

 

1. Introduction

 

1.1 Purpose

 

This document is a non-proprietary Cryptographic Module Security Policy for the SSL Visibility Appliance models SV3800, SV3800B, and SV3800B-20. The SV3800 should be operated with the 3.8.2F, 3.8.4FC, or 3.10 firmware version. The SV3800B and SV3800B-20 require the latest 3.10 firmware version to operate. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module, and may freely be reproduced and distributed in its entirety (without modification).

Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, specifies the U.S. and Canadian Governments’ requirements for cryptographic modules. The following pages describe how the SSL Visibility Appliance meets these requirements and how to operate the device in a mode compliant with FIPS 140-2.

More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at: http://csrc.nist.gov/groups/STM/cmvp/index.html

In this document, the SSL Visibility Appliance models SV3800, SV3800B, and SV3800B-20 are referred to as the SV3800, SV3800B, and SV3800B-20, the hardware module, the cryptographic module, or the module.

 

1.2 References

 

This document only deals with the operation and capabilities of the SV3800, SV3800B, and SV3800B-20 within the technical terms of a FIPS 140-2 cryptographic module security policy. More information on the SV3800, SV3800B, and SV3800B-20 is available from the following sources:

- The Symantec website, www.symantec.com, contains information on the full line of products from Blue Coat.
- The Symantec customer website, https://bto.bluecoat.com, contains product documentation, software downloads, and other information on the full line of products from Blue Coat.
- The CMVP website http://csrc.nist.gov/groups/STM/cmvp/index.html contains contact information for answers to technical or sales-related questions for the module.

 

1.3 Document Organization

 

This Security Policy is one document in the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence
- Finite State Machine
- Other supporting documentation as additional references
- Validation Submission Summary

Summary of Contents for SSL Visibility SV3800

Page 1: ...ware Versions 090 03064 080 03563 080 03679 090 03550 080 03782 080 03787 090 03551 080 03783 and 080 03788 with FIPSKit FIPS LABELS SV Firmware Versions 3 8 2F build 227 3 8 4FC 3 10 build 40 FIPS 14...

Page 2: ...hird parties are the property of their respective owners This document is for informational purposes only SYMANTEC MAKES NO WARRANTIES EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUME...

Page 3: ...CSP Access 25 2 6 PhysicalSecurity 31 2 7 Non ModifiableOperationalEnvironment 32 2 8 Cryptographic KeyManagement 32 2 9 Self Tests 41 2 10 DesignAssurance 43 2 11 Mitigation of Other Attacks 43 3 Sec...

Page 4: ...SV3800 SV3800B and SV3800B 20 Security Policy 4...

Page 5: ...yptographic Module Validation Program CMVP website at http csrc nist gov groups STM cmvp index html In this document the SSL Visibility Appliance models SV3800 SV3800B and SV3800B 20 are referred to a...

Page 6: ...buted whole intact including this copyright notice 6 With the exception of this non proprietary Security Policy the FIPS 140 2 Submission Package is proprietary to Symantec Corporation and is releasab...

Page 7: ...Data Loss Prevention EMC ElectromagneticCompatibility FIPS Federal Information Processing Standard GigE Gigabit Ethernet interface HMAC Hash Message Authentication Code HTTPS HTTP over TLS iPass High...

Page 8: ...fication Number POST Power On Self Test PSU Power Supply Unit SHA Secure Hash Algorithm SSH Secure Shell TAP Device providing a copy of traffic flowing through the network TRNG True Random Number Gene...

Page 9: ...encrypted version of SSL TLS traffic to the associated appliances while maintaining an end to end SSL TLS connection between the client and server involved in the session There are three basic connect...

Page 10: ...of this type of deployment would be an IPS attached to the SV3800 SV3800B SV3800B 20 This mode of operation supports both SSL Inspection and SSL policy control In Passive Inline mode Figure 2 2 networ...

Page 11: ...e attached security appliance The SV3800 SV3800B SV3800B 20 receives a copy of traffic in the network from a TAP device and this traffic possibly decrypted is sent to the attached security appliance A...

Page 12: ...k security appliances can do their job even when the traffic is sent over SSL TLS connections Detecting intercepting decrypting and re encrypting SSL TLS traffic is a complex and computationally inten...

Page 13: ...ined policy control over what SSL TLS traffic is allowed in the network All SSL TLS traffic seen by the SV3800 SV3800B SV3800B 20 whether it is using approved or non approved algorithms will be proces...

Page 14: ...ware Appliance For each appliance model the hardware is the same for all appliance types The Crypto Officer and User services of the module are identical for all appliance types The SV3800 SV3800B SV3...

Page 15: ...hysically connected to each other in the event that the system is powered off or that a failure is detected Depending on how the network is connected to the SV3800 this allows network traffic to conti...

Page 16: ...Figure 2 7 and has the following elements going from left to right 2 x hot swappable power supply bays Serial port RJ45 connector VGA display connector 2 x USB 2 0 and 2 x USB 3 0 ports 2 x GigE ports...

Page 17: ...2 Tamper Evident Label Management and Application Instructions provides guidance on how and where tamper evident labels need to be applied to the SV3800 SV3800B SV3800B 20 Figure 2 8 SV3800 SV3800B SV...

Page 18: ...ic Interference ElectromagneticCompatibility 2 9 Self Tests 2 10 Design Assurance 3 11 Mitigation of Other Attacks Not applicable 2 3 Module Interfaces The logical cryptographic boundary of the module...

Page 19: ...ice 19 Note Netmods are NOT hot swappable Power off the system before you remove or install Netmod Figure 2 10 shows the physical cryptographic boundary as a yellow line with the module being everythi...

Page 20: ...raphicboundary As noted in Section 2 2 Module Specification the SV3800 SV3800B SV3800B 20 has a number of connectors located on the front and back panels These physical interfaces are listed below wit...

Page 21: ...Y Status output Ethernet 2 LEDsa Back Y Power input Power connections from removable PSUs Back Y a Ethernet 2 is disabled and cannot be used for management so these LEDs will never light up The front...

Page 22: ...LED on the rear panel to the left of the serial port to illuminate This LED is located behind the back panel so it is visible through the ventilation holes The purpose of this LED is to make it easier...

Page 23: ...Before accessing the module for administrative services administrators must authenticate using the methods specified in Section 2 4 2 Authentication Mechanisms The module offers the following managem...

Page 24: ...inimum of 8 characters The probability of a false positive for a random password guess is less than 1 in 1 000 000 Actual value 230 Passwords must be a minimum of 8 characters The probability of a fal...

Page 25: ...on policy state Y Y Y Y Export diagnostic information platform state Y Y Export diagnostic information SSL statistics Y Y Export diagnostic information host statistics NFP statistics Y Y Y Y Export di...

Page 26: ...e user accounts Y Assign remove Manage PKI Crypto Officer role Web UI Y Assign remove Manage PKI Crypto Officer role for CLD Y Y Y View user accounts Y Y View appliance settings alerts Y Backup policy...

Page 27: ...ead by the service Write W The CSP is established generated modified or zeroized by the service Execute X The CSP is used within an approved or allowed security function or authentication mechanism Ta...

Page 28: ...d certificates Object encryption keys WX Trusted certificate public keys W Y Import delete known keys and certificate Object encryption keys WX Known public keys W Known private keys W Y View PKI info...

Page 29: ...Firmware update key Y Y Edit grid size in WebUI none Y Configure TLS version for WebUI None A limited set of services can be initiated from the front panel keypad and or can display output on the fro...

Page 30: ...signing CA public keys W Resigning CA private keys W Trusted certificate public keys W Known public keys W Known private keys W TLS SSH session keys W Integrity test public key W Operator password s W...

Page 31: ...closes the module s internal components Ventilation holes provided in the case either do not provide visibility to areas within the cryptographic boundary or have mechanisms in place to obscure the vi...

Page 32: ...eral purpose operating system nor does it allow operators to load software that is not cryptographically signed as being trusted The SV3800 SV3800B SV3800B 20 uses a proprietary non modifiable operati...

Page 33: ...ion 5 4 PBKDF option 2a Vendor affirmed Not Implemented CVL SSH SNMP and TLS1 0 1 1 1 2 429 562 and 919 Not Implemented Note TLS SSH and SNMP protocols have not been reviewed or tested by the CAVP and...

Page 34: ...ection Diffie Hellman public key size range 2048 15360 bits Diffie Hellman private key size range 112 512 bits Table 2 13b SV3800 SV3800B SV3800B 20 Non FIPS 140 2 Approved and non compliant Security...

Page 35: ...key seen in the SSL TLS handshake The module does not control the size of the keys used by the SSL TLS endpoints for key exchange If SSL 3 0 TLS 1 0 TLS 1 1 TLS 1 2 flows using non approved algorithm...

Page 36: ...using DRBG Never exits the module Encrypted using associated KEK2 and stored on main disk Encrypt data and other CSPs for storage RSA public key3 RSA 2048 and 3072 bits Internally generated using DRB...

Page 37: ...crypted backup Encrypted with associated object encryption key and stored on internal disk Negotiating SSL TLS sessions during SSL TLS Interception Key exchange public key RSA 2048 3072 4096 8192 bits...

Page 38: ...laintext or encrypted form PEM or PKCS12 or PKCS8 or from encrypted backup Exported in encrypted backup Encrypted with associated object encryption key and stored on internal disk Making policy decisi...

Page 39: ...ive backup object key Backup object key AES CBC 256 bit key Derived from backup password using PBKDFv2 Never exits the module Stored in volatile memory Encrypting backup data PIN or master key passwor...

Page 40: ...ssociated object encryption key and stored on internal disk Encrypting SNMPv3 packets SNMP Authentication Key HMAC SHA 1 Derived internally Exported in encrypted backup Encrypted with associated objec...

Page 41: ...ed with KEK1 and stored internally The master keys are used to encrypt AES 256 bit object keys Object keys are created using the internal DRBG and are used to encrypt data and keys for storage Object...

Page 42: ...an error state and powers off The firmware integrity test outputs an error message to the VGA console serial console and front panel LCD Error messages for all other POSTs are output to the system lo...

Page 43: ...In the event that the system enters an error state Crypto Officer attention is required to clear the error state 2 10 Design Assurance Symantec uses Git for software configuration management Cmake and...

Page 44: ...the Blue Coat Systems SSL Visibility Appliance Administration and Deployment Guide v3 8 2F 3 8 4FC or 3 10 This guide can be downloaded from the Symantec customer support site https bto bluecoat com 3...

Page 45: ...ignated label areas with isopropyl alcohol and make sure it is thoroughly dry Apply a small amount of alcohol to a clean lint free cloth Rub the area to be cleaned for several seconds Dry the area wit...

Page 46: ...r each plane the label will be in Each label goes around an edge and secures two planes The supplied label kit should be inspected as follows If the labels do not have matching number or if the bag ha...

Page 47: ...s 1 Power off the unit 2 Disconnect all cabling 3 Provide a clean work surface for applying the labels 4 Remove the two screws that optionally hold the front of the unit to the rack rails These may no...

Page 48: ...ntinuing the application of the label will cause the screw on the right side of the rear cover panel to be fully covered Also the top rivet and rear indentation should be fully covered by the label 4...

Page 49: ...the top center between the front and middle top covers of the chassis The shorter section goes on the front top cover and the longer section goes on the middle top cover 4 Starting at the edge press o...

Page 50: ...he SV3800 Figure 3 13 2 shows the location of the tamper evident label that should be fitted to the rear of the SV3800B and SV3800B 20 The label is applied over the top of the screw that secures the t...

Page 51: ...top panel of the SV3800B and SV3800B 20 Figure 3 15 Rear Panel without Label Fitted for the SV3800B The remaining three labels are applied to the top left and right sides of the SV3800 and prevent the...

Page 52: ...SV3800 SV3800B SV3800B 20 The label is applied over the top of the screw that secures the top panel to the rest of the unit and in such a way that it is impossible to remove the screw or to remove the...

Page 53: ...stributed whole intact including this copyright notice 53 Figure 3 18 Right Side without Label Fitted Figure 3 19 shows the location of the tamper evident label that should be fitted to the top side o...

Page 54: ...tting Started Guide v3 8 2F 3 8 4FC or 3 10 During bootstrap mode the WebUI needs to be accessed By default the SV3800 SV3800B SV3800B 20 will be using DHCP to acquire an IP address The SV3800 SV3800B...

Page 55: ...ontrol of the USB drive If the option is not chosen only the PIN if setup needs to be entered when the module is power cycled or restarted The final stage of the bootstrap process is user setup At lea...

Page 56: ...case the module s power is lost and then restored the key used for the AES GCM encryption decryption shall be re distributed 3 5 Module Zeroization Whenever the module is being taken out of service re...
