2016 Symantec Corporation. This document may be freely reproduced & distributed whole & intact including this copyright notice.

Figure 2-2 Passive-Inline Configuration

In Passive-Tap mode (Figure 2-3), network traffic does not flow through the SV3800/SV3800B/SV3800B-20 or the attached security appliance. The SV3800/SV3800B/SV3800B-20 receives a copy of traffic in the network from a TAP device and this traffic (possibly decrypted) is sent to the attached security appliance. A typical example of this type of deployment would be an IDS or forensic appliance attached to the SV3800/SV3800B/SV3800B-20, which is in turn attached to a TAP or SPAN port. This mode of operation supports SSL Inspection only and cannot act as an SSL policy control point.
