Symantec Sv1800-c User manual

Symantec Corporation

SSL Visibility Appliance

Models: SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, SV2800B

Hardware Versions: 090-03061,080-03560, 080-03676,090-03547,080-03779,080-

03784,090-03062,080-03561, 080-03677, 090-03548,080-03780,080-03785, 090-

03063, 080-03562, 080-03678, 090-03549,080-03781, 080-03786 with FIPS Kit:

FIPS-LABELS-SV

Firmware Versions: 3.8.2Fbuild 227, 3.8.4FC, 3.10 build 40

FIPS 140-2 Non-Proprietary Security Policy

FIPS Security Level 2

Document Revision: 12/22/2016

INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,

POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE,

SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9,

and Solera Networks logos and other Symantec logos are registered trademarks or trademarks of Symantec Corporation

or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from

this list does not mean it is not a trademark of Symantec or that Symantec has stopped using the trademark. All other

trademarks mentioned in this document owned by third parties are the property of their respective owners. This

document is for informational purposes only.

SYMANTEC MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS

DOCUMENT. SYMANTEC PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA

REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,

REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER

COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS,

AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER

APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT

AFTER DELIVERY TO YOU.

Americas:

Rest of the World

Symantec Corporation

384 Santa Trinita Ave.

3a Route des Arsenaux

Sunnyvale, CA 94085

1700 Fribourg, Switzerland

This document may be freely reproduced and distributed whole and intact including this copyright

notice.

Document Revision: 12/22/2016

Introduction................................................................................................................................................5

1.1

Purpose...............................................................................................................................................5

1.2

References ..........................................................................................................................................5

1.3

DocumentOrganization .......................................................................................................................5

1.4

Definitions and Acronyms ....................................................................................................................7

2. SV1800-C,SV1800B-C,SV1800-F, SV1800B-F,SV2800, and SV2800B ...........................................................................9

2.1

Overview.............................................................................................................................................9

2.2

ModuleSpecification .........................................................................................................................13

2.3

ModuleInterfaces .............................................................................................................................20

2.4

Roles and Services .............................................................................................................................25

2.4.1 Management Interfaces............................................................................................................26

2.4.2 Authentication Mechanisms .....................................................................................................26

2.5

Services and CSP Access.....................................................................................................................28

2.6

Physical Security ................................................................................................................................36

2.7

Non-Modifiable Operational Environment ..........................................................................................36

2.8

Cryptographic Key Management ........................................................................................................36

2.9

Self Tests............................................................................................................................................45

2.10

Design Assurance...............................................................................................................................47

2.11

Mitigation of Other Attacks................................................................................................................47

SecureOperation ......................................................................................................................................48

3.1

Cryptographic Officer Guidance .........................................................................................................48

3.2

Tamper Evident Label Management and Application Instructions........................................................48

3.2.1 General Label Information ........................................................................................................49

3.2.2 Supplied Labels .........................................................................................................................49

3.2.3 SV2800/SV2800B Label Application ..........................................................................................50

3.2.4 SV1800-C/SV1800B-C/SV1800-F/SV1800B-F Label Application .................................................52

3.2.5 Label Inspection ........................................................................................................................54

3.3

Module Initialization..........................................................................................................................62

3.4

ModuleManagement ........................................................................................................................64

3.5

ModuleZeroization............................................................................................................................64

SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

Introduction

1.1

Purpose

This document is a non-proprietary Cryptographic Module Security Policy for the

SSL Visibility Appliance models SV1800-C, SV1800B-C, SV1800-F, SV1800B-F,

SV2800, and SV2800B. The non-B models can

operate with the 3.8.2F, 3.8.4FC, or

3.10 firmware version. The B-models require the 3.10 firmware version to operate.

This policy was prepared as

part of the Level 2 FIPS 140-2 validation of the

module, and may freely be

reproduced and distributed in its entirety (without

modification).

Federal Information Processing Standards (FIPS) 140-2, Security Requirements for

Cryptographic Modules, specifies the U.S. and Canadian Governments’

requirements for cryptographic modules. The following pages describe how the

SSL Visibility Appliance meets these requirements and how to operate

the device

in a mode compliant with FIPS 140-2.

More information about the FIPS 140-2 standard and validation program is

available on the National Institute of Standards and Technology (NIST)

Cryptographic Module Validation Program (CMVP) website at: http://

csrc.nist.gov/groups/STM/cmvp/index.html.

In this document, the SSL Visibility Appliance models SV1800-C, SV1800B-C,

SV1800-F, SV1800B-F, SV2800, and SV2800B are referred

to as the hardware

modules, the cryptographic modules, or the modules.

1.2

References

This document only deals with the operation and capabilities of the SV1800-C,

SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B

within the technical

terms of a FIPS 140-2 cryptographic module security policy.

More information on

the SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B is

available from the following sources:

•

The Symantec website, www.symantec.com, contains information on

the

full line of products from Blue Coat.

•

The Symantec customer website, https://bto.bluecoat.com, contains

product documentation, software downloads, and other information on

the full line of products from Symantec.

The CMVP website http://csrc.nist.gov/groups/STM/cmvp/index.html

contains contact information for answers to technical or sales-related questions

for the module.

1.3

DocumentOrganization

This Security Policy is one document in the FIPS 140-2 Submission Package. In

addition to this document, the Submission Package contains:

•

Vendor Evidence

•

Finite State Machine

•

Other supporting documentation as additional references

•

Validation Submission Summary

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy

With the exception of this non-proprietary Security Policy, the FIPS 140-2

Submission Package is proprietary to Symantec Corporation, and is releasable

only under appropriate non-disclosure agreements. For access to these

documents, please contact Symantec Corporation.

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

1.4

Definitions and Acronyms

Table1–1 Definition of Terms and Acronyms

Term / Acronym Definition

Active-Inline An active security appliance processes traffic from the SSL Visibility

Appliance and returns it to the SSL Visibility Appliance

ANSI

American National Standards Institute

Certificate Authority

CLI

Command line interface

Crypto Officer Crypto Officer as defined in FIPS 140-2

DES

Data Encryption Standard

DLP

Data Loss Prevention

EMC

ElectromagneticCompatibility

FIPS

Federal Information Processing Standard

GigE

Gigabit Ethernet interface.

HMAC

Hash Message Authentication Code

HTTPS

HTTP over TLS

iPass

High density copper cable/connector for 10Gbps Ethernet link

KAT

Known Answer Test

10Gig

10 Gigabit Ethernet interface

AES

Advanced Encryption Standard

BTO

Blue Touch Online

CBC

Cipher Block Chaining

CMVP

Cryptographic Module Validation Program

CSP

Critical Security Parameter

Diffie-Hellman

DPI

Deep Packet Inspection

EMI

Electromagnetic Interference

FTW

Fail To Wire –hardware network cut through

GUI

Graphical User Interface

HTTP

Hypertext Transfer Protocol

IDS

Intrusion Detection System

IPS

Intrusion Prevention System

LCD

Liquid Crystal Display

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy

Table1–1 Definition of Terms and Acronyms

Term / Acronym Definition

LED

Light Emitting Diodes

MD5

MessageDigest #5

Netmod

Network I/O Module –plug-able –defines network interface

used

NFP

Netronome Flow Processor

NMI

Non Maskable Interrupt

NSM

Netronome SSL Module

Passive-Inline

Inline module acting as a tap for a passive security appliance

Personal Identification Number

POST

Power On Self Test

PSU

Power Supply Unit

SHA

Secure Hash Algorithm

SSH

Secure Shell

TAP

Device providing a copy of traffic flowing through the network

TRNG

True Random Number Generator

MAC

Message Authentication Code

NDRNG

Non-deterministic Random Number Generator

NFE

Netronome Flow Engine

NIST

National Institute of Standards and Technology

NPU

Network Processing Unit

Operating System

Module connected to a network tap acting as a tap for a

passive

security appliance

PKCS

Public Key Cryptography Standard

DRBG

Pseudo Random Number Generator

Rivest Cipher 4

SPAN port

A switch port providing a copy of traffic flowing through the

network

SSL

Secure Socket Layer

TLS

Transport Layer Security protocol

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

2. SV1800-C,SV1800B-C,SV1800-F,SV1800B-F,SV2800,andSV2800B

2.1

Overview

SSL Visibility Appliance products provide two main functions when

deployed

within a network:

•

They enable other security appliances to see a non encrypted version of

SSL/TLS traffic that is crossing the network. This is called SSL Inspection.

•

They can act as a policy control point enabling explicit control over what

SSL/TLS traffic is and is not allowed across the network.

The SSL Visibility Appliance is designed to work alongside existing security

devices such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems

(IDS), Data Loss Prevention systems (DLP), Network Forensic appliance and

others. It provides a non-encrypted version of SSL/TLS traffic to the associated

appliances while maintaining an end-to-end SSL/TLS connection between the

client and server involved in the session.

There are three basic connectivity modes that define how the SSL Visibility

Appliance and the

associated security appliance are connected to each other

and to the network.

These modes are identified as:

•

Active-Inline

•

Passive-Inline

•

Passive-Tap

The Active/Passive designation refers to the associated security appliance and

how it behaves while the Inline/Tap designation refers to how the SSL Visibility

Appliance is

connected to the network. An “Active” associated appliance

processes traffic from

the SSL Visibility Appliance and then returns the traffic to

the SSL Visibility Appliance, while a “Passive” appliance

simply consumes traffic

from the SSL Visibility Appliance.

The SSL Visibility Appliance can be either “Inline,” or a TAP, which is connected

to a network span

or tap port. The following figures show these three modes of

operation.

2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright

notice.

SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy

Figure 2–1 Active-Inline Configuration

In Active-Inline mode (Figure 2-1) network traffic flows through both the SSL

Visibility Appliance

and the attached security appliance. A typical example of this

type of deployment

would be an IPS attached to the SSL Visibility Appliance.

This mode of operation supports both

SSL Inspection and SSL policy control.

In Passive-Inline mode (Figure 2-2), network traffic flows through the SSL

Visibility Appliance

only, a copy of the network traffic (some of which may be

decrypted) is sent to the

attached security appliance. A typical example of this

type of deployment would

be an IDS or Forensic appliance attached to the SSL

Visibility Appliance. This mode of operation

supports both SSL Inspection and

SSL policy control.

This manual suits for next models

Table of contents

Other Symantec Security System manuals

Symantec

Symantec SIEM 9700 Series Installation and operating manual

Popular Security System manuals by other brands

Polon-Alfa

Polon-Alfa 4000 Installation and maintenance manual

Nexcom

Nexcom NViS 14162 Series user manual

Eminent

Eminent EM8670 Quick install

urmet domus

urmet domus alpha 1060 INSTALLATION AND USE BOOKLET

SmartPool

SmartPool YardGuard YG03 manual

DSC

DSC PC5964 Mounting instructions

Secure

Secure USAB-1 operating instructions

B&B

B&B 480 SERIES Operation & maintenance manual

ADEMCO

ADEMCO VISTA-20P Series Installation and setup guide

Inner Range

Inner Range Concept 2000 user manual

Johnson Controls

Johnson Controls PENN Connected PC10 Install and Commissioning Guide

Aeotec

Aeotec Siren Gen5 quick start guide

Swann

Swann SW-P-MC2 Specifications

Ecolink

Ecolink Siren+Chime user manual

EDM

EDM Solution 6+6 Wireless-AE installation manual

Siren

Siren LED GSM operating manual

Detection Systems

Detection Systems 7090i Installation and programming manual

FRIEDLAND

FRIEDLAND MA10 Installation and operating instructions

Symantec SV1800-C User manual

Popular Security System manuals by other brands