Symantec SV1800-C Manual

SSL Visibility Appliance

Symantec Corporation
SSL Visibility Appliance
Models: SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, SV2800B
Hardware Versions: 090-03061, 080-03560, 080-03676, 090-03547, 080-03779, 080-03784, 090-03062, 080-03561, 080-03677, 090-03548, 080-03780, 080-03785, 090-03063, 080-03562, 080-03678, 090-03549, 080-03781, 080-03786 with FIPS Kit: FIPS-LABELS-SV
Firmware Versions: 3.8.2F build 227, 3.8.4FC, 3.10 build 40
FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level 2
Document Revision: 12/22/2016

Summary of Contents for Symantec SV1800-C

  • Page 1 Symantec Corporation SSL Visibility Appliance Models: SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, SV2800B Hardware Versions: 090-03061, 080-03560, 080-03676, 090-03547, 080-03779, 080-03784, 090-03062, 080-03561, 080-03677, 090-03548, 080-03780, 080-03785, 090-03063, 080-03562, 080-03678, 090-03549, 080-03781, 080-03786 with FIPS Kit: FIPS-LABELS-SV Firmware Versions: 3.8.2F build 227, 3.8.4FC, 3.10 build 40...
  • Page 2 U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Symantec or that Symantec has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners.
  • Page 3: Table Of Contents

    Introduction (5); Purpose (5); References (5); Document Organization (5); Definitions and Acronyms (7); 2. SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B (9); Overview (9); Module Specification (13); Module Interfaces (20); Roles and Services (25); 2.4.1 Management Interfaces (26); 2.4.2...
  • Page 4 SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy...
  • Page 5: Introduction

    Submission Package contains: • Vendor Evidence • Finite State Machine • Other supporting documentation as additional references • Validation Submission Summary © 2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 6 Submission Package is proprietary to Symantec Corporation, and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Symantec Corporation.
  • Page 7: Definitions And Acronyms

    Intrusion Detection System; iPass: High density copper cable/connector for 10Gbps Ethernet link; Intrusion Prevention System; Known Answer Test; Liquid Crystal Display
  • Page 8 Secure Socket Layer; Device providing a copy of traffic flowing through the network; Transport Layer Security protocol; TRNG: True Random Number Generator
  • Page 9: Sv1800-C, Sv1800B-C, Sv1800-F, Sv1800B-F, Sv2800, And Sv2800B

    The SSL Visibility Appliance can be either “Inline,” or a TAP, which is connected to a network span or tap port. The following figures show these three modes of operation.
  • Page 10 IDS or Forensic appliance attached to the SSL Visibility Appliance. This mode of operation supports both SSL Inspection and SSL policy control.
  • Page 11 SSL Visibility Appliance, which is in turn attached to a TAP or SPAN port. This mode of operation supports SSL Inspection only and cannot act as an SSL policy control point.
  • Page 12 Appliance policy engine determines what to do with the flow: • it can be inspected, providing a decrypted version to the attached appliance(s)
  • Page 13: Module Specification

    Appliance / Type / Hardware Version: SV2800 Hardware Appliance 090-03063; SV2800 Try-and-Buy Appliance 080-03562; SV2800 Cold Standby Appliance 080-03678; SV2800B Hardware Appliance 090-03549
  • Page 14 The Crypto Officer and User services of the module are identical for all appliance types.
  • Page 15 Netmods. Figure 2–4.1 SV2800/SV2800B, Front View with Netmods Installed. Figure 2–4.2 shows the SV2800/SV2800B with all Netmods removed.
  • Page 16 Figure 2–6.1 SV1800-C, SV1800B-C, SV1800-F, and SV1800B-F Front Panel Controls and Display. The combination of Netmods installed in an SV2800/SV2800B is not important for
  • Page 17 1 sets of 2 x USB 2.0 ports • VGA display connector • Serial port • 2 x hot swappable power supply bays
  • Page 18 SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B.
  • Page 19 Cryptographic Module Ports and Interfaces; Roles, Services and Authentication; Finite State Model; Physical Security; Operational Environment: Not applicable; Cryptographic Key Management
  • Page 20: Module Interfaces

    Figures 2-10.1 and 2-10.2 show the cryptographic boundary for the SV1800-C/SV1800B-C and SV1800-F/SV1800B-F, as the exterior surfaces of the appliances.
  • Page 21 Figure 2–10 SV2800/SV2800B Cryptographic Boundary Definition; Figure 2–10.1 SV1800-C/SV1800B-C Cryptographic Boundary Definition; Figure 2–10.2 SV1800-F/SV1800B-F Cryptographic Boundary Definition
  • Page 22 These physical interfaces are listed below with details of the FIPS 140-2 logical interfaces to which they correspond.
  • Page 23 Front output Control input/Status Serial port Back output Control input/Status VGA display connector Back output Control input/Status USB port Back output
  • Page 24 Fatal Alarm – system has failed and shut down. Amber Blink: Non-Fatal Alarm – system likely to fail – voltage/temp warnings
  • Page 25: Roles And Services

    Crypto Officer may have both Manage PKI and Manage Policy roles. For the purposes of FIPS 140-2, any user with the Manage PKI role should be
  • Page 26: Management Interfaces

    16 characters. The characters permitted are all uppercase characters, all lowercase characters, and space. Symantec
  • Page 27 600 attempts per minute is less than 1 in 1,000,000 Actual value 2 over a one minute period. Actual value 2 /10.
  • Page 28: Services And Csp Access

    Create/delete/export/import internal CA keys and certificates used for re-signing; Delete/import external CA certificates; Delete/import CRLs; Import/delete trusted certificates; Import/delete known keys and certificates
  • Page 29 Configure NTP Server; Configure HSM; Update the BIOS; Update the Firmware; Configure license; Clear screen in CLI; Edit grid size in WebUI
  • Page 30 SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B Security Policy Auditor Manage Manage Manage PKI Authorized Service (User) Appliance Policy (Crypto Officer) Configure TLS version for WebUI
  • Page 31 Export diagnostic information: None SSL statistics Export diagnostic information: None platform interfaces and platform status statistics View debug information: SSL None statistics
  • Page 32 Object encryption keys - X (Crypto Officer) role View user accounts Object encryption keys - X View appliance settings: alerts Object encryption keys - X
  • Page 33 Physical access should be limited to the Crypto Officer and the Manage Appliance roles. The available services are described in Table 2-10.
  • Page 34 Restarting the appliance includes validating the firmware. It does not include unlocking the secure store with the PIN.
  • Page 35 Resigning CA public keys – W; Resigning CA private keys – W; Trusted certificate public keys – W; Operator password(s) – W
  • Page 36: Physical Security

    The SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B implement the FIPS-Approved algorithms listed in Table 2–12. Non-FIPS-Approved algorithms are listed in Table 2–13.
  • Page 37 CMVP. See NIST SP 800-131A for more information, as some algorithms may be classified as deprecated, restricted, or legacy-use in the upcoming algorithm transition. HMAC-SHA-1 uses keys of at least 112 bits of security strength.
  • Page 38 All NIST defined B, K, and P curves; Curve25519 (128 bits of encryption strength). Used for SSL/TLS sessions during SSL inspection.
  • Page 39 PBKDF2 – Password-Based Key Derivation Function 2 – PBKDF2 is published in Internet Engineering Task Force Request for Comments (RFC) 2898 and maps to PBKDF defined in NIST SP 800-132.
  • Page 40 DRBG or can be internal disk sessions imported in plaintext. The Crypto Officer shall only import RSA 2048 bit or larger keys.
  • Page 41 Imported from internal disk an encrypted ECDSA and backup ECDH all NIST defined B, K, and P curves 224 bits and higher
  • Page 42 PKCS12 or defined B, K, and stored on PKCS8), or P curves 224 internal disk from an bits and encrypted higher backup
  • Page 43 KEK1 if USB is not used. SSH supports only AES CBC keys. SSH supports HMAC-SHA-1, -256 and -512 only. TLS does not support HMAC-SHA-512
  • Page 44 HMAC-SHA- Exported in Encrypted with Authenticating internally Authentication encrypted associated SNMPv3 packets backup object encryption key and stored on internal disk
  • Page 45: Self Tests

    AES encrypt/decrypt known answer tests (KAT) on software bulk ciphers (128 bit, GCM mode) • AES encrypt/decrypt known answer tests (KAT) on software bulk ciphers (128 bit, CFB128 mode)
  • Page 46 VGA console, serial console, and front panel LCD. Error messages for all other POSTs are output to the system log file and to the front panel LCD.
  • Page 47: Design Assurance

    2.11 Mitigation of Other Attacks. The module does not claim to mitigate any attacks beyond those defined in the FIPS 140-2 Level 2 requirements.
  • Page 48: Secure Operation

    The details below show the location of all tamper evident labels and also detail how to remove and replace a label if this is required.
  • Page 49: General Label Information

    Crypto Officer using a label kit obtained from Symantec Corporation. Labels are supplied in a kit that includes four labels in a bag and one label on the
  • Page 50: Sv2800/Sv2800B Label Application

    Note: Warning. Removal of the unit may require two people and should
  • Page 51 The right side label (the second larger one which is white, with blue ink) is applied between the middle and rear top covers; this is denoted label 2. It
  • Page 52: Sv1800-C/Sv1800B-C/Sv1800-F/Sv1800B-F Label Application

    The labels must be applied to the unit without the slide rail kit attached. This can be done before installation or by removing the unit from the rack.
  • Page 53 2. It indicates tampering if either of these pieces is removed. Installation involves the following steps:
  • Page 54: Label Inspection

    Following the above guidelines, tamper evident labels at three locations on the SV1800-C, SV1800B-C, SV1800-F, SV1800B-F, SV2800, and SV2800B should be
  • Page 55 Figure 3-16 shows the rear panel of the SV2800 without the label fitted. The label is affixed to the solid panel around the screw, and folds over to adhere to the top
  • Page 56 The module must also be factory default reset and reinstalled in FIPS approved mode. Figure 3-18 shows the location of the side and rear labels on the SV2800/SV2800B.
  • Page 57 SV2800/SV2800B. The corresponding labels should be applied in exactly the same manner to the left side of the SV2800/SV2800B.
  • Page 59 FIPS approved mode. Figure 3-24 shows the location of the side and rear labels on the SV1800-C and SV1800B-C.
  • Page 60 The corresponding labels should be applied in exactly the same manner to the left side of the SV1800-C, SV1800B-C, SV1800-F, and SV1800B-F.
  • Page 61 Figure 3–27 SV1800-C, SV1800B-C, SV1800-F, and SV1800B-F Right Side without Label Fitted
  • Page 62: Module Initialization

    3.8.4FC, or 3.10 for more information. Note: If a USB memory stick is being used for additional security, always insert it before inputting the PIN.
  • Page 63 After creating the necessary user(s), the normal system login screen will appear allowing the user to log in, at which point they will have access to the full WebUI
  • Page 64: Module Management

    This prevents an attacker from influencing the zeroization procedure.
