1. Manuals
  2. Brands
  3. Symantec Manuals
  4. Firewall
  5. SSL Visibility SV3800
  6. Manual

Symantec SV3800 Manual

Fips 140-2 non-proprietary security policy
Hide thumbs Also See for SV3800:
Table of Contents

Advertisement

Quick Links

Symantec Corporation
SSL Visibility Appliance
Models: SV3800, SV3800B, and SV3800B-20
Hardware Versions: 090-03064, 080-03563, 080-03679, 090-03550, 080-03782, 080-
03787, 090-03551, 080-03783, and 080-03788 with FIPS Kit: FIPS-LABELS-SV
Firmware Versions: 3.8.2F build 227, 3.8.4FC, 3.10 build 40
FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level: 2
Document Revision: 12/22/2016

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the SV3800 and is the answer not in the manual?

Questions and answers

Related Manuals for Symantec SV3800

Summary of Contents for Symantec SV3800

  • Page 1 Symantec Corporation SSL Visibility Appliance Models: SV3800, SV3800B, and SV3800B-20 Hardware Versions: 090-03064, 080-03563, 080-03679, 090-03550, 080-03782, 080- 03787, 090-03551, 080-03783, and 080-03788 with FIPS Kit: FIPS-LABELS-SV Firmware Versions: 3.8.2F build 227, 3.8.4FC, 3.10 build 40 FIPS 140-2 Non-Proprietary Security Policy...
  • Page 2 Symantec Corporation or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Symantec or that Symantec has stopped using the trademark.

  • Page 3: Table Of Contents

    Introduction ..............................5 Purpose ...............................5 References ............................5 Document Organization ........................5 Definitions and Acronyms ........................7 2. SV3800, SV3800B, and SV3800B-20 .........................9 Overview .............................9 Module Specification ......................... 13 Module Interfaces ..........................18 Roles and Services ..........................22 2.4.1 Management Interfaces ......................23 2.4.2 Authentication Mechanisms .....................
  • Page 4 SV3800, SV3800B, and SV3800B-20 Security Policy...

  • Page 5: Introduction

    Submission Package contains: • Vendor Evidence • Finite State Machine • Other supporting documentation as additional references • Validation Submission Summary  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 6 Submission Package is proprietary to Symantec Corporation, and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Symantec Corporation.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 7: Definitions And Acronyms

    Intrusion Detection System iPass High density copper cable/connector for 10Gbps Ethernet link Intrusion Prevention System Known Answer Test Liquid Crystal Display  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 8 Secure Socket Layer Device providing a copy of traffic flowing through the network Transport Layer Security protocol TRNG True Random Number Generator  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 9: Sv3800, Sv3800B, And Sv3800B-20

    The SV3800/SV3800B/SV3800B-20 can be either “Inline,” or a TAP, which is connected to a network span or tap port. The following figures show these three modes of operation.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 10 IDS or Forensic appliance attached to the SV3800/SV3800B/SV3800B-20. This mode of operation supports both SSL Inspection and SSL policy control.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 11 TAP or SPAN port. This mode of operation supports SSL Inspection only and cannot act as an SSL policy control point.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 12 3240 contains 40 cores optimized for processing network traffic and provides significant acceleration and offload for the standard CPUs used on the SV3800/SV3800B/SV3800B-20 motherboards.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 13: Module Specification

     2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 14 CSPs or any FIPS relevant data. The Netmods and associated switch are therefore deemed to be outside the logical cryptographic boundary.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 15 ID button, power button, USB connector, LCD display and keypad. Figure 2-6 shows the front panel display area in detail.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 16 2 x GigE ports each with two built in LEDs – port 1 is used for management, port 2 is unused • Serial port (RJ45 connector)  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 17 SV3800B chassis with 2 x NFE acceleration card installed • 1 x Intel E5-2640 V3, 8 core CPU and 64GB of memory This configuration is model number SV3800B.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 18: Module Interfaces

    (CSP), or any FIPS relevant data, and are therefore deemed to be outside of the cryptographic boundary.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 19 The physical boundary is defined by the exterior surfaces of the appliance.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 20 Front Data output USB ports Back Control input/Status Keypad Front output Control input NMI button Front Control input Reset button Front  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 21 Table 2-4 shows the various system states that can be indicated by the system status LED on the front panel of the unit.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 22: Roles And Services

    Cannot set Manage PKI role for a user. Cannot install or reboot appliance without a Crypto Officer present to input the PIN.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 23: Management Interfaces

    The valid character set that can be used in passwords is: • lowercase alpha (26 characters) • uppercase alpha (26 characters) • numeric (10 characters)  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 24 1 in 1,000,000. minute is less than 1 in 1,000,000 Actual value 2 over a one minute period. Actual value 2 /10.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 25: Services And Csp Access

    Create/delete/export/import internal CA keys and certificates used for re-signing Delete/import external CA certificates Delete/import CRLs Import/delete trusted certificates Import/delete known keys and certificates  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 26 Update the BIOS Update the Firmware Configure license Clear screen in CLI Edit grid size in WebUI Configure TLS version for WebUI  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 27 Export diagnostic information: none SSL statistics Export diagnostic information: none platform interfaces and platform status statistics View debug information: SSL none statistics  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 28 Resigning CA private keys - R Trusted certificate public keys - R Known public keys - R Known private keys - R  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 29 Tests are run automatically at power Integrity test public key - RX test on/restart. Error and status notifications are displayed on LCD.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 30 PIN. Power off appliance Front panel button can be used to none power of the appliance.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 31: Physical Security

    Devices, Class A. The physical security of the module should be checked on a regular basis, as detailed in Table 2-11.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 32: Non-Modifiable Operational Environment

    Not Implemented RSA (186-2 Legacy Testing) signature verification – 1625, 1794, and 2222 Not Implemented 1024, 1536, 2048, 3072, and 4096-bit  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 33 Key wrapping; key establishment methodologies provide between 112 and 256 bits of encryption strength. HMAC-SHA-1 uses keys of at least 112-bits of security strength.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 34 Used for SSL/TLS sessions during SSL inspection. Key sizes: 128, 256 bit keys Mode: CBC Used for SSL/TLS sessions during SSL inspection. Mode: CBC  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 35 PBKDFv2 – Password-Based Key Derivation Function 2 is published in Internet Engineering Task Force Request for Comments (RFC) 2898 and maps to PBKDF defined in NIST SP 800-132.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 36 The Crypto Officer shall only import RSA 2048 bit or larger keys.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 37 (PEM 8192 bits can in an or PKCS12 or be imported encrypted PKCS8) or backup plaintext, or from encrypted backup  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 38 PKCS12 or defined B, K, and stored on PKCS8), or P curves 224 internal disk from an bits and encrypted higher backup  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 39 SSH supports only AES CBC keys. SSH supports HMAC-SHA-1, -256 and -512 only. TLS does not support HMAC-SHA-512  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 40 If the option is not chosen, KEK1 is derived from the PIN directly and no KEK0 is created.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 41: Self Tests

    RSA known answer tests (KAT) on both NFPs hardware signature operations (sign and verify) using the following digests (2048 bit) • SHA-1 (verify only) • SHA-224  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 42 If an error is encountered in the self tests, the appliance will enter the error state. Error messages are output to the system log file and to the front panel LCD.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 43: Design Assurance

    2.11 Mitigation of Other Attacks The module does not claim to mitigate any attacks beyond those defined in the FIPS 140-2 Level 2 requirements.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 44: Secure Operation

    The details below show the location of all tamper evident labels and also detail how to remove and replace a label if this is required.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 45: General Label Information

    Once a label is applied, it should not be touched for 2-4 hours to allow the adhesive to cure. • Apply labels at a temperature of 65F (18C) or above.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 46: Supplied Labels

    The entire label packet must be rejected if the large or small labels are not identical, or if the colors are not white with blue ink.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 47: Label Application

    2. Place the alignment line along the top left edge of the chassis such that the label is centered on the seam. The markings should be oriented so that the text is “up.”  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 48 The label cannot hang over the edge of the tab.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 49: Label Inspection

    Figure 3-13.1 shows the location of the tamper evident label that should be fitted to the rear of the SV3800. The label is applied over the top of the screw that secures  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright...
  • Page 50 For the SV3800, Figure 3-14 shows the rear panel without the label fitted. The label is affixed to the solid panel around the screw, and folds over to adhere to the top  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 51 The module must also be factory default reset and reinstalled in FIPS approved mode. Figure 3-16 shows the location of the top, side and rear labels on the SV3800/SV3800B/SV3800B-20.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 52 The corresponding labels should be applied in exactly the same manner to the left side of the SV3800/SV3800B/SV3800B-20. Figure 3–17 Right Side Label Location  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 53 Figure 3-19 shows the location of the tamper evident label that should be fitted to the top side of the SV3800/SV3800B/SV3800B-20. Figure 3–19 Top Side Label Location  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 54: Module Initialization

    Re-input the PIN. As part of initial setup, the web GUI will appear as in Figure 3-21.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 55 Manage Appliance role can create additional users but cannot give these users the Manage PKI role. Only a user with the Manage PKI role can give this role to a user.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

  • Page 56: Module Management

    This prevents an attacker from influencing the zeroization procedure.  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.
  • Page 57  2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright notice.

This manual is also suitable for:

Sv3800bSv3800b-20

Table of Contents