Symantec Corporation Security Analytics S500 Appliances


Symantec Corporation
Security Analytics S500 Appliances
Models: SA-S500-10-CM, SA-S500-20-FA, SA-S500-30-FA, SA-S500-40-FA
Hardware Versions: 090-03645, 080-03938, 090-03646, 080-03939, 090-03648, 080-03940, 090-03649, and 080-03941
FIPS Security Kit Version: HW-KIT-FIPS-500
Firmware Version: 7.2.3
FIPS 140-2 Non-Proprietary Security Policy
FIPS 140-2 Security Level: 2
Document Version: 0.8

© 2017 Symantec Corporation
1 of 44
Updated 5 Jun 2017

COPYRIGHT NOTICE

© 2017 Symantec Corporation. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Symantec logos are registered trademarks or trademarks of Symantec Corporation or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Symantec or that Symantec has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

SYMANTEC MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. SYMANTEC PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Rest of the World:

This document may be freely reproduced and distributed whole and intact including this copyright notice.

Table of Contents

1. INTRODUCTION ... 5
1.1 PURPOSE ... 5
1.2 REFERENCES ... 5
1.3 DOCUMENT ORGANIZATION ... 5
2. SECURITY ANALYTICS S500 APPLIANCE ... 6
2.1 OVERVIEW ... 6
2.2 MODULE SPECIFICATION ... 8
2.3 MODULE INTERFACES ... 8
2.3.1 SA-S500-10-CM/20-FA/30-FA/40-FA Front Panel ... 9
2.3.2 SA-S500-10-CM Rear Panel ... 10
2.3.3 SA-S500-20-FA Rear Panel ... 12
2.3.4 SA-S500-30-FA Rear Panel ... 13
2.3.5 SA-S500-40-FA Rear Panel ... 14
2.4 ROLES AND SERVICES ... 15
2.4.1 Crypto-Officer Role ... 16
2.4.2 User Role ... 19
2.4.3 Authentication Mechanism ... 21
2.5 PHYSICAL SECURITY ... 25
2.6 NON-MODIFIABLE OPERATIONAL ENVIRONMENT ... 25
2.7 CRYPTOGRAPHIC KEY MANAGEMENT ... 25
2.8 SELF-TESTS ... 34
2.8.1 Power-Up Self-Tests ... 34
2.8.2 Conditional Self-Tests ... 34
2.8.3 Critical Function Tests ... 34
2.9 MITIGATION OF OTHER ATTACKS ... 35
3. SECURE OPERATION ... 36
3.1 INITIAL SETUP ... 36
3.1.1 Label and Baffle Installation Instructions ... 36
3.1.2 Shutter Installation ... 37
3.1.3 Label Application ... 38
3.2 SECURE MANAGEMENT ... 40
3.2.1 Initialization ... 40
3.2.2 Management ... 41
3.2.3 Zeroization ... 41
3.3 USER GUIDANCE ... 42
3.4 NON-APPROVED MODE ... 42
4. ACRONYMS ... 43

List of Figures

FIGURE 1 TYPICAL DEPLOYMENT DIAGRAM ... 7
FIGURE 2 CONNECTION PORTS AT THE FRONT OF THE SA-S500 APPLIANCES ... 9
FIGURE 3 REAR OF THE SA-S500 APPLIANCES ... 11
FIGURE 4 FIPS SECURITY KIT CONTENTS ... 36
FIGURE 5 SHUTTER DISASSEMBLY ... 37
FIGURE 6 LOWER SHUTTER INSTALLATION ... 38
FIGURE 7 UPPER SHUTTER INSTALLATION ... 38
FIGURE 8 LABELS SHOWING TAMPER EVIDENCE ... 39

List of Tables

TABLE 1 SECURITY LEVEL PER FIPS 140-2 SECTION ... 7
TABLE 2 SECURITY ANALYTICS S500 APPLIANCE TESTED CONFIGURATIONS ... 8
TABLE 3 FIPS 140-2 LOGICAL INTERFACE MAPPINGS FOR THE FRONT OF THE SA-S500 APPLIANCES ... 9
TABLE 4 FRONT PANEL LED STATUS INDICATIONS FOR THE SA-S500 APPLIANCES ... 10
TABLE 5 FIPS 140-2 LOGICAL INTERFACE MAPPINGS FOR THE REAR OF THE SA-S500-10-CM APPLIANCE ... 11
TABLE 6 REAR PANEL LED STATUS INDICATIONS FOR THE SA-S500-10-CM APPLIANCE ... 11
TABLE 7 FIPS 140-2 LOGICAL INTERFACE MAPPINGS FOR THE REAR OF THE SA-S500-20-FA APPLIANCE ... 12
TABLE 8 REAR PANEL LED STATUS INDICATIONS FOR THE SA-S500-20-FA APPLIANCE ... 13
TABLE 9 FIPS 140-2 LOGICAL INTERFACE MAPPINGS FOR THE REAR OF THE SA-S500-30-FA APPLIANCE ... 13
TABLE 10 REAR PANEL LED STATUS INDICATIONS FOR THE SA-S500-30-FA APPLIANCE ... 14
TABLE 11 FIPS 140-2 LOGICAL INTERFACE MAPPINGS FOR THE REAR OF THE SA-S500-40-FA APPLIANCE ... 14
TABLE 12 REAR PANEL LED STATUS INDICATIONS FOR THE SA-S500-40-FA APPLIANCE ... 15
TABLE 13 FIPS AND SECURITY ANALYTICS S500 APPLIANCE ROLES ... 16
TABLE 14 CRYPTO OFFICER ROLE SERVICES AND CSP ACCESS ... 16
TABLE 15 USER SERVICES AND CSP ACCESS ... 20
TABLE 16 AUTHENTICATION MECHANISMS USED BY SECURITY ANALYTICS S500 APPLIANCE ... 22
TABLE 17 FIPS-APPROVED ALGORITHM IMPLEMENTATIONS ... 25
TABLE 18 LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS ... 27
TABLE 19 ACRONYMS ... 43

1. Introduction

1.1 Purpose

This is a Non-Proprietary Cryptographic Module Security Policy for the Security Analytics S500 Appliance (090-03645, 080-03938, 090-03646, 080-03939, 090-03648, 080-03940, 090-03649, and 080-03941; 7.2.3) from Symantec Corporation. This Non-Proprietary Security Policy describes how the Security Analytics S500 Appliance meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp.

This document also describes how to run the appliance in the Approved mode of operation. This policy was prepared as part of the Level 2 validation of the module. The Security Analytics S500 Appliance is referred to in this document as SA S500 Appliance, crypto module, or module.

1.2 References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

- The Symantec website (www.symantec.com) contains information on the full line of products from Symantec.
- The CMVP website 0-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module.

1.3 Document Organization

The Non-Proprietary Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence document
- Finite State Model document
- Submission Summary document
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Submission Package is proprietary to Symantec and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Symantec.

2. Security Analytics S500 Appliance

2.1 Overview

The Security Analytics Appliances (SA-S500-10-CM, SA-S500-20-FA, SA-S500-30-FA, and SA-S500-40-FA) are part of Symantec's Security Platform's Incident Response and Forensics solutions. The turnkey, pre-configured appliances harness the Security Analytics software to capture, index and classify all network traffic (including full packets) in real time. This data is stored in an optimized file system for rapid analysis, instant retrieval and complete reconstruction to support all your incident response activities. The appliances can be deployed anywhere in the network: at the perimeter, in the core, in a 10 GbE backbone, or at a remote link to deliver clear, actionable intelligence for swift incident response and resolution and real-time network forensics.

Security Analytics helps you visualize and analyze network data and uncover specific network activity without requiring specific knowledge of networking protocols and packet analysis methods. Its powerful features let you locate and reconstruct specific communication flows, as well as network and user activities, within seconds. The platform does this by classifying captured network traffic packets and identifying meaningful data flows. A flow is the collection of packets that comprises a single communication between two specific network entities. Within a particular data flow, you can then identify and examine network artifacts such as image files, Word documents, emails, and video, as well as executable files, HTML files, and more. Security Analytics also allows you to reconstruct HTML pages, emails, and instant messaging conversations.

Security Analytics also provides the ability to do real-time, policy-based artifact extraction, and is not limited to any specific operating system (OS) environment. Extracted artifacts can be automatically placed in centralized network repositories for analysis by superior forensics tools within Security Analytics. These artifacts are hashed and stored for future retrospection on newly discovered malware variants and provide a method to understand relatedness to preexisting hashes. The Central Manager Appliance (SA-S500-10-CM) facilitates federated queries on hundreds of Security Analytics Forensic Appliances (SA-S500-20-FA, SA-S500-30-FA, and SA-S500-40-FA) to provide a 360-degree view of activity across the entire enterprise network including perimeter, data centers, and remote offices.

In a typical deployment, the Security Analytics Forensic Appliance receives mirrored traffic from a SPAN port or network tap. The traffic enters the appliance through one or more Ethernet ports, also known as capture interfaces. The Forensic Appliances can be integrated with leading security network and endpoint solutions for a full network-to-endpoint view of any malicious activity, delivering prompt and precise attack resolution. The Central Manager Platform is a dedicated appliance that sits on the network alongside the Forensic Appliances to provide an aggregated view of data across multiple Forensic Appliances, an interface for Forensic Appliance management, and centralized Forensic Appliance software upgrades.

Please see Figure 1 below for a typical deployment diagram of the Security Analytics appliances.

Figure 1 Typical Deployment Diagram

The Security Analytics S500 Appliances are validated at the following FIPS 140-2 Section levels in Table 1.

Table 1 Security Level per FIPS 140-2 Section

Section  Section Title                                               Level
1        Cryptographic Module Specification                          2
2        Cryptographic Module Ports and Interfaces                   2
3        Roles, Services, and Authentication                         2
4        Finite State Model                                          2
5        Physical Security                                           2
6        Operational Environment                                     N/A
7        Cryptographic Key Management                                2
8        Electromagnetic Interference/Electromagnetic Compatibility  2
9        Self-tests                                                  2
10       Design Assurance                                            3
11       Mitigation of Other Attacks                                 N/A

2.2 Module Specification

For the FIPS 140-2 validation, the crypto module was tested on the following appliance types listed in Table 2 below.

Table 2 Security Analytics S500 Appliance Tested Configurations

SA S500 Appliance Type | Cold Standby Appliance | Standard Appliance | Hardware | Hardware Version | SKU / Short

The hardware version numbers in Table 2 represent licensing options available. All appliance types and editions run on similar hardware and firmware and are the same from a cryptographic functionality and boundary perspective. The hardware differs only in the amount of storage, memory, and network interfaces to the module. A Cold Standby appliance varies only in that firmware is not preinstalled. The four hardware configurations are the same between the Cold Standby and standard appliance types (e.g., the SA-S500-10-CM-CS shares the same hardware as the SA-S500-10-CM). The Crypto Officer and User services of the module are identical for all appliance types regardless of whether it is a Cold Standby or standard appliance.

For the FIPS 140-2 validation, the module was tested on the following appliance configurations:

- SA-S500-10-CM
- SA-S500-20-FA
- SA-S500-30-FA
- SA-S500-40-FA

The module has a Multi-chip Standalone embodiment. The overall security level is 2. The cryptographic boundary of the module is defined by the tested platform, which surrounds all components. The module software, 7.2.3, includes the following cryptographic libraries:

- SA Cryptographic Library v7.2.3

2.3 Module Interfaces

The module's physical ports can be categorized into the following logical interfaces defined by FIPS 140-2:

- Data input
- Data output
- Control input
- Status output

2.3.1 SA-S500-10-CM/20-FA/30-FA/40-FA Front Panel

The front panel of the SA S500 appliances (as shown below in Figure 2) has an LCD interface, two LEDs, a USB port, and six control buttons. The control buttons and USB port on the front panel are disabled once the module is configured for its Approved mode of operation.

Figure 2 Connection Ports at the Front of the SA-S500 Appliances

The type and quantity of all ports present in the front panel of the SA-S500 appliances are given in Table 3.

Table 3 FIPS 140-2 Logical Interface Mappings for the Front of the SA-S500 Appliances

Physical Port/Interface  Quantity  FIPS 140-2 Interface
LEDs                     2         Status Output
LCD                      1         Status Output
Control Buttons          6         N/A (buttons are disabled)
USB 2.0 port             1         N/A (USB is disabled)

The status indications provided by the LEDs are described in Table 4.

Table 4 Front Panel LED Status Indications for the SA-S500 Appliances

LED         Color                    Definition
Power LED   OFF                      The appliance is powered off.
Power LED   AMBER                    The appliance is booting and the OS load is not yet complete.
Power LED   FLASHING GREEN TO AMBER  The OS has been loaded but has not been configured.
Power LED   GREEN                    The OS has loaded and is properly configured.
System LED  OFF                      The appliance has not determined the system status.
System LED  GREEN                    Healthy
System LED  AMBER                    Warning
System LED  FLASHING AMBER           Critical Warning

2.3.2 SA-S500-10-CM Rear Panel

The rear panels of the -CM and -FA appliances differ slightly in their rear-facing port configurations. The rear ports and interfaces available on the SA-S500 appliances are shown in Figure 3. Based on the specific model, slots 3-7 may be populated with additional copper or fiber ports for storage and network traffic related needs.

The models/part numbers listed include the following base configuration and were tested as such:

SA-S500-10-CM (P/N 090-03645, P/N 080-03938): Slot 7 populated
SA-S500-20-FA (090-03646, 080-03939): Slots 5 and 7 populated
SA-S500-30-FA (090-03648, 080-03940): Slots 5, 6, and 7 pop
