McAfee, Inc. McAfee Web Gateway Virtual Appliance Software Version: 7.3.2.3.4 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.4 Prepared for: Prepared by: McAfee, Inc. Headquarters Corsec Security, Inc. 2821 Mission College Blvd. 13135 Lee Jackson Memorial Highway, Suite 220 Santa Clara, CA 95054 Fairfax, Virginia 22033 United States of America United States of America Phone: +1 (888) 847-8766 Phone: +1 (703) 267-6050 http://www.mcafee.com http://www.corsec.com/ Security Policy, Version 1.4 December 17, 2015 Table of Contents 1 INTRODUCTION ................................................................................................................... 3 1.1 PURPOSE ................................................................................................................................................................ 3 1.2 REFERENCES .......................................................................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ............................................................................................................................ 3 2 MCAFEE WEB GATEWAY VIRTUAL APPLIANCE ........................................................... 4 2.1 OVERVIEW ............................................................................................................................................................. 4 2.2 MODULE SPECIFICATION..................................................................................................................................... 6 2.2.1 Physical Cryptographic Boundary ...................................................................................................................... 6 2.2.2 Logical Cryptographic Boundary ........................................................................................................................ 7 2.3 MODULE INTERFACES .......................................................................................................................................... 8 2.4 ROLES AND SERVICES ........................................................................................................................................... 9 2.4.1 Cryptographic Officer Role .................................................................................................................................. 9 2.4.2 User Role ................................................................................................................................................................... 9 2.4.3 Services ...................................................................................................................................................................... 9 2.4.4 Non-Security Relevant Services ....................................................................................................................... 12 2.4.5 Authentication Mechanisms ............................................................................................................................. 12 2.5 PHYSICAL SECURITY ...........................................................................................................................................13 2.6 OPERATIONAL ENVIRONMENT.........................................................................................................................14 2.7 CRYPTOGRAPHIC KEY MANAGEMENT ............................................................................................................14 2.8 SELF-TESTS ..........................................................................................................................................................19 2.8.1 Power-Up Self-Tests ............................................................................................................................................ 19 2.8.2 Conditional Self-Tests ......................................................................................................................................... 19 2.9 MITIGATION OF OTHER ATTACKS ..................................................................................................................19 3 SECURE OPERATION ......................................................................................................... 20 3.1 INITIAL SETUP......................................................................................................................................................20 3.1.1 Setting FIPS Environment .................................................................................................................................. 20 3.2 CRYPTO-OFFICER GUIDANCE ..........................................................................................................................20 3.2.1 Management ........................................................................................................................................................ 20 3.2.2 Zeroization ............................................................................................................................................................ 21 3.3 USER GUIDANCE ................................................................................................................................................21 4 ACRONYMS .......................................................................................................................... 22 Table of Figures FIGURE 1 ­ TYPICAL DEPLOYMENT SCENARIO .....................................................................................................................5 FIGURE 2 ­ GPC BLOCK DIAGRAM ........................................................................................................................................7 FIGURE 3 ­ MCAFEE WEB GATEWAY LOGICAL CRYPTOGRAPHIC BOUNDARY ..............................................................8 List of Tables TABLE 1 ­ SECURITY LEVEL PER FIPS 140-2 SECTION .........................................................................................................5 TABLE 2 ­ FIPS 140-2 LOGICAL INTERFACE MAPPINGS ......................................................................................................9 TABLE 3 ­ AUTHENTICATED SERVICES ................................................................................................................................ 10 TABLE 4 ­ AUTHENTICATION MECHANISMS EMPLOYED BY THE MODULE .................................................................... 13 TABLE 5 ­ ALGORITHM CERTIFICATE NUMBERS FOR CRYPTOGRAPHIC LIBRARIES....................................................... 14 TABLE 6 ­ NETWORK PROTOCOL COMPONENT VALIDATION ...................................................................................... 15 TABLE 7 ­ CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS............................................... 16 TABLE 8 ­ ACRONYMS .......................................................................................................................................................... 22 McAfee Web Gateway Virtual Appliance Page 2 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 1 Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the McAfee Web Gateway Virtual Appliance from McAfee, Inc. This Security Policy describes how the McAfee Web Gateway Virtual Appliance meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. The McAfee Web Gateway Virtual Appliance is referred to in this document as McAfee Web Gateway, the virtual appliance, or the module. 1.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: The McAfee corporate website (http://www.mcafee.com) contains information on the full line of products from McAfee. The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module. 1.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Model document Validation Submission Summary document Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to McAfee. With the exception of this Non-Proprietary Security Policy, the FIPS 140- 2 Submission Package is proprietary to McAfee and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact McAfee. McAfee Web Gateway Virtual Appliance Page 3 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 2 McAfee Web Gateway Virtual Appliance 2.1 Overview McAfee, Inc. is a global leader in Enterprise Security solutions. The company's comprehensive portfolio of network security products and solutions provides unmatched protection for the enterprise in the most mission-critical and sensitive environments. The McAfee Web Gateway Virtual Appliance is a high-performance, enterprise-strength proxy appliance that provides the caching, authentication, administration, and authorization controls required by today's most demanding enterprises. The McAfee Web Gateway Virtual Appliance delivers deployment flexibility and performance, along with scalability to easily support hundreds of thousands of users in a single environment. McAfee Web Gateway Virtual Appliance delivers comprehensive security for all aspects of Web 2.0 traffic. McAfee Web Gateway ensures comprehensive web security for networks. It protects networks against threats arising from the web, such as viruses and other malware, inappropriate content, data leaks, and related issues. It also ensures regulatory compliance and a productive work environment. The virtual appliance is installed as a gateway that connects a network to the web. Following the implemented web security rules, it filters the requests that users send to the web from within the network. Responses sent back from the web and embedded objects sent with requests or responses are also filtered. Malicious and inappropriate content is blocked, while useful content is allowed to pass through. Web filtering is accomplished via the following processes: Intercepting web traffic: this is achieved by the gateway functions of the virtual appliance, using different network protocols and services such as HTTP1, HTTPS2, FTP3, Yahoo, ICQ, Windows Live Messenger, and others. As a gateway, the virtual appliance can run in explicit proxy mode or in transparent bridge or router mode. Filtering web objects: special anti-virus and anti-malware functions on the virtual appliance scan and filter web traffic and block objects when they are infected. Other functions filter requested URLs4, using information from the global TrustedSource intelligence system, or do media type and HTML5 filtering. They are supported by functions that do not filter themselves, but do tasks such as counting user requests or indicating the progress made in downloading web objects. Filtering users: this is done by the authentication mechanisms provided by the virtual appliance, using information from internal and external databases and methods such as NTLM 6,7,8, LDAP9, RADIUS10, Kerberos, and others. In addition to filtering normal users, the virtual appliance also provides control over administrator rights and responsibilities. Monitoring the filtering process: the monitoring functions of the appliance allow administrators a continuous overview of the filtering process. The monitoring functions include a dashboard, 1 HTTP ­ Hypertext Transfer Protocol 2 HTTPS ­ Secure Hypertext Transfer Protocol 3 FTP ­ File Transfer Protocol 4 URL ­ Uniform Resource Locator 5 HTML ­ Hypertext Markup Language 6 NTLM ­ Microsoft Windows NT LAN Manager 7 NT ­ New Technology 8 LAN ­ Local Area Network 9 LDAP ­ Lightweight Directory Access Protocol 10 RADIUS ­ Remote Authentication Dial-up User Service McAfee Web Gateway Virtual Appliance Page 4 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 which provides information on web usage, filtering activities, and system behavior. The dashboard also provides logging and tracing functions and options to forward data to an ePolicy Orchestrator. Event monitoring is provided by an SNMP11 agent. For user-initiated web requests, McAfee Web Gateway first enforces an organization's internet use policy. For all allowed traffic, it then uses local and global techniques to analyze the nature and intent of all content and active code entering the network via the requested web pages, providing immediate protection against malware and other hidden threats. Additionally, the SSL12 Scanner feature of McAfee Web Gateway can examine TLS13 traffic to provide in-depth protection against malicious code that might otherwise be disguised through encryption. To secure outbound traffic, McAfee Web Gateway scans user-generated content on all key web protocols, including HTTP, HTTPS, and FTP. As part of a fully-integrated McAfee data loss prevention solution, McAfee Web Gateway protects against loss of confidential information and other threats leaking from the organization through blogs, wikis, and online productivity tools such as organizers and calendars. The McAfee Web Gateway Virtual Appliance also provides administrators with the ability to monitor and troubleshoot the appliance. McAfee Web Gateway combines and integrates numerous protections that would otherwise require multiple stand-alone products. Web filtering, anti-virus, anti-spyware, SSL scanning, and content control filtering capabilities are combined into a single virtual appliance. A simplified management footprint means that a single compliance policy can be shared across protections and protocols. A sample deployment scenario is diagramed in Figure 1. Figure 1 ­ Typical Deployment Scenario The McAfee Web Gateway Virtual Appliance is validated at the FIPS 140-2 Section levels shown in Table 1 below. Table 1 ­ Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 2 4 Finite State Model 1 11 SNMP ­ Simple Network Management Protocol 12 SSL ­ Secure Sockets Layer 13 TLS ­ Transport Layer Security McAfee Web Gateway Virtual Appliance Page 5 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Section Section Title Level 5 Physical Security N/A14 6 Operational Environment 1 7 Cryptographic Key Management 1 15 8 EMI/EMC 1 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A 2.2 Module Specification The McAfee Web Gateway Virtual Appliance is a multi-chip standalone cryptographic software module that meets overall Level 1 FIPS 140-2 requirements. The cryptographic boundary of McAfee Web Gateway consists of McAfee Web Gateway application software, a cryptographic library and McAfee's own McAfee Linux Operating System (MLOS) v2.2.3. The cryptographic boundary is shown by the red- colored, dotted line in Figure 2. It is designed to execute on a General Purpose Operating System running a VMware hypervisor. As a virtual appliance, McAfee Web Gateway must be installed on a supported virtual machine hypervisor. The module was tested and found compliant on an Intel SR2625URLX Server System running the ESXi hypervisor provided by VMware vSphere 5.0. 2.2.1 Physical Cryptographic Boundary As a software cryptographic module, there are no physical protection mechanisms implemented. Therefore, the module must rely on the physical characteristics of the host system. The physical boundary of the cryptographic module, running within a virtual environment, is defined by the hard enclosure of the host system on which it runs, as shown by the red-colored dotted line in Figure 2. The module supports the physical interfaces of the host device, which directly hosts the virtual environment the module has been installed on. These interfaces include the integrated circuits of the system board, processor, network adapters, RAM, hard disk, device case, power supply, and fans. See Figure 2 for a diagram of the typical host device. 14 N/A ­ Not Applicable 15 EMI/EMC ­ Electromagnetic Interference / Electromagnetic Compatibility McAfee Web Gateway Virtual Appliance Page 6 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU(s) Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: Plaintext data BIOS ­ Basic Input/Output System PCIe ­ PCI express Encrypted data CPU ­ Central Processing Unit HDD ­ Hard Disk Drive Control input SATA ­ Serial Advanced Technology Attachment DVD ­ Digital Video Disc Status output SCSI ­ Small Computer System Interface USB ­ Universal Serial Bus Crypto boundary PCI ­ Peripheral Component Interconnect RAM ­ Random Access Memory Figure 2 ­ GPC Block Diagram 2.2.2 Logical Cryptographic Boundary The module is considered to be a software cryptographic module. Therefore the module has a logical cryptographic boundary in addition to a physical cryptographic boundary. The logical cryptographic boundary of the module consists of the McAfee Web Gateway Virtual Appliance running MLOS v2.2.3. Figure 3 shows the logical block diagram (red-dotted line) of the module executing in memory and its interactions with the VMware vSphere hypervisor through the module's defined logical cryptographic boundary. The module interacts directly with the hypervisor, which runs directly on the host system. The hypervisor controls and directs all interactions between McAfee Web Gateway and the operator. McAfee Web Gateway Virtual Appliance Page 7 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 McAfee Virtual Web Gateway Virtual Appliance Cryptographic Provider Virtual Web Gateway Application Software (7.3.2.3.4) McAfee Linux Operating System v2.2.3 VMware vSphere Hypervisor 5.0 VMware Host Hardware Data Output Data Input Control Input Status Output Cryptographic Boundary Figure 3 ­ McAfee Web Gateway Logical Cryptographic Boundary 2.3 Module Interfaces The McAfee Web Gateway Virtual Appliance is a multi-chip standalone cryptographic module that meets overall Level 1 FIPS 140-2 requirements. Interfaces on the module can be categorized as the following FIPS 140-2 logical interfaces: Data Input Interface Data Output Interface Control Input interface Status Output Interface Power Interface As a software module, the virtual appliance has no physical characteristics. The module's physical and electrical characteristics, manual controls, and physical indicators are those of the host system. The VMware hypervisor provides virtualized ports and interfaces for the module. Interaction of with the virtual ports created by the hypervisor occurs through the host system's Ethernet port. Management, data, and status traffic must all flow through the Ethernet port. Direct interaction with the module via the host system is not possible. The mapping of the module's logical interfaces in the software to FIPS 140-2 logical interfaces is described in Table 2 below. McAfee Web Gateway Virtual Appliance Page 8 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Table 2 ­ FIPS 140-2 Logical Interface Mappings Physical Logical Port/Interface FIPS 140-2 Interface Port/Interface Host System Ethernet Virtual Ethernet Ports, Data Input (10/100/1000) Ports Virtual USB Ports, Data Output Virtual Serial Ports Control Input Status Output Data input and output are the packets utilizing the services provided by the modules. These packets enter and exit the module through the Virtual Ethernet ports. Control input consists of Configuration or Administrative data entered into the modules. Status output consists of the status provided or displayed via the user interfaces (such as GUI or CLI) or available log information. 2.4 Roles and Services The module supports role-based authentication. There are two authorized roles in the module that an operator may assume: a Cryptographic Officer (Crypto-Officer, CO) role and a User role. 2.4.1 Cryptographic Officer Role The Crypto-Officer role performs administrative services on the module, such as initialization, configuration, and monitoring of the module. Before accessing the module for any administrative service, the operator must authenticate to the module. The module offers the following management interfaces to the CO: MWGUI16 SNMPv3 2.4.2 User Role A User of the module is any one of a set of clustered modules that share configuration information of the master McAfee Web Gateway Virtual Appliance. Users have to authenticate to the module with a valid certificate before they can access any of the user services. See section 2.4.5 below. 2.4.3 Services Services provided to authenticated operators are provided in Table 3 below. Please note that the keys and Critical Security Parameters (CSPs) listed indicate the type of access required: Read (R) : The CSP is read Write (W): The CSP is established, generated, modified, or zeroized Execute (X): The CSP is used within an Approved or Allowed security function or authentication mechanism 16 MWGUI ­ McAfee Web Gateway Graphical User Interface McAfee Web Gateway Virtual Appliance Page 9 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Table 3 ­ Authenticated Services Operator Approved Service Description Algorithms Type of Access CO User Accessed Perform initial Configure the primary X N/A None configuration network interface, IP17 address, host name, and DNS18 server CO Login Crypto-Officer login X AES, Triple-DES, DH19 Establishment Public Key ­ RX; RSA, SHA, DH Establishment Private Key ­ RX; HMAC, SP 800- RSA20 Establishment Public Key ­ WRX; 90A DRBG RSA Establishment Private Key ­ WRX; TLS Session Key ­ RWX; MWGUI Public Key ­ RX; MWGUI Private Key ­ RX; CO password ­ RX Implement/modify a Create/modify web security X RSA Root CA21 Private Key ­ RW; web security policy* policy using rules and filter Root CA Public Key ­ RW; lists RADIUS shared secret ­ WX; LDAP account password ­ WX; NTLM machine account password ­ WX Import a license* Import a license X N/A None Modify configuration Modify virtual appliance X RSA MWGUI Public Key ­ WX; settings* configuration settings MWGUI Private Key ­ WX; Cluster CA Public Key ­ WX; Cluster server key ­ WX; Cluster client key ­ WX; WCCP22 authentication key ­ WX; SNMP v3 passwords ­ WX; NTLM machine account password ­ WX SWPS key ­ WX; Manage administrator Set up account for X N/A CO password ­ WX; account* administrator RADIUS shared secret ­ WX; NTLM machine account password ­ WX; SNMP v3 passwords ­ WX; 17 IP ­ Internet Protocol 18 DNS ­ Domain Name System 19 DH ­ Diffie Hellman 20 RSA ­ Rivest, Shamir, and Adleman 21 CA ­ Certificate Authority 22 WCCP ­ Web Cache Communication Protocol McAfee Web Gateway Virtual Appliance Page 10 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Operator Approved Service Description Algorithms Type of Access CO User Accessed Backup appliance Store the virtual appliance's X RSA CO Password ­ X; configuration* configuration information SNMP v3 Password ­ X; (including rules, lists, settings, RADIUS shared secret ­ X; and administrator accounts) LDAP account password ­ X; in a backup file MWGUI Public Key ­ X; MWGUI Private Key ­ X; Root CA Private Key ­ RW; Root CA Public Key ­ RW; WCCP key ­ R Restore appliance Restore the virtual X RSA CO Password, SNMP v3 Password, configuration* appliance's configuration RADIUS shared secret, LDAP account information from a backup password, MWGUI Public Key, file MWGUI Private Key, Root CA Private key, Root CA Public key, WCCP key ­ WX Monitor system Monitor how the virtual X N/A None functions* appliance executes its filtering functions Monitor status on Monitors non security X N/A SNMP v3 Password -RX SNMP relevant status of the module via SNMPv3 Perform self-tests* Run self-tests on demand (via X N/A None MWGUI) Perform self-tests Run self-tests on demand (via X N/A None power cycle) Show status* Allows Crypto-Officer to X N/A None check module status Zeroize Zeroizes the module to the X N/A All Keys and CSPs ­ W factory default state Configure cluster CA* Services required to X RSA Cluster CA Public Key ­ W; communicate with each Cluster server key ­ W; other in multi-appliance Cluster client key ­ W configurations Management over Shutdown or restart the X N/A CO Password ­ X REST23 * virtual machine; view log files; flush the cache; create configuration backup Note: The `*' above indicates the `CO Login' service is required. 23 REST ­ Representational State Transfer McAfee Web Gateway Virtual Appliance Page 11 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Operator Approved Service Description Algorithms Type of Access CO User Accessed Configuration sharing Clustered instances share the X AES, Triple-DES, DH Establishment Keys ­ RWX; configuration information of RSA, SHA, Cluster CA Public Key ­ RX; the McAfee Web Gateway HMAC, SP 800- Cluster server key ­ RX; master 90A DRBG Cluster client key ­ RX; TLS session key ­ WX; CO Password, SNMP v3 Password, RADIUS shared secret, LDAP account password, MWGUI Public Key, MWGUI Private Key , Root CA Private Key, Root CA Public Key, WCCP ­ WR (depending on originator) 2.4.4 Non-Security Relevant Services In addition to the services listed in Table 3, the modules provide non-security relevant services. All services provided by the modules are provided in the modules' product guide: McAfee Web Gateway 7.3.2: Product Guide; Revision A (2013). The document is publicly available for download at: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD 24502/en_US/mwg_732_pg_product_a_en-us.pdf. 2.4.5 Authentication Mechanisms Crypto-Officers may authenticate to the module over the MWGUI with a combination of username and password or with a client certificate. Users may authenticate to the module using one of the following configurable methods: NTLM NTLM-Agent LDAP RADIUS SWPS24 Kerberos The modules supports role-based authentication. An operator explicitly assumes either a Crypto-Officer role or a User role based on the authentication credentials. Please refer to the Table 4 for the authentication methods used by operators to authenticate to the module and assume an authorized role. 24 SWPS ­ Secure Web Protection Service McAfee Web Gateway Virtual Appliance Page 12 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Table 4 ­ Authentication Mechanisms Employed by the Module Role Type of Authentication Authentication Strength Crypto-Officer Password Passwords are required to be at least 8 characters long. The password requirement is enforced by the Security Policy. The maximum password length is 1,000 characters. The password must contain the following: At least one lower case letter. At least one upper case letter. At least one numeric or special character. Starting with all 8-character strings: 958 Then remove all passwords with no lowercase (698), all passwords with no uppercase (698), and all passwords with no digits/specials (528). But then you removed some passwords twice. You must add back all passwords with: no lowercase and no uppercase: 438 no lowercase and no digits/specials: 268 no uppercase and no digits/specials: 268 958 -698 -698 -528 +438 +268 +268 = 5,565,253,689,908,6405.565×1015 passwords The chance of a random attempt falsely succeeding is 1: 5.565x1015. Crypto-Officer/ RSA Public Key Certificate The module supports RSA digital certificate User authentication during TLS sessions. Using conservative estimates and equating a 2048-bit RSA key to an 112-bit symmetric key, the probability for a random attempt to succeed is 1:2112. Crypto-Officer One Time Password When enabled, a one-time password is sent to the CO after successfully authenticating with an RSA digital certificate. The CO must type in the received password in order to authenticate to the module. The use of a one-time password acts as a two-factor authentication method, which greatly increases the overall strength of CO's password. 2.5 Physical Security McAfee Web Gateway Virtual Appliance is a software module, which FIPS defines as a multi-chip standalone cryptographic module. As such, it does not include physical security mechanisms. Thus, the FIPS 140-2 requirements for physical security are not applicable. McAfee Web Gateway Virtual Appliance Page 13 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 2.6 Operational Environment The operational environment for the module consists of MLOS v2.2.3 and the VMware hypervisor. The module was tested and found to be compliant with FIPS 140-2 requirements on hypervisors provided by VMware vSphere 5.0 running on an Intel SR2625URLX Server System. All cryptographic keys and CSPs are under the control of MLOS v2.2.3 and the hypervisor, which protect the CSPs against unauthorized disclosure, modification, and substitution. 2.7 Cryptographic Key Management The module's cryptographic functionality is provided by a software library that offers secure networking protocols and cryptographic functionalities. Security functions offered by the module map to the certificates listed in Table 5. Table 5 ­ Algorithm Certificate Numbers for Cryptographic Libraries Approved Security Function CVL Certificate Number Symmetric Key Algorithm AES25: 128-, 192-, 256-bit in CBC26 mode 3117 Triple-DES27 : 168-bit in CBC mode 1788 Secure Hashing Algorithm (SHA) SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 2573 Message Authentication Code (MAC) Function HMAC28 using SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 1954 Deterministic Random Bit Generator (DRBG) SP800-90A CTR_DRBG 628 Asymmetric Key Algorithm RSA29 Key Pair Generation (FIPS 186-4) with 2048- bit keys 1588 30 RSA PKCS #1 v1.5 Signature Generation (FIPS 186-4) with 2048-bit keys 1588 RSA PKCS #1 v1.5 Signature Verification (FIPS 186-2) with 1024-, 1536-, 1588 2048-, 3072-, 4096-bit keys Digital Signature Algorithm (DSA) signature verification: 1024-bit 901 Additional information concerning SHA-1, RSA key signatures, and specific guidance on transitions to the use of stronger cryptographic keys and more robust algorithms is contained in NIST Special Publication 800-131A. The cryptographic module implements the TLS and SNMP secure networking protocols. Each protocol implements a Key Derivation Function (KDF) listed in NIST SP 800-135rev1 and has been validated by 25 AES ­ Advanced Encryption Standard 26 CBC ­ Cipher-Block Chaining 27 DES ­ Data Encryption Standard 28 HMAC ­ (Keyed-) Hash Message Authentication Code 29 RSA ­ Rivest, Shamir, Adleman 30 PKCS ­ Public Key Cryptography Standards McAfee Web Gateway Virtual Appliance Page 14 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 the CMVP. There certificate numbers are provided in Table 6. The complete protocol implementations have not been reviewed or tested by the CAVP 31 and CMVP. Table 6 ­ Network Protocol Component Validation Certificate Algorithm Number TLS 1.0/1.1 and TLS 1.2 KDF32 using SHA 256 and SHA 384 379 SNMP KDF using SHA-1 379 The module implements the following non-compliant key establishment methodologies: Diffie-Hellman: 2048-bit key (key agreement; key establishment methodology provides 112 bits of encryption strength) RSA: 2048-bit keys (key wrapping; key establishment methodology provides 112 bits of encryption strength) The module employs a non-Approved Non-Deterministic Random Number Generator (NDRNG), which is used as an entropy source for seeding the Approved DRBG listed in Table 5. Its use is allowed per FIPS 140-2 Implementation Guidance 7.11. 31 CAVP ­ Cryptographic Algorithm Validation Program 32 KDF ­ Key Derivation Function McAfee Web Gateway Virtual Appliance Page 15 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 The module supports the CSPs listed below in Table 7. Table 7 ­ Cryptographic Keys, Cryptographic Key Components, and CSPs Key/CSP Key/CSP Generation / Output Storage Zeroization Use Type Input Crypto-Officer Password Set via MWGUI Configuration Stored as Overwritten Authentication Password or imported sharing or backup SHA256 by another of ­ encrypted hash in the password or administrators configuration when (Crypto- on hard disk appliance is Officers) re-imaged SNMP v3 Password Set via MWGUI Configuration Stored as Overwritten Used with SHA- Password or imported sharing or backup USM33 hash by another 1 and AES for ­ encrypted (rfc3414) in password or authentication the when of SNMP configuration appliance is requests on hard disk re-imaged RADIUS Shared Password Set via MWGUI Configuration Stored in Overwritten Authenticate Secret or imported sharing or backup plain text in by another RADIUS ­ encrypted the password or messages configuration when on hard disk appliance is re-imaged NTLM Account Password Internally Never leaves the Stored on Overwritten Authenticate at Password generated by FIPS module hard disk in by another Domain approved DRBG plain text password or when appliance is re-imaged LDAP Account Password Set via MWGUI Configuration Stored on Overwritten Authenticate at Password or imported sharing or backup hard disk in by another LDAP ­ encrypted plain text in password or the when configuration appliance is re-imaged Kerberos Password Set via MWGUI Configuration Stored in Overwritten Authenticate Password or imported sharing or backup plain text in by another Kerberos ­ encrypted the password or messages configuration when virtual on hard disk machine is reinstalled Cluster CA X509 / Preinstalled and Leaves the module Stored on Overwritten Verification of Public Key RSA >= later changed via in plaintext hard disk in via MWGUI other cluster 2048 bits MWGUI plain text or when member and appliance is issuing of a re-imaged cluster client certificate 33 USM ­ User-based Security Model McAfee Web Gateway Virtual Appliance Page 16 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Key/CSP Key/CSP Generation / Output Storage Zeroization Use Type Input SWPS Key Pre-shared Set via MWGUI Configuration Stored in Overwritten End User key or imported sharing or backup plain text in via MWGUI authentication ­ encrypted the or when over encrypted configuration appliance is channel on hard disk re-imaged Cluster RSA Internally Private key will not Stored on Appliance re- Client / Server Communication private key generated by FIPS leave the module hard disk in image or authentication Private Key with 2048 approved DRBG plain text reissuing due for Transport bits to Cluster CA Layer Security change cluster communication Cluster X509 / Internally Leaves the module Stored on Appliance re- Client / Server Communication RSA public generated by in plaintext hard disk in image or authentication Public Key key with following FIPS plain text reissuing due for TLS cluster 2048 bits 186-4 to Cluster CA communication change MWGUI RSA Set via MWGUI Configuration Stored in Overwritten Serve TLS Private Key private key or imported sharing or backup plain text in via MWGUI connection to with 2048 ­ encrypted the or when the MWGUI bits configuration appliance is on hard disk re-imaged MWGUI Public X509, RSA Set via MWGUI Configuration Stored in Overwritten Serve TLS Key public key or imported sharing or backup plain text in via MWGUI connection to with 2048 ­ encrypted; the or when the MWGUI bits Leaves the module configuration appliance is in plaintext on hard disk re-imaged Root CA RSA Set via MWGUI Configuration Stored in Overwritten SSL-Scanner: Private Key private key or imported sharing or backup plain text in via MWGUI Issuing server with 2048 ­ encrypted the or when certificates bits configuration appliance is file on hard re-imaged disk Root CA Public X509, RSA Set via MWGUI Configuration Stored in Overwritten SSL-Scanner: Key public key or imported sharing or backup plain text in via MWGUI Verification of with 2048 ­ encrypted; the or when TLS bits Leaves the module configuration appliance is connections in plaintext on hard disk re-imaged DH Diffie- Internally Never leaves the Stored in By power TLS Establishment Hellman generated by FIPS module plain text on cycle or connections for Private Key private key approved DRBG hard disk session cluster 224-bit termination communication, configuration, signature updates and SSL Scanner functions McAfee Web Gateway Virtual Appliance Page 17 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Key/CSP Key/CSP Generation / Output Storage Zeroization Use Type Input DH Diffie- Generated Leaves the module Stored in By power TLS Establishment Hellman externally; in plaintext plain text on cycle or connections for Public Key Public key Preinstalled hard disk session cluster 2048-bit termination communication, configuration, signature updates and SSL Scanner functions RSA Key RSA Internally Never leaves the Stored in By power TLS Establishment private key generated by module plain text on cycle or connections for Private Key 2048-bit following FIPS hard disk session MWGUI or SSL 186-4 termination Scanner RSA Key RSA public Internally Leaves the module Stored in By power TLS Establishment key 2048- generated by in plaintext plain text on cycle or connections for Public Key bit following FIPS hard disk session MWGUI or SSL 186-4 termination Scanner TLS Session Triple-DES, Internally Output in Volatile By power TLS Key AES 128, generated by the encrypted form memory in cycle or connections for AES 256 TLS KDF during TLS plain text session cluster handshake termination communication, Configuration, signature updates and SSL Scanner functions DRBG Seed Random Internally Never Not By power Seeding material data Generated persistently cycle; for SP 800-90A stored by DRBG DRBG the module uninstantiation DRBG Entropy Random Internally Never Not By power Entropy data (512 - Generated persistently cycle; material for SP 75203 stored by DRBG 800-90A DRBG Bytes) the module uninstantiation DRBG `V' Value Internal Internally Never Not By power Secret, internal state value Generated persistently cycle; value for the stored by DRBG CTR_DRBG the module uninstantiation DRBG `Key' Internal Internally Never Not By power Key used for Value state value Generated persistently cycle; generating stored by DRBG random the module uninstantiation material by the CTR_DRBG McAfee Web Gateway Virtual Appliance Page 18 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Key/CSP Key/CSP Generation / Output Storage Zeroization Use Type Input WCCP Password Set via MWGUI Configuration Stored in Overwritten Authentication Authentication or imported sharing or backup plain text in by another (MD5) for Key ­ encrypted the password or WCCP UDP34 configuration when control packets on hard disk appliance is re-imaged 2.8 Self-Tests McAfee Web Gateway performs power-up and conditional self-tests as stated in the sections below. 2.8.1 Power-Up Self-Tests McAfee Web Gateway performs the following self-tests at power-up: Software integrity check using a HMAC-SHA-256 hash Known Answer Tests (KAT) o AES Encrypt KAT o AES Decrypt KAT o Triple-DES Encrypt KAT o Triple-DES Decrypt KAT o SHA-1 KAT o HMAC KAT with SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 o RSA Signature Generation KAT o RSA Signature Verification KAT o RSA Key Wrap KAT o RSA Key Unwrap KAT o SP 800-90A CTR_DRBG KAT DSA Pairwise Consistency Test (verify operation) If any of the tests listed above fail to perform successfully, the module enters a critical error state where all cryptographic operations and output of any data is prohibited. Operators can reboot the virtual appliance to clear the error and resume normal operation. 2.8.2 Conditional Self-Tests The module performs the following conditional self-tests: Continuous Random Number Generator Test (CRNGT) for SP 800-90A CTR_DRBG Continuous RNG Tests for NDRNG RSA pairwise consistency test (for sign and verify operations) If any of the tests listed above fail to perform successfully, the module enters a critical error state where all cryptographic operations and output of any data is prohibited. Operators can reboot the virtual appliance to clear the error and resume normal operation. 2.9 Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-2 Level 1 requirements for this validation. 34 UDP ­ User Datagram Protocol McAfee Web Gateway Virtual Appliance Page 19 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 3 Secure Operation The McAfee Web Gateway Virtual Appliance meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in operation. 3.1 Initial Setup The following sections provide step-by-step instructions necessary to configure the module for operation. For any questions or issues that arise at any point during the installation and configuration of the virtual appliance, contact the McAfee support team at http://www.mcafee.com/us/support.aspx. Documents mentioned in these instructions are freely available at the following web address: http://kc.mcafee.com. 3.1.1 Setting FIPS Environment In order to setup the virtual appliance in the validated configuration, the following steps will need to be performed by the Crypto-Officer: 1. Obtain version 7.3.2.3.4 installation image from McAfee's Content & Cloud Security Portal. 2. Open a virtual machine management client and create a new virtual machine on the hypervisor. a. Please refer to the McAfee Web Gateway 7.3.2 Product Guide for minimum environmental requirements 3. When asked to provide an *.iso35 file, provide the image obtained in step one. 4. Start the virtual machine. 5. When presented with the Installer interface, select option #5 ­ "Install Appliance in FIPS mode" 6. Follow the procedures included in the Installation Guide to complete installation using the installation wizard. The module will reboot. 7. After successful installation, please ensure that the following features are turned off: 1) The log file encryption and/or anonymization feature must be turned off a) Confirm the "Encrypt the log file" flag under the Policy>Settings>File System Logging>Access Denied Log Configuration tab is not enabled b) Confirm that nothing appears when searching for the "FileSystemLogging.MakeAnonymous" property 8. Reboot the module. The appliance is now considered to be in its validated configuration. 3.2 Crypto-Officer Guidance The Crypto-Officer is responsible for initializing the module, performing security-relevant configuration, and monitoring the module. During initial set up, the CO shall change the default admin password, MWGUI server certificate, and the cluster CA. Additionally, the CO shall ensure that the log file encryption and/or anonymization feature is turned off when the module is being operated. The Crypto-Officer can initiate the execution of self-tests, and can access the module's status reporting capability. Self-tests can be initiated at any time by restarting the virtual appliance. 3.2.1 Management The Crypto-Officer is responsible for maintaining and monitoring the status of the module. Please refer to Section 3.1 above for guidance that the Crypto-Officer must follow. To obtain the current FIPS status of the module, the CO should access the module via the MWGUI. On the upper, left-hand corner of the GUI, the CO will see "FIPS 140-2" when the module has been properly configured. 35 ISO ­ International Organization for Standardization McAfee Web Gateway Virtual Appliance Page 20 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 For details regarding the management of the module, please refer to the McAfee Web Gateway Installation Guide. 3.2.2 Zeroization Session keys are zeroized at the termination of the session, and are also cleared when the module is power- cycled. Zeroizartion also includes the SP 800-90A CTR_DRBG seed, entropy, and key values. All other CSPs may be zeroized by reinstalling the virtual appliance. The Crypto-Officer must wait until the module has successfully rebooted in order to verify that zeroization has completed. 3.3 User Guidance The User does not have the ability to configure sensitive information on the module. McAfee Web Gateway Virtual Appliance Page 21 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 4 Acronyms Table 8 in this section describes the acronyms used throughout the document. Table 8 ­ Acronyms Acronym Definition AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher-Block Chaining CLI Command Line Interface CMVP Cryptographic Module Validation Program CO Crypto-Officer CRNGT Continuous Random Number Generator Test CSE Communications Security Establishment CSP Critical Security Parameter DES Digital Encryption Standard DNS Domain Name System DSA Digital Signature Algorithm ECB Electronic Codebook EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FTP File Transfer Protocol GUI Graphical User Interface ISO International Organization for Standardization MD Message Digest HMAC (Keyed-) Hash Message Authentication Code HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol HTTPS Secure Hypertext Transfer Protocol IP Internet Protocol KAT Known Answer Test KDF Key Derivation Function LAN Local Area Network LDAP Lightweight Directory Access Protocol MD Message Digest McAfee Web Gateway Virtual Appliance Page 22 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.4 December 17, 2015 Acronym Definition MLOS McAfee Linux Operating System MWGUI McAfee Web Gateway Graphical User Interface NDRNG Non-Deterministic Random Number Generator NIST National Institute of Standards and Technology NT New Technology NTLM Microsoft Windows NT LAN Manager OS Operating System PKCS Public Key Cryptography Standard RADIUS Remote Authentication Dial-In User Service RC Rivest Cipher REST Representational State Transfer RSA Rivest Shamir and Adleman SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SSH Secure Shell SSL Secure Sockets Layer SWPS Secure Web Protection Service TLS Transport Layer Security UDP User Datagram Protocol URL Uniform Resource Locator USM User-based Security Model UUID Universally Unique Identifier WCCP Web Cache Communication Protocol McAfee Web Gateway Virtual Appliance Page 23 of 24 © 2015 McAfee, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. Prepared by: Corsec Security, Inc. 13135 Lee Jackson Memorial Highway, Suite 220 Fairfax, VA 22033 United States of America Phone: +1 (703) 267-6050 Email: info@corsec.com http://www.corsec.com