
Symantec SSL Visibility Appliance: Data Sheet


Data Sheet

Symantec® SSL Visibility Appliance


Remove Security Blind Spots Created by SSL/TLS Encryption

Overview

• Provides unmatched visibility into encrypted traffic to protect against advanced threats:
  – Automatically identifies all SSL/TLS traffic, regardless of port number or application
• Supports privacy and compliance initiatives:
  – Selectively decrypts traffic to meet data privacy and compliance requirements
  – Enforces acceptable use policies for encrypted traffic
• Integrates seamlessly with the existing security infrastructure:
  – Preserves and extends the ROI of the infrastructure
  – Supports multiple network segments and can feed active and passive security appliances simultaneously and provide TLS offload for ProxySG
• Simplifies management and administration:
  – Delivers detailed logs and alerts to easily spot trends and potential issues with SSL use
  – Integrates with Management Center for configuration backup, scheduling and synchronization

Introduction

Encryption protects the privacy and integrity of data, but also creates a blind spot that attackers can exploit to evade security controls. Considering over half of all Internet traffic today is encrypted, it creates a rather large gap in an organization's security posture, leading to increased vulnerability and risk, as well as a damaged reputation. The Symantec SSL Visibility Appliance, a key component of the Encrypted Traffic Management solution set, enables organizations to cost-effectively eliminate blind spots within their environment and maximize the effectiveness of their security infrastructure investments. With Symantec technology, organizations have the visibility and control they need over encrypted traffic to ensure compliance with their privacy, regulatory and acceptable use policies.

Provides Visibility into Encrypted Traffic to Improve Security

The SSL Visibility Appliance is an integral component to any organization's traffic management strategy, providing visibility into encrypted traffic that ensures attacks cannot slip by undetected. Broadcom identifies and decrypts all SSL connections and applications across all network ports (even irregular ports). The decrypted feeds can be used by the existing security infrastructure to strengthen their ability to detect and protect against advanced threats; by offloading process intensive decryption, the SSL Visibility Appliance also helps improve the overall performance of the organization's network and security infrastructure.

Figure 1: SSL Visibility Appliance Hardware

Supports Privacy and Compliance Initiatives

The SSL Visibility Appliance serves as an effective policy enforcement point to control SSL traffic throughout the enterprise, reducing risks posed by encrypted traffic, while maintaining compliance with relevant privacy policies and regulatory requirements. Using Host Categorization and SSL traffic types for policies, organizations can easily create and customize granular policies to selectively decrypt traffic to meet their business needs (for example, do not decrypt financial or banking traffic going out of the business). Policies can easily be set to control obsolete or weak ciphers and standards, such as traffic using SSL v3.0.

This enables organizations to focus on the communications that represent the highest risks, effectively balancing security with data privacy and compliance requirements. These policies also utilize Symantec market-leading Global Intelligence Network to exchange and update SSL host categorization, threat and malware knowledge across the globe.

Broadcom SSL-Visibility-DS100
May 3, 2021

Delivers Unmatched Performance and Scale


The SSL Visibility Appliances operate at line-rate, providing visibility into encrypted traffic and potential threats, without hindering device or network performance. The appliances provide:
• Line-rate Network Performance: port-to-port latency for non-SSL flows is less than 40 microseconds. Hardware appliances support decryption of up to 25 Gb/s of SSL traffic for all SSL/TLS versions and more than 100 cipher suites.
• High Connection Rate/Flow Count: inspecting up to 2,500,000 concurrent SSL sessions and supporting the setup and teardown of up to 24,000 new RSA 4K sessions per second.
• High Availability: offering integrated fail-to-wire/fail-to-open hardware and configurable link state monitoring and mirroring for guaranteed network availability and network security.

Figure 2: Symantec SSL Visibility Appliance Helps Centralize the Management of Encrypted Traffic

[Diagram labels: Internet; Gateway; Global Intelligence Network (85+ Policy categories); SSL Visibility Appliance; Passive Devices (IDS, Forensics, Analytics, and so on); Active Devices (IPS, NGFW, Anti-Malware, ProxySG, and so on); Business Assets (Clients and Servers); Decrypted Traffic; Encrypted Traffic]


Integrates Seamlessly with Existing Infrastructure


The SSL Visibility Appliances are simple to deploy within your existing infrastructure; there is no need to duplicate security appliances or re-architect the network infrastructure. Hardware and Virtual Appliances provide:
• Improved ROI of Infrastructure: enhancing the performance and existing capabilities of network and security appliances, by offloading the decryption and providing visibility into formerly encrypted traffic to help uncover hidden threats.
• Network Transparency: deploying the SSL Visibility Appliance is transparent to end systems and to intermediate network elements. It does not require network reconfiguration, IP address or topology changes, or modifications to client IP and web browser configurations.

Figure 3: Active Devices for Segment 1

[Diagram labels: IPS; NGFW; Anti-Malware; Copy Port; Passive Device for Segment #2 (Security Analytics); Network 1 In; Network 1 Out; Network 2 In; Network 2 Out]

• Flexible Deployment Options: supporting multiple in-line or tap segments that feed one or more active or passive attached appliances (the number of segments supported varies depending on model number).

Figure 4: Active Devices for Segment 2

[Diagram labels: Active Device (for example, IPS, DLP); Passive Devices (for example, IDS, Analytics, NGFW, Anti-Malware); Copy Ports; Network In; Network Out]


• Copy Ports: the SSL Visibility Appliance can send copies out to many devices over the additional ports on the device. This allows organizations to feed all traffic (decrypted and non-SSL) to additional passive devices on the network.
• Application Preservation: delivering decrypted plain-text to security appliances as a generated TCP stream, with the packet headers as they were received. This allows applications and appliances, such as next-generation firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), data loss prevention (DLP) systems and security analytics, to expand their scope and provide protection from threats hiding in the previously encrypted traffic. This is done without requiring any special software or capabilities in the attached security tools. When feeding ProxySG, the SSL Visibility Appliance must be running a 4.x or later software release and ProxySG must be running 6.7.2.x or later software.
• Comprehensive Support: delivering complete visibility into inbound and outbound SSL sessions; supporting networks with asymmetric traffic routing; providing support for multiple re-signing Certificate Authorities (CA) when inspecting outbound SSL flows; allowing the import of many server key/cert pairs to inspect inbound SSL flows to enterprise SSL servers.
• Input Aggregation: allowing the aggregation of traffic from multiple network taps onto a single passive-tap segment for inspection.

Simplifies Management and Administration


The SSL Visibility Appliances are simple to configure and manage, providing:
• Single Device Management: offering a powerful, SSL-secured, simple-to-use, web-based user interface (UI) for configuration and management with Role-based Access Control (RBAC).
• Centralized Management: allowing multiple appliances to be administered by Symantec Management Center for inventory and system performance monitoring, health monitoring, configuration backup and scheduling and configuration synchronization. Management Center also supports RBAC.
• Email Alerting: configuring logs to trigger alerts that can be immediately forwarded via email or sent at intervals to designated network administrators.
• SSL Session Identification: providing session logs that detail all SSL flows, inspected or not, allowing suspicious trends or patterns of SSL use to be detected.
• Syslog Reporting: supporting up to 8 remote syslog servers to enable enhanced reporting and logging applications within distributed environments.
• SNMP Support: enabling monitoring and management by 3rd party devices via the SNMP v3 standard.

Table 1: SSLV Performance in Classic (Non-ProxySG) Mode Only

Software Version: 4.5.x, 5.2.x

| Product Model | SV1800B-C/F | SV2800B | SV3800B | SV3800B-20 | SV-S550-20 |
|---|---|---|---|---|---|
| Total Packet Processing Capacity (Gb/s) | 8 | 20 | 40 | 40 | 100 |
| Classic segment Inspection capacity (Gb/s) | 2.0 | 4.5 | 7.5 | 9.0 | 20 |
| Concurrent SSL Flow States | 100,000 | 200,000 | 500,000 | 900,000 | 2,500,000 |
| New Full Handshake RSA 2048 bit | 4,500 | 6,000 | 9,000 | 12,000 | 28,000 |
| New Full Handshake RSA 4096 bit | Not Tested | Not Tested | Not Tested | 600 | 24,000 |
| New Full Handshake ECDHE 256 | 4,000 | 6,000 | 8,000 | 14,000 | 25,000 |
| SSL Session Log Entries | 32,000,000 | 32,000,000 | 32,000,000 | 32,000,000 | 250,000,000 |


Table 2: SSLV Performance for ProxySG Segment

Software Version: 4.5.x (SGOS 6.7.4.4), 5.2.x (SGOS 7.2.3.2)

| Product Model | SV1800B-C/F | SV2800B | SV3800B | SV3800B-20 | SV-S550-20 |
|---|---|---|---|---|---|
| Total Packet Processing Capacity (Gb/s) | 8 | 20 | 40 | 40 | 100 |
| Proxy segment Inspection capacity (Gb/s) | 1.8 | 3.5 | 4.4 | 7.0 | 9.0 |
| Chained Segment Capacity A + B (Gb/s) | NA | 2.2 | 2.6 | 4.0 | NA |
| Concurrent SSL Flow States | 50,000 | 100,000 | 250,000 | 450,000 | 2,500,000 |
| New Full Handshake RSA 2048 bit | 4,500 | 6,000 | 9,000 | 12,000 | 28,000 |
| New Full Handshake ECDHE 256 | 4,000 | 6,000 | 8,000 | 14,000 | 25,000 |
| SSL Session Log Entries | 32,000,000 | 32,000,000 | 32,000,000 | 32,000,000 | 250,000,000 |

Table 3: SSLV Specifications

| Specification | SV1800B-C/F | SV2800B | SV3800B | SV3800B-20 | SV-S550-20 |
|---|---|---|---|---|---|
| Configurations | Network Interfaces: Fixed 8 x 1 Gb/s Copper | Network Interfaces: Fixed 8 x 1 Gb/s Copper | Network Interfaces: Fixed 8 x 1 Gb/s Copper or 8 x 1 Gb/s Fiber (SX) | Network Interfaces: 3 Netmod Slots - Various 1 Gb/s and 10 Gb/s Interface Options | Network Interfaces: 7 Netmod Slots - Various 1 Gb/s and 10 Gb/s Interface Options |
| Power Supplies | 1 x 150W | 1 x 150W | 1+1 Redundant 450W | 1+1 Redundant 750W | 1+1 Redundant 750W |
| Management Interfaces | 1 x RJ-45 | 1 x RJ-45 | 1 x RJ-45 | 1 x RJ-45 | 1 x RJ-45 |
| Display | LCD 16 x 2 Char. Display | LCD 16 x 2 Char. Display | LCD 16 x 2 Char. Display | LCD 16 x 2 Char. Display | LCD 16 x 2 Char. Display |
| Operating Temperature | 5°C to 40°C | 5°C to 40°C | 5°C to 40°C | 10°C to 35°C | 10°C to 35°C |
| Storage Temperature | –10°C to 60°C | –10°C to 60°C | –10°C to 60°C | –10°C to 60°C | –10°C to 60°C |
| Dimensions (in.) H x W x D | 1.75 x 8 x 12.75 | 1.75 x 8 x 12.75 | 1.75 x 17 x 20 | 1.75 x 17.5 x 29 | 3.5 x 17.5 x 29 |

Manageability: SNMP v1, v2c and v3 supported; GETs and TRAPs supported; supported across multiple Symantec MIBs; SETs supported only for the System Group.
Regulatory and Environmental Standards/Compliance: CE (EN55022, EN55024, EN60950), FCC part 15 class A, UL60950-1, EN 62368-1:2014 / IEC 62368-1:2014 (Second Edition), UL62368
Modes of Operation (per network segment): Passive-Inline, Active-Inline Fail to Network (FTN) and Fail to Appliance (FTA), ProxySG segment (4.x only)
Encryption: TLS 1.3 (RFC 8446), TLS 1.2, TLS 1.1, TLS 1.0, SSLv3, partial SSLv2
Symmetrical Key Algorithms: AES, AES-GCM, AES-CCM, 3DES, DES, RC4, ChaCha20-Poly1305, Camellia
RSA Keys: 512 to 4096 bits
Software Licensing: A Symantec License is required for inspection activation for each appliance. Please refer to the Licensing section within the Symantec Support portal. Host Categorization is an optional, subscription-based service that requires an additional license per appliance.

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright © 2021 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product or
circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
