Connector Encryption 1
- Pavan Raja

- Apr 8, 2025
Summary:
This technical note outlines encryption and security measures for ArcSight Connectors version 4.8.2.5516 or later, including secure data storage and transmission between connectors and various devices like Logger Appliances, Loggers, and ArcSight Managers. Key features include:
1. Encrypted Communication: Transmitted data is encrypted with a cipher suite negotiated from the protocols that both sender and receiver allow. If FIPS mode is enabled in receivers, FIPS-compliant ciphers are used.
2. User Password for Connector Management: A unique password is required for managing the connector, stored securely according to least privilege access principles.
3. Third Party Device Credentials: Passwords and other credentials are handled cautiously to prevent unauthorized access through insecure methods.
4. Digests in HTTP Posting: Event data posted via HTTP to ArcSight Manager is protected using digests to maintain event integrity during transmission.
5. Event Integrity Algorithms: Specific algorithms ensure event data integrity, customizable according to organizational security needs without compromising performance or confidentiality.
6. General Encryption Practices: Emphasizes the importance of encryption for protecting sensitive information in transit and at rest within the connector infrastructure.
The note is intended for HP ArcSight Professional Services staff, aiming to ensure effective implementation of data integrity, confidentiality, and security protocols across various versions of the product. The document also details encryption protocols and cipher suites used in different modes for various components of a system: TLS/SSL ciphersuites, password hashing, third-party device credentials, hash functions for data obfuscation and integrity checks, and compliance with FIPS mode or default settings.
Details:
This technical note outlines encryption and security measures for ArcSight Connectors in version 4.8.2.5516 or later, focusing on secure data storage and transmission between connectors and various devices such as Logger Appliances, Loggers, and ArcSight Managers. Key points include:
1. **Encrypted Communication**: Data transmitted between the connector and target devices (Logger, Connector Appliance, ArcSight Manager) is encrypted with a cipher suite negotiated from the protocols that both sender and receiver allow. If FIPS mode is enabled in receivers, connectors will use FIPS-compliant ciphers even when sending to non-FIPS destinations.
2. **User Password for Connector Management**: A unique password is required for managing the connector, which should be stored securely according to least privilege access principles.
3. **Third Party Device Credentials**: Passwords and other credentials used for authentication with third-party devices are handled cautiously, ensuring they are not accessible by unauthorized personnel through insecure means such as command line interface history or browser cache.
4. **Digests in HTTP Posting**: Event data posted to ArcSight Manager using HTTP is protected via digests to maintain the integrity of the events during transmission.
5. **Event Integrity Algorithms**: Specific algorithms are employed to ensure event data integrity, which can be adjusted according to organizational security needs and standards without compromising system performance or confidentiality.
6. **General Encryption Practices**: The document emphasizes the importance of encryption for protecting sensitive information in transit and at rest within the connector infrastructure. This includes secure handling of passwords, credentials, and adherence to FIPS compliance where applicable.
The note is intended for HP ArcSight Professional Services staff, aiming to ensure that data integrity, confidentiality, and security protocols are effectively implemented across various versions of the product.
The document provides information about encryption protocols and cipher suites used in different modes for various components of a system. Key points are summarized below:
1. **ArcSight Manager**:
   - In FIPS mode, encrypted communications use TLSv1 with specific cipher suites such as TLS_RSA_WITH_AES_128_CBC_SHA or SSL_RSA_WITH_3DES_EDE_CBC_SHA.
   - In non-FIPS (default) mode, the protocol can be either TLSv1 or SSLv3, also using the mentioned cipher suites.
2. **Logger**:
   - Similar to ArcSight Manager, in FIPS mode, encrypted communications use TLSv1 with the same cipher suites.
   - In non-FIPS (default) mode, the protocol can be either TLSv1 or SSLv3, using the specified cipher suites.
3. **Connector Appliance**:
   - In FIPS mode, encrypted communications use TLSv1 with specific cipher suites similar to those used by ArcSight Manager and Logger.
   - In non-FIPS (default) mode, the protocol can be either TLSv1 or SSLv3, using the specified cipher suites.
4. **Third Party Devices**:
   - For encrypted communications with third party devices like Cisco IPS, Sourcefire, etc., in FIPS mode, TLSv1 is used with specific cipher suites similar to other components.
   - In non-FIPS (default) mode, the protocol can be either TLSv1 or SSLv3, using the specified cipher suites.
These summaries highlight the encryption protocols and supported cipher suites for different scenarios including FIPS compliance and default settings across various system components.
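The protocol matrix above can be turned into an audit check over observed connector sessions. The following is an added example, not code from the original note or from ArcSight; the inventory format, hostnames and the decision to treat the two named suites as the complete allow-list are assumptions made for illustration.

```python
# Added example: audit observed TLS sessions against the matrix on this page.
# Assumption: the two suites the page names are treated as the full allow-list.
ALLOWED_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}
ALLOWED_PROTOCOLS = {"fips": {"TLSv1"}, "default": {"TLSv1", "SSLv3"}}

# OpenSSL-based scanners and IANA use other names for the same two suites.
SUITE_ALIASES = {
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
PROTOCOL_ALIASES = {"TLSv1.0": "TLSv1", "SSL3": "SSLv3"}

# Constructed inventory (hypothetical format): destination mode protocol suite
SAMPLE = """\
# destination          mode     protocol suite
manager.example.test   fips     TLSv1    TLS_RSA_WITH_AES_128_CBC_SHA
logger.example.test    fips     SSLv3    DES-CBC3-SHA
connapp.example.test   default  SSLv3    DES-CBC3-SHA
ips.example.test       default  TLSv1    RC4-SHA
logger2.example.test   fips     TLSv1.0  AES128-SHA
"""


def audit(text):
    """Return (destination, reason) for every session outside the matrix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(fields) != 4:
            findings.append((f"line {lineno}", "malformed record"))
            continue
        dest, mode, protocol, suite = fields
        mode = mode.lower()
        if mode not in ALLOWED_PROTOCOLS:
            findings.append((dest, f"unknown mode {mode}"))
            continue
        protocol = PROTOCOL_ALIASES.get(protocol, protocol)
        suite = SUITE_ALIASES.get(suite, suite)
        if protocol not in ALLOWED_PROTOCOLS[mode]:
            findings.append((dest, f"{protocol} not allowed in {mode} mode"))
        if suite not in ALLOWED_SUITES:
            findings.append((dest, f"suite {suite} not in documented list"))
    return findings


if __name__ == "__main__":
    for dest, reason in audit(SAMPLE):
        print(f"{dest}: {reason}")
```

The alias tables matter in practice because JSSE reports the 3DES suite with an `SSL_` prefix while OpenSSL-based tools report `DES-CBC3-SHA`, so a naive string comparison would flag compliant sessions.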
This document discusses the encryption methods and security measures used in the ArcSight Connector, including TLS/SSL ciphersuites, password hashing, third-party device credentials, hash functions for data obfuscation and integrity checks, and compliance with FIPS mode or default settings.
This document outlines that commercial computer software, documentation, and technical data are licensed to the U.S. Government under a vendor's standard commercial license. It states that the information contained within may change without notice, and HP provides only express warranty statements for their products and services. The warranties do not extend beyond those stated, and HP cannot be held liable for errors or omissions in technical or editorial content. A complete statement of copyrights and acknowledgements can be accessed via a provided link: http://www.hpenterprisesecurity.com/copyright.
Additionally, the document cautions that any network information used in examples (such as IP addresses and hostnames) is for illustrative purposes only. Finally, it declares that this document is confidential and dated June 14, 2013.
