Forcepoint Web Security Server Communication

Forcepoint Web Security server to server

Encryption of communication between Forcepoint Web Security services (for example, Policy Broker communicating with Policy Server) is accomplished using TLS with the best negotiated encryption algorithm from the following list:

  • Policy Broker: TLSv1.2+ECDSA:AES256-SHA:DH-RSA-AES256-SHA:DHE-RSA-AES256-SHA
  • Policy Server: TLSv1.2+ECDSA:AES256-SHA256

The Policy Broker cipher list is applied in inter-component communications such as Policy Broker with Policy Server and Policy Broker with Forcepoint Security Manager.

The Policy Server cipher list is applied in inter-component communications such as Policy Server with Filtering Service and Policy Server with Forcepoint Security Manager.

This communication occurs using the Forcepoint C Cryptographic Module and the Forcepoint Java Cryptographic Module.
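
To see which concrete suites the two cipher lists above select, the following added example (not Forcepoint code) expands them with the OpenSSL build linked into the local Python interpreter. It assumes the strings use OpenSSL cipher-list syntax; the local build is not a Forcepoint cryptographic module, so the output shows what the strings mean, not what a given deployment negotiates.

```python
import ssl

# Cipher strings as listed on this page, assumed to be OpenSSL cipher-list syntax.
CIPHER_LISTS = {
    "Policy Broker": "TLSv1.2+ECDSA:AES256-SHA:DH-RSA-AES256-SHA:DHE-RSA-AES256-SHA",
    "Policy Server": "TLSv1.2+ECDSA:AES256-SHA256",
}


def expand(cipher_string):
    """Return the suites the string selects, in OpenSSL preference order.

    TLS 1.3 suites are configured separately in OpenSSL and are not
    controlled by this string, so they are filtered out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def unmatched_tokens(cipher_string):
    """Return the tokens that select no suite in the local OpenSSL build."""
    missing = []
    for token in cipher_string.split(":"):
        try:
            if not expand(token):
                missing.append(token)
        except ssl.SSLError:
            missing.append(token)
    return missing


def report():
    print(ssl.OPENSSL_VERSION)
    for component, cipher_string in CIPHER_LISTS.items():
        print(f"\n{component}: {cipher_string}")
        for c in expand(cipher_string):
            print(f"  {c['name']:<32} kx={str(c['kea']):<10} "
                  f"auth={str(c['auth']):<12} mac={c['digest']}")
        for token in unmatched_tokens(cipher_string):
            print(f"  (no local match for token {token})")


if __name__ == "__main__":
    report()
```

A token reported as having no local match is one the local OpenSSL build does not implement; OpenSSL skips such tokens silently when they appear inside a longer list.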

Component to customer infrastructure communication

Forcepoint Web Security uses neither the Forcepoint C Cryptographic Module nor the Forcepoint Java Cryptographic Module for encrypting communication between Forcepoint components and the customer infrastructure.

Communication with customer components such as a network integration, a SIEM solution, a Directory Service, Remote Access Dial-in User Service (RADIUS), or ICAP does not use FIPS 140-2 certified cryptographic libraries. A customer-maintained VPN tunnel between Forcepoint Web Security components and servers and customer infrastructure components should be considered.

By design, Decryption Port Mirroring (available when Content Gateway is deployed on an appliance) does not use FIPS 140-2 certified cryptographic libraries.

Forcepoint Web Security Server Storage

Forcepoint Web Security uses the Forcepoint Java Cryptographic Module for encrypting the data stored on the server.

The threat-related forensics data is stored on a disk and is encrypted in a forensics repository using AES-256 encryption. The corresponding threat data is stored in the SQL Server database.

A Forcepoint FIPS 140-2 certificate for Forcepoint Java Cryptographic Module version 3.0.1 is available.

The Policy Database, used to store configuration and policy data, is a PostgreSQL database. The Forcepoint deployment of PostgreSQL is not specifically configured to use FIPS certified libraries.