Deployment guidelines
Follow the best practices described in this section when deploying the ProtectServer 3+ External in your network and application environment; they address both security and compliance.
Secure Messaging System (SMS)
ProtectServer 3 HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected. Clients access the stored keys through PKCS#11 calls. For a ProtectServer 3+ External, those calls traverse the network layer (TCP/IP), and in the default security mode the channel between the client and the HSM is unencrypted. Configure the HSM security policy to protect this channel. Refer to Security flags for descriptions of the available flags and how they affect your implementation.
The Secure Messaging System (SMS) enhances the security of the client-HSM channel. SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code (MAC) that is FIPS-approved. Refer to Secure messaging for a detailed description of SMS functionality.
Note
SMS encrypts and authenticates messages between the client and the HSM, and allows the client to authenticate the HSM's credentials.
The SMS security flag requires a valid ProtectServer Identity Key/Certificate on the HSM. See ProtectServer owner and identity certificates for details and procedures.
The SMS feature is flexible and can be configured to:
- Encrypt/decrypt all messages
- Sign/verify all messages
For maximum security, enable both features. Refer to Security flags for flag descriptions and setup instructions.
Note
Enabling FIPS Mode automatically enables SMS and blocks all mechanisms that are not FIPS-approved. If your application requires mechanisms that are not FIPS-approved, and you understand the implications of running outside FIPS Mode, leave FIPS Mode disabled.
Networking and firewall configuration
PTK authenticates the ProtectServer 3 HSM using its ProtectServer Identity Certificate (PIC). There is no means to authenticate the client to the HSM. It is therefore recommended that the HSM and the client are connected to the same secure network segment, so that sensitive data does not traverse insecure intermediate networks. Always verify that the received certificate matches the expected value (HSM serial number, date generated, and so on): pinning the certificate in this way protects the channel against man-in-the-middle attacks, and network isolation limits what an attacker on an intermediate network can reach. If possible, connect the HSM directly to the client using a crossover cable.
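The following is an added example of how a client can pin the PIC before trusting an HSM; it is not part of PTK or the appliance software. It assumes (none of this is stated on this page) that the PIC has been exported from the HSM to a PEM file, that the SHA-256 fingerprint was recorded out of band when the certificate was generated on the HSM, that the HSM serial number appears in the certificate subject, and that the openssl CLI is available on the client.

```shell
#!/bin/sh
# Added example of client-side PIC pinning; not ProtectServer/PTK code.
# Assumptions (not from the page): the PIC is in a PEM file, the expected
# SHA-256 fingerprint was recorded out of band when the HSM generated the
# certificate, the HSM serial number appears in the certificate subject,
# and the openssl CLI is installed on the client.

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons.
pic_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Subject DN of the certificate on one line.
pic_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Succeeds only if the certificate is still within its validity period.
pic_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# verify_pic FILE EXPECTED_SHA256 EXPECTED_HSM_SERIAL
# The fingerprint comparison is the binding check: it ties the received
# certificate to the one recorded when the HSM generated it. The serial and
# validity checks catch a pinned value that belongs to the wrong appliance or
# has gone stale. Exit status: 0 match, 1 mismatch, 2 unreadable input.
verify_pic() {
  file=$1
  want_fp=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  want_sn=$3
  [ -r "$file" ] || { echo "verify_pic: cannot read $file" >&2; return 2; }
  got_fp=$(pic_fingerprint "$file")
  [ -n "$got_fp" ] || { echo "verify_pic: not a parseable certificate" >&2; return 2; }
  if [ "$got_fp" != "$want_fp" ]; then
    echo "verify_pic: fingerprint mismatch: got $got_fp" >&2
    return 1
  fi
  case "$(pic_subject "$file")" in
    *"$want_sn"*) ;;
    *) echo "verify_pic: HSM serial $want_sn not in certificate subject" >&2; return 1 ;;
  esac
  pic_not_expired "$file" || { echo "verify_pic: certificate expired" >&2; return 1; }
  return 0
}

# Typical use on the client (paths and variables are hypothetical):
# verify_pic /etc/pki/pse/pic.pem "$PINNED_SHA256" "$HSM_SERIAL" || exit 1
```

Run the check from the client's startup or deployment script and refuse to open a PKCS#11 session if it fails; the fingerprint, not the subject text, is what binds the received certificate to the one you recorded.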
The ProtectServer 3+ External includes two network ports, each of which can be connected to a different network. It is highly recommended that you keep the management network and the network running your applications isolated from each other at all times. Further restrictions on communication between network segments can be enforced by means of static routes. See Network configuration for instructions on setting up static routes.
The ProtectServer 3+ External supports an iptables-based firewall. Configure it with rules that allow only the identified hosts and services on each network and deny everything else. See Network configuration for details on setting iptables.
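The following is an added example, not the appliance's own PSESH syntax, of the iptables ruleset that the appliance firewall should implement for the two-network layout described above; the rules themselves must be entered through the appliance's network configuration commands. The interface names, host addresses and port are assumptions made for the example: eth0 faces the application network and eth1 the management network, 10.10.1.20 is the only application host and 10.20.1.5 the only management host, and 1792/tcp is the ProtectServer client port (the PTK default; confirm it on your appliance).

```shell
#!/bin/sh
# Added example, not the appliance's own PSESH syntax: the iptables ruleset
# that the appliance firewall (configured through PSESH, see Network
# configuration) should implement for the two-network layout above.
# Assumed values (not from the page): eth0 = application network,
# eth1 = management network, 10.10.1.20 = the only application host,
# 10.20.1.5 = the only management host, 1792/tcp = ProtectServer client port.
APP_IF=eth0;  APP_HOST=10.10.1.20
MGMT_IF=eth1; MGMT_HOST=10.20.1.5
HSM_PORT=1792

# Emit the ruleset one rule per line: default-deny on INPUT and FORWARD, then
# only the two flows the deployment needs, each tied to both an ingress
# interface and a source host so neither network can reach the other service.
gen_rules() {
  cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $APP_IF -s $APP_HOST -p tcp --dport $HSM_PORT -j ACCEPT
-A INPUT -i $MGMT_IF -s $MGMT_HOST -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix pse-drop:
EOF
}

# Lint: read rules on stdin and succeed (exit 0) if any rule accepts the HSM
# port without pinning both an ingress interface and a source host, which is
# the weak setting this section warns against.
hsm_port_open_to_any() {
  grep -E -- "--dport $HSM_PORT .*-j ACCEPT" |
    grep -qvE -- "-i [A-Za-z0-9]+ -s [0-9./]+ "
}

# Apply the rules (root only). Refuses to apply a ruleset that fails the lint.
apply_rules() {
  if gen_rules | hsm_port_open_to_any; then
    echo "refusing to apply: HSM port reachable from an unrestricted source" >&2
    return 1
  fi
  gen_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word-splitting of $rule is intended
    iptables $rule || return 1
  done
}
```

Review the output of gen_rules before applying it: the only lines that should end in ACCEPT for the HSM port name both the application interface and the application host, and the management interface never carries the HSM port at all. The same ruleset shape applies to a host firewall on the client, with the roles reversed.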
Separation of roles
The ProtectServer 3+ External has two role categories: appliance users and HSM users. For optimal security, keep these roles and their credentials separate; do not share credentials between users, and do not share the appliance management, HSM administration, and user terminals.
Appliance users
The following roles can log on to the PSE shell (PSESH) to configure and manage the appliance:
- admin
- pseoperator
- audit
See Using PSESH for the responsibilities of each role.
HSM users
The following roles can log on to manage the HSM token and perform cryptographic operations:
- Administration Security Officer (ASO)
- Administrator
- Security Officer (SO)
- Token Owner (User)
See User roles for the responsibilities of each role.