
About SafeNet Network HSM

The SafeNet Network HSM is an Ethernet-attached HSM (Hardware Security Module) Server designed to protect critical cryptographic keys and to accelerate sensitive cryptographic operations across a wide range of security applications. SafeNet Network HSM includes many features that increase security, connectivity, and ease-of-administration in dedicated and shared security applications.

SafeNet Network HSM comes in one of two model families, according to the level of authentication and access control. Your SafeNet Network HSM was factory configured to operate as either:

- a Password Authenticated version, equivalent to FIPS 140-2 level 2, using passwords, only, for authentication and access control
- a PED (Trusted Path) Authenticated version, equivalent to FIPS 140-2 level 3, that requires SafeNet PED and PED Keys for authentication and access control.

Physical Features   

The standard appliance is the 1U-high, rack-mount device:

Here are some of the important physical features of the SafeNet Network HSM appliance.

Front View

First, the front; this illustration shows the appliance with its snap-on decorative bezel removed...

| Item | Name | Description |
|------|------|-------------|
| a | LCD system status screen | Shows IP info and scrolls through system status messages |
| b | Serial (console) port | Local connection for initial setup, and for admin account reset (local-only action for security reasons) |
| c | Ventilation-fan filter cover | Removable bracket allows cleaning of air filter |
| d | Fan filter cover retaining screw | A captive thumb-screw (no tool needed). |
| e | Mounts for removable front bezel | The decorative/protective front bezel mounts on the appliance front panel. Spring clips behind the bezel engage the mounting posts at the left and right ends of the appliance front panel. |
| f | Rack-mount tabs (removable) | Use these on the front, and the sliding tabs toward the rear, to support your SafeNet appliance in a compatible equipment rack |
| g | Securing screw for fan bay | Torx screw secures the fan bay; opening to swap fan modules triggers a tamper event on the appliance |
| h | USB port | Use to connect SafeNet Remote Backup HSM (for backup of your HSM partition contents), SafeNet USB HSM, or SafeNet DOCK 2 (for PKI and for migration of cryptographic material from older backup token HSMs); same as USB port on back panel |
| i | PED port | Attach SafeNet PED 2 (Pin Entry Device), which reads the hardware (iKey) authentication devices for Trusted Path (FIPS 140 level 3) access control |

Rear View

| Item | Name | Description |
|------|------|-------------|
| a | Kensington Security Slot | Attach an industry-standard locking cable for additional physical security. |
| b | Ethernet ports | For network connection of your SafeNet appliance. |
| c | Decommissioning button | Recessed for safety; renders HSM contents unusable. |
| d | Power supply release tab | Press tab to release the catch, and slide the power supply out. |
| e | Removable power supply | One of two redundant power supplies. |
| f | Second removable power supply | The other of two redundant power supplies. |
| g | Start/stop switch | Use to stop the system if the command-line shutdown is not available; use to restart the system if it has been switched off. |
| h | USB ports | Use to connect SafeNet Remote Backup HSM (for backup of your HSM partition contents), SafeNet USB HSM, or SafeNet DOCK 2 (for PKI and for migration of cryptographic material from older backup token HSMs); same as USB port on front panel. |
| i, j | Unused ports | These ports are not used for SafeNet Network HSM; we recommend that you do not remove the covers that were installed at the factory. |

FIPS and Common Criteria Validations and Certifications

At any given time, a FIPS-validated version is available (except for newly introduced products that have not had time to go through the year-long evaluation and validation process), and a newer not-yet-validated version might also be available. The usual practice is to ship units pre-loaded with the firmware and software at the FIPS-validated level by default, while providing the option to update the Client software, Appliance software, and HSM firmware to the newer version. This allows customers who need FIPS validation to have that configuration from the factory, and customers who need newer features (and do not need FIPS validation) to upgrade by simply installing the newer software and following the upgrade procedure.

To check the progress of HSM versions that are submitted for FIPS 140-2 validation, visit the NIST site at http://csrc.nist.gov/groups/STM/cmvp/validation.html.

Similarly, some versions of the product are submitted for Common Criteria EAL evaluation.

You can also check with SafeNet Sales or SafeNet Customer Support to inquire about the certification status of SafeNet HSM products. If FIPS validation or CC EAL certification are not requirements for you, then the newest version is normally the preferred option.

SafeNet HSM Cryptographic Engine

The SafeNet HSM's integrated SafeNet-Luna Cryptographic Engine is used to perform cryptographic operations and provide secure storage for sensitive cryptographic keys.

The SafeNet Cryptographic Engine enables the SafeNet Network HSM functionality by providing:

- secure cryptographic storage,
- cryptographic acceleration (up to 7000 1024-bit RSA signings per second),
- administrative access control and
- policy management.

The SafeNet Cryptographic Engine can also be used in conjunction with the optional Trusted Path Authentication feature to provide FIPS 140-2 Level 3 validated HSM operation. That option is factory-configured and not subject to change in the field.

The SafeNet Network HSM Appliance

HSMs, in general, are designed to provide dedicated cryptographic functionality, including key generation, key storage, and digital signing, on a one-to-one basis to their host applications. For example, a database server using an HSM would require one HSM, while a secure website using SSL on the same network would require a second, separate HSM. As the number of secure applications requiring an HSM grows, so does the number of ordinary HSMs deployed.

SafeNet Network HSM bypasses this limitation by implementing multiple virtual HSMs, or HSM Partitions, on a single HSM server. Partitions are accessed via a Network Trust Link.

The following block diagram is a conceptual overview of the SafeNet Network HSM Server depicting internal systems, communications, and interaction with application servers.  

SafeNet Network HSM operations encompass seven major elements. Some of these elements are optional configuration items, and might not be present in your system:

  1. Server(s) hosting your client applications that need to create, store, and use crypto objects on an HSM application partition.
  2. Network Trust Link. You can optionally use a Secure Trusted Channel (STC) link to add an extra layer of security for client-partition network links.
  3. PED (trusted path) authentication
  4. SafeNet K6 HSM Cryptographic Engine
  5. HSM Partitions
  6. Secure command line interface
  7. Secure backup HSM

(* The Secure Backup HSM, and SafeNet PED (Trusted Path Authentication and Access Control) are options that might not be included with your system.)