Deployment Guidelines
Users must consider the following best practices for security and compliance when deploying SafeNet ProtectServer Network HSMs in their network/application environment:
>Secure Messaging System (SMS)
>Networking and Firewall Configuration
>Separation of Roles
Secure Messaging System (SMS)
SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected. The stored keys are accessed through PKCS#11 calls from the client. Client calls to a Network HSM traverse the network layer (TCP/IP). In the default security mode, this communication channel between the HSM and the client is unencrypted. Configure the HSM security policy to improve this channel's security. Refer to Security Flags in the PTK-C Administration Guide for descriptions of the available flags and how they affect your implementation.
The Secure Messaging System (SMS) greatly enhances the security of the client-HSM channel. SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code (MAC) approved by the FIPS 140-2 standard. Refer to Secure Messaging in the PTK-C Administration Guide for a detailed description of SMS functionality.
NOTE SMS encrypts and authenticates messages between the client and HSM, but it does not provide a means for the HSM to authenticate the client, or for the client to authenticate the HSM.
The HSM supports the following SMS modes:
>HIMK
>ADH
>ADH2 (PTK 5.4 and above)
For secure deployment, use ADH or ADH2. Refer to Secure Messaging in the PTK-C Administration Guide for descriptions of the difference between these modes.
The SMS feature is flexible and can be configured to:
>Encrypt/decrypt all messages
>Sign/verify all messages
>Allow only FIPS-approved mechanisms
>Rotate signing and encryption keys after a specified number of packets or hours
>All of the above
For maximum security, enable all of the above features. See Security Flags in the PTK-C Administration Guide for flag descriptions and setup instructions.
NOTE Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are using unapproved mechanisms and understand the implications, do not enable FIPS mode.
Networking and Firewall Configuration
There is no means to authenticate the client to the HSM or vice-versa. It is therefore recommended that the HSM and client are connected to the same secure network segment, so that sensitive data never travels through insecure intermediate networks. This configuration prevents Man-in-the-Middle and other malicious attacks on the channel. If possible, connect the HSM directly to the client using a crossover cable.
The SafeNet ProtectServer Network HSM includes two network ports, each of which can be connected to a different network. It is highly recommended that you keep the management network and the network running your applications isolated from each other at all times. Further restrictions on communication between network segments can be enforced by means of static routes. See Network Configuration for instructions on setting up static routes.
The SafeNet ProtectServer Network HSM supports an iptables-based firewall. The firewall must be configured with rules that restrict access to the identified network resources only, and deny everything else. See Network Configuration for details on configuring iptables rules.
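The following is an added example, not part of this guide or of Thales's appliance software, showing the shape of a default-deny rule set that applies the two recommendations above: the application network may reach only the HSM service port on the application interface, and the management network may reach only SSH on the management interface. Everything else is logged and dropped. The interface names (eth0/eth1), the subnets, and the HSM service port (12396 is assumed here as the default; confirm it against your appliance documentation) are placeholders. On the appliance itself the rules are entered through PSESH as described in Network Configuration; the plain iptables form below is used for illustration and for the accompanying check function, which rejects a rule set that lacks a default-deny INPUT policy or that accepts the HSM port from any source.

```shell
#!/bin/sh
# Added example: generate and sanity-check a default-deny firewall policy for
# a ProtectServer Network HSM appliance. All values below are constructed
# placeholders for illustration, not values taken from the guide.

HSM_PORT=12396          # assumed default client service port; verify locally
APP_IF=eth0             # placeholder: interface on the application network
MGMT_IF=eth1            # placeholder: interface on the management network

# hsm_firewall_rules APP_SUBNET MGMT_SUBNET HSM_PORT
# Emits an iptables rule list: default-deny on INPUT/FORWARD, allow loopback
# and established traffic, then exactly two narrow ACCEPT rules, then log.
hsm_firewall_rules() {
  app_net="$1"; mgmt_net="$2"; hsm_port="$3"
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $APP_IF -s $app_net -p tcp --dport $hsm_port -j ACCEPT
iptables -A INPUT -i $MGMT_IF -s $mgmt_net -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "hsm-fw-drop: "
EOF
}

# check_hsm_rules RULES_TEXT HSM_PORT
# Returns 0 when the rule text has a default-deny INPUT policy and every
# ACCEPT for the HSM port names a source subnet (-s); returns 1 otherwise.
check_hsm_rules() {
  rules="$1"; hsm_port="$2"
  printf '%s\n' "$rules" | grep -q -- '-P INPUT DROP' || return 1
  # Any ACCEPT on the HSM port without a "-s" source restriction is a failure.
  if printf '%s\n' "$rules" | grep -- "--dport $hsm_port" | grep -- '-j ACCEPT' \
       | grep -v -- '-s ' | grep -q .; then
    return 1
  fi
  return 0
}

# Usage with constructed placeholder subnets: print the rules and verify them.
RULES="$(hsm_firewall_rules 10.10.1.0/24 10.10.9.0/24 "$HSM_PORT")"
printf '%s\n' "$RULES"
if check_hsm_rules "$RULES" "$HSM_PORT"; then
  echo "rule set OK: default-deny with source-restricted HSM access"
else
  echo "rule set REJECTED" >&2
fi
```

The check is deliberately narrow: it only catches the two mistakes that undo the guideline (an ACCEPT default policy, or an HSM-port rule open to any source), so it can be run against a rule export before the rules are applied to the appliance.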
Separation of Roles
The SafeNet ProtectServer Network HSM has two role categories: Appliance users and HSM users. For optimal security, maintain these roles and their credentials separately; do not share credentials between users. Do not share the appliance management, HSM Administration, and User terminals.
Appliance Users
The following roles can log in to the PSE shell (PSESH) to configure and manage the appliance:
>admin
>pseoperator
>audit
See Using PSESH in the PSESH Command Reference Guide for the responsibilities of each role.
HSM Users
The following roles can log in to manage the HSM token and perform cryptographic operations:
>Administration Security Officer (ASO)
>Administrator
>Security Officer (SO)
>Token Owner (User)
See User Roles in the PTK-C Administration Guide for the responsibilities of each role.