Components of a Hardware Security Module Solution

HSM Agent

The HSM Agent runs as a daemon within the Secure Web Gateway appliance system. This agent enables the handling of the Hardware Security Module.

Depending on the solution that is implemented, the agent addresses the component that provides the module functions, for example, a module card or a remote server.

The agent provides a command line interface for performing activities on the module, such as generating, storing, or unlocking keys.

Module card

A module card can be installed as a hardware component on a Secure Web Gateway appliance to provide the functions of a Hardware Security Module.

The module card that is available for use with Secure Web Gateway is the nShield Solo HSM card. It is provided by a Skyhigh Security partner (Entrust).

When the module card is installed, you can access it by logging on to the appliance from a system console.

For more information, see the documentation of the Skyhigh Security partner (Entrust).

Appliance

The functions of a Hardware Security Module can be provided on a Secure Web Gateway appliance using an additional appliance. The appliance that is used within this solution is the nShield Connect appliance. It is provided by a Skyhigh Security partner (Entrust).

For more information, see the documentation of the Skyhigh Security partner (Entrust).

Remote server

The functions of a Hardware Security Module can be provided on a Secure Web Gateway appliance using a remote server. The remote server that is used within this solution is the Luna Network HSM server. It is provided by a Skyhigh Security partner (Thales).

When the remote server has been set up and connected to the appliance, you can access the module by logging on to the appliance from a system console.

For more information, see the documentation of the Skyhigh Security partner (Thales).

Emulation

An emulation can be run on Secure Web Gateway, which provides the functions of a Hardware Security Module using OpenSSL.

As this solution does not include a module card, additional appliance, or remote server for storing private keys, you must store these keys manually in a directory of the Secure Web Gateway appliance system.

This solution is not considered as secure as the module card solution. When implemented on a standalone Secure Web Gateway appliance, however, it compares to the remote server solution with regard to security. An emulation is preferably used for demos, tests, and training.

Client-server model for multiple appliances

When multiple Secure Web Gateway appliances are part of an HSM solution, they can be configured to follow the client-server model.

This means, for example, that you need not install a module card on every Secure Web Gateway appliance in your network to use the functions of a Hardware Security Module. Appliances that have no HSM solution of their own implemented can connect to an appliance with this solution to use its functions.

The appliance that has an HSM solution implemented then takes the server role towards the other appliances, which connect to it as clients.

The client-server model can be configured for Secure Web Gateway appliances regardless of the particular solution (module card, appliance, remote server, or emulation) that is implemented on one of them.

Secure Web Gateway as client of a remote server (Thales)

When the HSM solution on a Secure Web Gateway appliance uses the remote server that is provided by a Skyhigh Security partner (Thales), the client-server model also applies. The Secure Web Gateway  appliance then connects as client to the remote server.

When a Secure Web Gateway appliance has the HSM solution implemented that uses a remote server (Thales) and other appliances connect to it to use the functions of this solution, this Secure Web Gateway appliance takes both the roles of a client and a server.

The appliance then acts as a client towards the remote server (Thales) and as a server towards the other appliances.