
I've never had to place an HSM on a network before so I want to ask this question to get a consensus on best practice for this.

The HSM will reside on an internal network which will look like this:

internet <-> boundary firewall <-> DMZ <-> inside FW <-> IPS <-> internal network

The inside firewall will also have a secondary connection to our corporate WAN and the internal network will be used for Dev/Pre-Prod etc.

Obviously I will be segmenting the internal network into different confidentiality/security levels, therefore the HSM will reside in its own subnet. Would it be best to place a further FW at the ingress/egress point of the subnet for the HSM? Should I have an IPS?

Any pointers from someone who has implemented an HSM on a network would be appreciated.

Cheers

gkw1975
  • An HSM gets used for a specific task within a specific attack scenario. Also, since nothing is 100% secure some risk still remains and the question is what is acceptable. All of this is relevant in planning how to protect the HSM, and all of this information is missing. Therefore I consider this too broad. Also, there are no "FW" or "IPS". There are specific implementations/products with a specific configuration, and both are relevant for the security they offer. – Steffen Ullrich Aug 15 '17 at 11:13
  • I got the answer from Sas3 - cheers – gkw1975 Aug 16 '17 at 12:29

1 Answer


As Steffen mentioned, an HSM is a very special purpose device. It is usually not placed for "convenience of access for most systems".

In fact, when you first deploy an HSM, there is usually just one system that needs access to the HSM - and it is usually the system that performs your IDAM roles. In many cases, it remains the only system that needs the HSM for a long time.

Therefore, I always recommend that the IDAM server (or whichever system needs access to HSM) use a dedicated network adapter to connect to the HSM - making it a private segment of the network with a dedicated switch.

---IDAM-NIC-1-app-access----[IDAM Server]---IDAM-NIC-2-private----[HSM]

You could connect more servers on this switch when the need arises.

I'm not sure what applications might need a more "general purpose access" to the HSM, but if/when you do need that, you could connect it to a separate protected network/segment on your firewall (most firewalls these days support multiple NICs/segments/zones) and put in place relevant security policies.

Sas3
    Many thanks Sas3. We can't connect it directly to the IDAM Server, but we can definitely connect it to the firewall and create a separate protected subnet. Cheers – gkw1975 Aug 15 '17 at 12:22
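The "separate protected segment on your firewall" option from the answer, which the asker settled on, comes down to an explicit allow list: only the IDAM server may open connections to the HSM's client port, the HSM itself may not initiate anything, and everything else touching the segment is logged and dropped. The following is an added example, not code from the original answer or from any HSM vendor. It models that policy and renders it as an nftables forward chain; the addresses (10.50.9.0/28 for the HSM segment, 10.50.9.10 for the HSM, 10.50.1.20 for the IDAM server), the port 1792 and the use of nftables as the firewall are all assumptions for illustration. Take the real client port from your vendor's documentation.

```python
"""Added example (not from the original answer): explicit allow-list policy for an
HSM segment behind a firewall zone, evaluated in Python and rendered as nftables.
All addresses and the port below are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed addressing for illustration only.
HSM_SUBNET = ipaddress.ip_network("10.50.9.0/28")
HSM_ADDR = ipaddress.ip_address("10.50.9.10")
IDAM_SERVER = ipaddress.ip_address("10.50.1.20")
HSM_CLIENT_PORT = 1792  # assumed HSM client TCP port; use the value from the vendor docs


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    dport: int
    action: str  # "accept" or "drop"


def build_hsm_policy(clients: List[str], hsm_addr=HSM_ADDR, port: int = HSM_CLIENT_PORT) -> List[Rule]:
    """One explicit accept per authorised client host to the HSM service port.
    Anything not listed is dropped, both by evaluate() and by the rendered ruleset."""
    dst = ipaddress.ip_network(f"{hsm_addr}/32")
    return [
        Rule(ipaddress.ip_network(f"{c}/32"), dst, "tcp", port, "accept")
        for c in clients
    ]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of a NEW connection attempt.  Mirrors the rendered
    chain: reply packets are handled there by conntrack, so only the initiating
    direction is modelled here.  Default is drop in both directions, so the HSM
    cannot open outbound connections either."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return r.action
    return "drop"


def render_nftables(rules: List[Rule], hsm_subnet=HSM_SUBNET) -> str:
    """Render the policy as an nftables forward chain with a default drop policy,
    explicit accepts for the listed clients, and logged drops for everything
    else to or from the HSM segment (including HSM-initiated egress)."""
    lines = [
        "table inet hsm_zone {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"        ip saddr {r.src.network_address} ip daddr {r.dst.network_address} "
            f"{r.proto} dport {r.dport} ct state new {r.action}"
        )
    lines += [
        f'        ip daddr {hsm_subnet} log prefix "hsm-zone-drop " drop',
        f'        ip saddr {hsm_subnet} log prefix "hsm-egress-drop " drop',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = build_hsm_policy([str(IDAM_SERVER)])
    print(render_nftables(policy))
    # A dev host in the internal network trying the HSM port is dropped.
    print(evaluate(policy, "10.50.3.7", str(HSM_ADDR), "tcp", HSM_CLIENT_PORT))
```

The two trailing log rules are what make the segment auditable: any host in the Dev/Pre-Prod ranges probing the HSM, and any unexpected connection the HSM tries to make outbound, shows up in the firewall log rather than silently disappearing under the default policy. Adding a second client later is a matter of adding its address to the list passed to build_hsm_policy, which is the same growth path the answer describes for the dedicated-switch layout.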