Network Attached HSMs on Each CA

With the introduction of network-attached HSMs, it is now possible for an organization to deploy a single HSM for the entire network or at each location that hosts CA computers, sharing the HSM among multiple CAs. One possible deployment scenario is to connect the HSM to a corporate network. (See Figure 7-7.)

Figure 7-7 Implementing a network-attached HSM for all CAs in the hierarchy

When you implement a network-attached HSM for all CAs in the CA hierarchy, the HSM and all of the CAs in the hierarchy are connected to the corporate network.

The obvious advantage of implementing a single network-attached HSM is that you reduce the hardware costs associated with HSMs. You are able to deploy a single HSM for all CAs in the hierarchy, subject to the licensing requirements of the HSM vendor. The disadvantage is that you must connect the offline CA computers to the corporate network when they have to connect to the HSM.

Some companies choose to temporarily disconnect the HSM from the corporate network and connect the offline CA computer directly to the HSM with a crossover cable. While connecting the HSM directly to the offline CA secures communications with the HSM for the duration, it also prevents the online CA computers from communicating with the HSM, blocking access to the online CAs' private keys.

To prevent loss of communications to an online CA when accessing the HSM from an offline CA, you can deploy the network-attached HSM on a private network rather than the corporate network. (See Figure 7-8.)

Figure 7-8 Implementing the network-attached HSM on a private network

Note The CAs do not have to be on the same subnet as the HSM. As long as packets are able to pass freely between the CAs and the HSM and through any routers or firewalls in between, connectivity can take place between multiple network segments.

When you implement a network-attached HSM on a private network, the network-attached HSM, offline CAs, and online CAs have connectivity on a dedicated private network. To allow communications with the corporate network, the issuing CA is dual-homed with network connectivity to both the private network and the corporate network.

The advantage of this configuration is that communication with the HSM is only possible by computers on the private network. When access to an offline CA computer is required, the offline CA computer can be connected to the private network without fear of network-based attacks from the corporate network.

Note Additional security measures are required at the issuing CA to prevent attacks from the corporate network. The online CAs must prevent IP routing to stop attackers from routing packets to the private network through the online CAs. In addition, your organization can choose to prevent remote desktop connectivity to the offline CAs from the online CA computer. This can be accomplished through either Group Policy configuration or Internet Protocol Security (IPSec) filters that prevent connectivity on all ports from the online CAs to the offline CAs.
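The two measures in the note above, applied on the dual-homed issuing CA, as an added example that is not from the book: disable IP forwarding between the corporate and private NICs, block all outbound traffic from the issuing CA to the offline CAs, and verify both. It assumes Windows Server 2012 or later and uses a Windows Firewall block rule in place of the IPsec filters the text mentions; the 10.10.10.x addresses are constructed placeholders.

```powershell
# Added example (not from the book): hardening checks for a dual-homed issuing CA.
# Assumptions (constructed): the offline CAs on the private HSM network sit at
# 10.10.10.11 and 10.10.10.12. Run in an elevated session on the issuing CA.

$OfflineCAs = @('10.10.10.11', '10.10.10.12')   # constructed sample addresses
$RuleName   = 'Block issuing CA to offline CAs (all ports)'

function Disable-CaIpForwarding {
    # IP routing between the corporate NIC and the private HSM NIC must be off,
    # otherwise the issuing CA becomes a router into the private network.
    # Disable forwarding on every interface (IPv4 and IPv6) and clear the global flag.
    Get-NetIPInterface | Where-Object Forwarding -eq 'Enabled' |
        Set-NetIPInterface -Forwarding Disabled
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        -Name 'IPEnableRouter' -Value 0 -Type DWord
}

function Block-OfflineCaAccess {
    # The book suggests IPsec filters; a host firewall block rule gives the same
    # "all ports from the online CA to the offline CAs" effect and is used here.
    # Protocol defaults to Any, so no -Protocol argument is needed.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -RemoteAddress $OfflineCAs -Profile Any | Out-Null
    }
}

function Test-IssuingCaIsolation {
    # Returns $true only when no interface forwards, the registry flag is not 1,
    # and the outbound block rule exists, is enabled and still blocks.
    # Suitable for a scheduled compliance check on the issuing CA.
    $noForwarding = @(Get-NetIPInterface | Where-Object Forwarding -eq 'Enabled').Count -eq 0
    $routerOff = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').IPEnableRouter -ne 1
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $blocked = ($null -ne $rule) -and ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block')
    return [bool]($noForwarding -and $routerOff -and $blocked)
}

Disable-CaIpForwarding
Block-OfflineCaAccess
"Issuing CA isolation in place: $(Test-IssuingCaIsolation)"
```

Run Test-IssuingCaIsolation on its own from a scheduled task to detect drift, since a later Group Policy or NIC change can silently re-enable forwarding.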

Another advantage of implementing a private network for the network-attached HSM is that all traffic between the CAs and the HSM is confined to the private network, which is what makes attaching the offline CAs to a network acceptable. A private network also lets you change the corporate network IP addressing scheme with few configuration changes to the CAs and the HSM, because the addresses used to connect the CAs to the HSM belong to the private network and do not change. The only drawback is that the organization's security policy must be modified to permit network connectivity for offline CAs.
