0

We have a partner that is requiring us to get an HSM for a web application that we host for them. This is something new for us; we've always installed our SSL certificates on our web servers and never needed a hardware device. We currently have 2 Cisco ASA 5510 firewalls in an active/standby configuration. Both ASAs have an ASA-SSM-10 security module installed in them.

The web application is a standard HTTPS webpage with no authentication required. I was wondering if we could use our Cisco ASAs to meet this requirement or if we'll have to buy another device. I was doing some searching and read about Cisco's clientless webvpn feature. It sounds like it might work, but I'm not sure. We basically want the ASA to handle the SSL and proxy the connection to our web servers. We do not want to prompt for a username or password to connect or show any portals, just display the web page.

If the ASA cannot do this, does anyone have any recommendations for network attached hardware security modules? We are using VMware vCenter, so we'd rather have an external device attached to the network, rather than buying HSM cards for every ESXi host.

Thanks,

Derek

2 Answers

1

The ASA won't do what you're after as far as I know. Typically I have installed the SSL cert on the web server itself.

If you can't do that it might be a better option to use Apache as a reverse proxy and have it present the HTTPS and certificate.

George
0

We need a little more detail as to why the customer is requesting an HSM. If they are just looking to reduce load on the web-server, you could take a look at the Cisco Application Control Engine product. It can provide SSL proxying as well as load balancing, and a host of other very powerful features.

Here is a link to get started with:

http://www.cisco.com/en/US/products/ps8361/index.html

If the customer is looking to meet PCI, Bank, or more complex regulatory or security requirements, things get a lot more complicated and expensive, and I'm afraid I don't have much insight in that space. Wikipedia has a high level overview of some of the purposes of an HSM (outside of simple SSL acceleration) and explains a few different software and hardware options.

http://en.wikipedia.org/wiki/Hardware_security_module

Jason Seemann
  • Thanks for those links. They require an HSM as part of their security policy. They may or may not be required to meet certain security requirements, that is something I need to find out. – Derek Ivey Mar 21 '11 at 04:57