Chapter 4: Introducing the ASA 310-FIPS; HSM Overview - Avaya VPN Gateway User Manual

Chapter 4: Introducing the ASA 310-FIPS

This section provides information about the ASA 310-FIPS model, which comes installed with the HSM
(Hardware Security Module) card. The HSM card complies with all the security requirements specified by
the Federal Information Processing Standard (FIPS) 140-1, Level 3 standards. Each ASA 310-FIPS
device is equipped with two identical HSM cards.
Note:
When using the ASA 310-FIPS device in a cluster, remember that all AVG devices in the cluster must
be of the ASA 310-FIPS model.

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator, just like the ordinary
CryptoSwift card found on the regular ASA 410 model. In addition to cryptographic
acceleration, the HSM card brings extra security to sensitive operations and is designed to
withstand physical tampering.
• The HSM card provides a secure storage area for cryptographic key information. The
storage area is secured by a constantly monitored tamper detection circuit. If tampering
is detected, the battery backup power to memory circuits on the card is removed. Critical
security parameters, such as private keys that are in the storage area, will then be
destroyed and rendered useless to the intruder.
• Any sensitive information that is transferred between two HSM cards within the same ASA
310-FIPS, or between any number of HSM cards within a cluster of ASA 310-FIPS
devices, is encrypted using a shared secret (also known as a wrap key) stored on the
HSM card.
• Some user operations require a two-phase authentication, which involves using both
hardware tokens (called iKeys) and an associated password to provide an extra layer of
security. For example, if the ASA 310-FIPS is power cycled (as in the case
of theft), no SSL traffic is processed until the operator logs in to the HSM card using both
an iKey and the correct password.
• All cryptographic requests, such as generating private keys or performing encryption, are
automatically routed to the HSM card by the AVG application and performed on the HSM
card only.
User Guide
April 2013

This manual is also suitable for:

3050-vm, Avg 3050-vm, 3070-vm, Avg 3070-vm, 3090-vm, Avg 3090-vm