Forum Discussion

LuisPuma_134788
Oct 01, 2013

F5 ADC+GTM already deployed, but need HSM

Hello all,

I am really in trouble. Please help me; I'll appreciate it.

I have already deployed a BIG-IP 4000s ADC+GTM to get inbound/outbound load balancing and SSL VPN functionality. But the regulatory law "forces" me to fulfill the FIPS 140-2 standard. My boss does not want to buy a Thales HSM even though I told him that there is an alliance between F5 and Thales. He says that I have to find a solution with F5 appliances in order to avoid trouble with hardware/software incompatibilities while preserving the current (4000s) appliance. So, I am thinking of a 6900 appliance to be deployed behind the 4000s. The link http://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf says that 6900 appliances support FIPS. In such a case, do I need to get an LTM license to deploy the 6900 appliance? What about getting an ASM license (I also need a WAF) instead of an LTM one, since I already have LTM on the 4000s? Is such a configuration possible? If so, which one will perform SSL offload? It is supposed that LTM on the 4000s will continue doing that, but I need to store the certificate/key pairs in the HSM of the 6900.

After all this huge paragraph, does F5 have additional hardware to be installed as an HSM on the 4000s?

Thank you so much for your help.

Regards

Luis

 

4 Replies

  • The platform must be purchased with the hardware security module. It's part of the system hardware and cannot be upgraded after the fact. The FIPS HSM is also platform-specific, not module-specific. Further, because the FIPS HSM is managing the private keys used in SSL negotiations, this device should be in front of any other devices - it needs to be the one to terminate the SSL.

  • Hi Kevin,

    Thanks for your answer. So, what could you suggest? Is buying a Thales HSM the only solution for this environment?

    Regards

    Luis

  • Luis,

    I've been through a discovery with Thales recently regarding this very topic. One factor that Thales brings is the ability to use the HSM with other systems on the network, i.e. Oracle products, as well as pretty much anything you can write plugins for. It's worth talking to their sales staff in my opinion.

    The combined solution should meet your regulatory requirements.

  • If you need FIPS, then your options are purchasing an F5 platform that supports internal HSMs (6900, 8900, etc.), or purchasing a network HSM that can work with any platform that can at least run TMOS v11.2.1. The NetHSM option is obviously the cheaper method, but it comes at the price of significantly lower throughput than internal HSMs.