Hardware Security Module (HSM)

Why Use an HSM?

A Hardware Security Module (HSM) is a dedicated device that stores cryptographic keys and performs cryptographic operations with them, so that private keys never have to leave the device.

An HSM adds an extra layer of security to the network. It is designed to provide dedicated cryptographic functionality, with keys generated, stored, and used inside a tamper-resistant boundary.

When Check Point Security Gateway uses an HSM, the HSM holds these objects for outbound HTTPS Inspection:

  1. The Certificate Authority (CA) certificate (the certificate buffer and the key pair).

    The administrator creates the CA certificate and the key pair before configuring the Security Gateway to work with an HSM.

  2. Two to three RSA key pairs for fake certificates.

    These keys are created during the initialization of the HTTPS Inspection daemon on the Security Gateway, with a key length of 1024, 2048, or 4096 bits.
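The two object types listed above map directly onto the signing operations the gateway asks the HSM to perform. The following Go program is an added illustration, not Check Point or HSM-vendor code: it simulates the HSM boundary in-process with a type that exposes only Go's standard crypto.Signer interface (a real deployment would back that interface with the vendor's PKCS#11 module), holds the CA key pair as object 1 and a small pool of RSA key pairs for fake certificates as object 2, issues a CA-signed certificate for a host and verifies it the way an internal client that trusts the CA would. All names (hsmSlot, InspectionCA, the CA common name, the example hostnames) are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmSlot stands in for a key object on an HSM. The private key is an unexported
// field and the only operation the gateway can reach is Sign (crypto.Signer),
// which mirrors how a PKCS#11-backed key is used: sign inside, never export.
// Hypothetical simulation type, not a real vendor API.
type hsmSlot struct {
	priv *rsa.PrivateKey
}

func (s *hsmSlot) Public() crypto.PublicKey { return &s.priv.PublicKey }

func (s *hsmSlot) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.priv.Sign(r, digest, opts)
}

// newSlot generates an RSA key pair inside the simulated HSM.
// bits is one of the lengths named in the text: 1024, 2048 or 4096.
func newSlot(bits int) (*hsmSlot, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &hsmSlot{priv: k}, nil
}

// InspectionCA holds the objects the text says live on the HSM for outbound
// HTTPS Inspection: the CA certificate with its key pair, and a pool of
// key pairs that are reused round-robin for the fake server certificates.
type InspectionCA struct {
	caCert *x509.Certificate
	caSlot *hsmSlot   // object 1: CA key pair
	pool   []*hsmSlot // object 2: two to three RSA key pairs for fake certificates
	next   int
	serial int64
}

// NewInspectionCA creates a self-signed CA on the simulated HSM and pre-generates
// poolSize leaf key pairs, the step the text attributes to daemon initialization.
func NewInspectionCA(bits, poolSize int) (*InspectionCA, error) {
	if poolSize < 1 {
		return nil, fmt.Errorf("pool must hold at least one key pair")
	}
	caSlot, err := newSlot(bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example HTTPS Inspection CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// The CA private key never appears here: CreateCertificate only calls caSlot.Sign.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caSlot.Public(), caSlot)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := make([]*hsmSlot, 0, poolSize)
	for i := 0; i < poolSize; i++ {
		s, err := newSlot(bits)
		if err != nil {
			return nil, err
		}
		pool = append(pool, s)
	}
	return &InspectionCA{caCert: caCert, caSlot: caSlot, pool: pool, serial: 1}, nil
}

// IssueFakeCert signs a short-lived server certificate for host with the CA key on
// the HSM, using the next pool key pair as the certificate's public key.
func (c *InspectionCA) IssueFakeCert(host string) ([]byte, error) {
	slot := c.pool[c.next%len(c.pool)]
	c.next++
	c.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.caCert, slot.Public(), c.caSlot)
}

// VerifyFakeCert performs the check an internal client does when it has the
// inspection CA in its trust store: chain to the CA and match the hostname.
func (c *InspectionCA) VerifyFakeCert(der []byte, host string) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SameKey reports whether two DER certificates carry the same RSA public key,
// which shows the pool key pairs being reused across fake certificates.
func SameKey(derA, derB []byte) (bool, error) {
	a, err := x509.ParseCertificate(derA)
	if err != nil {
		return false, err
	}
	b, err := x509.ParseCertificate(derB)
	if err != nil {
		return false, err
	}
	ka, okA := a.PublicKey.(*rsa.PublicKey)
	kb, okB := b.PublicKey.(*rsa.PublicKey)
	if !okA || !okB {
		return false, fmt.Errorf("expected RSA public keys")
	}
	return ka.N.Cmp(kb.N) == 0, nil
}

func main() {
	ca, err := NewInspectionCA(2048, 2)
	if err != nil {
		panic(err)
	}
	der, err := ca.IssueFakeCert("www.example.com") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Println("client verification:", ca.VerifyFakeCert(der, "www.example.com"))
}
```

With a pool of two key pairs, the first and third certificates issued share a public key while the first and second do not; that reuse is why the pool size and key length (1024, 2048 or 4096 bits) chosen at daemon initialization matter, and why the gateway's ability to sign depends on the HSM being reachable for every new fake certificate.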

You can use these HSM solutions to work with the Check Point Security Gateway:

Note - For other HSM vendors that use the PKCS#11 API, contact the Check Point Solution Center through a local Check Point office.

The Check Point Environment with an HSM

Item - Description

  1. Internal computers that connect to HTTPS web sites through the Check Point Security Gateway.

  2. Check Point Security Gateway with HTTPS Inspection enabled.

  3. HTTPS web sites on the Internet.

  4. Check Point Security Management Server that manages the Check Point Security Gateway.

  5. Interconnecting network.

  6. HSM Server that stores and serves the SSL keys and certificates to the Check Point Security Gateway.

  7. HSM Client workstation used to create a Certificate Authority (CA) certificate on the HSM Server.

Note - Check Point Security Gateway uses the HSM Server only for outbound HTTPS Inspection.