Thales nShield Connect, part of the nCipher product line, is a network-attached, general-purpose hardware security module (HSM) that protects up to 100 clients by safeguarding their encryption and digital signing keys and processing sensitive data on the trusted appliance.
nShield Connect enables enterprises to add hardware protection to critical applications such as public key infrastructures (PKIs), databases, web and application servers. Using standard cryptographic interfaces, nShield Connect integrates readily with Microsoft Certificate Services (PKI), Entrust Authority Security Manager, RSA Certificate Manager, Oracle Database, Microsoft SQL Server, and many other applications. Its unique dual, hot-swap power supplies and redundant, field-replaceable fans make nShield Connect fault tolerant. Providing high availability, scalability and remote management, it enables organizations to build reliable, future-proof cryptographic services.
Its security boundary is validated for FIPS 140-2 Level 3 and Common Criteria EAL4+.
nShield Connect replaces netHSM, the previous model of network-attached HSMs from the nCipher product line.
BENEFITS:
- Enhances security for critical applications
- Reduces cost of compliance
- Simplifies encryption and signing key management
- CodeSafe option enables secure execution of custom applications within the security boundary to protect data in use
- Helps ensure business continuity and minimize downtime with unique dual, hot-swap power supplies and redundant, field-serviceable fans
- Compatible with nShield Solo and netHSM
- Offers exceptional scalability with unsurpassed performance for up to 100 clients
- Delivers FIPS and Common Criteria
FEATURES:
Hardware security for applications
nShield Connect features tamper-responsive, rack-mountable hardware, which generates application keys in an independently certified, secure hardware boundary. The CodeSafe option enables secure execution of custom applications within the security boundary to protect data in use against insider and Trojan attacks.
High availability features to ensure business continuity
Designed for business continuity, nShield Connect is the world’s only general-purpose HSM with dual, hot-swap power supplies. This enables organizations to connect the HSM to two power sources, safeguarding against the possibility of a blackout of one source. The power supplies can be replaced one at a time without having to power down the unit, in other words without incurring downtime. Because the power supplies are field-replaceable, operators can replace them on site rather than sending them to a service center.
nShield Connect features redundant fans. Should one of the fans fail, the remaining fans still provide enough cooling for the appliance. The fan tray can be replaced on-site during scheduled maintenance hours, minimizing impact on the business and without having to send the unit to a service center. To further increase availability, several HSMs can be clustered and load balanced. SNMP support enables remote monitoring of power supplies, temperature, fan speeds, and other parameters.
Remote management reduces costs
In situations where nShield Solo or nShield Connect HSMs are deployed at a remote site or in a lights-out data center, Remote Operator can be used with an nShield Solo card in the operator's machine to remotely provide credentials. This accelerates security administration and reduces travel costs.
Security World management lowers TCO
The Security World management software centrally manages nShield Connect, nShield Solo and netHSM to reduce setup and administration time. Security World securely supports remote operation of HSMs in lights-out data centers, disaster recovery even for total hardware replacements, and key sharing across HSMs and geographies. Keys and meta information can be automatically backed up without requiring additional hardware as the system, reducing the total cost of operations.
The operational and cost advantages of Security World become apparent when contrasting it with the approach of legacy HSMs which are still widely used:
| Legacy HSM approach | Thales Security World |
Premium performance avoids bottlenecks
To provide services for up to 100 clients, nShield Connect offers hardware acceleration for cryptographic operations, making it the world’s fastest network-attached HSM with up to 6,000 signing transactions per second (TPS) with 1,024-bit RSA keys. Using 2,048-bit RSA keys, which the National Institute of Standards and Technology (NIST) recommends from 2010, nShield Connect excels at up to 3,000 TPS. Web servers, such as Microsoft IIS and Apache, can increase SSL throughput by off-loading handshake operations to the HSM. Two Gigabit Ethernet ports enable the HSM to service two network segments.
Elliptic curve cryptography is becoming increasingly popular. nShield Connect modules can process elliptic curves inside the HSM, which requires the Elliptic Curve (ECC) Activation.
Readily integrates with third-party applications
nShield Connect integrates with applications through standard interfaces including PKCS#11, Java Cryptography Extension (JCE), Microsoft CAPI and CNG.
nShield Connect is compatible with other nShield Solo and netHSM modules and can be upgraded to support additional features using various option packs. nShield Connect supports a broad range of operating systems, including Windows 2008 R2/2008/2003/Vista/XP, Linux, Solaris, AIX and HP-UX. nShield Connect also supports these operating systems on virtual servers.
nToken delivers hardware HSM client authentication
For organizations that wish to enhance security for their HSM clients, nTokens are PCI or PCI Express cards that enable strong authentication for nShield Connect clients, ensuring that servers cannot be impersonated.
CodeSafe protects data in hostile environments
All HSMs can protect key material against breaches, but most cannot actually protect your valuable data while it is in use. Data breaches have shown that Trojans or rogue administrators still have access to sensitive information on the host system after it has been decrypted by the HSM. The Thales CodeSafe technology enables you to process sensitive information inside the HSM so that it is never exposed on the host system. This enables you to run critical processes in hostile environments, for example:
- Where facilities cannot be physically secured
- Where you need to protect against rogue individuals with access to the host system
- Where host systems may be hacked or become infected by Trojans
Cryptography and compliance
nShield Connect supports a broad range of public-key and symmetric algorithms, including a full Suite B implementation with optional, fully licensed elliptic curve cryptography (ECC). nShield Connect's security boundary is validated to FIPS 140-2 Level 3 and Common Criteria EAL 4+. Following security best practice and to enable compliance, it separates administrative and operational duties with two-factor authentication and dual control. These operator groups can segregate access to keys by application, role, division, or geography.
Integrated services
Thales offers professional services to ensure a best practice implementation of Thales HSMs. Organizations can benefit from developer support to integrate Thales HSMs with custom applications or to develop custom applications to be executed on the HSM to process sensitive data.
SPECIFICATIONS:
Model overview
nShield Connect is available in several different variants:
| Part Code | Model | Power Supplies | Bundled # Client Licenses | Max # Client Licenses | Front Panel |
| NH2033 | nShield Connect 500; F3; SEE Ready (no nTokens) | 2 | 3 | 10 | Black |
| BN2033 | nShield Connect 500; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 10 | Black |
| BN2033-E | nShield Connect 500; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 10 | Black |
| NH2040 | nShield Connect 1500; F3; SEE Ready (no nTokens) | 2 | 3 | 20 | Black |
| BN2040 | nShield Connect 1500; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 20 | Black |
| BN2040-E | nShield Connect 1500; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 20 | Black |
| NH2047 | nShield Connect 6000; F3; SEE Ready (no nTokens) | 2 | 3 | 100 | Silver |
| BN2047 | nShield Connect 6000; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 100 | Silver |
| BN2047-E | nShield Connect 6000; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 100 | Silver |
All nShield Connect variants are CodeSafe-ready and validated for FIPS 140-2 Level 3 as well as Common Criteria EAL4+. Each module is shipped with 3 bundled client licenses.
Performance
Performance numbers are provided in signing transactions per second (TPS).
| Part Code | Model | TPS @ RSA 1,024 bit | TPS @ RSA 2,048 bit | TPS @ RSA 4,096 bit |
| NH2033 | nShield Connect 500; F3; SEE Ready (no nTokens) | 500 | 150 | 65 |
| BN2033 | nShield Connect 500; F3; SEE Ready (3 nToken PCI) | 500 | 150 | 65 |
| BN2033-E | nShield Connect 500; F3; SEE Ready (3 nToken PCIe) | 500 | 150 | 65 |
| NH2040 | nShield Connect 1500; F3; SEE Ready (no nTokens) | 1,500 | 500 | 150 |
| BN2040 | nShield Connect 1500; F3; SEE Ready (3 nToken PCI) | 1,500 | 500 | 150 |
| BN2040-E | nShield Connect 1500; F3; SEE Ready (3 nToken PCIe) | 1,500 | 500 | 150 |
| NH2047 | nShield Connect 6000; F3; SEE Ready (no nTokens) | 6,000 | 3,000 | 500 |
| BN2047 | nShield Connect 6000; F3; SEE Ready (3 nToken PCI) | 6,000 | 3,000 | 500 |
| BN2047-E | nShield Connect 6000; F3; SEE Ready (3 nToken PCIe) | 6,000 | 3,000 | 500 |
Performance may vary depending on operating system, application, network topology, and other factors.
Physical specifications
- Physical dimensions: 19” rack unit, 1U, 705mm depth (43.4 x 430 x 705 mm)
- Unpackaged weight: 11.5 Kg
- Packaged dimensions: 190 x 590 x 890 mm
- Packaged weight: 19.5 Kg
- Power consumption: up to 1.2A at 110V AC 60Hz or 0.6A at 220V AC 50Hz
- Input voltage: 100-240V AC auto switching 50-60 Hz (nominal)
Operating temperatures
- Normal range: 10 to 35 C
- Operating range: 5 to 40 C
- Storage range: -20 to 70 C
Humidity
- Operating range: 10 to 90 % (relative, non-condensing at 35%)
- Storage range: 0 to 85 % (relative, non-condensing at 35%)
Front
- Touch wheel
- Smart card reader
- Vents with easy access to field-replaceable, redundant fans
- USB connector for keyboard
- Color LCD
- Power button
- Clear button
- Warning LED
Back
- Dual, hot-swap power supplies, each with IEC 320 mains socket & rocker switch
- Mains cable retaining bracket, supplied with cable retainers
- 2x 1 Gigabit Ethernet ports
Hardware Options
- nToken
- Slide rails (sold as pair)
- Smart cards for administrators and operators (15 cards sold as standard with each unit)
- External USB keyboard
Optional features
- CipherTools - Developer Software to integrate with applications
- CodeSafe - Process sensitive data in custom applications on the HSM
- Database Security Option Pack - Manage keys for Microsoft SQL Server encryption
- payShield Cardholder Authentication for nShield - Add cardholder authentication functionality to the HSM
- Remote Operator - Remotely manage the HSM
- Elliptic Curve (ECC) Activation - Activate elliptic curve cryptography on the HSM
- KCDSA Activation - Activate the Korean Certificate-based Digital Signature Algorithm on the HSM
Spare parts (not included)
Algorithms
- Public key algorithms: RSA, Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH
- Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, Triple DES
Platforms
- Windows 2008 R2/2008/2003/Vista/XP
- Solaris
- HP-UX
- AIX
- Linux
Application interfaces
- PKCS #11
- Microsoft CryptoAPI / CNG
- Java JCE
- OpenSSL
- nCore
- FIPS 140-2 Level 3
- Common Criteria EAL4+
- Information on RoHS compliance


1:23 PM
admin