Rainbow-Chrysalis Luna SA HSM
Good performance, comprehensive documentation, solidly built, excellent security.
The device could have benefited from a browser-based GUI.
While it is not the fastest kit on the block, it certainly offers a range of features, performance and security at an acceptable price.
Of course, we are not all seduced by looks, but this box - with its burnt-orange fascia and wavy ventilation-hole detail - could win an award just for sheer . The Rainbow-Chrysalis Luna SA Hardware Security Module is a tamper-resistant 2U rack mount unit. Installation presented no problems and configuration was carried out using a serial cable link to a command line interface.
Unlike some of the other devices on test, this does not offer any kind of graphical user interface for configuration or monitoring. It can, however, be monitored using SNMP. Operating in command line mode is not to everyone's taste, but presents no problems in this instance.
It is supplied with extensive and comprehensive documentation on CD-ROM, which also contains client software to be installed on the web servers. The documentation is also provided in printed form, which is convenient.
There are guides for installation and set-up which lead you through the necessary steps to bring the system online. The Luna SA needs to be configured with one or more logical HSM partitions, which in turn can be configured to contain virtual servers and services, and the keys and certificates associated with them.
Real servers are defined as clients of the partitions and their contents. The system requires trusted links to be set up between the servers and the device, a process which involves installing and running the client software on the servers and exchanging keys and certificates with the Luna SA.
Communication between clients and the virtual servers and services assigned to them can only occur across the trusted links, which use SSL encryption and full two-way digital certificate authentication. The Luna SA prevents unauthorized access to any part of a partition's contents, and also prevents authorized clients from accessing virtual servers and services not allocated to them.
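The access model the review describes in the preceding three paragraphs has two distinct denials in it: a peer that is not a registered client never gets a conversation, and a registered client is confined to the virtual servers and services allocated to it, even inside a partition it can otherwise reach. The following is an added illustration of those decisions, written for this review and not Rainbow-Chrysalis code: the partition and client names, the `FP-…` certificate fingerprints and the policy table are all constructed, and the real Luna SA enforces the equivalent inside the appliance over its mutually authenticated SSL links.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ClientIdentity:
    """What the HSM learns about a client from the certificate it presents
    during the two-way SSL handshake on the trusted link (constructed values)."""
    subject_cn: str
    cert_fingerprint: str


@dataclass
class Partition:
    """One logical HSM partition: the services it hosts, the key/certificate
    objects each service owns, and which clients are allocated which services."""
    name: str
    services: dict[str, set[str]] = field(default_factory=dict)     # service -> object labels
    allocations: dict[str, set[str]] = field(default_factory=dict)  # client fingerprint -> services


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PartitionGuard:
    """Authorization decisions for requests arriving over trusted links."""

    def __init__(self, partitions: list[Partition], registered_clients: set[str]) -> None:
        self.partitions = {p.name: p for p in partitions}
        self.registered_clients = registered_clients  # fingerprints exchanged at client set-up
        self.audit: list[str] = []

    def authorize(self, client: Optional[ClientIdentity], partition: str,
                  service: str, obj: str) -> Decision:
        who = client.subject_cn if client else "<anonymous>"
        # Two-way authentication: no client certificate means the policy is never consulted.
        if client is None:
            return self._record(who, partition, service, obj, False, "no client certificate presented")
        # Only certificates exchanged during client registration are trusted; the CN alone proves nothing.
        if client.cert_fingerprint not in self.registered_clients:
            return self._record(who, partition, service, obj, False, "client certificate not registered")
        part = self.partitions.get(partition)
        if part is None:
            return self._record(who, partition, service, obj, False, "no such partition")
        # An authorized client sees only the services allocated to it within the partition.
        if service not in part.allocations.get(client.cert_fingerprint, set()):
            return self._record(who, partition, service, obj, False, "service not allocated to client")
        # Objects are scoped to the service that owns them, so a client cannot reach a
        # neighbouring service's key by naming it under its own service.
        if obj not in part.services.get(service, set()):
            return self._record(who, partition, service, obj, False, "object not owned by service")
        return self._record(who, partition, service, obj, True, "ok")

    def _record(self, who: str, partition: str, service: str, obj: str,
                allowed: bool, reason: str) -> Decision:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} client={who} partition={partition} "
                          f"service={service} object={obj} reason={reason}")
        return Decision(allowed, reason)


def build_demo_guard() -> PartitionGuard:
    """Constructed sample policy: two partitions, two registered web servers."""
    web = Partition(
        name="web-par",
        services={"www.example.test": {"www-rsa-key", "www-cert"},
                  "shop.example.test": {"shop-rsa-key", "shop-cert"}},
        allocations={"FP-WEB01": {"www.example.test"}, "FP-WEB02": {"shop.example.test"}},
    )
    ca = Partition(name="ca-par", services={"issuing-ca": {"ca-signing-key"}}, allocations={})
    return PartitionGuard([web, ca], registered_clients={"FP-WEB01", "FP-WEB02"})


def run_scenarios(guard: PartitionGuard) -> dict[str, bool]:
    """Exercise each denial path plus the one legitimate request; returns label -> allowed."""
    web01 = ClientIdentity("web01", "FP-WEB01")
    web02 = ClientIdentity("web02", "FP-WEB02")
    unregistered = ClientIdentity("web01", "FP-UNKNOWN")  # right CN, certificate never exchanged
    return {
        "web01 uses its own key": guard.authorize(web01, "web-par", "www.example.test", "www-rsa-key").allowed,
        "web01 reaches shop service": guard.authorize(web01, "web-par", "shop.example.test", "shop-rsa-key").allowed,
        "web01 names shop key under own service": guard.authorize(web01, "web-par", "www.example.test", "shop-rsa-key").allowed,
        "web02 touches CA partition": guard.authorize(web02, "ca-par", "issuing-ca", "ca-signing-key").allowed,
        "unregistered cert with known CN": guard.authorize(unregistered, "web-par", "www.example.test", "www-rsa-key").allowed,
        "no certificate": guard.authorize(None, "web-par", "www.example.test", "www-rsa-key").allowed,
    }


if __name__ == "__main__":
    g = build_demo_guard()
    for label, ok in run_scenarios(g).items():
        print(f"{'allow' if ok else 'deny':5} {label}")
    print("\n".join(g.audit))
```

Every decision, allowed or denied, lands in the audit list with the reason, which is what you would want exported over the SNMP monitoring the review mentions: the interesting events on an HSM are the denials, particularly a registered client repeatedly asking for a service it was never allocated.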
The device can operate as part of a more elaborate set-up or in standalone mode, which is how we tested it. It also supports Microsoft IIS 5.0, IIS 6.0 and Windows ISA Server on Microsoft Windows 2000 Server and Windows Server 2003, as well as Apache Web Server 1.3.27 and 2.0.46 and Sun One Web Server 4.1 and 6.0.
Once the device is operating correctly, the front panel can be locked away securely behind a tamper-proof screen. This denies access to the serial link, preventing unauthorized reconfiguration.