the Solo RTC time (including within the Connect) at regular intervals to ensure that a
similar time, within a margin of error, is reported. Significant discrepancies should be
investigated.
To identify NTP server failures or attacks, NTP servers should be monitored for
availability on the network and an alert generated if the NTP server is unavailable.
4.5.3. Set the Host date and time (nShield Solo only)
Set the host date and time using an accurate trusted local time source as part of the
commissioning process. This must be set as early in the commissioning process as
possible. The correct time must be set to support hardserver logging.
4.6. nShield Connect and client configuration
4.6.1. Configuring the Ethernet interfaces - IPv4 and IPv6
Dual Ethernet interfaces are supplied to support separate external and internal IP
address allocation if required by the security pollicy for the network configuration. They
cannot be bonded or otherwise used for redundancy. The second Ethernet port must be
disabled if not required (this is the default setting).
4.6.1.1. IPv6 Compliance
A sub-menu in the nShield Connect front panel menu permits you to select an IPv6
compliance mode for an nShield Connect. Compliance with USGv6 or IPv6 ready can be
selected.
Both these modes change the settings for the nShield Connect firewall so that it will
pass-through packets which are discarded in the normal default mode. This behaviour is
required for compliance testing but is not recommended for normal use since allowing
packets with invalid fields or parameters through the firewall increases the attack
surface. It is recommended that the IPv6 compliance mode is set to Default for all normal
operations.
4.6.2. Optionally configure hardserver interfaces
By default, the hardserver listens on all interfaces. However, you can alter the hardserver
settings. Altering the hardserver settings would prove necessary if, for example, you
wanted to connect one of the Ethernet interfaces to external hosts
Ensure that you have configured the Ethernet interfaces on the HSM before attempting
to configure the hardserver. For security reasons, do not allow the hardserver to listen on
nShield® Security Manual 17 of 90
To Next Page
Loading...
Need help?
General
