any interface that is connected to the public Internet.
4.6.3. Impath resilience
The nethsm_settings section in the client host hardserver config file defines settings for
Impath resilience that are specific to the nShield Connect. By default Impath resilience is
turned on with a timeout of 1 week. This enables clients to reconnect in the event of
network errors. The associated timeout sets when an Impath resilience session expires;
after expiry, all previously loaded objects must be reloaded before they can be used again.
Your threat analysis of your environment, and knowledge of the reliability of your
network, will determine whether Impath resilience needs to be enabled and what timeout
should be set. A shorter timeout limits how long a session, and the objects loaded in it,
remains available to be resumed; for example, a 5 minute Impath resilience timeout could
give a reasonable trade-off between security and resilience to transient network issues.
4.6.4. Configuring the RFS
The RFS contains the master copy of the Security World data for backup purposes. You
should regularly back up the entire contents of the RFS, as it is required to restore an
nShield Connect, or its replacement, to the current state in the case of failure.
To set up the RFS, it requires certain information about the nShield Connect:
• IP address
• ESN
• The hash of the KNETI
Even with a trusted network, it is recommended that the ESN and KNETI hash reported by
anonkneti be checked independently using the nShield Connect front panel, or from the
Serial Command Line Interface. If the network is untrusted, obtaining the ESN and KNETI
information directly from the nShield Connect front panel is essential. This information is
then used in the rfs-setup command to create the RFS. Specifically, the --write-noauth
option should not be used with the rfs-setup command, and the --setup --no-authenticate
option should not be used with the rfs-sync command, over insecure networks, as these
skip authentication and could give rise to a masquerade attack.
If the cooperating clients that are required to access an RFS have either an nToken fitted
or a Software Key available for secure authentication, then the nToken's or Software Key's
KNETI (respectively) should be used to authenticate them over insecure networks.
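The check the previous paragraphs call for, as an added example script (this is not code from the nShield Security Manual or from Entrust): the identity that anonkneti reports over the network is compared with the ESN and KNETI hash read out of band from the front panel, and the authenticated rfs-setup command (no --write-noauth) is only produced when both match. It assumes anonkneti prints a single "ESN KNETI-hash" line and that rfs-setup accepts the positional form `rfs-setup <IP> <ESN> <KNETI hash>`; check both against your installation guide. The IP address, ESN and hash are placeholders, and the anonkneti output is a constructed sample rather than a live query.

```shell
#!/bin/sh
# Added example, not part of the nShield Security Manual. Verify the nShield
# Connect identity seen over the network against values read from the front
# panel before creating the RFS, and refuse to proceed on any mismatch.
#
# Assumptions (hypothetical, for this example only):
#   - anonkneti prints one line of the form "<ESN> <KNETI hash>"
#   - rfs-setup accepts "rfs-setup <IP> <ESN> <KNETI hash>"
#   - 192.0.2.10 and the ESN/hash values below are placeholders

# Parse the single "ESN KNETI-hash" line anonkneti prints.
# Prints "ESN HASH" on success; returns 1 if the text is not two fields
# (for example an error message instead of an identity).
parse_anonkneti() {
    line=$1
    set -- $line
    [ $# -eq 2 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Compare the network-reported identity with the out-of-band values.
# Returns 0 only if both the ESN and the KNETI hash match exactly.
identity_matches() {
    expected_esn=$1
    expected_hash=$2
    reported=$3
    parsed=$(parse_anonkneti "$reported") || return 1
    set -- $parsed
    [ "$1" = "$expected_esn" ] && [ "$2" = "$expected_hash" ]
}

# Build the authenticated rfs-setup command line. --write-noauth is
# deliberately absent: the RFS must authenticate its peer's KNETI, otherwise
# a host on the network path could masquerade as the nShield Connect.
rfs_setup_cmd() {
    printf 'rfs-setup %s %s %s\n' "$1" "$2" "$3"
}

main() {
    connect_ip=192.0.2.10
    # Values read from the front panel (placeholders, not a real unit)
    panel_esn="1234-5678-9ABC"
    panel_hash="0000000000000000000000000000000000000000"
    # Constructed sample standing in for:  reported=$(anonkneti "$connect_ip")
    reported="1234-5678-9ABC 0000000000000000000000000000000000000000"

    if identity_matches "$panel_esn" "$panel_hash" "$reported"; then
        echo "ESN and KNETI hash match the front panel; run:"
        rfs_setup_cmd "$connect_ip" "$panel_esn" "$panel_hash"
    else
        echo "ESN/KNETI mismatch or unreadable anonkneti output: do not create the RFS" >&2
        return 1
    fi
}

main "$@"
```

On a real host, replace the constructed `reported` line with the anonkneti call shown in the comment and type the front-panel values in by hand; a mismatch, or an error message where the identity line should be, makes the script stop before any rfs-setup command is produced.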
4.6.5. Remote configuration
The module (hardserver) configuration file can be used to enable:
nShield® Security Manual 18 of 90