Hardening Guidelines
The CipherTrust Manager should be deployed into as secure an environment as possible. Every effort has been made to make the CipherTrust Manager as secure as possible; however, additional precautions should be taken, especially when the CipherTrust Manager is deployed into an untrusted environment.
Network Security Groups
A network security group includes security rules that permit or deny inbound network traffic to required ports of CipherTrust Manager interfaces and outbound network traffic from CipherTrust Manager clients. For the list of available CipherTrust Manager inbound network traffic ports, refer to the following Recommended Interface Types and Port Assignments.
Recommended Interface Types and Port Assignments
The recommended interface types and port assignments for the CipherTrust Manager are:
Type | Protocol | Port Number |
---|---|---|
SSH | TCP | 22 Inbound |
SSH (if using Luna Network HSM, TCT Luna T-Series Network HSM, or AWS CloudHSM) | TCP | 22 Outbound |
HTTP | TCP | 80 Inbound |
HTTPS, which includes Web UI, ksctl CLI, REST API, CipherTrust Transparent Encryption (CTE), CipherTrust Transparent Encryption UserSpace (CTE-U) client access and Data Protection Gateway (DPG), CipherTrust RESTful Data Protection (CRDP), CT-V WebService, CT-VL, CADP for JAVA Webservice connectors. | TCP | 443 Inbound for most deployment types. 9443 Inbound for Virtual CipherTrust Managers launched from AWS China. |
HTTPS for DPoD Luna Cloud HSM Service | TCP | 443 Outbound |
PostgreSQL (Applies only to Clustering) | TCP | 5432 Inbound/Outbound |
NAE | TCP | 9000 Inbound |
KMIP | TCP | 5696 Inbound |
If using Luna Network HSM or TCT Luna T-Series Network HSM | TCP | 1792 Outbound |
If using AWS CloudHSM | TCP | If you have a Virtual CipherTrust Manager deployed on an AWS EC2 instance, attach the cluster security group to the EC2 instance, as described in AWS documentation. For all other deployments, configure the network security group to allow 2223-2225 Inbound/Outbound. |
NTP | UDP | 123 Outbound |
Syslog | UDP | 514 Outbound |
Syslog | TCP | 6514 Outbound |
SNMP | UDP | 161 Inbound, 162 Outbound |
LDAP | TCP | 389 Outbound |
LDAPs | TCP | 636 Outbound |
DNS Queries | UDP | 53 Outbound |
Luna Network HSM (STC type), root of trust connection only | TCP | 5656 Outbound |
SCP server for automatic backup storage | TCP | 22 Outbound |
SMTP | TCP | 587 Outbound |
Thales Data Platform (TDP) Knox connection for Data Discovery and Classification (DDC) | TCP | 8443 Outbound |
Data Discovery and Classification (DDC) Agent | TCP | 11117 Inbound |
If you are using the Secrets Management feature, the included Akeyless Gateway service requires public network connectivity to Akeyless SaaS Core Services.
Caution
Rules with a source IP of 0.0.0.0/0 (IPv4) or ::/0 (IPv6) allow all IP addresses to access the instance. It is recommended to set security group rules to allow access from known IP addresses only.
Caution
Whenever a new interface is added, the respective port should be added to the security group also.
- Port 9100 is reserved for an internal service and is not available for any CipherTrust Manager interface.
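As an added illustration (not code from the CipherTrust Manager product or its documentation), the following Python audit checks a constructed set of security group rules against the port table and the cautions above: it flags inbound rules with a 0.0.0.0/0 or ::/0 source, any rule that touches reserved port 9100, ports opened beyond what the deployment actually needs, and required interface ports that have no inbound rule at all. The Rule class, audit_inbound and the sample rules are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
# Inbound (proto, port) pairs from the table above; 9443 is only for a Virtual
# CM launched from AWS China, 2223-2225 only for AWS CloudHSM deployments.
EXPECTED_INBOUND = {
    ("tcp", 22): "SSH", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 9443): "HTTPS (AWS China)", ("tcp", 5432): "PostgreSQL (clustering)",
    ("tcp", 9000): "NAE", ("tcp", 5696): "KMIP", ("udp", 161): "SNMP",
    ("tcp", 11117): "DDC Agent", **{("tcp", p): "AWS CloudHSM" for p in (2223, 2224, 2225)},
}
RESERVED_PORTS = {9100}  # internal service; never open it for an interface

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port_from: int
    port_to: int    # same as port_from for a single-port rule
    source: str     # CIDR the rule accepts traffic from

def audit_inbound(rules, required):
    """Findings for inbound rules; `required` = (proto, port) pairs this deployment uses."""
    findings, covered = [], set()
    for r in rules:
        if r.direction != "inbound":
            continue
        span = f"{r.proto}/{r.port_from}-{r.port_to}"
        # Caution above: a 0.0.0.0/0 or ::/0 source admits every address.
        if ipaddress.ip_network(r.source, strict=False).prefixlen == 0:
            findings.append(f"open-to-world: {span} from {r.source}")
        ports = {(r.proto, p) for p in range(r.port_from, r.port_to + 1)}
        covered |= ports
        for p in sorted(p for _, p in ports if p in RESERVED_PORTS):
            findings.append(f"reserved-port: {r.proto}/{p} must not be opened")
        excess = sorted(p for _, p in ports - required if p not in RESERVED_PORTS)
        if excess:
            findings.append(f"excess-ports: {span} opens {len(excess)} port(s) not needed, e.g. {excess[:3]}")
    for proto, p in sorted(required - covered):
        name = EXPECTED_INBOUND.get((proto, p), "unknown interface")
        findings.append(f"missing-port: {proto}/{p} ({name}) has no inbound rule")
    return findings

# Constructed sample: a clustered CM serving NAE and KMIP clients.
SAMPLE_RULES = [
    Rule("inbound", "tcp", 22, 22, "10.0.0.0/24"),     # admin jump hosts
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),      # world-open: flagged
    Rule("inbound", "tcp", 5432, 5432, "10.0.1.0/24"),  # cluster peers
    Rule("inbound", "tcp", 9000, 9100, "10.0.2.0/24"),  # sloppy range: flagged
]
SAMPLE_REQUIRED = {("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 9000), ("tcp", 5696)}
```

Running audit_inbound(SAMPLE_RULES, SAMPLE_REQUIRED) reports the world-open 443 rule, the reserved port inside the 9000-9100 range, the 99 surplus ports that range opens, and the missing KMIP rule on 5696.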
Port Assignments for Related Components
Some CipherTrust Manager use cases require other connections between related components, which also require open network traffic to certain ports. These connections are not directly to or from the CipherTrust Manager appliance.
DDC agents form connections to data stores. Refer to DDC documentation for a list of ports used for communication between DDC agents and supported data store types.
As a prerequisite to setting up a Luna Network HSM as root-of-trust for CipherTrust Manager, you must create a partition on the Network HSM and register the CipherTrust Manager as a client. As indicated in Luna documentation on port usage, SSH access for this prerequisite configuration requires port 22.
Encryption of Virtual CipherTrust Manager
It is best practice to encrypt any Virtual CipherTrust Manager used in production. This is especially true if the Virtual CipherTrust Manager is deployed into an untrusted environment. When a Virtual CipherTrust Manager instance first boots, a number of secrets specific to that instance are generated. To ensure that these secrets are never exposed, the CipherTrust Manager should be encrypted on first boot, before it generates them. Please refer to Disk Encryption for details.
System Administrative Key
The SSH Private Key, used to access the System Administrative account "ksadmin", is extremely sensitive and should be kept in a secure environment.
HSM Configurations
If configured to use an HSM (SafeNet Luna Network HSM, Luna T-Series Network HSM, DPoD's Luna Cloud HSM service, or AWS CloudHSM), the CipherTrust Manager will protect all of its secrets with a non-exportable HSM key. To protect all secrets, the CipherTrust Manager must be connected to the HSM on first boot. This is the most secure configuration. Special configuration is required to use an HSM with a cluster of appliances.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
Warning
In a production environment, always enable SSL/TLS with the NAE interface. You should only disable SSL/TLS with NAE for troubleshooting purposes.
Administrative Session Timeout
By default, there is no timeout for a ksadmin administrative session taking place through SSH or a serial connection to the appliance. We recommend setting a timeout so that ksadmin must re-authenticate after a period of inactivity.
To set a timeout
1. Log in via SSH as ksadmin.
2. Edit the /home/ksadmin/.bashrc file:
   vi /home/ksadmin/.bashrc
3. Append the following line:
   TMOUT=<desired timeout value in seconds>
4. Reload the .bashrc file to apply the new setting:
   source /home/ksadmin/.bashrc
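The following helper, added here and not part of the appliance tooling, shows what the procedure above has to get right inside .bashrc: bash applies the last TMOUT assignment it reads, so a stale line sitting after the one you appended would silently win. effective_tmout reports the value bash will actually use, and set_tmout rewrites the file so that exactly one assignment remains; both names and the sample .bashrc are constructed for this example.

```python
import re

# Matches "TMOUT=900" or "export TMOUT=900" and captures the seconds value.
TMOUT_RE = re.compile(r"^\s*(?:export\s+)?TMOUT=(\d+)\s*$")

def effective_tmout(bashrc_text):
    """Return the TMOUT bash ends up with after sourcing the file, or None.
    Bash applies assignments in order, so the last one wins."""
    value = None
    for line in bashrc_text.splitlines():
        m = TMOUT_RE.match(line)
        if m:
            value = int(m.group(1))
    return value

def set_tmout(bashrc_text, seconds):
    """Return the file content with exactly one TMOUT assignment set to
    `seconds`. An existing assignment is rewritten where it stands and any
    duplicates are dropped, so no later stale line can override the value."""
    if type(seconds) is not int or seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    kept, replaced = [], False
    for line in bashrc_text.splitlines():
        if TMOUT_RE.match(line):
            if not replaced:
                kept.append(f"TMOUT={seconds}")
                replaced = True
            continue  # drop duplicate assignments
        kept.append(line)
    if not replaced:
        kept.append(f"TMOUT={seconds}")
    return "\n".join(kept) + "\n"

# Constructed sample .bashrc whose existing timeout is too generous.
SAMPLE_BASHRC = "# ksadmin shell settings\nalias ll='ls -l'\nTMOUT=3600\n"
```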
Restricting Cluster Port
Configure the cluster allowlist so that only specific IP addresses are allowed to connect to the cluster port 5432.