CipherTrust Manager Deployment

Hardening Guidelines

The CipherTrust Manager should be deployed into as secure an environment as possible. Every effort has been made to make the CipherTrust Manager itself as secure as possible; however, additional precautions should be taken, especially when the CipherTrust Manager is deployed into an untrusted environment.

Network Security Groups

A network security group includes security rules that permit or deny inbound network traffic to the required ports of the CipherTrust Manager interfaces, and outbound network traffic from the CipherTrust Manager to the services it depends on. For the list of CipherTrust Manager inbound and outbound ports, refer to the table of recommended interface types and port assignments below.

The recommended interface types and port assignments for the CipherTrust Manager are:

| Type | Protocol | Port / Direction |
|---|---|---|
| SSH | TCP | 22 Inbound |
| SSH (if using Luna Network HSM, TCT Luna T-Series Network HSM, or AWS CloudHSM) | TCP | 22 Outbound |
| HTTP | TCP | 80 Inbound |
| HTTPS | TCP | 443 Inbound for most deployment types. 9443 Inbound for Virtual CipherTrust Managers launched from AWS China. |
| HTTPS for DPoD Luna Cloud HSM Service | TCP | 443 Outbound |
| PostgreSQL (applies only to clustering) | TCP | 5432 Inbound/Outbound |
| NAE | TCP | 9000 Inbound |
| KMIP | TCP | 5696 Inbound |
| If using Luna Network HSM or TCT Luna T-Series Network HSM | TCP | 1792 Outbound |
| If using AWS CloudHSM | TCP | If you have a Virtual CipherTrust Manager deployed on an AWS EC2 instance, attach the cluster security group to the EC2 instance, as described in the AWS documentation. For all other deployments, configure the network security group to allow 2223-2225 Inbound/Outbound. |
| NTP | UDP | 123 Outbound |
| Syslog | UDP | 514 Outbound |
| Syslog | TCP | 6514 Outbound |
| SNMP | UDP | 161 Inbound |
| SNMP | UDP | 162 Outbound |

If you are using the Secrets Management feature, the included Akeyless Gateway service requires public network connectivity to Akeyless SaaS Core Services.

Rules with source IP of 0.0.0.0/0 (IPv4) and ::/0 (IPv6) allow all IP addresses to access the instance. It is recommended to set security group rules to allow access from known IP addresses only.

Whenever a new interface is added, the respective port should be added to the security group also.
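The two checks this section asks for, only recommended ports open inbound and no rule sourced from 0.0.0.0/0 or ::/0, can be automated before a security group is applied. The following is an added example, not Thales code; the rule dictionaries are a constructed, simplified shape (protocol, port range, source CIDR) rather than any cloud provider's API schema, and the allowed-port table is taken from the port assignments above (fixed inbound ports only; the AWS CloudHSM 2223-2225 range is included for non-EC2 deployments).

```python
"""Audit inbound network security group rules against the CipherTrust
Manager port assignments.  Added example; rule format is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Recommended inbound ports from the port-assignment table (constructed
# mapping; outbound-only ports such as UDP 162 are deliberately absent).
RECOMMENDED_INBOUND: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "SSH",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 9443): "HTTPS (Virtual CipherTrust Manager, AWS China)",
    ("tcp", 5432): "PostgreSQL (clustering only)",
    ("tcp", 9000): "NAE",
    ("tcp", 5696): "KMIP",
    ("udp", 161): "SNMP",
}
# AWS CloudHSM range for deployments that are not EC2 instances.
for _p in range(2223, 2226):
    RECOMMENDED_INBOUND[("tcp", _p)] = "AWS CloudHSM (non-EC2)"


def audit_inbound_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per problem.  An empty list means every rule is
    on a recommended port and restricted to an explicit source range.

    Finding codes:
      bad-source      the source is not a valid IPv4/IPv6 network
      open-to-world   the source is 0.0.0.0/0 or ::/0 (prefix length 0)
      unexpected-port a port in the rule is not in the recommended table
    """
    findings: List[Dict] = []
    for idx, rule in enumerate(rules):
        proto = rule["protocol"].lower()
        try:
            # strict=False tolerates host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            findings.append({"rule": idx, "code": "bad-source",
                             "detail": rule["source"]})
            continue
        if net.prefixlen == 0:
            findings.append({
                "rule": idx, "code": "open-to-world",
                "detail": f"{proto}/{rule['from_port']}-{rule['to_port']} "
                          f"from {net}"})
        for port in range(rule["from_port"], rule["to_port"] + 1):
            if (proto, port) not in RECOMMENDED_INBOUND:
                findings.append({"rule": idx, "code": "unexpected-port",
                                 "detail": f"{proto}/{port}"})
    return findings


# Constructed sample rule set: one clean rule, two world-open rules, one
# unrelated port, and an SNMP rule that also opens the outbound-only 162.
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443,
     "source": "10.20.0.0/16"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22,
     "source": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 5696, "to_port": 5696,
     "source": "::/0"},
    {"protocol": "tcp", "from_port": 8080, "to_port": 8080,
     "source": "10.20.1.5/32"},
    {"protocol": "udp", "from_port": 161, "to_port": 162,
     "source": "10.20.1.10/32"},
]

if __name__ == "__main__":
    for f in audit_inbound_rules(SAMPLE_RULES):
        print(f"rule {f['rule']}: {f['code']}: {f['detail']}")
```

Run against the constructed rules, the audit reports the SSH and KMIP rules as open to the world and flags TCP 8080 and UDP 162 as ports the table does not list for inbound traffic; the HTTPS rule restricted to 10.20.0.0/16 produces nothing. Extend `RECOMMENDED_INBOUND` whenever a new interface is added, which is the same bookkeeping the text requires of the security group itself.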

Encryption of Virtual CipherTrust Manager

It is best practice to encrypt any Virtual CipherTrust Manager used in production. This is especially true if the Virtual CipherTrust Manager is deployed into an untrusted environment. When a Virtual CipherTrust Manager instance first boots, there are a number of secrets generated specific to that instance. To ensure that these secrets are never exposed, the CipherTrust Manager should be encrypted on first boot before it generates these. Please refer to Disk Encryption for details.

System Administrative Key

The SSH Private Key, used to access the System Administrative account "ksadmin", is extremely sensitive and should be kept in a secure environment.

HSM Configurations

If configured to use an HSM (SafeNet Luna Network HSM, Luna T-Series Network HSM, DPoD's Luna Cloud HSM service, or AWS CloudHSM), the CipherTrust Manager protects all of its secrets with a non-exportable HSM key. To protect all secrets, the CipherTrust Manager must be connected to the HSM on first boot. This is the most secure configuration. Special configuration is required to use an HSM with a cluster of appliances.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

| Interface | Minimum TLS version | Maximum TLS version | Default minimum TLS version |
|---|---|---|---|
| Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
| NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
| KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

In a production environment, always enable SSL/TLS with the NAE interface. You should only disable SSL/TLS with NAE for troubleshooting purposes.

Administrative Session Timeout

By default, there is no timeout for a ksadmin administrative session taking place through SSH or serial connection to the appliance.

We recommend setting a timeout so that ksadmin must re-authenticate after a period of inactivity.

To set a timeout

  1. Log in via SSH as ksadmin.

  2. Edit the /home/ksadmin/.bashrc file.

    vi /home/ksadmin/.bashrc
    
  3. Append the following line:

    TMOUT=<desired timeout value in seconds>
    
  4. Reload the .bashrc file to apply the new setting.

    source /home/ksadmin/.bashrc
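The procedure above is a one-off manual edit. When the same change is rolled out to several appliances, or re-applied after a rebuild, it should be idempotent (one TMOUT line, placed last so nothing later in the file overrides it) and verifiable. The following is an added example, not part of the Thales procedure: it performs the edit on a constructed .bashrc in a temporary directory and reports what a reviewer would check. It goes one step beyond the page by also writing `readonly TMOUT`, so that the variable cannot be unset or changed from the interactive shell once the file has been sourced.

```python
"""Idempotently set the ksadmin session timeout in a .bashrc file.
Added example; the file and starting contents are constructed."""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Matches a TMOUT assignment, with or without a leading "export".
TMOUT_LINE = re.compile(r"^\s*(?:export\s+)?TMOUT=(\S*)\s*$")


def set_session_timeout(bashrc: Path, seconds: int) -> None:
    """Rewrite bashrc so it contains exactly one TMOUT assignment, placed
    last, followed by "readonly TMOUT" (an addition to the page's
    procedure, which only sets TMOUT)."""
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    existing = bashrc.read_text().splitlines() if bashrc.exists() else []
    # Drop any earlier TMOUT assignment or readonly marker before appending.
    kept = [
        line for line in existing
        if not TMOUT_LINE.match(line) and line.strip() != "readonly TMOUT"
    ]
    kept += [f"TMOUT={seconds}", "readonly TMOUT"]
    bashrc.write_text("\n".join(kept) + "\n")


def effective_timeout(bashrc: Path) -> Optional[int]:
    """Return the TMOUT value bash ends up with after sourcing the file
    (the last assignment wins), or None if it is unset or not numeric."""
    value: Optional[int] = None
    for line in bashrc.read_text().splitlines():
        m = TMOUT_LINE.match(line)
        if m:
            value = int(m.group(1)) if m.group(1).isdigit() else None
    return value


def run_demo() -> dict:
    """Apply the change twice to a constructed .bashrc and summarise the
    result: the second run must not duplicate any line."""
    with tempfile.TemporaryDirectory() as tmp:
        bashrc = Path(tmp) / ".bashrc"
        # Constructed starting file with a stale, shorter timeout present.
        bashrc.write_text(
            "# ksadmin shell settings\nexport TMOUT=60\nalias ll='ls -l'\n")
        before = effective_timeout(bashrc)
        set_session_timeout(bashrc, 900)
        set_session_timeout(bashrc, 900)
        text = bashrc.read_text()
        return {
            "before": before,
            "after": effective_timeout(bashrc),
            "tmout_lines": sum(1 for ln in text.splitlines()
                               if TMOUT_LINE.match(ln)),
            "readonly_lines": text.count("readonly TMOUT"),
            "alias_kept": "alias ll='ls -l'" in text,
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real appliance the path would be /home/ksadmin/.bashrc and the file is then re-sourced as in step 4. Sourcing it a second time in the same shell reports TMOUT as a readonly variable; that message is expected and the timeout remains in force.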