Binding Your NTLS or SSH Traffic to a Device

You can configure your appliance to restrict NTLS or SSH traffic to a specific network device (or IP address for SSH traffic):

>NTLS is used to securely transport the cryptographic messages exchanged between a client and the HSM across the network. You must bind your NTLS traffic to a specific network device, a bonded network device, or all network devices.

>SSH is used to securely transport the administrative messages exchanged between LunaSH and the appliance or HSM across the network. By default, SSH traffic is unrestricted. SSH binding is optional.

Binding Your NTLS Traffic

By default, the network trust link service (NTLS) is bound to all devices (0.0.0.0). To use the SafeNet Luna Network HSM on your network, you must bind NTLS to one of the following:

>A specific device (eth0, eth1, eth2 or eth3)

>All devices (eth0, eth1, eth2 and eth3)

>A bonded device (bond0 or bond1). See SafeNet Luna Network HSM Appliance Port Bonding in the Appliance Administration Guide for more information.

Use the LunaSH ntls bind command to bind the service. The device you configure is not used until the following conditions are met:

>it has been configured with a valid IP address

>it is active on the network

>the NTLS service is restarted

This allows you to preconfigure the NTLS binding and have it become active only after you have completed your network configuration.

NOTE   When two or more of the appliance's network interfaces are configured to operate on the same subnetwork, a known Linux networking issue can result in a lost connection due to ARP flux. To avoid this, configure the network interfaces to operate on different subnetworks.

To bind your NTLS traffic to a device

Use the ntls bind command to bind NTLS traffic to a network device (eth0, eth1, eth2, eth3, bond0, bond1, or all). You can use the ntls show command to see the current binding.

Example

lunash:>ntls bind eth0
 
NTLS binding set to network device eth0.
You must restart the NTLS service for the new settings to take effect.
 
 
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
 
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]
 
Starting ntls:                                             [  OK  ]
 
Command Result : 0 (Success)

NOTE   The “Stopping ntls” operation might fail in the above example, because NTLS is not yet running on a new HSM appliance. Just ignore the message.

lunash:>ntls show
 
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)
 
Command Result : 0 (Success)
 
lunash:>ntls bind eth1
 
NTLS binding set to network device eth1.
You must restart the NTLS service for the new settings to take effect.
 
 
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
 
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]
 
Starting ntls:                                             [  OK  ]
 
Command Result : 0 (Success)
 
lunash:>ntls show
 
NTLS is configured to bind to eth1, but it is not active at this time.
NTLS will bind to eth1 if it's active and has a valid IP address when NTLS restarts.
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)
 
Command Result : 0 (Success)

Binding Your SSH Traffic

You can optionally bind your SSH traffic to a specific device (eth0, eth1, eth2, eth3, all) on the appliance or to a specific IP address. By default, SSH traffic is unrestricted.

To bind your SSH traffic to a device or IP address

Use the sysconf ssh command to bind the SSH traffic to a device or IP address, as follows:

>To bind to a specific device, use the syntax sysconf ssh device <netdevice>. For example:

lunash:>sysconf ssh device eth1
 
Success:  SSH now restricted to ethernet device eth1 (ip address 192.168.255.2).
Restarting ssh service.
Stopping sshd:                                               [  OK  ]
Starting sshd:                                               [  OK  ]
Command Result : 0 (Success)
 
[myluna] lunash:>sysconf ssh show
 
SSHD configuration:
SSHD Listen Port: 22 (Default)
SSH is restricted to ethernet device eth1 (ip address 192.168.255.2).
Password   authentication is enabled
Public key authentication is enabled
 
Command Result : 0 (Success)

>To bind to an IP address or host name, use the syntax sysconf ssh ip <IP_address>. For example:

lunash:>sysconf ssh ip 192.20.10.200
 
Success:  SSH now restricted to ethernet device eth0 (ip address 192.20.10.200).
Restarting ssh service.
Stopping sshd:                                [  OK  ]
Starting sshd:                                [  OK  ]
 
Command Result : 0 (Success)
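The ntls show and sysconf ssh show transcripts above are the only way to confirm which interface NTLS and SSH are actually listening on, and the ntls show output has two shapes: a simple "currently bound" line, or a pending case where the configured device is not yet active (no valid IP or not up) and NTLS stays on the old device until the next restart. The script below is an added example, not Thales code or LunaSH output handling from this guide; it parses both command outputs as they appear on this page (the sample text is constructed from those transcripts) and reports when the active NTLS binding differs from the one an operator expects, which is exactly the drift that happens when NTLS is rebound before the network configuration is finished.

```python
import re

# Sample LunaSH output, constructed from the transcripts on this page.
NTLS_SHOW_PENDING = """NTLS is configured to bind to eth1, but it is not active at this time.
NTLS will bind to eth1 if it's active and has a valid IP address when NTLS restarts.
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)
"""

NTLS_SHOW_ACTIVE = """NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)
"""

SSH_SHOW = """SSHD configuration:
SSHD Listen Port: 22 (Default)
SSH is restricted to ethernet device eth1 (ip address 192.168.255.2).
Password   authentication is enabled
Public key authentication is enabled

Command Result : 0 (Success)
"""


def parse_ntls_show(text):
    """Parse 'ntls show' output into the configured device, the active device/IP,
    and whether the configured binding is still pending a successful restart."""
    result = {"configured_device": None, "active_device": None,
              "active_ip": None, "pending": False, "ok": False}
    m = re.search(r"NTLS is configured to bind to (\w+), but it is not active", text)
    if m:
        # Pending case: the device was bound but is not up or has no valid IP yet.
        result["configured_device"] = m.group(1)
        result["pending"] = True
    m = re.search(r'NTLS is currently bound to IP Address: "([^"]+)" \((\w+)\)', text)
    if m:
        result["active_ip"], result["active_device"] = m.group(1), m.group(2)
        if not result["pending"]:
            # No pending line means the active device is also the configured one.
            result["configured_device"] = result["active_device"]
    result["ok"] = "Command Result : 0 (Success)" in text
    return result


def parse_ssh_show(text):
    """Parse 'sysconf ssh show' output: listen port, device/IP restriction,
    and which authentication methods are enabled."""
    result = {"port": None, "restricted": False, "device": None, "ip": None,
              "password_auth": None, "pubkey_auth": None, "ok": False}
    m = re.search(r"SSHD Listen Port: (\d+)", text)
    if m:
        result["port"] = int(m.group(1))
    m = re.search(r"SSH is restricted to ethernet device (\w+) \(ip address ([\d.]+)\)", text)
    if m:
        result["restricted"] = True
        result["device"], result["ip"] = m.group(1), m.group(2)
    m = re.search(r"Password\s+authentication is (enabled|disabled)", text)
    if m:
        result["password_auth"] = m.group(1) == "enabled"
    m = re.search(r"Public key authentication is (enabled|disabled)", text)
    if m:
        result["pubkey_auth"] = m.group(1) == "enabled"
    result["ok"] = "Command Result : 0 (Success)" in text
    return result


def check_ntls_binding(ntls, expected_device):
    """Compare the parsed 'ntls show' state against the device the operator
    intended; returns a list of findings (empty when everything matches)."""
    findings = []
    if not ntls["ok"]:
        findings.append("ntls show did not report success")
    if ntls["active_device"] != expected_device:
        findings.append("NTLS is active on %s, expected %s"
                        % (ntls["active_device"], expected_device))
    if ntls["pending"]:
        findings.append("binding to %s is pending: bring the device up with a valid "
                        "IP address, then restart NTLS" % ntls["configured_device"])
    return findings


if __name__ == "__main__":
    for label, sample in (("active", NTLS_SHOW_ACTIVE), ("pending", NTLS_SHOW_PENDING)):
        state = parse_ntls_show(sample)
        print(label, state, check_ntls_binding(state, "eth1"))
    print(parse_ssh_show(SSH_SHOW))
```

Feed the script the text captured from a LunaSH session (for example, over an automation user's SSH session) and treat any non-empty findings list as a reason to hold the change window open: the appliance has accepted the new binding, but clients are still reaching the HSM on the previous interface.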