Binding Your NTLS or SSH Traffic to a Device

You can configure your appliance to restrict NTLS or SSH traffic to a specific network device (or IP address for SSH traffic):

>NTLS is used to securely transport the cryptographic messages exchanged between a client and the HSM across the network. You must bind your NTLS traffic to a specific network device, a bonded network device, or all network devices.

>SSH is used to securely transport the administrative messages exchanged between your SSH client and LunaSH on the Luna Network HSM 7 appliance across the network. By default, SSH traffic is unrestricted (connections are accepted on any device). SSH binding is optional.

Binding Your NTLS Traffic

By default, the Network Trust Link Service (NTLS) is bound to all devices (0.0.0.0, so it listens on every interface). To use the Luna Network HSM 7 on your network, you must bind NTLS to one of the following:

>A specific device (eth0, eth1, eth2 or eth3)

>All devices (eth0, eth1, eth2 and eth3)

>A bonded device (bond0 or bond1). See Luna Network HSM 7 Appliance Port Bonding for more information.

Use lunash:> ntls bind to bind the service. The device you configure is not used until all of the following conditions are met:

>it has been configured with a valid IP address

>it is active on the network

>the NTLS service is restarted

This allows you to preconfigure the NTLS binding and have it become active only after you have completed your network configuration.

NOTE   When two or more of the appliance's network interfaces are configured to operate on the same subnetwork, a known Linux networking issue can result in a lost connection due to ARP flux. To avoid this, configure the network interfaces to operate on different subnetworks.
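The following check, an added example rather than anything from the Luna documentation, tests the condition the note above describes: it takes the addresses you assigned to the appliance's interfaces and reports every pair that falls on the same subnetwork. The interface names and addresses in SAMPLE_INTERFACES are constructed sample data; run it on an administration workstation with the values you actually configured.

```python
# Added example (not from the Luna Network HSM 7 documentation): check that
# no two appliance interfaces are addressed on the same subnetwork, which is
# the condition the ARP flux note describes. Interface names and addresses
# are constructed sample data, not read from a real appliance.
import ipaddress
from itertools import combinations

# Constructed sample of what was assigned to the appliance's interfaces.
SAMPLE_INTERFACES = {
    "eth0": "192.20.11.78/24",
    "eth1": "192.20.11.79/24",   # same /24 as eth0: ARP flux risk
    "eth2": "192.168.255.2/24",
}


def find_shared_subnets(interfaces):
    """Return [(ifname_a, ifname_b, subnet_a, subnet_b), ...] for every pair of
    interfaces whose networks overlap (different prefix lengths included).
    An empty list means no ARP flux exposure. Interfaces with no address
    (None or "") are skipped."""
    nets = {
        name: ipaddress.ip_interface(cidr).network
        for name, cidr in interfaces.items()
        if cidr
    }
    collisions = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            collisions.append((a, b, str(net_a), str(net_b)))
    return collisions


if __name__ == "__main__":
    for a, b, net_a, net_b in find_shared_subnets(SAMPLE_INTERFACES):
        print(f"WARNING: {a} ({net_a}) and {b} ({net_b}) share a subnetwork; "
              f"move one of them to a different subnetwork to avoid ARP flux")
```

Overlap rather than equality is tested so that an interface on a /16 is also reported against one on a /24 inside it.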

To bind your NTLS traffic to a device

Use lunash:> ntls bind to bind the NTLS traffic to a network device (eth0, eth1, eth2, eth3, bond0, bond1, all). You can use lunash:> ntls show to see the current binding.

Example

lunash:>ntls bind eth0

NTLS binding set to network device eth0.
You must restart the NTLS service for the new settings to take effect.


If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]

Starting ntls:                                             [  OK  ]

Command Result : 0 (Success)

NOTE   The “Stopping ntls” operation might fail in the above example, because NTLS is not yet running on a new HSM appliance. This message can be safely ignored.

lunash:>ntls show

NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)


lunash:>ntls bind eth1

NTLS binding set to network device eth1.
You must restart the NTLS service for the new settings to take effect.


If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]

Starting ntls:                                             [  OK  ]

Command Result : 0 (Success)


lunash:>ntls show

NTLS is configured to bind to eth1, but it is not active at this time.
NTLS will bind to eth1 if it's active and has a valid IP address when NTLS restarts.
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)

Binding Your SSH Traffic

You can optionally bind your SSH traffic to a specific device (eth0, eth1, eth2, eth3, all) on the appliance or to a specific IP address. By default, SSH traffic is unrestricted. Before you restrict SSH, confirm that the device or address you choose is the one you actually reach the appliance through: once the setting is applied, new SSH connections on the other interfaces are refused, and you will need local console access to change it back.

To bind your SSH traffic to a device or IP address

Use lunash:> sysconf ssh to bind the SSH traffic to a device or IP address, as follows:

> To bind to a specific device, use lunash:> sysconf ssh device <netdevice>. For example:

lunash:>sysconf ssh device eth1

Success:  SSH now restricted to ethernet device eth1 (ip address 192.168.255.2).
Restarting ssh service.
Stopping sshd:                                               [  OK  ]
Starting sshd:                                               [  OK  ]

Command Result : 0 (Success)


lunash:>sysconf ssh show

SSHD configuration:
SSHD Listen Port: 22 (Default)
SSH is restricted to ethernet device eth1 (ip address 192.168.255.2).
Password   authentication is enabled
Public key authentication is enabled


Command Result : 0 (Success)

>To bind to an IP address or host name, use lunash:> sysconf ssh ip <IP_address>. For example:

lunash:>sysconf ssh ip 192.20.10.200

Success:  SSH now restricted to ethernet device eth0 (ip address 192.20.10.200).
Restarting ssh service.
Stopping sshd:                                [  OK  ]
Starting sshd:                                [  OK  ]

Command Result : 0 (Success)
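When the binding steps above are scripted from an administration workstation (for example by capturing the output of lunash:> ntls show and lunash:> sysconf ssh show over SSH), the interesting case is the NTLS binding that is configured but not yet active. The following is an added example, not code from the Luna documentation or a Thales API: it parses the two outputs into structured results and fails a binding check whenever a pending binding exists, even if the currently bound device happens to match. The transcripts embedded in it are constructed from the wording shown on this page; the wording for an unrestricted SSH configuration is not shown on this page, so the parser simply assumes that such output carries no "restricted to" line.

```python
# Added example (not from the Luna Network HSM 7 documentation): parse the
# output of 'ntls show' and 'sysconf ssh show' into a structured result and
# flag an NTLS binding that has been configured but has not yet taken effect.
# The transcripts below are constructed from the wording shown on this page,
# and the parsing and check functions are this example's own, not a Thales API.
import re

# Constructed: 'ntls show' after 'ntls bind eth1' while eth1 is not yet active.
NTLS_SHOW_PENDING = """\
NTLS is configured to bind to eth1, but it is not active at this time.
NTLS will bind to eth1 if it's active and has a valid IP address when NTLS restarts.
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)
"""

# Constructed: 'ntls show' with the binding in effect.
NTLS_SHOW_ACTIVE = """\
NTLS is currently bound to IP Address: "192.20.11.78" (eth0)

Command Result : 0 (Success)
"""

# Constructed: 'sysconf ssh show' after 'sysconf ssh device eth1'.
SSH_SHOW = """\
SSHD configuration:
SSHD Listen Port: 22 (Default)
SSH is restricted to ethernet device eth1 (ip address 192.168.255.2).
Password   authentication is enabled
Public key authentication is enabled

Command Result : 0 (Success)
"""

_NTLS_BOUND = re.compile(r'currently bound to IP Address: "([^"]+)" \((\w+)\)')
_NTLS_PENDING = re.compile(r'configured to bind to (\w+), but it is not active')
_RESULT = re.compile(r'Command Result : (\d+)')
_SSH_RESTRICT = re.compile(r'restricted to ethernet device (\w+) \(ip address ([^)]+)\)')
_SSH_PORT = re.compile(r'SSHD Listen Port: (\d+)')
_SSH_AUTH = re.compile(r'^(Password|Public key)\s+authentication is (enabled|disabled)', re.M)


def parse_ntls_show(text):
    """Structured view of 'ntls show': the effective binding, any pending
    binding that is waiting for its device to come up, and the command result."""
    bound = _NTLS_BOUND.search(text)
    pending = _NTLS_PENDING.search(text)
    result = _RESULT.search(text)
    return {
        "device": bound.group(2) if bound else None,
        "address": bound.group(1) if bound else None,
        "pending": pending.group(1) if pending else None,
        "ok": result is not None and result.group(1) == "0",
    }


def parse_ssh_show(text):
    """Structured view of 'sysconf ssh show'. 'device' and 'address' are None
    when no 'restricted to' line is present, which this example assumes is how
    an unrestricted configuration is reported (that wording is not on the page)."""
    restrict = _SSH_RESTRICT.search(text)
    port = _SSH_PORT.search(text)
    auth = dict(_SSH_AUTH.findall(text))
    return {
        "port": int(port.group(1)) if port else None,
        "device": restrict.group(1) if restrict else None,
        "address": restrict.group(2) if restrict else None,
        "password_auth": auth.get("Password") == "enabled",
        "pubkey_auth": auth.get("Public key") == "enabled",
    }


def check_ntls_binding(text, expected_device):
    """Return (passed, reason). A pending binding fails the check even when the
    currently bound device matches, because the running state will change at
    the next NTLS restart."""
    st = parse_ntls_show(text)
    if not st["ok"]:
        return False, "'ntls show' did not report success"
    if st["pending"]:
        return False, (f"binding to {st['pending']} is configured but not active; "
                       f"NTLS is still bound to {st['device']} ({st['address']})")
    if st["device"] != expected_device:
        return False, f"NTLS is bound to {st['device']}, expected {expected_device}"
    return True, f"NTLS is bound to {st['device']} ({st['address']})"


if __name__ == "__main__":
    for name, text in (("pending", NTLS_SHOW_PENDING), ("active", NTLS_SHOW_ACTIVE)):
        print(name, check_ntls_binding(text, "eth1"))
    print(parse_ssh_show(SSH_SHOW))
```

Run against the pending transcript, check_ntls_binding reports a failure naming both the configured device (eth1) and the device still in use (eth0), which is exactly the state you are in between ntls bind and the point where the new device is up with a valid address and NTLS has been restarted.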