Entrust nShield Security Manual page 18

any interface that is connected to the public Internet.
4.6.3. Impath resilience
The nethsm_settings section in the client host hardserver config file defines settings for
Impath resilience that are specific to the nShield Connect. By default Impath resilience is
turned on with a timeout of 1 week. This enables clients to reconnect in the event of
network errors. The associated timeout states when an Impath resilience session expires,
after which all previously loaded objects must be reloaded. Until it expires, a session
(and the objects loaded through it) can be resumed by a reconnecting peer, which is why
the timeout is a security setting and not only an availability one.
Your threat analysis of your environment, and your knowledge of the reliability of your
network, will determine whether Impath resilience needs to be enabled and what timeout
should be set (for example, a 5 minute Impath resilience timeout could give a reasonable
trade-off between security and resilience to transient network issues).
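As an added illustration (not taken from this manual), the nethsm_settings stanza in the client host hardserver config file, showing the 1 week default beside the 5 minute alternative discussed above. The key names enable_impath_resilience and impath_resilience_timeout, and the file path, are assumed from the client hardserver config.cfg template rather than quoted from this page; confirm them against the commented template on your own install.

```ini
# Client host hardserver config file (typically /opt/nfast/kmdata/config/config.cfg).
# Added example, not from the manual; key names assumed from the config template.
[nethsm_settings]
# Default: resilience on, sessions survive network errors for one week (604800 s).
enable_impath_resilience=yes
impath_resilience_timeout=604800

# Tighter alternative suggested in the manual: a 5 minute window (300 s).
# After expiry all previously loaded objects must be reloaded by the client.
# impath_resilience_timeout=300
```

The timeout is in seconds. Edit the file on the client host, then restart the hardserver so the new value takes effect.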
4.6.4. Configuring the RFS
The RFS contains the master copy of the Security World data for backup purposes. You
should regularly back up the entire contents of the RFS, as it is required to restore an
nShield Connect, or its replacement, to the current state in the case of failure.
To set up the RFS, the following information about the nShield Connect is required:
• IP address
• ESN
• The hash of the KNETI.
Even with a trusted network, it is recommended that the ESN and KNETI hash reported by
anonkneti be checked independently using the nShield Connect front panel, or from the
Serial Command Line Interface. If the network is untrusted, obtaining the ESN and KNETI
information directly from the nShield Connect front panel is essential. This information is
then used in the rfs-setup command to create the RFS. Specifically, the --setup
--no-authenticate option should not be used with the rfs-sync command, and the
--write-noauth option should not be used with the rfs-setup command, over insecure
networks: the first leaves the client unable to authenticate the RFS, and the second lets
the RFS accept writes from unauthenticated clients, either of which could give rise to a
masquerade attack.
If the cooperating clients that are required to access an RFS have either an nToken fitted,
or a Software Key for secure authentication available, then the nToken's or Software Key's
KNETI (respectively) should be used to authenticate them over insecure networks.
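The check-then-configure procedure above, as an added example script that is not part of the manual or of Entrust's tooling. anonkneti and rfs-setup are the real nShield utilities, but every IP address, ESN and KNETI hash below is a constructed placeholder, and the expected values stand in for what you would read from the Connect's front panel or serial console. The script refuses to create the RFS if the network-reported identity differs from the out-of-band one, and it builds the rfs-setup command lines without --write-noauth; the exact argument order for --gang-client is taken from rfs-setup's usage text and should be confirmed with rfs-setup --help on your install.

```shell
#!/bin/sh
# Added example, not from the nShield Security Manual. anonkneti and rfs-setup are
# the real nShield utilities; every IP, ESN and hash below is a constructed placeholder.

# Values read OUT OF BAND from the nShield Connect front panel (or the serial console),
# never from the network. Placeholders only.
CONNECT_IP="192.0.2.10"
EXPECTED_ESN="1234-5678-9ABC"
EXPECTED_KNETI_HASH="0123456789abcdef0123456789abcdef01234567"

# A cooperating client with an nToken: its identity, also obtained out of band (placeholders).
CLIENT_IP="192.0.2.20"
CLIENT_ESN="2222-3333-4444"
CLIENT_KNETI_HASH="89abcdef0123456789abcdef0123456789abcdef"

# Parse one line of anonkneti output, "<ESN> <KNETI hash>".
# Prints "<ESN> <hash>" with the hash lower-cased, or fails if the line is malformed.
parse_anonkneti() {
  set -- $1                                   # split the line into its fields
  [ "$#" -eq 2 ] || return 1
  case "$1" in
    [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]-*) ;;   # ESN looks like XXXX-XXXX-XXXX
    *) return 1 ;;
  esac
  hash=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "${#hash}" -eq 40 ] || return 1           # KNETI hash is 40 hex digits (SHA-1)
  case "$hash" in *[!0-9a-f]*) return 1 ;; esac
  printf '%s %s\n' "$1" "$hash"
}

# Succeeds only if the network-reported identity equals the front-panel values exactly.
identity_matches() {
  reported_line=$1; want_esn=$2; want_hash=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  parsed=$(parse_anonkneti "$reported_line") || return 1
  [ "$parsed" = "$want_esn $want_hash" ]
}

# The rfs-setup invocation that creates the RFS for this Connect. The ESN and KNETI hash
# are supplied, so the RFS pins the Connect's identity; no --write-noauth anywhere.
rfs_setup_cmdline() {
  printf 'rfs-setup --force %s %s %s\n' "$CONNECT_IP" "$EXPECTED_ESN" "$EXPECTED_KNETI_HASH"
}

# Authenticated form of adding a cooperating client: the client's nToken ESN and KNETI
# hash are given instead of --write-noauth (argument order as in rfs-setup's usage text;
# confirm against `rfs-setup --help` on your install).
rfs_gang_client_cmdline() {
  printf 'rfs-setup --gang-client %s %s %s\n' "$CLIENT_IP" "$CLIENT_ESN" "$CLIENT_KNETI_HASH"
}

main() {
  reported=$(anonkneti "$CONNECT_IP") || { echo "anonkneti failed for $CONNECT_IP" >&2; return 1; }
  if identity_matches "$reported" "$EXPECTED_ESN" "$EXPECTED_KNETI_HASH"; then
    echo "ESN/KNETI reported over the network match the front panel; creating the RFS"
    cmd=$(rfs_setup_cmdline); echo "+ $cmd"; $cmd || return 1
    cmd=$(rfs_gang_client_cmdline); echo "+ $cmd"; $cmd || return 1
  else
    echo "REFUSING: anonkneti reported '$reported'; front panel says $EXPECTED_ESN $EXPECTED_KNETI_HASH" >&2
    echo "Possible masquerade or misconfiguration; do not proceed." >&2
    return 2
  fi
}

# Only talk to the module when explicitly asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as sh rfs-verify.sh --run on the RFS host after replacing the placeholders with the values you read from the front panel. A mismatch in either the ESN or the hash aborts before any rfs-setup command is issued, which is the point: the network is the thing you do not trust yet.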
4.6.5. Remote configuration
The module (hardserver) configuration file can be used to enable: