Hardening Secure Factory Service
To maximize the security of the solution, restrict access to Secure Factory Service instances to trusted employees and trusted machines within your network.
Follow best practices for hardening service instances, both by ensuring physical security and by implementing access policies and protecting your services from attacks. Please contact us for more information about required controls for Secure Factory machines.
For your system to work properly, you must:
- Enable the following operating system services:
  - NTP (Network Time Protocol) to enable Secure Factory Service and Secure Factory CLI to synchronize.
  - DNS (Domain Name System) to enable Secure Factory Service to communicate with Device Management.
- Enable the following inbound traffic for Secure Factory Service to function correctly:
  - TCP port 8443 must be accessible to Secure Factory CLI workstations.
  - TCP port 443 must be accessible to Secure Factory Control, possibly over VPN.
  - TCP port 27017 must be accessible to other Secure Factory Service hosts to enable database access.
- Enable bidirectional traffic on TCP port 1792 for communication with the SafeNet Luna HSMs.
- To enable remote SSH sessions to your Secure Factory Service nodes and HSM devices, enable access to port 22.
- Ensure that the following TCP ports are only accessible to the monitoring system (possibly only on the host machine):
  - Port 9101 to monitor HSM service metrics.
  - Port 22 must be accessible to Secure Factory Service nodes at least during the setup phase to be able to exchange server and client certificate files over SSH.
  - Port 8444 to monitor Secure Factory Service metrics.
  - Port 9444 to monitor Secure Factory Control metrics.
  - Port 9216 to monitor database metrics.
- Ensure that port 8180 is only accessible to Docker containers on the host machine to configure the HSM.
- Enable outbound traffic to Izuma Device Management.
  Note: You might also need to enable access to other services; for example, AWS S3 to download Secure Factory, Docker and Ubuntu updates.
- Ensure the Docker containers and the system user that installs the service can access the installation path and subfolders.
- Protect private keys and sensitive credentials, which are located at <installation path>/keystore/secrets. Only Docker containers and the system user that installs the service must be able to access these files.
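The port requirements above translate into a host firewall policy in which every listed port is reachable only from the role that needs it, and everything else is dropped. The script below is an added example, not part of the Secure Factory documentation or product: it generates iptables commands for the inbound side of that policy from a set of placeholder address ranges (CLI_WORKSTATIONS, CONTROL_HOSTS, SFS_PEERS, HSM_HOSTS, MONITORING, ADMIN_JUMP and DOCKER_NET are assumptions to be replaced with your own trusted ranges). It prints the rules rather than applying them, so the output can be reviewed and checked with rules_for_port before anything is loaded on a node.

```shell
#!/usr/bin/env bash
# Added example (not from the Secure Factory documentation): generate iptables
# rules for the inbound port matrix of a Secure Factory Service node.
# All address ranges are placeholders; replace them with your own trusted ranges.
set -eu

# Placeholder ranges (assumptions, not values from the documentation)
CLI_WORKSTATIONS="${CLI_WORKSTATIONS:-10.10.1.0/24}"   # Secure Factory CLI users      -> 8443
CONTROL_HOSTS="${CONTROL_HOSTS:-10.10.2.0/24}"          # Secure Factory Control (VPN)  -> 443
SFS_PEERS="${SFS_PEERS:-10.10.3.0/24}"                  # other Service nodes           -> 27017, 22 (setup)
HSM_HOSTS="${HSM_HOSTS:-10.10.4.0/24}"                  # SafeNet Luna HSMs             -> 1792
MONITORING="${MONITORING:-10.10.5.10/32}"               # monitoring collector          -> 9101, 8444, 9444, 9216
ADMIN_JUMP="${ADMIN_JUMP:-10.10.6.0/24}"                # SSH administration hosts      -> 22
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"               # default docker0 bridge        -> 8180

# Emit one ACCEPT rule for new TCP connections to $2 (port) from $1 (source range).
allow_tcp() {
  local src="$1" port="$2"
  printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$src" "$port"
}

# Print the complete INPUT rule set. Review it, then pipe into sh on the node.
# OUTPUT is left at its default ACCEPT policy, so outbound NTP, DNS, the HSM
# side of port 1792 and Device Management traffic are not blocked here.
gen_rules() {
  echo 'iptables -P INPUT DROP'                                   # default deny inbound
  echo 'iptables -A INPUT -i lo -j ACCEPT'                        # metrics bound to localhost
  echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  allow_tcp "$CLI_WORKSTATIONS" 8443                              # Secure Factory CLI
  allow_tcp "$CONTROL_HOSTS" 443                                  # Secure Factory Control
  allow_tcp "$SFS_PEERS" 27017                                    # database between Service hosts
  allow_tcp "$HSM_HOSTS" 1792                                     # Luna HSM traffic
  allow_tcp "$ADMIN_JUMP" 22                                      # remote SSH administration
  allow_tcp "$SFS_PEERS" 22                                       # certificate exchange during setup; remove afterwards
  for port in 9101 8444 9444 9216; do                             # HSM, Service, Control, database metrics
    allow_tcp "$MONITORING" "$port"
  done
  # 8180 (HSM configuration) only from containers on this host's docker bridge
  printf 'iptables -A INPUT -i docker0 -p tcp -s %s --dport 8180 -j ACCEPT\n' "$DOCKER_NET"
  echo 'iptables -A INPUT -j DROP'                                # explicit catch-all
}

# Number of ACCEPT rules that open a given port: a quick check that a port is
# not exposed more widely than the matrix intends (0 means it is never opened).
rules_for_port() {
  gen_rules | grep -c -- "--dport $1 " || true
}

# Usage: gen_rules > sfs-firewall.sh ; rules_for_port 22
```

Running rules_for_port 22 on this ruleset returns 2 (administration hosts plus the setup-time peer rule), which is the kind of result worth reviewing: once certificate exchange is finished, the peer rule should be dropped so the count returns to 1.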