Introduction
Welcome to the Fortanix-Data-Security-Manager (DSM) IP Policy Restrictions document. The purpose of this article is to describe the steps required to configure and provide network-based IP access control to the Fortanix DSM users.
IP Policy (Network-based Access Controls)
In controlled-network environments (not the Internet), network-based access controls are used as a defense-in-depth mechanism to allow access to only certain functionality from certain origins.
Fortanix DSM allows you to control the following:
Principal Types: Fortanix DSM allows specific security principals from a particular origin. It supports the following two types of authenticated principals:
User
App
API Classes: Fortanix DSM divides all APIs into disjoint API classes. The API classes do not intersect.
The following API classes are supported:
EKMS
KMIP
HEALTH
UNAUTHUSER
OTHER
An origin is defined as a non-empty set of IP subnets.
To decide whether an API request is allowed, the request is matched to the most specific policy item that applies to it. The request is allowed if and only if the policy item specifies that both the request's principal and the request's API class are allowed.
The whole policy is a list of policy items. One policy item must contain exactly the default origin 0.0.0.0/0. Except for the policy item with the default origin, each policy item's origin is a strict subset of the origin of another policy item in the policy.
IP Policy Validity Requirements
The requirements on policy items and their origins ensure that a policy's items can be arranged in a tree-like structure with the following properties:
A node contains the policy item. This policy applies to all origins in the node’s origin that are not members of a child node's origin.
Every node with a parent must have an origin that is a subset of its parent node’s origin.
Nodes with a common parent must define disjoint origins.
The root node is the policy item containing exactly the default origin 0.0.0.0/0.
IP Policy Example
Restricting Apps to a subnet:
"policy_items": [
  {
    "origins": [ "0.0.0.0/0" ],
    "principals": { "users": true, "apps": false },
    "api_classes": { "other": true, "kmip": true, "ekms": true, "health": true, "unauth_user": true }
  },
  {
    "origins": [ "10.1.0.0/16", "10.3.0.0/16" ],
    "principals": { "users": false, "apps": true },
    "api_classes": { "other": true, "kmip": true, "ekms": true, "health": true, "unauth_user": false }
  }
]
With this configuration, users will not be able to use the cluster from the subnets 10.1.0.0/16 and 10.3.0.0/16. They will still be able to see the index page, but they will not be able to authenticate or even see their authentication options.
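The matching rule and the validity requirements described above can be checked offline before a policy is saved. The following is an added example, not Fortanix code: it validates a policy and evaluates requests against the example policy items. The function names are hypothetical, the example handles IPv4 only, and it assumes that "most specific" means the deepest tree node whose origin contains the source address and that the tree requirements are equivalent to every pair of origins being either strictly nested or disjoint.

```python
import ipaddress

# Policy items from the example above, written as a Python literal.
POLICY = [
    {"origins": ["0.0.0.0/0"],
     "principals": {"users": True, "apps": False},
     "api_classes": {"other": True, "kmip": True, "ekms": True,
                     "health": True, "unauth_user": True}},
    {"origins": ["10.1.0.0/16", "10.3.0.0/16"],
     "principals": {"users": False, "apps": True},
     "api_classes": {"other": True, "kmip": True, "ekms": True,
                     "health": True, "unauth_user": False}},
]
ROOT = [ipaddress.IPv4Network("0.0.0.0/0")]

def origin(item):
    """Origin as a minimal, sorted list of non-overlapping IPv4 networks."""
    nets = [ipaddress.IPv4Network(o) for o in item["origins"]]
    if not nets:
        raise ValueError("an origin must be a non-empty set of subnets")
    return list(ipaddress.collapse_addresses(nets))

def subset(a, b):
    return all(any(x.subnet_of(y) for y in b) for x in a)

def disjoint(a, b):
    return not any(x.overlaps(y) for x in a for y in b)

def validate(policy):
    """Assumed reading of the tree rules: one root, other origins nested or disjoint."""
    origins = [origin(i) for i in policy]
    if origins.count(ROOT) != 1:
        raise ValueError("exactly one item must have origin 0.0.0.0/0")
    for i, a in enumerate(origins):
        for b in origins[i + 1:]:
            nested = a != b and (subset(a, b) or subset(b, a))
            if not (nested or disjoint(a, b)):
                raise ValueError(f"origins {a} and {b} overlap without nesting")

def is_allowed(policy, source_ip, principal, api_class):
    """Apply the most specific matching item; allow only if both flags are true."""
    validate(policy)
    ip = ipaddress.IPv4Address(source_ip)
    matches = [i for i in policy if any(ip in n for n in origin(i))]
    # In a valid policy the matches are nested, so the smallest origin is the deepest node.
    item = min(matches, key=lambda i: sum(n.num_addresses for n in origin(i)))
    return bool(item["principals"][principal] and item["api_classes"][api_class])
```

Running a candidate policy through `validate` and a few `is_allowed` probes for known administrator and application addresses helps catch a policy item that would lock users out before it is applied to the account.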
Create/Edit/Delete an IP Policy
A Fortanix DSM account administrator can restrict which types of IP addresses are allowed for all the IP policies in the account.
Perform the following steps to create an account level IP policy:
Click the System Administration tab of the Fortanix DSM UI and click the Settings tab. In the Account Settings page, click the IP POLICY button. The root node policy item containing the default origin (0.0.0.0/0) appears. Here, default policy effectively means that there is no filtering based on IP.
Figure 1: Default IP Policy
Add a New Policy
To add a new policy item, perform the following:
Click the + icon to add another IP policy.
Figure 2: Add Policy Item
In the ADD POLICY ITEM page, you can restrict some functionalities originating from the configured IP addresses. Type the CIDRs that you want to restrict, separated by commas. Then, select the Principals and API classes that you want to allow.
Click SAVE to save the policy settings.
Edit an Existing Policy
To edit a policy item, perform the following:
Click Edit.
Figure 3: Edit Policy Item
In the EDIT POLICY ITEM page, modify the desired principals and API classes. You can also edit the CIDRs here.
Click SAVE to save the policy settings.
Delete an Existing Policy
To delete a policy item, perform the following:
Click DELETE.
Figure 4: Delete Policy Item
In the DELETE POLICY ITEM(S) page, you can delete an IP policy item.
Click DELETE to delete the policy settings.