Step 6: Configuring an Audit Server Connection

The next step in the hardening process is to configure and enable a connection from the Makito X Series to a remote audit server using the Transport Layer Security (TLS) protocol. To ensure a successful TLS connection, the audit server must meet the following requirements*:

Support for TLSv1.0 (RFC2246), TLSv1.1 (RFC4346), and/or TLSv1.2 (RFC5246) and ciphersuites compatible with the configured cryptographic strength policy.
Support for syslog protocol (RFC5424).

* Tested using BalaBit syslog-ng Premium Edition 4.2.2

To configure a connection to an audit server via the Web Interface, do the following:

Make sure the Makito X Series will trust the syslog server by installing its root CA certificate on the device (refer to Installing a Certificate).

Note

If you are using a self-signed certificate (SSC) on the Makito X Series, and client authentication is enabled on the audit server, the audit server's trusted clients list must include the encoder's or decoder's certificate fingerprint, which can be obtained by clicking on the certificate's name in the Administration > Certificates list view.
On the Administration page, click Audit from the sidebar menu.
The Audit page opens (as shown in the following Makito X4 Encoder example):
Check the Audit (Enabled) checkbox.
Type the IP address or Common Name of the audit server in the Audit Server Address field, optionally followed by :<port-number>. The server address must match the Common Name or one of the Subject Alternative Names in the server's certificate for successful authentication.
Choose TLS from the Transport menu.
If your policy requires that only connections to servers with CA-signed certificates are accepted, choose CA-signed from the Trusted Server menu. The audit server's root CA certificate must be imported on the Makito X (see Installing a Certificate).
If you choose to allow Trusted Servers to be Self-signed, enter the Fingerprint from the certificate of the audit server.
Click Apply.