Secure Claude config — Haifa M9
Practical guide for deploying Claude Code and Claude Desktop securely at Haifa M9 edge sites. Focus: network segmentation, least privilege, and runtime hardening.
Overview & scope
This document targets system integrators and SREs configuring Claude AI instances in Haifa M9 facilities. It covers secure network layout, recommended OS and container hardening, secrets handling, and monitoring.
- Targets: Claude Code, Claude Desktop, Claude API endpoints
- Platform: Debian/Ubuntu server + container runtime
- Assumptions: dedicated VLANs and a perimeter firewall
Security checklist
- Isolate Claude nodes into a dedicated VLAN.
- Use mTLS for service-to-service connections.
- Enable the OS-level firewall with a default-deny policy and restrict inbound SSH to the jump hosts.
- Store secrets in a hardware-backed KMS or Vault.
- Enforce image signing and runtime attestation.
Network topology & ports
Minimal topology: border firewall → DMZ (ingress) → Claude VLAN, with a separate management VLAN that reaches the nodes only through the jump hosts (SSH row in the table).
| Service | Protocol | Direction | Port(s) |
|---|---|---|---|
| Claude API | HTTPS | Ingress | 443 (TLS) |
| Inter-node | mTLS | Both | 8100–8110 |
| Metrics | HTTPS | Egress | 9115 |
| SSH (admin) | SSH | Mgmt→Node | 22 (jump-host only) |
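A host-firewall ruleset that implements the table above on one Claude node, as an added example (not part of the original page): a small Python script that renders an nftables file you can apply with `nft -f`. The subnets in ZONES are constructed placeholders, and the rules assume the node itself terminates TLS on 443 and pushes metrics to a collector on 9115; anything the table does not list (DNS, NTP, update mirrors) stays blocked by the default-drop policy until you add it for the site's own resolvers and mirrors.

```python
"""Render an nftables host-firewall ruleset for one Claude node from the
port table.  Added example, not part of the original page: the zone CIDRs
are constructed placeholders (assumption) and must be replaced with the
real Haifa M9 subnets.  Apply with:  nft -f claude-node.nft
"""

# Constructed sample subnets (assumption): replace with the site's real ranges.
ZONES = {
    "dmz": ["10.90.1.0/24"],                              # ingress DMZ in front of the nodes
    "claude_vlan": ["10.90.10.0/24"],                     # the Claude nodes themselves
    "jump_hosts": ["10.90.200.10/32", "10.90.200.11/32"], # admin jump hosts only
    "metrics_backend": ["10.90.50.20/32"],                # secured metrics collector
}

# (zone, protocol, port spec) taken straight from the port table.
INBOUND = [
    ("dmz", "tcp", "443"),                # Claude API, TLS terminated on the node
    ("claude_vlan", "tcp", "8100-8110"),  # inter-node mTLS
    ("jump_hosts", "tcp", "22"),          # SSH from jump hosts only
]
OUTBOUND = [
    ("claude_vlan", "tcp", "8100-8110"),  # inter-node mTLS, initiated by this node
    ("metrics_backend", "tcp", "9115"),   # metrics shipped to the collector
]


def render_ruleset(zones=ZONES, inbound=INBOUND, outbound=OUTBOUND):
    """Return the nftables ruleset text.  Policy is drop on both hooks, so
    anything not in the table (DNS, NTP, update mirrors) has to be added
    explicitly for the site's own resolvers and mirrors."""
    lines = ["table inet claude_node {"]
    for name, cidrs in zones.items():
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {', '.join(cidrs)} }} }}")
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state invalid drop",
        "    ct state established,related accept",
    ]
    for zone, proto, port in inbound:
        lines.append(f"    ip saddr @{zone} {proto} dport {port} accept")
    lines += [
        '    log prefix "claude-node input drop: " drop',
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oif "lo" accept',
        "    ct state established,related accept",
    ]
    for zone, proto, port in outbound:
        lines.append(f"    ip daddr @{zone} {proto} dport {port} accept")
    lines += [
        '    log prefix "claude-node output drop: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def accepted_inbound_ports(ruleset):
    """Ports the input chain accepts, for a quick review against the table
    before the file is applied on a node."""
    ports = set()
    in_input = False
    for line in ruleset.splitlines():
        s = line.strip()
        if s.startswith("chain input"):
            in_input = True
        elif s.startswith("chain output"):
            in_input = False
        elif in_input and s.endswith("accept") and " dport " in s:
            ports.add(s.split(" dport ")[1].split()[0])
    return sorted(ports)


if __name__ == "__main__":
    print(render_ruleset(), end="")
```

Review the rendered file once with `nft -c -f claude-node.nft` before loading it; the logged drop lines are what you look at first when a node stops reaching the collector after a subnet change.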
Step-by-step secure configuration
- Host OS: apply the DISA STIG or CIS benchmark for the distribution, disable unused services, enable unattended security updates, and configure auditd and the kernel hardening sysctl parameters.
- Container runtime: run with a read-only rootfs, drop all capabilities (CAP_SYS_ADMIN above all) and add back only what the workload needs, enforce a seccomp profile and AppArmor or SELinux, verify image signatures with Notary or Cosign before anything is pulled or started, and run as a non-root user.
- Secrets and telemetry: use short-lived credentials issued by the KMS or Vault, rotate keys on a schedule, ship only the minimal metrics to the secured backend, and redact PII before any log leaves the Claude VLAN.
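To check a deployed container against the runtime controls in the second step, the following audit script (added here; not the page's or any project's own code) reads `docker inspect` output and reports each control that is missing. The two inspect documents embedded in it are constructed, a weak container beside the hardened one, and the seccomp profile path and AppArmor profile name are assumptions. Image signature verification with Cosign happens at pull time and is a separate check not covered here.

```python
"""Audit `docker inspect` output against the runtime hardening step:
read-only rootfs, no CAP_SYS_ADMIN (drop everything, add back only what is
needed), seccomp and AppArmor enforced, no privilege escalation, non-root
user.  Added example, not the page's or any project's code.
Run as:  docker inspect <container> | python3 audit_container.py -
"""
import json
import sys

# Two constructed `docker inspect` entries (only the fields the audit reads).
WEAK = {
    "Name": "/claude-node-weak",
    "Config": {"User": ""},                 # empty User means root
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "SecurityOpt": ["seccomp=unconfined"],
    },
}
HARDENED = {
    "Name": "/claude-node",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": True,
        "CapAdd": ["NET_BIND_SERVICE"],     # only what the workload needs
        "CapDrop": ["ALL"],
        "SecurityOpt": [
            "no-new-privileges:true",
            "seccomp=/etc/claude/seccomp.json",  # assumption: site profile path
            "apparmor=claude-node",              # assumption: site profile name
        ],
    },
}
SAMPLE_INSPECT = json.dumps([WEAK, HARDENED])  # what `docker inspect a b` would print


def audit_container(doc):
    """Return the findings for one inspect entry; an empty list means it passes."""
    findings = []
    hc = doc.get("HostConfig", {})
    cfg = doc.get("Config", {})
    secopt = hc.get("SecurityOpt") or []
    cap_add = {c.upper().removeprefix("CAP_") for c in hc.get("CapAdd") or []}
    cap_drop = {c.upper().removeprefix("CAP_") for c in hc.get("CapDrop") or []}

    if hc.get("Privileged"):
        findings.append("privileged container (disables every control below)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("rootfs is writable; run with --read-only and a tmpfs for scratch paths")
    if "ALL" in cap_add or "SYS_ADMIN" in cap_add:
        findings.append("CAP_SYS_ADMIN granted; drop it (--cap-drop=ALL, add back only what is needed)")
    if "ALL" not in cap_drop:
        findings.append("capabilities not dropped by default; use --cap-drop=ALL")
    seccomp = [o for o in secopt if o.startswith("seccomp=")]
    if "seccomp=unconfined" in seccomp:
        findings.append("seccomp disabled (seccomp=unconfined)")
    elif not seccomp:
        findings.append("no explicit seccomp profile; pin one with --security-opt seccomp=<profile.json>")
    apparmor = [o for o in secopt if o.startswith("apparmor=")]
    if not apparmor or apparmor[0] == "apparmor=unconfined":
        findings.append("no explicit AppArmor profile; pin one with --security-opt apparmor=<profile>")
    if "no-new-privileges:true" not in secopt:
        findings.append("setuid escalation allowed; add --security-opt no-new-privileges:true")
    user = str(cfg.get("User") or "")
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root; set a non-root --user and USER in the image")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {d["Name"].lstrip("/"): audit_container(d) for d in json.loads(text)}


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(raw).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

Without the `-` argument the script audits the two embedded samples, which is a convenient way to confirm the checks themselves before wiring it into a CI gate.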
Operational best practices
- Run chaos tests in a staging replica of Haifa M9.
- Maintain an incident runbook with clear rollback paths.
- Perform periodic attestation of runtime images and cryptographic keys.
FAQ
How long are prompt logs kept, and where is retention enforced?
Implement retention at the ingestion points and enforce matching DB policies; purge logs containing model prompts once the retention window has passed.
Which monitoring stack is recommended?
Prometheus for metrics, Grafana for dashboards, and Loki or ELK for logs, with RBAC and ingestion-time filtering.
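The redaction and retention logic from the secrets-and-telemetry step and the first FAQ answer, as one added example (not the page's own tooling): PII and credentials are scrubbed at the ingestion point, records carrying model prompts get the short retention class, and a purge pass drops whatever has expired. The retention windows, field names, the international phone format and the `sk-ant-` key prefix pattern are assumptions, and the sample records are constructed.

```python
"""Log-pipeline filter: redact PII and credentials before a record leaves
the Claude VLAN, tag records that carry model prompts, and purge them once
their retention window has passed.  Added example, not the page's or any
project's code.  Windows, field names and the key pattern are assumptions;
the sample records are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Retention windows in days (assumption: prompts short-lived, audit events long).
RETENTION_DAYS = {"prompt": 30, "audit": 365, "metric": 90}

# Patterns redacted before shipping, ordered so whole tokens are caught
# before the generic email/phone rules touch the same text.
REDACTIONS = [
    (re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*"), "Bearer [redacted]"),
    (re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"), "[api-key]"),   # assumption: key shape
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[email]"),
    (re.compile(r"\+\d[\d\s().-]{7,}\d"), "[phone]"),          # assumption: international format
]


def redact(text):
    """Apply every redaction pattern in order and return the scrubbed text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def classify(record):
    """Retention class: anything carrying a model prompt is 'prompt',
    whatever source it came from; otherwise the record's own kind."""
    if "prompt" in record or record.get("event") == "model_request":
        return "prompt"
    return record.get("kind", "audit")


def ingest(record, received_at):
    """Scrub a record and stamp its expiry at the ingestion point."""
    cls = classify(record)
    out = {k: (redact(v) if isinstance(v, str) else v) for k, v in record.items()}
    out["retention_class"] = cls
    out["expires_at"] = (received_at + timedelta(days=RETENTION_DAYS[cls])).isoformat()
    return out


def purge(records, now):
    """Keep only records whose retention window is still open (the DB-side job)."""
    return [r for r in records if datetime.fromisoformat(r["expires_at"]) > now]


# Constructed sample records; timestamps use "+00:00" so fromisoformat parses them.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLES = [
    {"ts": "2024-04-20T10:00:00+00:00", "event": "model_request",
     "prompt": "Summarise the ticket from alice@example.com, phone +972 4 123 4567"},
    {"ts": "2024-05-30T09:00:00+00:00", "kind": "audit",
     "msg": "token rotated for svc-ingress; old header was Bearer eyJhbGciOiJIUzI1NiJ9.abc.def"},
    {"ts": "2024-05-30T09:05:00+00:00", "kind": "metric",
     "msg": "api key sk-ant-api03-abcdefghijklmnopqrstuvwx seen in config"},
]


def run_pipeline(samples=SAMPLES, now=NOW):
    """Ingest each sample at its own timestamp, then purge as of `now`.
    Returns (all ingested records, records still retained)."""
    ingested = [ingest(r, datetime.fromisoformat(r["ts"])) for r in samples]
    return ingested, purge(ingested, now)


if __name__ == "__main__":
    ingested, kept = run_pipeline()
    for r in ingested:
        status = "kept" if r in kept else "purged"
        print(f"{r['retention_class']:7} {status:6} {r.get('prompt', r.get('msg'))}")
```

The prompt record from April is past its 30-day window at the sample's "now" and is purged, while the two May records survive; the redaction runs before the expiry stamp, so the version that reaches Loki or ELK never contains the original address, phone number or token.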
Lead SRE — Haifa M9
Available for onsite consults and secure audits.