Security and Firewalls
The OrionVM Platform is architected with security in mind. Private networks are segmented between customers at layer 2. Unlike other cloud platforms, no firewalls are enforced on customers by default, so each instance is responsible for filtering its own traffic.
This section covers securing instances with firewalls, automatic updates and best practices.
Automatic security updates
A prudent security measure is to have security-related package updates downloaded and installed automatically.
Debian and Ubuntu support this through the unattended-upgrades package, which pulls and installs packages from the distribution's security repositories. To use it, first install and configure it:
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Windows Server can also be configured to install updates automatically; however, this is not advised. Refer to Microsoft's Knowledge Base for details.
VyOS as a firewall
VyOS is made available for use as a firewall appliance for instances. Refer to the VyOS Firewall section for details.
Linux firewalls
Linux instances filter IP traffic with the kernel's netfilter framework, which is configured from userspace with iptables (newer kernels also provide nftables). Firewall rules can be written by hand, but doing so is tedious and error-prone. Many front ends exist to make this easier; two of them are described below.
The Uncomplicated Firewall
UFW is an easy-to-use, console-based front end to iptables. It comes bundled with Ubuntu, but can be installed on other Linux distributions. For Debian:
apt-get install ufw
And for CentOS, where the package comes from the EPEL repository rather than the base repositories:
yum install ufw
To use it, first define the default policy for all traffic. The commands below block traffic in both directions; note that a deny outgoing default also blocks DNS lookups and package updates until matching allow out rules are added.
ufw default deny incoming
ufw default deny outgoing
To permit services, use the allow command. For example, the following allows OpenSSH and web server connections on all interfaces, private and public:
ufw allow in ssh
ufw allow in http
ufw allow in https
Individual interfaces, source addresses and ports can be specified inline. For example, to allow SSH connections to the first interface only from a specific IP (the earlier ufw allow in ssh rule still permits SSH on every interface, so delete it if this restricted rule is meant to be the only way in):
ufw allow in on eth0 from 10.0.0.1 to any port 22 proto tcp
If you need to remove a rule, insert the word delete after ufw in the command used to create it. For example, to remove the rule allowing ssh access on all interfaces:
ufw delete allow in ssh
Once your rules are in place, enable the firewall. If you are connected over SSH, make sure an SSH allow rule is in place before this step, because the deny incoming default takes effect as soon as the firewall is enabled. You can then check its status, which lists all active rules:
ufw enable
ufw status
The UFW commands can be easily added to a shell script for deployments across multiple machines.
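The script below is an added example, not a script from the OrionVM documentation, showing how the rules above can be applied from a deployment script. It assumes a management host at 10.0.0.1 reaching the instance on eth0 (both hypothetical values), uses ufw --force enable so the interactive prompt does not stop the script, and checks the output of ufw show added for an inbound SSH rule before enabling, so that a deployment run over SSH cannot lock you out.

```sh
#!/bin/sh
# Added example for this page (not an OrionVM script): stages the UFW rules
# from this section and enables the firewall only if an inbound SSH allow rule
# has been recorded, so running it over SSH cannot lock you out.
# Assumed values: management host 10.0.0.1 reaching the instance on eth0.

MGMT_IP="${MGMT_IP:-10.0.0.1}"   # assumed management address
IFACE="${IFACE:-eth0}"           # assumed first (private) interface

# Succeeds if the output of "ufw show added" (rules staged before enabling)
# contains an inbound allow rule for SSH: port 22, the ssh service name, or
# the OpenSSH application profile. Outbound ("out") rules do not count.
ssh_allowed() {
    printf '%s\n' "$1" | grep '^ufw allow' | grep -v ' out ' \
        | grep -Eq '(^| )(22(/tcp)?|ssh|OpenSSH)( |$)'
}

# Default-deny in both directions, then re-open only what the host needs.
stage_rules() {
    ufw default deny incoming
    ufw default deny outgoing
    # deny outgoing also blocks DNS and package mirrors; allow them explicitly
    ufw allow out 53
    ufw allow out http
    ufw allow out https
    # SSH from the management host only, web from anywhere
    ufw allow in on "$IFACE" from "$MGMT_IP" to any port 22 proto tcp
    ufw allow in http
    ufw allow in https
}

# Refuse to enable unless SSH is reachable; --force skips the y/n prompt.
enable_if_safe() {
    if ssh_allowed "$(ufw show added)"; then
        ufw --force enable && ufw status verbose
    else
        echo "refusing to enable ufw: no inbound SSH allow rule staged" >&2
        return 1
    fi
}

case "${1:-}" in
    --apply) stage_rules && enable_if_safe ;;
    *)       echo "usage: $0 --apply   (run as root; rules are staged, then enabled)" >&2 ;;
esac
```

Run it as root with --apply on each instance; without the flag it only prints usage, so it is safe to ship in an image and call from a provisioning step.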
FireHOL
FireHOL is another popular firewall package. Unlike UFW, it uses its own configuration language to define firewall rules in a config file, from which it generates the iptables rules.
To install on Debian and Ubuntu:
apt-get install firehol
And on CentOS:
yum install firehol
FireHOL is enabled by setting START_FIREHOL=YES in /etc/default/firehol:
sed -i -e 's/START_FIREHOL=NO/START_FIREHOL=YES/' /etc/default/firehol
A default FireHOL configuration is made available in /etc/firehol/firehol.conf. The example below allows all traffic on a private interface, eth0, and a subset of traffic on a public interface, eth1. Because the eth1 section has no client rules, connections initiated by the instance itself on eth1 (package updates, for example) are not permitted until a client rule is added:
version 5

interface eth0 vlan
    server all accept
    client all accept

interface eth1 internet
    protection strong
    server ssh accept src 10.0.0.1
    server http accept
    server https accept
FireHOL can then be started on Debian 8 (Jessie) and other systemd-based templates:
sudo systemctl start firehol
And on other Linux templates:
sudo service firehol start
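As an added example, not from the FireHOL project or the OrionVM page, the following script performs the checks a practitioner would want before activating a new configuration on a remote instance. It scans firehol.conf for a server ssh accept rule on the interface named internet that carries no src restriction, compiles the configuration with firehol debug (which prints the iptables commands without applying them), and then applies it with firehol try, which reverts to the previous firewall after 30 seconds unless you confirm by typing commit at the prompt. The config path and the interface name internet follow the example above; both are assumptions of this script.

```sh
#!/bin/sh
# Added example for this page (not part of FireHOL or OrionVM): lints a
# firehol.conf for SSH exposed to the internet without a source restriction,
# then compiles and applies it with "firehol try", which reverts the firewall
# after 30 seconds unless "commit" is typed at the prompt.

CONF="${CONF:-/etc/firehol/firehol.conf}"   # assumed default config path

# Reads firehol.conf text on stdin. Exits 1 (naming the offending line) if an
# interface labelled "internet" has a "server ssh accept" rule that is not
# limited with "src"; exits 0 otherwise. Private interfaces are not checked.
check_ssh_src() {
    awk '
        $1 == "interface" { zone = $3 }   # interface <device> <name> ...
        zone == "internet" && $1 == "server" && $2 == "ssh" && $3 == "accept" && $0 !~ /src/ {
            print "firehol.conf line " NR ": ssh open to the internet without src" > "/dev/stderr"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

apply_firehol() {
    check_ssh_src < "$CONF" || return 1
    # "firehol debug" parses the config and prints the iptables commands it
    # would run, without touching the running firewall; a parse error fails here
    firehol debug > /dev/null || { echo "firehol.conf does not compile" >&2; return 1; }
    # activate, and roll back automatically unless confirmed within 30 seconds
    firehol try
}

case "${1:-}" in
    --apply) apply_firehol ;;
esac
```

Run it as root with --apply; if the check or the compile step fails nothing is applied, and if the new rules cut off your session the try command restores the previous firewall on its own.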
FreeBSD
FreeBSD ships with several firewalls, including OpenBSD's pf and the older IPFW. Both use a rule-file syntax that is generally easier to read than raw iptables rules. Refer to the FreeBSD Handbook's Firewalls chapter for details.
Windows Server
Windows Server 2008 R2 and Windows Server 2012 R2 include Windows Firewall with Advanced Security, which can filter both solicited and unsolicited traffic. Refer to Microsoft's TechNet documentation for full implementation details.