Overview

The CloudCo Partner Platform is architectured with security in mind. Private networks are segmented between customers at layer 2. Unlike other cloud platforms, no firewalls are enforced on customers by default.

This section covers securing instances with firewalls, automatic updates and best practices.


Automatic security updates

A prudent security measure is to have security-related packages download and install automatically.

Debian and Ubuntu support this through the unattended-upgrades package, which pulls and installs packages automatically from the "security" repositories. To use, first install:

sudo apt-get install unattended-upgrades

Then enable:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Windows Server can be configured to perform automatic updates, however this is not advised. Refer to Microsoft’s Knowledge Base for details.


VyOS as a firewall

VyOS is made available for use as a firewall appliance for instances. Refer to the VyOS Firewall section for details.


Linux Firewalls

Depending on your kernel version, Linux instances uses either netfilter or IP tables for IP filtering. Firewall rules can be written manually, but are tedious and potentially error-prone. Many interfaces exist to make this work easier, two of which are described below.

The Uncomplicated Firewall

UFW is an easy to use, console-based firewall. It comes bundled with Ubuntu, but can be installed for any Linux distribution. For Debian:

apt-get install ufw

And for CentOS:

yum install ufw

To use, first define the default behavior for all traffic. The commands below illustrate traffic blocks in both directions.

ufw default deny incoming
ufw default deny outgoing

To enable services, use the allow command. For example, this will allow OpenSSH and web server connections on all private and public interfaces:

ufw allow in ssh
ufw allow in http
ufw allow in https

Individual interfaces and custom ports can be defined inline. For example, to only allow ssh connections from a specific IP to the first interface:

ufw allow in on eth0 from 10.0.0.1 to any ssh

If you need to remove a rule, append the word delete to the UFW command used to create it. For example, to remove allowing ssh access on all interfaces:

ufw delete allow in ssh

Once your rules are in place, start the firewall as below. You will then be able to check its status, which will list all the active rules:

ufw enable
ufw status

The UFW commands can be easily added to a shell script for deployments across multiple machines.

FireHOL

FireHOL is another popular firewall package. Unlike UFW, it uses its own meta language to define firewall rules in a config file.

To install on Debian and Ubuntu:

apt-get install firehol

And on CentOS:

yum install firehol

FireHOL is enabled by modifying a default script.

sed -i -e 's/START_FIREHOL=NO/START_FIREHOL=YES/' /etc/default/firehol

A default FireHOL configuration is made available in /etc/firehol/firehol.conf. The example below allows all traffic on a private interface on eth0, and a subset of traffic on a public interface on eth1:

version 5

interface eth0 vlan
    server all accept
    client all accept

interface eth1 internet
    protection strong
    server ssh accept src 10.0.0.1
    server http accept
    server https accept

FireHOL can then be started on Debian 8.0 Jessie:

sudo systemctl start firehol

And on other Linux templates:

sudo service firehol start

FreeBSD Firewalls

FreeBSD comes with several firewalls, including OpenBSD’s pf, and the older IPFW. Both can be configured more easily than Linux iptables rules. Refer to the FreeBSD Handbook Firewalls chapter for details.


Windows Firewalls

Windows Server 2008 R2 and Windows Server 2012 R2 include Windows Firewall With Advanced Security, which can be used to filter solicited and unsolicited traffic. Refer to this Technet article for full implementation details.