
Security in Networks


Instructions for secure network configurations


Setting up a secure network within STACKIT requires a combination of best practices and the use of specific features. Here are guidelines to help you create a secure network in STACKIT:

  1. Network topology and segmentation:
    • Create Virtual Networks (OpenStack Networks) to isolate resources and control traffic.
    • Segment resources using subnets within a network to achieve granular access control and isolation.
    • You can find further information about Virtual Networks here: Basic Concepts Virtual Network
  2. Network access control:
    • Use Security Groups (SGs) to filter inbound and outbound traffic at the network level. Determine which ports, protocols, and IP address ranges are allowed.
    • Associate SGs with subnets or network interfaces as needed.
    • You can find further information about security groups here: Creating/Deleting and changing security groups

Correctly configuring security groups is critical to securely controlling traffic to and from instances. Properly configured security groups can help protect your network from unauthorized access and other potential threats.

  1. Principle of least privilege: Allow only absolutely necessary traffic.
  2. Explicit deny: start from a deny-all posture and then allow only the traffic that is actually needed.

Steps to securely configure security groups:

  1. Revise default security group:
    • Remove all of the default allow rules for ingress and egress.
    • Only add the rules that are absolutely necessary.
  2. Create custom security groups:
    • Avoid generic names. Name the security groups according to their function or the service they protect.
    • Limit traffic to the absolute minimum.
  3. Configure inbound rules:
    • Only allow traffic from trusted IP addresses or IP ranges.
    • Set specific ports for services and avoid using wide port ranges unless absolutely necessary.
  4. Configure outbound rules:
    • If possible, limit outbound traffic.
    • Note that many applications require updates or external dependencies. Make sure these connections are allowed.
  5. Secure remote access:
    • Use strict IP restrictions for SSH (port 22) and RDP (port 3389).
    • Consider using key-based authentication methods for SSH.
  6. Periodic review:
    • Review security group rules regularly and remove obsolete or unnecessary rules.
    • Stay up to date on current best practices and security standards.
  7. Automation and infrastructure as code:
    • Consider managing security group rules as code, for example with tools like Terraform. This promotes consistency and traceability and simplifies reviews.

Conclusion: Effective management of security groups requires attention and regular review. With the above best practices and a proactive security philosophy, you can significantly improve the security of your instances and networks in STACKIT.

Automation plays a critical role in the security of cloud environments. Tools like Terraform allow infrastructure as code (IaC) to be defined and provisioned.

Infrastructure as Code (IaC) is an approach in which the entire IT infrastructure is defined in the form of code or scripts. This code can be versioned, shared, and stored in version control systems such as Git. It allows developers and system administrators to treat infrastructure as they would treat software code.

Security benefits of Infrastructure as Code:

  • Consistency: Using IaC minimizes manual intervention, resulting in consistent and reproducible environments. This reduces the risk of human errors and inconsistencies that can lead to security vulnerabilities.
  • Versioning: Because the infrastructure is defined as code, you can track changes, allowing for better control and auditing. You can know exactly what changes were made, when and by whom.
  • Automated security checks: With IaC you can integrate automated tests and security checks into your CI/CD process. This ensures that infrastructure configurations comply with security policies before going into production.
  • Rapid remediation: In the event of a security incident, you can quickly revert to a known, secure configuration or apply security patches system-wide by updating and reapplying the IaC code.
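The following audit script is an added example (not STACKIT's or OpenStack's own tooling) of the kind of automated security check described above, applied to the security group steps from the previous section. It evaluates OpenStack-style rule records against the page's guidelines: generic group names, wide port ranges, SSH/RDP reachable from any source, and unrestricted egress. The sample groups, the `MAX_PORT_SPAN` threshold and the list of generic names are constructed assumptions.

```python
"""Audit OpenStack-style security group rules against the hardening steps."""
import ipaddress

REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}       # ports needing strict source limits
MAX_PORT_SPAN = 10                                    # assumption: wider ranges are flagged
GENERIC_NAMES = {"default", "test", "sg", "sg1", "new"}  # assumption: names to avoid


def is_any_source(rule):
    """True when the rule matches every address (no remote group, no or /0 prefix)."""
    if rule.get("remote_group_id") is not None:
        return False
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def check_rule(group_name, rule):
    """Return findings for one rule; an empty list means the rule passes."""
    findings, proto = [], rule.get("protocol")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    has_ports = lo is not None and hi is not None
    if rule["direction"] == "ingress":
        if proto is None and is_any_source(rule):
            findings.append(f"{group_name}: ingress allows all protocols from any source")
        if has_ports and hi - lo + 1 > MAX_PORT_SPAN:
            findings.append(f"{group_name}: wide port range {lo}-{hi}")
        for port, svc in REMOTE_ACCESS_PORTS.items():
            if has_ports and lo <= port <= hi and is_any_source(rule):
                findings.append(f"{group_name}: {svc} (port {port}) reachable from any source")
    elif rule["direction"] == "egress" and proto is None and is_any_source(rule):
        findings.append(f"{group_name}: unrestricted egress, confirm it is required")
    return findings


def audit(groups):
    """Run every check over a list of groups and collect the findings."""
    findings = []
    for group in groups:
        if group["name"].lower() in GENERIC_NAMES:
            findings.append(f"{group['name']}: generic name, name the group after its function")
        for rule in group["rules"]:
            findings.extend(check_rule(group["name"], rule))
    return findings


# Constructed sample: an untouched default group, an exposed bastion and a web group.
SAMPLE_GROUPS = [
    {"name": "default", "rules": [
        {"direction": "ingress", "protocol": None, "remote_group_id": "self"},
        {"direction": "egress", "protocol": None, "remote_ip_prefix": None}]},
    {"name": "bastion-ssh", "rules": [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"}]},
    {"name": "web-https", "rules": [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 443,
         "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 1024,
         "port_range_max": 65535, "remote_ip_prefix": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

In a CI pipeline the rule records would come from `openstack security group rule list -f json` or from the Terraform plan, and a non-empty result fails the job.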

Introducing IaC into your STACKIT environment, especially when combined with automation tools like Terraform, not only promotes efficiency and reusability, but also significantly contributes to the security of your entire cloud infrastructure.

Role and rights concept, including risky combinations


The role and rights concept that is applied within the STACKIT Portal can be found under the following links:

Management of service accounts and API tokens is described here:

Access to service accounts and API tokens can be managed according to the role and rights concept. It is important to identify and prevent potential risky combinations of roles and rights. Some examples are:

  • A user who holds the Owner, Admin and Member roles at the same time could inadvertently impact productive systems.
  • The combination of application user and developer rights can lead to unwanted changes in the production environment.

To avoid such risks, overlapping role assignments should be avoided and regular audits should be carried out.