Security and infrastructure don’t always go hand in hand. In fact, many non-adopters of cloud computing have cited the lack of good security as one of the primary reasons they are not wholeheartedly embracing the cloud and all its glory. In some ways, these naysayers are correct: You shouldn’t deploy a cloud or frankly any type of infrastructure without some type of security, whether it’s software-based controls or a hardware device. At GoGrid, it is this desire to overcome security concerns that compelled us to release our free (that’s right FREE) Firewall Service.
When we developed our Firewall Service, we wanted to do more than simply offer a set of blocking rules or a hardware device. We wanted our solution to be centrally managed, easy to use and configure, fully featured, integrated across all our data centers, reliable, programmatically controlled, highly available, flexible, elastic, self-healing…whew! And did I mention, free? As we did for our new Dynamic Load Balancers, we embraced the concepts of software-defined networking (SDN) when architecting our Firewall Service.
Our research showed that for small environments, software-based firewalls (like IPtables or a Windows Firewall) worked just fine, provided the infrastructure didn’t need to scale. Similarly, hardware-based firewalls were great for enterprise-grade installations (but remember, if you get one hardware device, you typically need another one ready as a failover). We wanted to do it better. You can read more about the theory behind our cloud Firewall Service in this article.
As with my previous How To articles, there are 3 easy steps in the Firewall Service setup:
1. Create a Security Group
2. Define a Policy
3. Add a Connection
GoGrid’s Firewall Service is distributed and global. That means that once it’s configured, it automatically synchronizes across all our data centers. If you have multiple web servers in multiple GoGrid data centers, you simply define the Security Groups and Policies, connect the servers, and you’re done. Any future policy changes are automatically synchronized to the connected servers. Simple, right? Let’s see how to set up the Firewall Service.
A Video Walk-Through
The video below (also available directly on YouTube) provides a quick overview of how to enable and manage GoGrid’s Firewall Service. In this video, you’ll learn:
- Why GoGrid’s Firewall Service is unique
- Details on Security Groups, Policies, and Connections
- How to create and manage GoGrid’s Firewall Service
Let’s get started:
Ready to try it out yourself? First, make sure you have a GoGrid account. If you don’t, just contact one of our Cloud Specialists, mention this article, and they’ll set you up with a service credit to get started.
Setting Up the GoGrid Firewall Service
In the written part of this tutorial, we’ll walk through 3 steps:
- Creating a Security Group
- Defining Policies
- Adding a Connection
This article provides a high-level overview. You can also refer to the Firewall Service documentation and user manual on the GoGrid wiki. Also note that there is full documentation on how to programmatically control GoGrid’s Firewall Service using our RESTful API.
Creating a Security Group
The first step in enabling GoGrid’s Firewall Service is to create a Security Group. To do so, log into the management console, then click on the Networking tab.
From the left navigation, select Security Group.
On the Security Group page, you’ll see all available Security Groups. To make the configuration process a bit easier, we’ve created 4 default Security Groups: Default Block All, Default Core, Default Linux Web, and Default Windows Web. Note: The only action you can take on these default groups is Clone.
Each of these default Security Groups is preconfigured with a set of common rules. The Firewall Service defaults to blocking all connections (the most restrictive), and you then open up specific protocols and ports based on your needs.
If you have a Windows or Linux web server environment, your best bet is to start by cloning one of those Default Security Groups, which opens up ports 80 (HTTP), 443 (HTTPS), and either 22 (SSH on Linux) or 3389 (RDP on Windows). Let’s walk through that process.
Click on one of the Default Security Groups and then click the Clone button at the top of the screen.
Next, select the Data Center (remember that Security Groups synchronize across all GoGrid data centers), enter the Name and the Description, and set the Status.
Once you enter these settings, click Save. You’ll see your new Security Group appear in the list with an amber status, which means it’s being replicated across all data centers.
Once the replication is completed, the status light will turn green.
From there, we go on to review and set the Policies.
Setting the Firewall Service Policies
The Firewall Service’s policies govern what is done with traffic and which ports allow or block traffic. In the example above, we cloned the default Linux Web Security Group, which means the default policies were copied as well.
Select your new Security Group and click Edit.
You can easily see what Policies are enabled for a particular Security Group. Let’s say you want to make a change to the Policies, like removing Ping responses. To remove a policy, simply click on it and then click the Delete button.
The two ICMP (Ping) protocols have been deleted. Next, let’s add a unique port (e.g., 1234) for TCP. To do so, click Add.
Fill in the fields and then click Save to store your Policy changes.
Lastly, select your new Policy and click Save to store (and replicate) the changes to your Security Group and Policies.
Note: SMTP (Port 25) is a special use case. Because we want to keep the GoGrid cloud as spammer-free as possible, Port 25 is blocked at a higher level by default. If you try to open up SMTP, you’ll get the following prompt:
Assigning Security Groups to Connections
The final step in securing your cloud environment with GoGrid’s Firewall Service is to associate your Security Group and Policies with Connections to GoGrid Cloud Servers. Currently, you can only associate Security Groups with public interfaces, but we’ll be enabling private interfaces soon.
To add a Connection to one or more servers, click on the Connections link on the left-hand nav. This action will display the current configured Connections as well as allow you to add new ones.
To add a new Connection, select the Data Center, enter a Name and a Description, select the Server from the drop-down of available servers and interfaces, and choose the Security Group. If your server isn’t in the drop-down, it’s either in a different data center or not eligible to use the Firewall Service (e.g., a dedicated server).
Click Save to create the Connection. The new Connection will appear in the list.
Also, you can confirm that your Cloud Server(s) are protected by going to the Grid view. You’ll see a Firewall icon on each server that’s protected, and if a Security Group has Connections associated with it, they’ll display there, too.
If you hold the mouse over your server, you can also get more details.
Once you associate other Connections (Servers) with Security Groups, your environment will be protected based on the Policies you’ve defined. The nice thing about this centrally managed Firewall Service is that if you need to make a change to a Security Group (e.g., add/edit/delete a Policy), it will automatically propagate out to all attached Connections. Edit once and protect many!
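As an added example (not GoGrid’s code or API), here is a small Python model of the three steps above: cloning a default Security Group, deleting and adding Policies, connecting servers, and the way a Policy change on a shared group reaches every attached Connection. The platform-level port 25 block, the two ICMP types, and the behaviour of a server with no Connection are assumptions.

```python
"""Security Group / Policy / Connection model; added example, not GoGrid's code or API."""
from dataclasses import dataclass
from typing import Optional

PLATFORM_BLOCKED = {("tcp", 25)}  # assumption per the SMTP note: refused above any group

@dataclass(frozen=True)
class Policy:
    protocol: str               # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # TCP/UDP port; for ICMP the type is stored here

class SecurityGroup:
    def __init__(self, name, policies=()):
        self.name, self.policies = name, set(policies)

    def clone(self, name):  # a clone starts with the default group's Policies
        return SecurityGroup(name, self.policies)

    def add(self, policy):
        if (policy.protocol, policy.port) in PLATFORM_BLOCKED:
            raise ValueError(f"{policy} is blocked at the platform level")
        self.policies.add(policy)

    def delete(self, policy):
        self.policies.discard(policy)

class Firewall:
    def __init__(self):
        self.connections = {}  # server -> SecurityGroup (shared object)

    def connect(self, server, group):
        self.connections[server] = group  # later edits to the group propagate

    def allows(self, server, protocol, port=None):
        group = self.connections.get(server)
        if group is None:
            return True  # assumption: no Connection means the service does not filter
        if (protocol, port) in PLATFORM_BLOCKED:
            return False
        return Policy(protocol, port) in group.policies  # default: block all

def demo():
    # Constructed stand-in for "Default Linux Web": 80, 443, 22 and ping; modelling
    # the two ICMP entries as echo-request (8) and echo-reply (0) is an assumption.
    base = SecurityGroup("Default Linux Web", [Policy("tcp", 80), Policy("tcp", 443),
                         Policy("tcp", 22), Policy("icmp", 8), Policy("icmp", 0)])
    fw, web = Firewall(), base.clone("my-linux-web")
    for server in ("web-1", "web-2"):
        fw.connect(server, web)       # both servers share one Security Group
    for ping in (Policy("icmp", 8), Policy("icmp", 0)):
        web.delete(ping)              # remove Ping responses
    web.add(Policy("tcp", 1234))      # open the custom TCP port
    return fw, web
```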
Protecting your GoGrid Cloud
We want to make managing (and SECURING) your GoGrid cloud environment as easy and powerful as possible. Built on our SDN architecture, the Firewall Service is distributed, highly available, resilient, centrally managed, programmatically controlled, and flexible.
Remember, we offer this new Firewall Service on GoGrid for FREE. It’s an essential service that will make your infrastructure on GoGrid much more secure. Give it a try and let us know what you think.