How To Enable & Manage the New, Free GoGrid Firewall Service

May 1st, 2013 by - 6,758 views

Security and infrastructure don’t always go hand in hand. In fact, many non-adopters of cloud computing have cited the lack of good security as one of the primary reasons they are not wholeheartedly embracing the cloud and all its glory. In some ways, these naysayers are correct: You shouldn’t deploy a cloud or frankly any type of infrastructure without some type of security, whether it’s software-based controls or a hardware device. At GoGrid, it is this desire to overcome security concerns that compelled us to release our free (that’s right FREE) Firewall Service.

When we developed our Firewall Service, we wanted to do more than simply offer a set of blocking rules or a hardware device. We wanted our solution to be centrally managed, easy to use and configure, fully featured, integrated across all our data centers, reliable, programmatically controlled, highly available, flexible, elastic, self-healing…whew! And did I mention, free? As we did for our new Dynamic Load Balancers, we embraced the concepts of software-defined networking (SDN) when architecting our Firewall Service.

Our research showed that for small environments, software-based firewalls (like IPtables or a Windows Firewall) worked just fine, provided the infrastructure didn’t need to scale. Similarly, hardware-based firewalls were great for enterprise-grade installations (but remember, if you get one hardware device, you typically need another one ready as a failover). We wanted to do it better. You can read more about the theory behind our cloud Firewall Service in this article.

As with my previous How To articles, there are 3 easy steps in the Firewall Service setup:

1. Create a Security Group
2. Define
a Policy
3. Add
a Connection

GoGrid’s Firewall Service is distributed and global. That means that once it’s configured, it automatically synchronizes across all our data centers. If you have multiple web servers in multiple GoGrid data centers, you simply define the Security Groups and Policies, connect the servers, and you’re done. Any future policy changes are automatically synchronized to the connected servers. Simple, right? Let’s see how to set up the Firewall Service.

A Video Walk-Through

The video below (also available directly on YouTube) provides a quick overview of how to enable and manage GoGrid’s Firewall Service. In this video, you’ll learn:

  • Why GoGrid’s Firewall Service is unique
  • Details on Security Groups, Polices, and Connections
  • How to create and manage GoGrid’s Firewall Service

Let’s get started:

The video cannot be shown at the moment. Please try again later.

Ready to try it out yourself? First, make sure you have a GoGrid account. If you don’t, just contact one of our Cloud Specialists, mention this article, and they’ll set you up with a service credit to get started.

Setting Up the GoGrid Firewall Service

In the written part of this tutorial, we’ll walk through 3 steps:

  1. Creating a Security Group
  2. Defining Policies
  3. Adding a Connection

This article provides a high-level overview. You can also refer to the Firewall Service documentation and user manual on the GoGrid wiki. Also note that there is full documentation on how to programmatically control GoGrid’s Firewall Service using our RESTful API.

Creating a Security Group

The first step in enabling GoGrid’s Firewalls Service is to create a security group. To do so, log into the management console, then click on the Networking tab.

Firewall Service - Networking Tab

Firewall Service – Networking Tab

From the left navigation, select Security Group.

Firewall Service - Security Group

Firewall Service – Security Group

On the Security Group page, you’ll see all available Security Groups. To make the configuration process a bit easier, we’ve created 4 default Security Groups: Default Block All, Default Core, Default Linux Web, and Default Windows Web. Note: The only action you can take on these default groups is Clone.

Each of these default Security Groups is preconfigured with a set of common rules. The Firewall Service defaults to blocking all connections (the most restrictive), and you then open up specific protocols and ports based on your needs.

If you have a Windows or Linux web server environment, your best bet is to start by cloning one of those Default Security Groups, which opens up ports 80 (HTTP), 443 (HTTPS), and either 22 (SSH on Linux) or 3389 (RDP on Windows). Let’s walk through that process.

Click on one of the Default Security Groups and then click the Clone button at the top of the screen.

Firewall Service - Clone

Firewall Service – Clone

Next, select the Data Center (remember that Security Groups synchronize across all GoGrid data centers), enter the Name and the Description, and set the Status.

Firewall Service - Add & Edit General Security Group Info

Firewall Service – Add & Edit General Security Group Info

Once you enter these settings, click Save. You’ll see your new Security Group appear in the list with an amber status, which means it’s being replicated across all data centers.

Firewall Service - Security Group Replication

Firewall Service – Security Group Replication

Once the replication is completed, the status light will turn green.

From there, we go on to review and set the Policies.

Setting the Firewall Service Policies

The Firewall Service’s policies govern what is done with traffic and which ports allow or block traffic. In the example above, we cloned the default Linux Web Security Group, which means the default policies were copied as well.

Select your new Security Group and click Edit.

Firewall Service - Edit Security Group

Firewall Service – Edit Security Group

You can easily see what Policies are enabled for a particular Security Group. Let’s say you want to make a change to the Policies, like removing Ping responses. To remove a policy, simply click on it and then click the Delete button.

Firewall Service - Delete Policy

Firewall Service – Delete Policy

The two ICMP (Ping) protocols have been deleted. Next, let’s add a unique port (e.g., 1234) for TCP. To do so, click Add.

Firewall Service - Add Custom Policy

Firewall Service – Add Custom Policy

Fill in the fields and then click Save to store your Policy changes.

Firewall Service - Custom Port added

Firewall Service – Custom Port added

Lastly, select your new Policy and click Save to store (and replicate) the changes to your Security Group and Policies.

Note: SMTP (Port 25) is a special use case. Because we want to keep the GoGrid cloud as spammer-free as possible, Port 25 is blocked at a higher level by default. If you try to open up SMTP, you’ll get the following prompt:

Firewall Service - SMTP port

Firewall Service – SMTP port

Assigning Security Groups to Connections

The final step in securing your cloud environment with GoGrid’s Firewall Service is to associate your Security Group and Policies with Connections to GoGrid Cloud Servers. Currently, you can only associate Security Groups with public interfaces but we’ll be enabling private interfaces soon.

To add a Connection to one or more servers, click on the Connections link on the left-hand nav. This action will display the current configured Connections as well as allow you to add new ones.

Firewall Service - Connections

Firewall Service – Connections

To Add a new connection, select the Data Center, enter a Name, a Description, select the Server from the drop-down of available servers and interfaces, and choose the Security Group. If your server isn’t in the drop-down, it’s either in a different data center or not eligible to use the Firewall Service (e.g., a dedicated server).

Firewall Service - Configure Connection

Firewall Service – Configure Connection

Click Save to create the Connection. The new Connection will appear in the list.

Firewall Service - Active Connection

Firewall Service – Active Connection

Also, you can confirm that your Cloud Server(s) are protected by going to the Grid view. You’ll see a Firewall icon on each server that’s protected, and if a Security Group has Connections associated with it, they’ll display there, too.

Firewall Service - Grid Firewall & Security Groups

Firewall Service – Grid Firewall & Security Groups

If you hold the mouse over your server, you can also get more details.

Firewall Service - Mouse-over Firewall & Security Group

Firewall Service – Mouse-over Firewall & Security Group

Once you associate other Connections (Servers) with Security Groups, your environment will be protected based on the Policies you’ve defined. The nice thing about this centrally managed Firewall Service is that if you need to make a change to a Security Group (e.g., add/edit/delete a Policy), it will automatically propagate out to all attached Connections. Edit once and protect many!

Protecting your GoGrid Cloud

We want to make managing (and SECURING) your GoGrid cloud environment as easy and powerful as possible. Built on our SDN architecture, the Firewall Service is distributed, highly available, resilient, centrally managed, programmatically controlled, and flexible.

Remember, we offer this new Firewall Service on GoGrid for FREE. It’s an essential service that will make your infrastructure on GoGrid much more secure. Give it a try and let us know what you think.

The following two tabs change content below.

Michael Sheehan

Michael Sheehan, formerly the Technology Evangelist for GoGrid, is a recognized technology, social media, and cloud computing pundit and blogger who writes regularly about technology news and trends.

Leave a reply