
How to use DigitalOcean firewalls for your Droplets – CloudSavvy IT

Firewalls are critical to the security of every server. Allowing only the right traffic to reach the right resource keeps malicious traffic, and the attacks it carries, away from services you never meant to expose. DigitalOcean's virtual machines, called Droplets, come with their own firewall system that has configuration, monitoring and maintenance advantages over a traditional OS-level firewall.

The firewall system is called Cloud Firewalls. It is a network-level firewall that drops traffic you do not want to reach your Droplet, so potentially harmful traffic never arrives at your server at all. Some of the features of Cloud Firewalls are:

  • Stateful inbound and outbound rules
  • Named services such as SSH, HTTP(S), MySQL, etc.
  • Custom ports
  • Port ranges
  • Restriction by source, such as Droplets, load balancers, VPCs, tags, or specific IPv4 or IPv6 CIDR ranges

DigitalOcean recently released Virtual Private Cloud (VPC) networking. By placing a set of resources in a VPC, traffic between them stays inside that network, isolated from other VPC networks. Cloud Firewalls work together with VPCs to segment and protect traffic further. For this article we will use two Droplets configured as follows:

  • OS: Ubuntu 18.04.3 LTS x64
  • Plan: Basic Droplet at $5/month
  • Region: SFO2
  • Authentication: SSH keys
  • Tags: test, ubuntu

Create a Cloud Firewall

After creating a Linux Droplet, one of the first tasks is to protect the SSH service, since it is a primary target for malicious actors. Let's create a simple firewall that restricts SSH on our newly created Droplet to only the IP address we designate.

In this example that address is 192.168.100.5. After clicking "Create Firewall" we get a form asking for the name, the inbound rules, the outbound rules and the resources the firewall should apply to.

  • Name: ssh-limit
  • Inbound rules: SSH (TCP port 22) with source 192.168.100.5

Create a firewall.

Next, let's look at the outbound rules. What you see below are the default rules: all TCP and UDP outbound traffic is allowed to all destinations, as is ICMP. In general that is acceptable, depending on your needs. Most server administrators focus on controlling inbound traffic rather than outbound. That said, you can restrict outbound traffic too, which limits what a compromised Droplet is able to reach.

Outgoing rules

Finally, let's apply this new firewall to the Droplet we tagged test. Why apply the firewall to a tag rather than to the Droplet itself? A firewall applied to a tag is automatically applied to every new resource that carries that tag. This automates the configuration and means that important firewall rules are not forgotten.

Apply the new firewall to the newly created Droplet

After creation you can see that the firewall is applied to the Droplet and will now drop all traffic that does not match the rules before it reaches the Droplet.

The firewall applied to the Droplet: non-matching traffic is dropped before it reaches the Droplet
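The ssh-limit firewall above, expressed as the JSON body that DigitalOcean's API v2 accepts for POST /v2/firewalls, together with a check that no inbound rule exposes a port to the whole Internet. This is an added example written for this article, not code from CloudSavvy IT or DigitalOcean; it builds and inspects the definition offline and never calls the API. The administrator address 192.168.100.5 and the tag test are the values used above; the default outbound rules are the three shown in the screenshot.

```python
import ipaddress
import json

# Added example (not from the article or DigitalOcean): build the ssh-limit
# Cloud Firewall as the POST /v2/firewalls request body and lint it offline.
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# DigitalOcean's default outbound rules: ICMP plus every TCP/UDP port, to anywhere.
DEFAULT_OUTBOUND = [
    {"protocol": "icmp", "destinations": {"addresses": [ANY_V4, ANY_V6]}},
    {"protocol": "tcp", "ports": "all", "destinations": {"addresses": [ANY_V4, ANY_V6]}},
    {"protocol": "udp", "ports": "all", "destinations": {"addresses": [ANY_V4, ANY_V6]}},
]


def host_cidr(ip: str) -> str:
    """Turn a bare administrator address into a single-host CIDR (/32 or /128).

    An explicit prefix length makes the intent (one host, not a range) obvious
    to whoever reviews the rule later.
    """
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def ssh_limit_firewall(admin_ip: str, tag: str) -> dict:
    """The firewall from the article: TCP/22 from one address, applied by tag."""
    return {
        "name": "ssh-limit",
        "inbound_rules": [
            {
                "protocol": "tcp",
                "ports": "22",
                "sources": {"addresses": [host_cidr(admin_ip)]},
            }
        ],
        "outbound_rules": DEFAULT_OUTBOUND,
        "droplet_ids": [],  # nothing attached directly; membership comes from the tag
        "tags": [tag],
    }


def world_open_inbound(firewall: dict) -> list:
    """Return (protocol, ports) for every inbound rule that admits any source address.

    0.0.0.0/0 or ::/0 as a source means the whole Internet can reach the port,
    which is exactly what the ssh-limit firewall exists to prevent for SSH.
    """
    exposed = []
    for rule in firewall.get("inbound_rules", []):
        for cidr in rule.get("sources", {}).get("addresses", []):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                exposed.append((rule["protocol"], rule.get("ports", "")))
                break
    return exposed


def to_json(firewall: dict) -> str:
    """Serialise the body exactly as it would be sent to the API."""
    return json.dumps(firewall, indent=2)


if __name__ == "__main__":
    fw = ssh_limit_firewall("192.168.100.5", "test")
    print(to_json(fw))
    print("world-open inbound rules:", world_open_inbound(fw))
```

Run the lint before every change to a firewall: a single rule with 0.0.0.0/0 as its source silently undoes the whole point of ssh-limit, and the check catches it whether the rule was added by hand or by a later automation step.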

Provisioning a new Droplet

What happens when we provision a new Droplet and tag it test? After creating the new Droplet and navigating to its Networking section, you can see that the ssh-limit firewall we created earlier has been applied automatically.

The ssh-limit firewall is applied automatically

Limit internal VPC traffic

What if we have MySQL installed on both Droplets and want to make sure that database traffic never leaves those resources? To ensure that port 3306 (MySQL) traffic is allowed only from other resources inside the VPC, a Cloud Firewall rule can use the VPC's address range as its source.

Cloud Firewall rule restricted to the VPC address range

If you use DigitalOcean's Managed Databases product, such as MySQL, PostgreSQL or Redis, this capability also makes it easy to protect those resources. The ideal setup is to place all related resources in one VPC and then use Cloud Firewalls to control the traffic between them.

Cloud Firewall caveats

There are a few things to be aware of when using Cloud Firewalls. Some are quantity limits on Cloud Firewalls themselves, others are product restrictions that may affect how you use them.

  • A maximum of ten individually added Droplets per firewall.
  • A maximum of 5 tags per firewall, but tags let you get around the ten-Droplet limit (a tag with 50 Droplets still works with the firewall).
  • A firewall can have a total of 50 inbound and outbound rules combined.
  • Firewalls currently support only ICMP, TCP and UDP traffic.
  • Dropped traffic is not logged, since filtering happens at the network level; if you need to see what was blocked, you still need host-level logging on the Droplet.
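A pre-flight check for a firewall definition against the limits listed above, applied to the VPC-only MySQL rule from the previous section. This is an added example and not code from the article or DigitalOcean; it works on the API v2 request shape offline and sends nothing. The VPC range 10.124.0.0/20 and the tag test are assumed values, and because the API's sources field takes CIDR addresses, the example expresses the VPC as its address range.

```python
import ipaddress

# Added example (not from the article or DigitalOcean): lint a Cloud Firewall
# request body against the documented limits and confirm a MySQL rule only
# admits sources inside the VPC. 10.124.0.0/20 and "test" are assumed values.
MAX_DIRECT_DROPLETS = 10
MAX_TAGS = 5
MAX_RULES = 50  # inbound + outbound combined
PROTOCOLS = {"icmp", "tcp", "udp"}


def mysql_vpc_firewall(vpc_cidr: str, tag: str) -> dict:
    """TCP/3306 admitted only from addresses inside the VPC range; applied by tag."""
    return {
        "name": "mysql-vpc-only",
        "inbound_rules": [
            {
                "protocol": "tcp",
                "ports": "3306",
                "sources": {"addresses": [str(ipaddress.ip_network(vpc_cidr))]},
            }
        ],
        "outbound_rules": [],
        "droplet_ids": [],
        "tags": [tag],
    }


def lint_firewall(fw: dict) -> list:
    """Return human-readable problems; an empty list means the body is within limits."""
    problems = []
    if len(fw.get("droplet_ids", [])) > MAX_DIRECT_DROPLETS:
        problems.append(
            f"more than {MAX_DIRECT_DROPLETS} directly attached Droplets; use a tag instead"
        )
    if len(fw.get("tags", [])) > MAX_TAGS:
        problems.append(f"more than {MAX_TAGS} tags")
    rules = fw.get("inbound_rules", []) + fw.get("outbound_rules", [])
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules, limit is {MAX_RULES} combined")
    for rule in rules:
        if rule.get("protocol") not in PROTOCOLS:
            problems.append(f"unsupported protocol {rule.get('protocol')!r}")
    return problems


def confined_to(rule: dict, cidr: str) -> bool:
    """True if every address source of an inbound rule lies inside cidr.

    A rule with no address sources (tags or Droplet IDs only) is not judged
    here and returns False: the caller must decide whether those members are
    trusted. A source of a different IP family can never be inside cidr.
    """
    net = ipaddress.ip_network(cidr)
    addresses = rule.get("sources", {}).get("addresses", [])
    if not addresses:
        return False
    for src in addresses:
        src_net = ipaddress.ip_network(src, strict=False)
        if src_net.version != net.version or not src_net.subnet_of(net):
            return False
    return True


if __name__ == "__main__":
    fw = mysql_vpc_firewall("10.124.0.0/20", "test")
    print("problems:", lint_firewall(fw))
    print("MySQL rule confined to VPC:", confined_to(fw["inbound_rules"][0], "10.124.0.0/20"))
```

The lint reports the ten-Droplet, five-tag and fifty-rule limits before the API rejects the request, and the confinement check is the one to run on any database rule: a second source of 0.0.0.0/0 added next to the VPC range still passes the lint but fails confined_to.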

Conclusion

Although this is only an overview of the functionality and rules you can define for DigitalOcean Droplets, the combination of a network-level firewall and VPC networking can easily protect your Droplets from malicious traffic. With the low cost of small Droplets and the simple configuration, you can quickly see how to use Cloud Firewalls to protect your server resources.
