A while back we introduced the free Basic Firewall functionality for all Express Cloud Servers ordered after the 19th of March 2012. This is an easy way to add an extra layer of protection to your Cloud instance at no additional cost. Many customers have been using the Basic Firewall to further protect their infrastructure since we made it available, which is why I thought it would be a good idea to go through the features it offers – and to point out a few pitfalls when using them.
Putting the basic in Basic Firewall
The Basic Firewall filters traffic directed towards your Cloud instance. We decided on a simple approach: once the firewall is enabled, all incoming traffic is blocked by default. You allow traffic by creating exceptions that specify the source IP address or IP range, the target port(s) and the protocol; anything that does not match an exception is dropped. You can create these exceptions before or after switching the Basic Firewall on. This makes it quite easy to protect your instance against unwanted connections (or connection attempts).
There are a few services that you will probably want to enable for every instance:
- Remote access to your machine: this is port 22 (for SSH) or port 3389 (Remote Desktop). Where you can, allow these only from the addresses you actually manage the instance from, rather than from the whole internet
- DNS servers: the resolver addresses are listed in /etc/resolv.conf (on Linux), or in your network configuration in the Windows settings. A forgotten resolver is easy to miss, because name lookups fail only after the firewall is switched on
- Trusted hosts: there might be some IP addresses that you’ll want to give unrestricted access to your machine (an office IP address, for example)
- Basic services that you want to offer to the internet: if you are running a web server on your Cloud instance, be sure to unblock the ports it needs!
One important thing to keep in mind is that the firewall never ends existing connections. If you have an existing SSH or Remote Desktop session to your instance and you block that port in the firewall, only new connections will be blocked. That also means a session that keeps working is no proof that your rules are right: open a second, new connection to confirm you can still get in before you close the one you have.
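The behaviour described above (block everything, then allow by source address, port and protocol) is easy to get wrong in exactly the ways the list mentions. The following is an added example, not Leaseweb's own code or the real Basic Firewall: it models an allowlist-only rule set in Python and runs a pre-flight check over it before you would switch the firewall on. The rule model, the way resolver replies are allowed (a UDP rule for the resolver's address), and all addresses and the resolv.conf content are assumptions constructed for the example.

```python
"""Model of an allowlist-only firewall plus a pre-flight check for the
classic mistakes: locked out of SSH, a resolver left out, and an admin
port open to the world. Added example, not Leaseweb's code; the rule
model, addresses and resolv.conf text below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    source: str      # single IP or CIDR range; "0.0.0.0/0" means anyone
    protocol: str    # "tcp" or "udp"
    ports: tuple     # inclusive (low, high) destination port range

    def admits_source(self, src_ip):
        network = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(src_ip) in network

    def matches(self, src_ip, protocol, port):
        return (protocol == self.protocol
                and self.admits_source(src_ip)
                and self.ports[0] <= port <= self.ports[1])


def is_allowed(rules, src_ip, protocol, port, enabled=True):
    """Default deny once enabled; with the firewall off everything passes."""
    if not enabled:
        return True
    return any(r.matches(src_ip, protocol, port) for r in rules)


def resolvers_from_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def preflight(rules, admin_ip, admin_port, resolvers, admin_ports=(22, 3389)):
    """Problems you would otherwise notice only after the next reconnect."""
    problems = []
    # 1. Can the address you manage from still open a new admin session?
    if not is_allowed(rules, admin_ip, "tcp", admin_port):
        problems.append(f"admin {admin_ip} cannot open tcp/{admin_port}")
    # 2. Is every resolver admitted? (Assumption: replies need a UDP rule.)
    for ns in resolvers:
        if not any(r.protocol == "udp" and r.admits_source(ns) for r in rules):
            problems.append(f"resolver {ns} has no udp allow rule")
    # 3. Is an admin port exposed to 0.0.0.0/0 instead of known addresses?
    for r in rules:
        wide_open = ipaddress.ip_network(r.source, strict=False).prefixlen == 0
        if wide_open and any(r.ports[0] <= p <= r.ports[1] for p in admin_ports):
            problems.append(f"{r.protocol}/{r.ports[0]}-{r.ports[1]} open to 0.0.0.0/0")
    return problems


# Constructed rule set for the walkthrough: office -> SSH, public web,
# and a reply rule for only the first resolver.
RULES = [
    AllowRule("203.0.113.10/32", "tcp", (22, 22)),
    AllowRule("0.0.0.0/0", "tcp", (80, 80)),
    AllowRule("0.0.0.0/0", "tcp", (443, 443)),
    AllowRule("198.51.100.53/32", "udp", (1024, 65535)),
]

# Constructed /etc/resolv.conf content; the second resolver was forgotten.
RESOLV_CONF = """# constructed sample
nameserver 198.51.100.53
nameserver 198.51.100.54
search example.net
"""

if __name__ == "__main__":
    for problem in preflight(RULES, "203.0.113.10", 22,
                             resolvers_from_resolv_conf(RESOLV_CONF)):
        print("problem:", problem)
```

Run against the constructed rule set, the check reports the forgotten second resolver; swap the admin address for one outside the allowed /32 and it reports the lockout instead, which is the case you want to catch while your current session is still open.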
Locked yourself out? We got you covered!
The Basic Firewall allows you to easily revert changes in case you accidentally make critical services unreachable (I know first-hand how easy it is to lock yourself out). It’s always possible to turn off the firewall, which switches the configuration back to ‘allow-all’ mode. This way you can find out if there’s an error or oversight in your rules without blocking connections to your instance. Keep in mind that ‘allow-all’ means exactly that: every port on the instance is reachable again while the firewall is off, so fix the rules and switch it back on as soon as you can.
One step further
While you are thinking about securing your instance, consider using SSL/TLS or other transport encryption and authentication mechanisms for your services. Most standard services (such as HTTP, SMTP and often POP3/IMAP) have encrypted alternatives; be sure to use them whenever your application can handle it. In case you need SSL certificates, Leaseweb can always help you out. Just contact firstname.lastname@example.org for more information.
There are a number of scenarios that we have seen the Basic Firewall used for. One common use case is protecting database servers against access from unwanted networks. Other customers use the Basic Firewall to close off Windows services entirely, or to limit access to them by allowing only a small set of IP addresses to connect. There are a lot of possibilities, but a secure set of firewall rules has to be designed specifically for your situation and infrastructure. Taking some time to think about securing your environment makes sense and will prevent possible headaches in the future!