What security is in place on my SwiftStack storage nodes?

Caleb Tennis -

SwiftStack Node Security

The SwiftStack node is the location where the Swift services actually run. The nodes are setup and controlled through the Controller interface.

OpenVPN Configuration

The SwiftStack Controller creates a hub-and-spoke network to each Node via an OpenVPN point-to-point connection. The OpenVPN server uses the 10.123.0.0/16 network by default, though this may be changed by an administrator of the SwiftStack Controller if this network interferes with an existing network.

Each SwiftStack node leverages OpenVPN as a client to maintain a persistent, but secure, connection back to the SwiftStack controller.

OpenVPN Security

Each node utilizes a locally generated 2048-bit RSA key for establishing the OpenVPN connection. Once established, OpenVPN generates an ephemeral set of keys that change over time that are used for the actual data encryption.

Data is encrypted using Blowfish-128-CBC, and message authentication is done with SHA1.

VPN Security

The intent of the VPN between the Controller and Node is to allow for metrics collection, configuration, and monitoring. It is not intended as a method of entry into a SwiftStack Node. In order to ensure this, two custom iptables chains are created to provide security over the VPN: ssvpn-in and ssvpn-out.

ssvpn-in has the following rules:
  • ALLOW inbound VPN traffic that has already been established by an outbound rule
  • ALLOW inbound ICMP traffic (for pings)
  • DENY all other inbound traffic
ssvpn-out has the following rules:
  • ALLOW outbound VPN traffic destined for port 9914
  • ALLOW outbound VPN traffic destined for port 9915
  • ALLOW outbound VPN traffic destined for port 6040
  • ALLOW outbound VPN traffic destined for port 6050

This prevents someone from, for example, using SSH over the VPN in an attempt to login to a Node from the Controller.

Firewall Security

Each SwiftStack node will add a set of managed firewall rules using iptables. In addition to the two VPN iptables chains noted above, SwiftStack creates four custom iptables chains: ssacct-in, ssacct-out, ssnode-in, ssnode-out. Depending on the Node Rolesassigned to the particular SwiftStack Node, various firewall rules are set.

ssacct-in/out are utilized only for accounting of traffic for the SwiftStack metrics collection and do not specifically accept or reject any traffic.

ssnode-in has the following rules, based on the assigned role(s):

Role Interface Rule
All Roles Cluster ACCEPT inbound traffic port 58318 (ClusterVersionChecker service)
     
Proxy Outward

ACCEPT inbound traffic destination 224.0.0.0/8 (used for SwiftStack load balancer)

ACCEPT inbound traffic protocol VRRP (used for SwiftStack load balancer)

ACCEPT inbound traffic port 80 OR 443, depending on if SSL is utilized

  Cluster

ACCEPT inbound traffic TCP port 11211 (memcached)

ACCEPT inbound traffic UDP port 123 (ntp)

     
Account/Container Cluster

ACCEPT inbound traffic TCP ports 6001 and 6002

ACCEPT inbound traffic UDP port 123 (ntp)

  Replication

ACCEPT inbound traffic TCP ports 6004 and 6005

ACCEPT inbound traffic TCP port 873 (rsync)

     
Object Cluster

ACCEPT inbound traffic TCP ports 6000 and 6006-6100

ACCEPT inbound traffic UDP port 123 (ntp)

  Replication

ACCEPT inbound traffic TCP port 6003

ACCEPT inbound traffic TCP port 873 (rsync)

     
Gateway Outward

ACCEPT inbound traffic:

TCP and UDP port 2049 (nfsd)

TCP and UDP port 111 (rpcbind/portmapper)

TCP and UDP port 662 (rpc.statd)

TCP and UDP port 892,20048 (rpc.mountd)

TCP ports 137,138,139,445 (netbios)

TCP port 32803 and UDP port 32769 (lockd)

ssnode-out presently is unused.

Additional Custom Firewall Rules

The firewall rules specified above are the ones required in order for the cluster to function. Server administrators can add additional rules on top of these to create a more restrictive environment if they desire.

Have more questions? Submit a request

Comments

Powered by Zendesk