SoftLayer Fundamentals. Security / Firewalls. August, 2014


Security Overview

SoftLayer provides a security-rich environment for deploying and running customer workloads. This environment is achieved through a combination of:

• Architecture and operational responsibilities in the SoftLayer offerings.
• Certified physical and logical security of the SoftLayer data centers.
• Ease of use when enabling SoftLayer security features.
• Additional security capabilities delivered through partners (Open Ecosystem).

Securing the Environment

SoftLayer offers security services that can be used by the customer to secure their environment. These services include:

• Vulnerability scanning
• Antivirus and anti-spyware protection
• Host-based intrusion protection
• Firewall and network-based threat protection (IPS, DDoS)
• Network gateways
• Virtual Private Networking (VPN): IPSec, SSL, PPTP
• Two-factor authentication to the SoftLayer Customer Portal
• SSL certificates that enable confidentiality of data in transit

Securing the Environment (cont.)

Nessus Vulnerability Assessment
• Security scanner
• Can be run from the Portal
• Shows a detailed summary page

McAfee
• LinuxShield Antivirus: Free
• Windows VirusScan Anti-Virus: Free
• Total Protection (adds AntiSpyware): $5
• Host Intrusion Protection (IDS) with reporting (only for Windows): $30

Software Firewall

Windows Firewall
• Installed by default
• Configured with the following ports open:
  RDP 3389; FTP 20, 21; HTTP 80; HTTPS 443
  DNS 53; SMTP 25; POP 110; IMAP 143
  IDENT 113; ICMP echo reply
• If Plesk is installed: ports open per Plesk requirements

Linux Firewall
• IPTables is installed
• APF (Advanced Policy Firewall)
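As an added example (not from the deck and not SoftLayer tooling), the following Python audits an iptables INPUT chain against the default-open port list on this slide, so that any accepted port outside that baseline stands out as something the server owner must justify; the rule dump it reads is constructed.

```python
"""Audit an iptables INPUT chain against the slide's default-open port baseline."""
import re
from typing import Dict, Iterator, Set, Tuple

Port = Tuple[str, int]
# Baseline from the slide: ports the default software firewall leaves open.
# DNS is listed for both transports; ICMP echo is handled outside this set.
BASELINE: Set[Port] = {
    ("tcp", 3389), ("tcp", 20), ("tcp", 21), ("tcp", 80), ("tcp", 443),
    ("tcp", 53), ("udp", 53), ("tcp", 25), ("tcp", 110), ("tcp", 143),
    ("tcp", 113),
}
# Constructed `iptables -S INPUT` output for a hypothetical server.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6010 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"""

def expand_ports(spec: str) -> Iterator[int]:
    """Expand an iptables port spec such as '22', '80,443' or '6000:6010'."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        yield from range(int(low), int(high or low) + 1)

def open_ports(rules: str) -> Set[Port]:
    """Collect (proto, port) pairs ACCEPTed by INPUT rules, ignoring source."""
    found: Set[Port] = set()
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        ports = re.search(r"--dports? (\S+)", line)
        if proto and ports:
            found.update((proto.group(1), p) for p in expand_ports(ports.group(1)))
    return found

def audit(rules: str) -> Dict[str, Set[Port]]:
    """Split accepted ports into baseline matches, extras beyond the baseline
    (each should have an owner and a reason) and baseline ports not open."""
    opened = open_ports(rules)
    return {"baseline": opened & BASELINE,
            "extra": opened - BASELINE,
            "closed_baseline": BASELINE - opened}
```

Run it against a real dump with `audit(open("/tmp/input.rules").read())` after saving `iptables -S INPUT`; the "extra" set is the review list.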

Shared Firewall (Standard Hardware Firewall)
• Secures individual servers
• Can be ordered with the purchase of a server
• Sold based on port speed (must match the server)

Dedicated Hardware Firewall
• Secures a single VLAN
• Cannot be ordered with a server; must be ordered after a server has been provisioned
• 1 Gbps firewall with redundant links: customer servers do not have to match the link speed
• High Availability available as an option
• A Shared Firewall and a Dedicated Firewall cannot be on the same VLAN

Using Network Gateways to Protect the Environment

SoftLayer also offers a network gateway appliance powered by the Vyatta Network OS.
• Vyatta Network OS subscription edition deployed on a bare metal server, managed by the customer
• Network configuration is extended through deployment of additional software images, not new physical network hardware
• Capabilities: Firewall, VPN, Load-balancing, NAT

A customer can construct a self-managed solution for software-based network connectivity.
• The choice may be based on skill and experience within their team, and on functional and non-functional requirements.
• Security capabilities will vary according to the chosen technology.
• Options include:

Managing VPN Connections to SoftLayer

There are two overall types of VPN connections to SoftLayer:

• VPN System Administration Management
  1 Gb link for VPN access for customers to perform administrative tasks on the private network.
  Additional tunnels can be requested through the Customer Portal.
  SSL VPN, PPTP VPN, and IPSec VPN connections are available through the Customer Portal.

• VPN Production Access
  The recommended solutions for any customer requiring production VPN access to the SoftLayer network are to use either:
  The FortiGate Security Appliance
  The Vyatta Gateway Appliance

Direct Connection to SoftLayer

It is possible to direct connect to SoftLayer:

Customer Ethernet circuit handoff
• Provides a customer with a direct Ethernet interface to the SoftLayer private network.
• A customer's Telco provider brings an Ethernet circuit (or circuits) to one of the 18 SoftLayer Points of Presence (PoPs) around the world.
• The customer (or their Telco) contracts with the PoP's location provider for any space, power, and cross-connect charges to bring their circuit and any customer premise equipment (CPE) to that PoP.
• The customer contacts SoftLayer to accept an Ethernet handoff connection to SoftLayer equipment at the PoP.
• SoftLayer Ethernet cross-connections are available in 1 Gbps or 10 Gbps sizes.

Securing the Data Centers

SoftLayer data centers are Tier 3 data centers.

Tier    Availability   Annual downtime   Infrastructure
Tier 4  99.995%        .04 hours         Two independent utility paths; fully redundant (2N+1); sustains a 96-hour power outage
Tier 3  99.982%        1.6 hours         Multiple power and cooling paths; fault tolerant (N+1); sustains a 72-hour power outage
Tier 2  99.749%        22.0 hours        One path of power and cooling; some redundancy in power
Tier 1  99.671%        28.8 hours        Single path of power and cooling; no redundant components

Securing the Data Centers (cont.)

Data center and server room security
• Data centers located only in facilities with controlled access and 24-hour security. No server room doors are public-facing.
• Server rooms are staffed 24 x 7.
• Unmarked entry and exit doors into server rooms.
• Digital security video surveillance is used in the data center and server rooms.
• Biometric security systems are used throughout the data center.
• Server room access strictly limited to SoftLayer employees and escorted contractors or visitors.
• Barcode-only identification on hardware; no customer markings of any type on the servers themselves.

Securing the Data Centers (cont.)

Operational security
• Engineers and technicians trained on internal industry-standard policies and procedures, and audited yearly.
• Geographic redundancy for all core systems for disaster recovery and business continuity.
• Two-factor authentication for Customer Portal access adds greater server security.
• All data removed from re-provisioned machines with drive-wipe software approved by the US Department of Defense.
• Ongoing PCI DSS compliance for SoftLayer's own handling of credit card information.
