---
copyright:
  years: 2024
lastupdated: "2024-10-09"
subcollection: pattern-network-vrf-only
keywords:
---

{{site.data.keyword.attribute-definition-list}}

# Security design
{: #security-design}

The following are security design considerations for the hybrid cloud network for classic infrastructure disaster recovery pattern.

## Identity and Access Management (IAM)
{: #IAM}

{{site.data.keyword.iamshort}} provides role-based access control (RBAC) and is part of the zero trust strategy that enables least-privilege access to help support regulatory and compliance requirements. {{site.data.keyword.IBM}} Security Verify can be added to support multi-factor authentication. For more information, see {{site.data.keyword.iamshort}} (IAM) and IBM Security Verify{: external}.

## Cloud Internet Services (CIS)
{: #CIS}

In addition to providing global server load balancing and domain name services, {{site.data.keyword.cis_full_notm}} (CIS) provides many security features to help meet compliance requirements, available either as a Pay-As-You-Go option or as a bundled service package. For more information, see Cloud Internet Services.

Consider using {{site.data.keyword.cis_full_notm}} or other third-party products such as Akamai, Cloudflare, Imperva, Barracuda, or F5 to meet security requirements:

  • DDoS protection: Shields your website from malicious attacks that flood it with traffic.
  • Web Application Firewall (WAF): Acts as a security guard for your website, filtering out suspicious traffic and blocking known threats such as SQL injection and code injection attempts.
  • Transport Layer Security (TLS): Encrypts communication between your website and its visitors, protecting sensitive data such as passwords and credit card information.
  • Range (non-HTTP and HTTPS port protection): Secures ports on your server beyond the standard web traffic ports (HTTP and HTTPS), protecting against attacks that target vulnerable services.

In this pattern, the {{site.data.keyword.cis_full_notm}} DDoS and WAF features are used to meet security requirements.
{: note}

## Gateway appliance: Firewall
{: #security-gateway-appliance}

{{site.data.keyword.Bluemix_notm}} classic firewalls offer various security functions to protect your cloud resources. Specific features and capabilities of {{site.data.keyword.Bluemix_notm}} classic firewalls vary depending on the vendor, hardware, software, licenses, add-on bundle, and configuration options selected.

Consider existing vendor relationships and the operations teams' technical expertise before you make an appliance choice.

In addition, consider the following needs:

  • Number of users and devices: How many devices are connected to the network? A small business network has different needs than a large business network.
  • Types of devices: Consider the variety of resources, data, and applications connected to the network.
  • Bandwidth requirements: How much data traffic does the network typically handle?
  • Scalability: Choose a firewall that can grow with your network needs.
  • Type of firewall: Different firewall types offer different levels of protection. Consider stateful inspection firewalls, application-level firewalls, or next-generation firewalls (NGFWs) depending on the security need.
  • Security features: Look for features like intrusion detection and prevention systems (IDS and IPS), deep packet inspection (DPI), malware protection, and content filtering.
  • Threat intelligence: Choose a firewall that receives regular updates on the latest threats and vulnerabilities.

Consider the security level required based on the business need:

  • Tier 1: Public Front-end Enterprise
  • Tier 2: General Internal Enterprise
  • Tier 3: Business Critical Enterprise
  • Tier 4: Highly sensitive Enterprise
  • Tier 5: Ultra-Secure Enterprise

| Security function | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |
|---|---|---|---|---|---|
| Network firewall | ✓ | ✓ | ✓ | ✓ | ✓ |
| Web Application Firewall (WAF) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Intrusion Detection System (IDS) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Antivirus and antimalware software | ✓ | ✓ | ✓ | ✓ | ✓ |
| Network segmentation |  | ✓ | ✓ | ✓ | ✓ |
| Administrative role-based access controls (RBAC) |  | ✓ | ✓ | ✓ | ✓ |
| Virtual Private Network (VPN) |  |  |  | ✓ | ✓ |
| Advanced firewall with deep packet inspection |  |  | ✓ | ✓ | ✓ |
| Intrusion Prevention System (IPS) |  |  | ✓ | ✓ | ✓ |
| Multifactor Authentication (MFA) |  |  | ✓ | ✓ | ✓ |
| Integration with Security Incident and Event Management (SIEM) system |  |  | ✓ | ✓ | ✓ |
| Network segmentation with strict access controls |  |  |  | ✓ | ✓ |
| Administrative Privileged Access Management (PAM) |  |  |  | ✓ | ✓ |
| Integration with advanced threat intelligence and threat hunting systems |  |  |  | ✓ | ✓ |
| Zero trust architecture |  |  |  |  | ✓ |
| Micro-segmentation |  |  |  |  | ✓ |
| Continuous monitoring and auditing |  |  |  |  | ✓ |
| Integration with Advanced Threat Detection and Response (ATDR) systems |  |  |  |  | ✓ |
| Integration with real-time incident response capabilities |  |  |  |  | ✓ |
{: caption="Table 1: Classic data center security features"}

{{site.data.keyword.Bluemix_notm}} classic data centers support four gateway appliance and firewall options: Juniper vSRX, Virtual Router Appliance, FortiGate (FSA 10 Gbps and vFSA), and bring your own gateway appliance (BYOG) for Checkpoint, Cisco, and Palo Alto. This pattern leaves the choice open, based on security requirements and operational expertise.

## Gateway references
{: #gateway-references}

## VPN security
{: #vpn-security}

VPN offers a valuable layer of security for public internet activities.

Key VPN security considerations include:

  • Encryption strength: Choose a VPN with strong encryption algorithms like AES-256. Weak encryption can be cracked, exposing your data.
  • Protocol choice: Protocols like OpenVPN, IKEv2, and IPsec offer strong security and performance. Avoid outdated or less secure protocols like PPTP.
  • Authentication: Consider strong authentication methods like multi-factor authentication for secure data transmission.
  • Access control: Granularly control access permissions to resources accessible through the VPN, limiting potential damage from breaches.
  • Security of endpoints: Ensure that all connected devices comply with security policies and are kept up to date with patches.
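The five considerations above can be turned into a repeatable check of the tunnels a gateway actually has configured. The following is an added example and not part of the IBM Cloud pattern documentation: the `Tunnel` record, its field names, the approved protocol and cipher sets, and the two sample tunnels are constructed for illustration and would be populated from your own gateway's configuration export.

```python
"""Audit VPN tunnel definitions against the VPN security considerations above.

Added example, not part of the IBM Cloud pattern documentation. The Tunnel
record, its field names and the sample tunnels are constructed; the approved
sets reflect the recommendations in the text (AES-256, IKEv2/IPsec or OpenVPN,
no PPTP, multi-factor authentication, scoped access, patched endpoints).
"""
from dataclasses import dataclass
from typing import Dict, List

STRONG_PROTOCOLS = {"IKEv2/IPsec", "OpenVPN"}      # recommended by the text
DEPRECATED_PROTOCOLS = {"PPTP"}                    # named as outdated by the text
STRONG_CIPHERS = {"AES-256-CBC", "AES-256-GCM"}    # AES-256 variants (assumption)


@dataclass
class Tunnel:
    name: str
    protocol: str
    cipher: str
    auth_factors: List[str]          # e.g. ["certificate", "otp"]
    allowed_destinations: List[str]  # CIDRs reachable through the tunnel
    endpoints_patched: bool          # result of an endpoint posture check


def audit_tunnel(t: Tunnel) -> List[str]:
    """Return one finding per consideration the tunnel fails (empty if compliant)."""
    findings = []
    # Protocol choice
    if t.protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"{t.name}: protocol {t.protocol} is outdated; use IKEv2/IPsec or OpenVPN")
    elif t.protocol not in STRONG_PROTOCOLS:
        findings.append(f"{t.name}: protocol {t.protocol} is not on the approved list; review manually")
    # Encryption strength
    if t.cipher not in STRONG_CIPHERS:
        findings.append(f"{t.name}: cipher {t.cipher} is weaker than AES-256")
    # Authentication: require at least two distinct factors
    if len(set(t.auth_factors)) < 2:
        factors = ", ".join(t.auth_factors) or "none"
        findings.append(f"{t.name}: single-factor authentication ({factors}); enable MFA")
    # Access control: the tunnel must be scoped to the subnets it needs
    if not t.allowed_destinations or "0.0.0.0/0" in t.allowed_destinations:
        findings.append(f"{t.name}: tunnel reaches all destinations; restrict it to required subnets")
    # Security of endpoints
    if not t.endpoints_patched:
        findings.append(f"{t.name}: remote endpoint fails the patch-compliance check")
    return findings


def audit_all(tunnels: List[Tunnel]) -> Dict[str, List[str]]:
    """Map each tunnel name to its list of findings."""
    return {t.name: audit_tunnel(t) for t in tunnels}


# Constructed sample tunnels: one that follows the considerations, one that does not.
SAMPLE_TUNNELS = [
    Tunnel("site-dr-mgmt", "IKEv2/IPsec", "AES-256-GCM",
           ["certificate", "otp"], ["10.10.20.0/24"], True),
    Tunnel("legacy-branch", "PPTP", "MPPE-128",
           ["password"], ["0.0.0.0/0"], False),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TUNNELS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The compliant tunnel produces no findings; the legacy tunnel produces one finding per failed consideration, which makes the report a direct checklist for remediation.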

{{site.data.keyword.IBM_notm}} classic data centers offer three options for implementing a virtual private network connection from a remote site into {{site.data.keyword.Bluemix_notm}}: SSL VPN, IPsec VPN, and a VPN gateway appliance on classic. This pattern uses the VPN gateway appliance on classic to meet the private administrative and management connectivity requirements.

## Service endpoints
{: #security-service-endpoints}

With {{site.data.keyword.Bluemix_notm}} service endpoints, you can connect to {{site.data.keyword.Bluemix_notm}} services over the {{site.data.keyword.Bluemix_notm}} private network instead of the default public network. Moving these workloads from the public network to the private network offers enhanced security because the cloud services are no longer served on an internet-routable IP address.

## Jump server or bastion host
{: #security-jump-bastion}

Jump servers or bastion hosts can offer extra levels of security and control and can be deployed on bare metal or virtual server instances within {{site.data.keyword.Bluemix_notm}} classic.

Considerations include:

  • Enhanced security: All access to internal systems funnels through the jump server or bastion host, which makes it easier to monitor and enforce security policies. Access can be granted or revoked for specific users and systems with fine granularity. Keeping internal systems directly inaccessible from the outside minimizes potential entry points for attackers: an attacker must compromise the jump server first, which adds an extra layer of defense.
  • Improved management and auditing: Manage access to all internal systems from a single point, streamlining the process and reducing errors. All activity on the jump server or bastion host is logged, providing a centralized record of who accessed what and when. This helps with troubleshooting, security audits, and forensic investigations.
  • Secure access to legacy systems: Jump servers and bastion hosts can act as a bridge between modern tools and legacy systems that might not support secure protocols such as SSH. You can use the jump server to tunnel secure connections to older systems.
  • Multi-factor Authentication (MFA): MFA can be implemented on the jump server or bastion host itself, adding another layer of protection to internal system access.
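Because every administrative session passes through the bastion host, its SSH log is the centralized access record described above, and a small amount of parsing turns it into a "who accessed what and when" report plus a few policy alerts. The following is an added example and not part of the IBM Cloud pattern documentation: the log lines are constructed in OpenSSH's `sshd` syslog format, and `ALLOWED_ADMINS` and `FAILED_THRESHOLD` are assumed policy values to replace with your own.

```python
"""Build an access record and policy alerts from bastion-host sshd log lines.

Added example, not part of the IBM Cloud pattern documentation. SAMPLE_LOG is
constructed in OpenSSH's sshd syslog format; ALLOWED_ADMINS and
FAILED_THRESHOLD are assumptions standing in for your own access policy.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_ADMINS = {"alice", "bob"}   # assumption: accounts permitted on the bastion
FAILED_THRESHOLD = 3                # assumption: failures per source before alerting

# Matches "Accepted publickey for alice from 203.0.113.5 port 51234 ssh2 ..."
# and    "Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Login:
    timestamp: str
    user: str
    source: str
    method: str
    accepted: bool


def parse_line(line: str) -> Optional[Login]:
    """Return a Login for an authentication event line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Login(m["ts"], m["user"], m["src"], m["method"], m["outcome"] == "Accepted")


def access_record(lines: List[str]) -> List[Login]:
    """The audit record: every accepted login in order (who, from where, when, how)."""
    return [l for l in map(parse_line, lines) if l is not None and l.accepted]


def alerts(lines: List[str]) -> List[str]:
    """Policy alerts: non-admin logins, password logins, and repeated failures per source."""
    logins = [l for l in map(parse_line, lines) if l is not None]
    out = []
    for l in logins:
        if l.accepted and l.user not in ALLOWED_ADMINS:
            out.append(f"{l.timestamp}: login by non-admin account {l.user!r} from {l.source}")
        if l.accepted and l.method == "password":
            out.append(f"{l.timestamp}: password login for {l.user} from {l.source}; require keys or MFA")
    failed = Counter(l.source for l in logins if not l.accepted)
    for src, n in failed.items():
        if n >= FAILED_THRESHOLD:
            out.append(f"{n} failed logins from {src}; possible brute force, check firewall rules")
    return out


# Constructed sample log (RFC 5737 documentation addresses, fictitious accounts).
SAMPLE_LOG = [
    "Oct  9 10:15:02 bastion sshd[2211]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT",
    "Oct  9 10:17:11 bastion sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Oct  9 10:17:13 bastion sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2",
    "Oct  9 10:17:15 bastion sshd[2302]: Failed password for root from 198.51.100.7 port 40024 ssh2",
    "Oct  9 10:20:05 bastion sshd[2305]: Accepted password for bob from 203.0.113.9 port 50011 ssh2",
    "Oct  9 10:22:40 bastion sshd[2310]: Accepted publickey for svc-backup from 203.0.113.12 port 50120 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT",
    "Oct  9 10:23:01 bastion sshd[2211]: Disconnected from user alice 203.0.113.5 port 51234",
]

if __name__ == "__main__":
    for entry in access_record(SAMPLE_LOG):
        print(f"{entry.timestamp}  {entry.user:<12} {entry.source:<15} {entry.method}")
    for a in alerts(SAMPLE_LOG):
        print("ALERT:", a)
```

On the sample log the access record lists three accepted sessions, and the alerts flag the password login, the login by an account outside the admin set, and the three failed attempts from one source; forwarding the same lines to a SIEM gives the retention and correlation the audit and forensic use cases need.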

The following table helps determine whether a bastion host or jump server is needed:

| Feature | Jump server | Bastion host |
|---|---|---|
| Location | Internal network | Network perimeter (DMZ and public subnet) |
| Purpose | Manage internal systems | Grant controlled access to specific internal systems for external users |
| Security focus | Centralized access control, which simplifies administration | Secure entry point, isolation of internal systems |
| Attack surface | Higher (internal systems directly exposed if the jump server is compromised) | Lower (internal systems protected even if the bastion host is compromised) |
{: caption="Classic data center jump server versus bastion host matrix"}

In this pattern, a bastion host is deployed on a virtual server instance in a classic data center to control secure remote administrative access to all devices within the {{site.data.keyword.Bluemix_notm}} environment.