A really good thing about setting up blogs and small websites these days is that dedicated servers and dedicated IPs from cloud vendors are an affordable option for most.1 Setting up your own server instance is pretty easy, but often very insecure by default. Setting up security through Linux firewalls is possible, but can be somewhat daunting for many who are simply looking for an inexpensive and flexible web host.
Fortunately, there is an outstanding option for those looking to simply secure a single server (or many servers) from Dome9. Dome9 is essentially a system for managing system firewalls – removing the complexities of installing and configuring firewalls on individual nodes as well as providing some automation to firewall management.
First, What Is A Firewall?
You might be somewhat familiar with firewall software already – most operating systems ship with some form of firewall software built in. In personal computing use, firewall configurations often block certain types of internet traffic altogether. On a server, firewall configuration becomes a bit more complicated: there are some services you want to block, some you want to leave completely open (such as web server traffic), and some you want restricted to a certain range of IP addresses – such as allowing SSH traffic only from your home or office internet address.
Let’s take a look at a simple example:
This would be a desired configuration for a simple web application (such as a WordPress site). The rules that we want to enforce:
- All HTTP (and possibly HTTPS) traffic is open to the world. We want people to visit our website!
- SSH access is limited to a certain IP range. (The image displays – for example – a ‘local’ set of SSH addresses behind a router. In a cloud deployment, you might want to limit SSH access to your home internet connection IP, or from where you might actually access your servers.)
- Blocking all access from ‘the outside’ to port 3306 – the default MySQL server port.
- … and finally, blocking all attempts at network connections other than the HTTP and HTTPS connections that you want external connections to make. (i.e. only allow global access on ports 80 and 443 – the ports that web browsers use to access a website.)
These rules can be set up on individual servers using firewall configurations (such as iptables on Linux servers) – but direct firewall management can be something of a chore, especially if you have more than one server to maintain. This is where a firewall management system comes in handy – in this example we’ll look at using Dome9.2
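For comparison, here is what the four rules above look like when written by hand for iptables. This is an added example, not part of the original post and not something Dome9 generates; the SSH source range `203.0.113.0/24` is a constructed placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): the four rules above as an
# iptables-restore ruleset. The SSH source range is a constructed placeholder.

# valid_cidr ADDR: accept dotted-quad IPv4 with an optional /1-32 prefix.
# /0 is rejected on purpose: it would reopen SSH to the whole internet.
valid_cidr() {
    printf '%s\n' "$1" | awk '
        $0 !~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+(/[0-9]+)?$" { exit 1 }
        { n = split($0, p, "[./]")
          for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) exit 1
          if (n == 5 && (p[5] + 0 < 1 || p[5] + 0 > 32)) exit 1 }'
}

# build_ruleset SSH_CIDR: print the ruleset on stdout, or fail on a bad range.
build_ruleset() {
    ssh_cidr=$1
    valid_cidr "$ssh_cidr" || {
        echo "refusing invalid SSH source range: $ssh_cidr" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s $ssh_cidr --dport 22 -j ACCEPT
COMMIT
EOF
}

# No rule mentions 3306: MySQL is reachable over loopback only and every
# other inbound connection falls through to the DROP policy.
build_ruleset "${SSH_CIDR:-203.0.113.0/24}"
```

Piping the output through `iptables-restore --test` checks the syntax without changing the running firewall.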
How Does Dome9 Manage Firewalls?
Dome9 manages firewalls through an agent infrastructure. To use Dome9 on a server instance, you will need to install a software agent that will manage local firewall settings. The agents themselves can be controlled either individually or in groups through a web interface.
Let’s get started.
Sign Up For A Dome9 Account
I won’t cover this in any detail – you’ll find the signup process at Dome9 to be similar to other web account signups. If this is your first account at Dome9, you’ll be given a free trial of their enterprise features, after which you’ll likely have to talk with their sales group about your needs. Large accounts will be encouraged to buy a plan, but they do have a “Lite Cloud” plan that you can use for your own personal websites for five servers or less.
Install The Dome9 Agent On Your Server
Once you have logged in and have an account, you’ll need to install the Dome9 agent on the servers you wish to manage.
The Install New Agent Button (or menu option) will guide you through a series of steps for installing an agent for the appropriate system type (Windows or Linux). The instructions will basically give you a set of copy-paste commands that you can use to install and start the Dome9 agent.
Create a Security Group
Dome9 installs a ‘default’ security group, though you will likely want to create your own group for firewall management. Let’s take a look at a few rules for a “WordPress” server. Note that only rules listed will have an ‘allow’ option. You can set up a rule that ‘blocks’ traffic – minus the “On Demand” feature of Dome9 that we’ll cover later on. Here is an example rule set:
In this case, we’re only managing three services – leaving all others blocked. HTTP and HTTPS are open to the world, while SSH is limited to (the greyed out) block of IP addresses. To add a new service (such as MySQL), simply choose the Add New Service button. When you choose this option, you are presented with a menu of common services you can choose from – as well as the ability to specify custom ports and port ranges for any other services you may wish to access.
If we complete the example, we can specify a few settings for this port. In this case, we’ll leave the port protected and only allow “On Demand” access to the MySQL port. You can also add specific IP addresses or IP blocks if you have a set that you would like to leave open full time.3
With this in place, a new rule has been added to the Inbound Policy Rule set.
Adding Your Server To The Security Group
Now that we have a security group in place, we’ll need to add our web server to the group. This will prompt the agent to apply the firewall rules specified by the group.
This is a relatively simple operation. From the list of servers where agents have been installed (if you installed the agent, this should be visible rather quickly), choose the server listed (this defaults to your hostname).
This will open a dialog that will allow you to choose your security group (Dome9 requires that a server belong to at least one security group) along with a list of the rules that are currently applied.
You will also want to remove the default security group (with the big black ‘x’) to have your server be protected by only the single web-server group.
With this in place, you now have a web server that is open to the world for HTTP, restricted on the SSH ports to a couple of IP addresses (meaning that SSH is only available from those IP address/ranges) and ‘blocked’ for MySQL connections. This is good enough for day-to-day site operation, but let’s take a look at another Dome9 feature: “on demand” access.
Granting On Demand Access to A Resource
Let’s take a look at setting up on demand access to the MySQL database. This might be a situation where I am troubleshooting some data setups, or just want easier access to the MySQL database through a tool like MySQL Workbench.
I’ll need to ensure that the MySQL user itself is set up to allow access from remote hosts (such as ‘%’) and have the MySQL database set to bind to 0.0.0.0 in the my.cnf file. (I won’t cover this exact problem in detail here.) Now MySQL access is only blocked by the firewall configuration. Sure enough:
Now, let’s configure ‘dynamic access’ to the MySQL resource. First, go to the Dynamic Access tab in the Dome9 interface.
Note the Get Access button. You can use this button to give yourself access for a certain period of time or you can send an invitation to someone else to access the resource. Let’s see how that works. First, choose to send an invitation:
Now, select a few options about this access. Access can be limited for a certain amount of time and the invitation can be set to expire as well. Dome9 also allows you to send an invitation via e-mail to others or yourself – or generate a link that can be sent over instant messaging, etc.
This action will give you a bit of detail about the invitation as well as send an e-mail to the party you wish to grant access to (if you chose the e-mail option). The e-mail contains a simple link that when clicked will create a ‘lease’ for accessing the resource.
Once this access is granted, I can now use MySQL Workbench to access the database running on the web server. My access will only last an hour before the Dome9 agent again reasserts the global rule of denying access to port 3306.
With the ability to generate timed firewall rules you can limit access in a controlled manner rather than having to manually edit groups or firewall rules. The effect of this is that you are better able to provide access when it is needed – and for no longer than the access is needed. Centralized management will also make it much easier to know what access has been granted across your entire infrastructure at a glance.
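The same idea of a time-limited allow rule can be reproduced on a single Linux host without an agent. The sketch below is an added example, not Dome9's mechanism and not from the original post: it uses an ipset whose entries expire on their own, and the set name, the one-day cap and the client address `198.51.100.7` are assumptions. It defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not Dome9's mechanism): a timed lease on port 3306 using an
# ipset whose entries expire by themselves. DRY_RUN=1 (the default here)
# prints the commands instead of running them; all names are assumptions.
DRY_RUN=${DRY_RUN:-1}
LEASE_SET=mysql_lease      # hypothetical set name
MAX_LEASE=86400            # assumed upper bound: one day

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# install_lease_rule: allow 3306 only for sources currently in the set.
# Run once; every other source still hits the default DROP policy.
# The set's default timeout means an entry can never become permanent.
install_lease_rule() {
    run ipset create "$LEASE_SET" hash:ip timeout 3600 -exist
    run iptables -A INPUT -p tcp --dport 3306 \
        -m set --match-set "$LEASE_SET" src -j ACCEPT
}

# grant_lease IP SECONDS: add IP to the set; the kernel drops it after SECONDS.
grant_lease() {
    ip=$1 secs=$2
    case $ip in ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1 ;; esac
    case $secs in ''|*[!0-9]*) echo "bad duration: $secs" >&2; return 1 ;; esac
    [ "$secs" -ge 1 ] && [ "$secs" -le "$MAX_LEASE" ] || {
        echo "duration must be 1..$MAX_LEASE seconds" >&2; return 1; }
    run ipset add "$LEASE_SET" "$ip" timeout "$secs" -exist
}

install_lease_rule
grant_lease 198.51.100.7 3600   # constructed client address, one hour
```

Once the entry times out, the address no longer matches the set and port 3306 is closed to it again with no manual cleanup.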
We’ve only touched the surface of the capabilities and advantages of managing firewall rules through Dome9. This management is critical for larger organizations with many machines – but Dome9 offers some very useful features for personal websites. If you are (for example) running your personal website through a cloud instance provider, you may find tools such as Dome9 to be extraordinarily useful in preventing your cloud instance from being accessed (or hacked) by others. Dome9 is a tool that will give you the ability to lock down your instances without being terribly hard to use.4