SwiftStack Node Security¶
The SwiftStack node is the location where the Swift services actually run. The nodes are setup and controlled through the Controller interface.
OpenVPN Configuration¶
The SwiftStack Controller creates a hub-and-spoke network to each Node via an OpenVPN point-to-point connection. The OpenVPN server uses the 10.123.0.0/16 network by default, though this may be changed by an administrator of the SwiftStack Controller if this network interferes with an existing network.
Each SwiftStack node leverages OpenVPN as a client to maintain a persistent, but secure, connection back to the SwiftStack controller.
OpenVPN Security¶
Each node utilizes a locally generated 2048-bit RSA key for establishing the OpenVPN connection. Once established, OpenVPN generates an ephemeral set of keys that change over time that are used for the actual data encryption.
Data is encrypted using Blowfish-128-CBC, and message authentication is done with SHA1.
VPN Security¶
The intent of the VPN between the Controller and Node is to allow for metrics collection, configuration, and monitoring. It is not intended as a method of entry into a SwiftStack Node. In order to ensure this, two custom iptables chains are created to provide security over the VPN: ssvpn-in and ssvpn-out.
- ssvpn-in has the following rules:
- ALLOW inbound VPN traffic that has already been established by an outbound rule
- ALLOW inbound ICMP traffic (for pings)
- DENY all other inbound traffic
- ssvpn-out has the following rules:
- ALLOW outbound VPN traffic destined for port 9914
- ALLOW outbound VPN traffic destined for port 9915
- ALLOW outbound VPN traffic destined for port 6040
- ALLOW outbound VPN traffic destined for port 6050
This prevents someone from, for example, using SSH over the VPN in an attempt to login to a Node from the Controller.
Firewall Security¶
Each SwiftStack node will add a set of managed firewall rules using iptables. In addition to the two VPN iptables chains noted above, SwiftStack creates four custom iptables chains: ssacct-in, ssacct-out, ssnode-in, ssnode-out. Depending on the Cluster Node Roles assigned to the particular SwiftStack Node, various firewall rules are set.
ssacct-in/out are utilized only for accounting of traffic for the SwiftStack metrics collection and do not specifically accept or reject any traffic.
ssnode-in has the following rules, based on the assigned role(s):
Role Interface Rule All Roles Cluster ACCEPT inbound traffic port 58318 (ClusterVersionChecker service) Proxy Outward ACCEPT inbound traffic destination 224.0.0.0/8 (used for SwiftStack load balancer)
ACCEPT inbound traffic protocol VRRP (used for SwiftStack load balancer)
ACCEPT inbound traffic port 80 OR 443, depending on if SSL is utilized
Cluster ACCEPT inbound traffic TCP port 11211 (memcached)
ACCEPT inbound traffic UDP port 123 (ntp)
Account/Container Cluster ACCEPT inbound traffic TCP ports 6001 and 6002
ACCEPT inbound traffic UDP port 123 (ntp)
Replication ACCEPT inbound traffic TCP ports 6004 and 6005
ACCEPT inbound traffic TCP port 873 (rsync)
Object Cluster ACCEPT inbound traffic TCP ports 6000 and 6006-6100
ACCEPT inbound traffic UDP port 123 (ntp)
Replication ACCEPT inbound traffic TCP port 6003
ACCEPT inbound traffic TCP port 873 (rsync)
Gateway Outward ACCEPT inbound traffic:
TCP and UDP port 2049 (nfsd)
TCP and UDP port 111 (rpcbind/portmapper)
TCP and UDP port 662 (rpc.statd)
TCP and UDP port 892,20048 (rpc.mountd)
TCP ports 137,138,139,445 (netbios)
TCP port 32803 and UDP port 32769 (lockd)
ssnode-out presently is unused.
Additional Custom Firewall Rules¶
The firewall rules specified above are the ones required in order for the cluster to function. Server administrators can add additional rules on top of these to create a more restrictive environment if they desire.
