Manage Security / Best Practices
This topic describes which networking mode is the most secure, and describes how to enforce message security.
Managed mode is the only recommended networking mode for secure deployments. It provides security groups, which are used to control inbound traffic to instances, as well as Layer-2 isolation between security groups.
Layer-2 isolation is enforced using a VLAN tag per security group. This protects traffic within a security group from potential eavesdropping and hijacking by instances that belong to other security groups.
Eucalyptus does not currently enforce Layer-2 isolation between instances within the same security group.
For more information about choosing a networking mode, see the Installation Guide.
Eucalyptus components receive and exchange messages using either Query or SOAP interfaces (or both). Messages received over these interfaces are required to carry a time stamp (as defined by the AWS specification) to prevent message replay attacks. Because Eucalyptus enforces strict policies when checking the timestamps of received messages, it is crucial for the correct functioning of the cloud infrastructure that clocks be kept constantly synchronized (for example, with ntpd) on all machines hosting Eucalyptus components. To prevent user command failures, it is also important to have clocks synchronized on the client machines.
Following the AWS specification, all Query interface requests containing the Timestamp element are rejected as expired after 15 minutes of the timestamp. Requests containing the Expires element expire at the time specified by the element. SOAP interface requests using WS-Security expire as specified by the WS-Security Timestamp element.
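As an added illustration (not part of the Eucalyptus documentation), the following Python models the Query-interface freshness rules just described and shows why an unsynchronized client clock causes a freshly sent request to be rejected. The function names `parse_aws_time` and `check_request_freshness` are chosen here, and all timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Query requests carrying a Timestamp element are rejected 15 minutes after that timestamp.
TIMESTAMP_MAX_AGE = timedelta(minutes=15)


def parse_aws_time(value):
    """Parse the ISO 8601 UTC form used by Query requests, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_request_freshness(params, now):
    """Apply the Timestamp / Expires rules to a Query request's parameters.

    params: dict of query parameters; now: the server clock as a UTC datetime.
    Returns (accepted, reason). A request carries either Timestamp or Expires.
    """
    has_ts, has_exp = "Timestamp" in params, "Expires" in params
    if has_ts == has_exp:
        return False, "exactly one of Timestamp or Expires is required"
    if has_exp:
        # Expires: the request is valid strictly before the stated instant.
        if now >= parse_aws_time(params["Expires"]):
            return False, "request expired at " + params["Expires"]
        return True, "valid until " + params["Expires"]
    # Timestamp: reject once the request is older than the 15-minute window.
    # (Only the staleness rule stated in the text is modelled; a future-dated
    # Timestamp has negative age and passes this check.)
    age = now - parse_aws_time(params["Timestamp"])
    if age > TIMESTAMP_MAX_AGE:
        return False, "Timestamp is %d seconds old" % age.total_seconds()
    return True, "Timestamp within the 15-minute window"


if __name__ == "__main__":
    # Constructed scenario: the server clock reads 12:00 UTC.
    server_now = parse_aws_time("2024-05-01T12:00:00Z")
    # A client with a correct clock stamped the request a few seconds ago: accepted.
    print(check_request_freshness({"Timestamp": "2024-05-01T11:59:55Z"}, server_now))
    # A client whose clock is 20 minutes behind stamps a request it sends right now:
    # the server sees a 20-minute-old Timestamp and rejects it as expired. This is
    # the clock-synchronization failure the text warns about.
    print(check_request_freshness({"Timestamp": "2024-05-01T11:40:00Z"}, server_now))
    # An Expires element is honoured at the instant it names, regardless of age.
    print(check_request_freshness({"Expires": "2024-05-01T12:30:00Z"}, server_now))
```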
Eucalyptus requires that all user requests (SOAP with WS-Security and Query) be signed, and that their content be properly hashed, to ensure message integrity and non-repudiation. For stronger security, and to ensure message confidentiality and server authenticity, client tools and applications should always use SSL/TLS with server certificate verification enabled when communicating with Eucalyptus components.
By default, Eucalyptus components are installed with self-signed certificates. For public Eucalyptus endpoints, certificates signed by a trusted CA provider should be installed.