Difference between revisions of "UEC: Security"
Revision as of 08:14, 28 December 2010

Eucalyptus provides ingress filtering for instances through security groups. A security group is a named set of rules that Eucalyptus applies to packets arriving at the instances that belong to it, in the Managed and Managed-NOVLAN networking modes (in the System and Static modes security groups are not enforced, so an instance is reachable on every port it listens on). You specify a security group when launching an instance; an instance launched without one is placed in the group named "default". Each group can carry several rules, and each rule specifies a source network in CIDR form, a protocol, and for tcp/udp a destination port range. A packet matching any rule is allowed in; every other inbound packet is dropped, so the filter is default-deny for incoming traffic.

A security group with no rules blocks all incoming traffic to its instances, including ssh, so add at least a rule for tcp port 22 from your management network before launching into it.

The mechanism provides ingress filtering only; there is no egress filtering, so all outbound traffic from an instance is allowed. This matters for containment: a compromised instance can freely reach other instances and the Internet. If you need egress filtering, implement it inside the instance with a host firewall such as iptables.
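The following is an added example of the in-instance egress filtering just described; it is not code from the OnnoWiki page or from Eucalyptus. egress_rules emits an iptables-restore ruleset whose OUTPUT chain is default-DROP, allowing only loopback, replies to connections that were accepted inbound, DNS to one resolver, and an explicit list of proto:host:port destinations. The resolver and destination addresses are hypothetical.

```sh
#!/bin/sh
# Added example (not from the OnnoWiki page or from Eucalyptus): because a
# security group never filters outbound traffic, enforce egress policy inside
# the instance with iptables. egress_rules emits an iptables-restore ruleset
# with a default-DROP OUTPUT chain. All addresses below are hypothetical.

egress_rules() {
    resolver="$1"
    shift
    # Chain policies. Ingress is the security group's job, so INPUT stays
    # ACCEPT here; OUTPUT is DROP so anything not listed below is blocked.
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT" \
        "-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT"
    # One ACCEPT per allowed destination, e.g. tcp:10.0.1.5:3306 for a database.
    for dest in "$@"; do
        proto=${dest%%:*}
        rest=${dest#*:}
        host=${rest%%:*}
        port=${rest##*:}
        printf '%s\n' "-A OUTPUT -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy drops so a compromised instance's beaconing is visible.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "' \
        'COMMIT'
}

# Number of explicit destination ACCEPT rules in a generated ruleset (stdin);
# useful when reviewing the policy before loading it.
count_destination_rules() {
    grep -c -- '--ctstate NEW -j ACCEPT'
}

# Example: the instance may reach one database and one package mirror only.
# Load with: egress_rules 10.0.0.2 tcp:10.0.1.5:3306 tcp:10.0.1.9:443 | iptables-restore
egress_rules 10.0.0.2 tcp:10.0.1.5:3306 tcp:10.0.1.9:443
```

Because iptables-restore replaces the whole filter table, run the generated policy through a review (the count and the grep in the block) before loading it, and keep the admin ssh session's ESTABLISHED rule so you do not lock yourself out while testing.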

Tools like Hybridfox let you manage security groups and also let you specify a security group while launching an instance.

Here are a few euca commands to manage security groups:

Create a security group named “webservers” :

uecadmin@client1:~$ euca-add-group -d "Web Servers" webservers

Add rules to the security group “webservers” allowing tcp port 22 (ssh) and icmp from the host a.b.c.d. euca-authorize takes the protocol (-P), the source as a CIDR (-s; a single host is written /32) and, for tcp/udp, the port or port range (-p):

uecadmin@client1:~$ euca-authorize -P tcp -p 22 -s a.b.c.d/32 webservers
uecadmin@client1:~$ euca-authorize -P icmp -s a.b.c.d/32 webservers

The rules can be viewed with the euca-describe-groups command. The PERMISSION rows list the owner, the group, the protocol, the start and end of the port range (-1 for icmp, meaning all types) and the source CIDR. Note that the sample output below shows rules broader than the two added above: FROMCIDR 0.0.0.0/0 admits any source, and such a rule on port 22 exposes ssh on every instance in the group to the Internet.

$ euca-describe-groups
GROUP   admin   default default group
GROUP   admin   webservers      Web Servers
PERMISSION      admin   webservers     ALLOWS  icmp    -1      -1      FROMCIDR     0.0.0.0/0
PERMISSION      admin   webservers     ALLOWS  tcp     22      22      FROMCIDR     0.0.0.0/0

Launch an instance in the security group “webservers” (emi-XXXXXXXX stands for your image id and mykey for a registered keypair):

uecadmin@client1:~$ euca-run-instances emi-XXXXXXXX -k mykey -g webservers

List the details of the existing security groups :

euca-describe-groups

Remove the rule for icmp traffic from the source a.b.c.d from the security group “webservers”. The revoke must name exactly the protocol, port range and source of the existing rule, otherwise nothing is removed; check with euca-describe-groups afterwards:

uecadmin@client1:~$ euca-revoke -P icmp -s a.b.c.d/32 webservers

Delete the security group “webservers” (terminate its instances first; as in EC2, a group that is still in use cannot be deleted):

euca-delete-group webservers
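The whole procedure above as an added example, not code from the OnnoWiki page or from Eucalyptus: a least-privilege setup of the “webservers” group (ssh and ping only from an admin network, HTTP/HTTPS from anywhere), plus an audit of euca-describe-groups output that flags any rule open to 0.0.0.0/0 on something other than the ports a web server must expose. It assumes the euca2ools command names and options used on this page (-P, -p, -s); ADMIN_CIDR is a hypothetical management network, and the sample output inside sample_describe_groups is constructed for offline use, mirroring the page's column layout.

```sh
#!/bin/sh
# Added example (not from the OnnoWiki page or from Eucalyptus): set up the
# "webservers" group with least-privilege ingress rules, then audit
# euca-describe-groups output for rules open to the whole Internet.
# Assumptions: euca2ools options as on this page (-P protocol, -p port,
# -s source CIDR); ADMIN_CIDR is a hypothetical admin network; the sample
# output below is constructed for offline use.

ADMIN_CIDR="${ADMIN_CIDR:-192.0.2.0/24}"   # hypothetical admin network
PUBLIC_PORTS="${PUBLIC_PORTS:-80 443}"      # tcp ports that may be world-open

# SSH and ping only from the admin network; HTTP/HTTPS from anywhere.
setup_webservers_group() {
    euca-add-group -d "Web Servers" webservers
    euca-authorize -P tcp -p 22 -s "$ADMIN_CIDR" webservers
    euca-authorize -P icmp -s "$ADMIN_CIDR" webservers
    for port in $PUBLIC_PORTS; do
        euca-authorize -P tcp -p "$port" -s 0.0.0.0/0 webservers
    done
}

# Constructed euca-describe-groups output (same columns as on the page):
# PERMISSION owner group ALLOWS proto from_port to_port FROMCIDR cidr
sample_describe_groups() {
    cat <<'EOF'
GROUP      admin  default     default group
GROUP      admin  webservers  Web Servers
PERMISSION admin  webservers  ALLOWS  icmp  -1   -1   FROMCIDR  0.0.0.0/0
PERMISSION admin  webservers  ALLOWS  tcp   22   22   FROMCIDR  0.0.0.0/0
PERMISSION admin  webservers  ALLOWS  tcp   80   80   FROMCIDR  0.0.0.0/0
PERMISSION admin  webservers  ALLOWS  tcp   443  443  FROMCIDR  192.0.2.0/24
EOF
}

# Reads describe-groups output on stdin and prints one WORLD-OPEN line per
# rule whose source is 0.0.0.0/0, unless it is a single tcp port listed in
# PUBLIC_PORTS. Exit status 1 when anything was flagged, 0 when clean.
audit_world_open() {
    awk -v ok="$PUBLIC_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 == "PERMISSION" && $8 == "FROMCIDR" && $9 == "0.0.0.0/0" {
            if (!($5 == "tcp" && $6 == $7 && ($6 in allowed))) {
                printf "WORLD-OPEN group=%s proto=%s ports=%s:%s\n", $3, $5, $6, $7
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Audit the live cloud when the CLI is installed, otherwise the sample.
if command -v euca-describe-groups >/dev/null 2>&1; then
    euca-describe-groups | audit_world_open || echo "tighten the rules flagged above"
else
    sample_describe_groups | audit_world_open || echo "tighten the rules flagged above"
fi
```

Against the constructed sample the audit flags the icmp rule and the ssh rule from 0.0.0.0/0 and accepts port 80 from anywhere and port 443 from the admin network; run it after every euca-authorize, since a single permissive rule undoes the group's default-deny.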
