January 9, 2014 | Written by: Chris Dotson
It’s okay to socialize and be friendly to most people, but not to attackers on the Internet. The first layer of protection for your system is to turn off any unnecessary services and secure the necessary ones. An almost-universal second layer of protection is a firewall, which will filter the incoming packets to keep out unnecessary traffic.
According to the lawyers, I’m required to say that the robot is not a purchasable option on the SoftLayer cloud—yet.
As mentioned in an earlier post, firewalls and cloud services are not mutually exclusive. Using a firewall is a great idea any time you’re talking to the Internet, which includes most cloud deployments. When it comes to firewall options, SoftLayer has an embarrassment of riches. I’ve saved my favorite in this list for last.
1. Use a host-based firewall. Rather than having a separate device on the network, you can have the host OS run a firewall. This is cheap and effective, and SoftLayer makes it very easy with built-in support for deploying Advanced Policy Firewall on Linux. The biggest drawbacks with using host-based firewalls are that you can’t easily separate the responsibility of “firewall administrator” from “system administrator” (which some organizations will want to do); they don’t scale well for large numbers of systems without some other automation in place; and you have to know how to manage and maintain your host-based firewall. There are some easier ways to be antisocial.
2. Use the SoftLayer “Standard Hardware Firewall (Single Server)” option. This is a hardware-based firewall that sits between your host and the big bad Internet. Anyone with the proper access in the SoftLayer portal can control it with a few clicks. You don’t need to worry about configuring or maintaining the firewall; just turn it on and drop in your rules!
3. Use the SoftLayer “Dedicated Hardware Firewall” option. This is the big brother of the single server firewall option above. Just like the single server option, you don’t have to worry about having the skill and spending the labor to maintain the firewall itself. Here, though, your rules can cover your entire network (VLAN), which may contain many hosts.
4. Use the SoftLayer “FortiGate Security Appliance” option. With this option, you still don’t have to go buy a firewall and install it, but you do have to know how to manage it. When you choose this, you get full access to a dedicated FortiGate firewall to configure it however you like, which provides you with more flexibility than just specifying rules. The downside, of course, is that you get stuck with managing it!
5. Create your own firewall system using a CloudLayer virtual machine. Aside from the host-based firewall above, this is the least expensive option, and SoftLayer makes it easy for you to drop in an appliance distribution such as Vyatta Core edition to act as a firewall. You can use almost any operating system or virtual appliance you like as your firewall. However, you do have to manage it yourself, and you do have to do a little work on each of your other systems to have them use your firewall virtual machine as their gateway to the rest of the world.
6. Use the “Gateway Appliance” option. As I mentioned, this last option is my favorite! You get a hardware-based Vyatta system with a support subscription automatically included—so while you do have to manage the system yourself, you can call Vyatta for help if needed. This system can be configured to manage as many different networks (VLANs) at a single data center as you like, all through the portal without having to put in a service ticket for a human. (I don’t like having to deal with humans in a cloud environment, but I must admit it’s amazing how fast SoftLayer can get a real human to resolve service tickets!)
Vyatta is a specialized Linux distribution that can be configured with a single configuration file, so you get all of the networking power of the Linux kernel with a very easy-to-use configuration interface. You can copy a configuration file from one system to another to have the second system up and running in minutes.
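To make the "filter the incoming packets" idea concrete, here is a default-deny inbound policy in Vyatta Core-style configuration commands. This is an added example, not taken from the original post or from SoftLayer; the interface name `eth0`, the ruleset names, the open ports and the management range `203.0.113.0/24` are assumptions to adapt to your own deployment.

```vyatta
configure

# Traffic forwarded through the firewall to the hosts behind it:
# drop everything that is not explicitly allowed.
set firewall name WAN-IN default-action drop
# Allow replies to connections the protected hosts opened themselves.
set firewall name WAN-IN rule 10 action accept
set firewall name WAN-IN rule 10 state established enable
set firewall name WAN-IN rule 10 state related enable
# Allow new connections only to the services meant to be public.
set firewall name WAN-IN rule 20 action accept
set firewall name WAN-IN rule 20 protocol tcp
set firewall name WAN-IN rule 20 destination port 80,443

# Traffic addressed to the firewall itself (its own management plane).
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 state established enable
set firewall name WAN-LOCAL rule 10 state related enable
# SSH to the firewall only from the (assumed) management range.
set firewall name WAN-LOCAL rule 20 action accept
set firewall name WAN-LOCAL rule 20 protocol tcp
set firewall name WAN-LOCAL rule 20 destination port 22
set firewall name WAN-LOCAL rule 20 source address 203.0.113.0/24

# A ruleset has no effect until it is attached to an interface and direction.
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL

commit
save
```

After `save`, these rules are part of the single configuration file described above, so the same policy can be copied to a second system.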
SoftLayer gives you the flexibility to be antisocial however you like, whether you want to manage a firewall yourself or have a turnkey firewall managed for you. Questions? Comments? Please leave them below, although I may decide to be antisocial and not respond.