Manage internal firewall controls
StorageGRID includes an internal firewall on each node that enhances the security of your grid by enabling you to control network access to the node. Use the firewall to prevent network access on all ports except those necessary for your specific grid deployment. The configuration changes you make on the Firewall control page are deployed to each node.
Use the three tabs on the Firewall control page to customize the access you need for your grid.
- Privileged address list: Use this tab to allow selected access to closed ports. You can add IP addresses or subnets in CIDR notation that can access ports closed using the Manage external access tab.
- Manage external access: Use this tab to close ports that are open by default, or reopen ports previously closed.
- Untrusted Client Network: Use this tab to specify whether a node trusts inbound traffic from the Client Network.
  This tab also provides the option to specify additional ports you want open when an untrusted Client Network is configured. These ports can provide access to the Grid Manager, the Tenant Manager, or both.
  The settings on this tab override the settings in the Manage external access tab.
  - A node with an untrusted Client Network accepts only connections on load balancer endpoint ports configured on that node (global, node interface and node type bound endpoints).
  - Additional ports opened under the Untrusted Client Network tab are open on all untrusted Client Networks, even if no load balancer endpoints are configured.
  - Load balancer endpoint ports and selected additional ports are the only open ports on untrusted Client Networks, regardless of the settings on the Manage external access tab.
  - When the Client Network is trusted, all ports opened under the Manage external access tab are accessible, as well as any load balancer endpoints opened on the Client Network.

The settings you make on one tab can affect the access changes you make on another tab. Be sure to check the settings on all tabs to ensure your network behaves in the way you expect.
To configure internal firewall controls, see Configure firewall controls.
For more information about external firewalls and network security, see Control access at external firewall.
Privileged address list and Manage external access tabs
The Privileged address list tab enables you to register one or more IP addresses that are granted access to grid ports that are closed. The Manage external access tab enables you to close external access to selected external ports or all open external ports (external ports are ports that are accessible by non-grid nodes by default). These two tabs often can be used together to customize the exact network access you need to allow for your grid.
Privileged IP addresses don't have internal grid port access by default.
Example 1: Use a jump host for maintenance tasks
Suppose you want to use a jump host (a security hardened host) for network administration. You could use these general steps:
- Use the Privileged address list tab to add the IP address of the jump host.
- Use the Manage external access tab to block all ports.

Add the privileged IP address before you block ports 443 and 8443. Any users currently connected on a blocked port, including you, will lose access to Grid Manager unless their IP address has been added to the Privileged address list.
After you save your configuration, all external ports on the Admin Node in your grid will be blocked for all hosts except the jump host. You can then use the jump host to perform maintenance tasks on your grid more securely.
Example 2: Limit access to the Grid Manager and Tenant Manager
Suppose you want to limit access to the Grid Manager and Tenant Manager for security reasons. You could use these general steps:
- Use the toggle on the Manage external access tab to block port 443.
- Use the toggle on the Manage external access tab to allow access to port 8443.
- Use the toggle on the Manage external access tab to allow access to port 9443.
After you save your configuration, hosts will not be able to access port 443, but they can still access the Grid Manager through port 8443 and the Tenant Manager through port 9443.
Example 3: Lock down sensitive ports
Suppose you want to lock down a sensitive port and the service listening on it (for example, SSH on port 22). You could use the following general steps:
- Use the Privileged address list tab to grant access only to the hosts that need access to the service.
- Use the Manage external access tab to block all ports.

Add the privileged IP address before you block ports 443 and 8443. Any users currently connected on a blocked port, including you, will lose access to Grid Manager unless their IP address has been added to the Privileged address list.
After you save your configuration, port 22 and SSH service will be available to hosts on the privileged address list. All other hosts will be denied access to the service no matter what interface the request comes from.
Example 4: Disable access to unused services
At a network level, you could disable some services that you don't intend to use. For example, if you will not provide Swift access, you would perform the following general steps:
- Use the toggle on the Manage external access tab to block port 18083.
- Use the toggle on the Manage external access tab to block port 18085.
After you save your configuration, the Storage Node no longer allows Swift connectivity, but continues to allow access to other services on unblocked ports.
Untrusted Client Networks tab
If you are using a Client Network, you can help secure StorageGRID from hostile attacks by accepting inbound client traffic only on explicitly configured endpoints or additional ports you select on this tab.
By default, the Client Network on each grid node is trusted. That is, by default, StorageGRID trusts inbound connections to each grid node on all available external ports.
You can reduce the threat of hostile attacks on your StorageGRID system by specifying that the Client Network on each node be untrusted. If a node's Client Network is untrusted, the node only accepts inbound connections on ports explicitly configured as load balancer endpoints and any additional ports you designate using the Untrusted Client Network tab on the Firewall control page. See Configure load balancer endpoints and Configure firewall controls.
Example 1: Gateway Node only accepts HTTPS S3 requests
Suppose you want a Gateway Node to refuse all inbound traffic on the Client Network except for HTTPS S3 requests. You would perform these general steps:
- From the Load balancer endpoints page, configure a load balancer endpoint for S3 over HTTPS on port 443.
- From the Firewall control page, select Untrusted to specify that the Client Network on the Gateway Node is untrusted.
After you save your configuration, all inbound traffic on the Gateway Node's Client Network is dropped except for HTTPS S3 requests on port 443 and ICMP echo (ping) requests.
Example 2: Storage Node sends S3 platform services requests
Suppose you want to enable outbound S3 platform services traffic from a Storage Node, but you want to prevent any inbound connections to that Storage Node on the Client Network. You would perform this general step:
- From the Untrusted Client Networks tab of the Firewall control page, indicate that the Client Network on the Storage Node is untrusted.
After you save your configuration, the Storage Node no longer accepts any incoming traffic on the Client Network, but it continues to allow outbound requests to configured platform services destinations.
Example 3: Limiting access to Grid Manager to a subnet
Suppose you want to allow Grid Manager access only on a specific subnet. You would perform the following steps:
- Attach the Client Network of your Admin Nodes to the subnet.
- Use the Untrusted Client Network tab to configure the Client Network as untrusted.
- In the Additional ports open on untrusted Client Network section of the tab, add port 443 or 8443.
- Use the Manage external access tab to block all external ports (with or without privileged IP addresses set for hosts outside that subnet).
After you save your configuration, only hosts on the subnet you specified can access the Grid Manager. All other hosts are blocked.
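To make the interaction between the three tabs concrete, the following is an added example (not StorageGRID code and not from this page) that models the allow/deny decision described by the Untrusted Client Network bullets and by the jump-host, port-443, Gateway Node and subnet examples above. The class, the sample port list and the IP addresses are constructed; the behaviour of the Privileged address list on an untrusted Client Network and the reachability of load balancer endpoints on a trusted interface are assumptions noted in the code.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample of the external ports this page mentions; "block all ports"
# on the Manage external access tab is modelled as closing every one of them.
EXTERNAL_PORTS = {22, 443, 8443, 9443, 18083, 18085}


@dataclass
class NodeFirewall:
    """Firewall control settings for one node, one field per tab setting."""
    privileged: list = field(default_factory=list)       # Privileged address list (CIDRs)
    blocked_ports: set = field(default_factory=set)      # closed on Manage external access
    client_network_trusted: bool = True                  # Untrusted Client Network tab
    lb_endpoint_ports: set = field(default_factory=set)  # LB endpoints bound to this node
    additional_ports: set = field(default_factory=set)   # extra ports open when untrusted

    def is_privileged(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(cidr, strict=False) for cidr in self.privileged)

    def allows(self, src: str, port: int, via_client_network: bool) -> bool:
        """Decide whether an inbound TCP connection from src to port is accepted."""
        if via_client_network and not self.client_network_trusted:
            # Untrusted Client Network: only LB endpoint ports and additional ports
            # are open, regardless of Manage external access. Assumption: the
            # privileged list does not bypass this, because these ports were not
            # closed by the Manage external access tab.
            return port in self.lb_endpoint_ports or port in self.additional_ports
        if port in self.lb_endpoint_ports:
            return True  # assumption: LB endpoints stay reachable on a trusted interface
        if port in self.blocked_ports:
            return self.is_privileged(src)  # privileged addresses reach closed ports
        return True


def jump_host_node(jump_host: str = "10.0.0.5") -> NodeFirewall:
    """Jump-host example: block all external ports, admit only the jump host."""
    return NodeFirewall(privileged=[f"{jump_host}/32"], blocked_ports=set(EXTERNAL_PORTS))


def subnet_only_admin_node() -> NodeFirewall:
    """Subnet example: untrusted Client Network, port 443 added, everything else blocked."""
    return NodeFirewall(blocked_ports=set(EXTERNAL_PORTS), client_network_trusted=False,
                        additional_ports={443})
```

Hosts "on the subnet" reach the Admin Node through its Client Network, so they are modelled with via_client_network=True; all other hosts arrive on a trusted interface and hit the blocked-port rule.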