Network security
Use static DNS servers
It is recommended to use trusted static caching DNS servers to avoid the risks associated with untrusted DNS servers obtained through DHCP. Trusted servers ensure reliable name resolution, mitigate security vulnerabilities, and prevent DNS hijacking attacks. Ensure that at least two or three reliable DNS servers are configured, and avoid using public ones.
To configure static DNS servers, refer to Adding external DNS servers in the Administrator Guide.
Configure inbound/outbound restrictions
Block unnecessary outbound and inbound traffic to reduce the risk of unauthorized communications, such as botnets, email spam, etc. It is a good practice to control outbound SMTP traffic (on TCP port 25) to prevent spam or phishing emails sent by botnets, malware, etc. Additionally, restrict inbound RPC, DNS, and NETBIOS traffic to protect against lateral movement attacks or amplification attacks that could lead to DDoS attacks and cloud outages. It is recommended to use a firewall to allow legitimate inbound and outbound traffic flows.
- To configure inbound firewall rules, refer to Configuring inbound firewall rules in the Administrator Guide.
- To configure outbound firewall rules, refer to Configuring outbound firewall rules in the Administrator Guide.
Implement API allow lists
API allowlisting is mandatory to restrict external network access to critical system components. This can be implemented in various ways, with firewalls being the preferred method. It is recommended to use IP-based access controls or allow lists. This will help reduce exposure to external attacks, unauthorized access, data breaches, and service exploitation.
Implement API allowlisting:
- Mandatory for Keystone, Nova, and Barbican due to service sensitivity and exposure risk
- Recommended for other services, if applicable
Implement DNSSEC
Implement Domain Name System Security Extensions (DNSSEC) to digitally sign DNS records and protect their integrity. This prevents DNS spoofing and man-in-the-middle attacks, ensuring secure communication between clients and their environments.
To check your domain DNSSEC setup, you can use the DNS Debugger tool or similar.
Ensure ICMP redirects are not accepted
Configure the system to ignore ICMP redirect messages unless they are absolutely necessary, or disable ICMP redirects entirely, to prevent attackers from maliciously altering the system's routing table. This ensures traffic is not redirected to attacker-controlled routes.
- In the /etc/sysctl.conf or /etc/sysctl.d/* file, set the following parameters:
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
- Set the active kernel parameters by running:
    # sysctl -w net.ipv4.conf.all.accept_redirects=0
    # sysctl -w net.ipv4.conf.default.accept_redirects=0
    # sysctl -w net.ipv6.conf.all.accept_redirects=0
    # sysctl -w net.ipv6.conf.default.accept_redirects=0
    # sysctl -w net.ipv4.route.flush=1
    # sysctl -w net.ipv6.route.flush=1
Ensure secure ICMP redirects are not accepted
Protect the system from receiving updates to its routing table from known, but potentially compromised, gateways by setting net.ipv4.conf.all.secure_redirects to 0. This measure ensures that the system maintains control over its routing configurations and reduces the likelihood of man-in-the-middle attacks.
- In the /etc/sysctl.conf or /etc/sysctl.d/* file, set the following parameters:
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
- Set the active kernel parameters by running:
    # sysctl -w net.ipv4.conf.all.secure_redirects=0
    # sysctl -w net.ipv4.conf.default.secure_redirects=0
    # sysctl -w net.ipv4.route.flush=1
Ensure IPv6 router advertisements are not accepted
Disable router advertisements to prevent traffic from being routed through malicious or compromised devices. Configure trusted routes manually, such as a default route to a verified router, to ensure traffic follows secure paths. This approach prevents attacks that exploit automatic routing updates, such as those using rogue routers to capture sensitive data.
- In the /etc/sysctl.conf or /etc/sysctl.d/* file, set the following parameters:
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.default.accept_ra = 0
- Set the active kernel parameters by running:
    # sysctl -w net.ipv6.conf.all.accept_ra=0
    # sysctl -w net.ipv6.conf.default.accept_ra=0
    # sysctl -w net.ipv6.route.flush=1
Ensure suspicious packets are logged
Enable logging of suspicious network packets to detect spoofed packets, unusual traffic patterns, or attempts to exploit vulnerabilities. Regularly review logs to identify potential network threats and mitigate them early.
- In the /etc/sysctl.conf or /etc/sysctl.d/* file, set the following parameters:
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
- Set the active kernel parameters by running:
    # sysctl -w net.ipv4.conf.all.log_martians=1
    # sysctl -w net.ipv4.conf.default.log_martians=1
    # sysctl -w net.ipv4.route.flush=1
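
The following audit script is an added example, not part of the original guide or the product's tooling. It checks sysctl.conf-style files against the parameters recommended in the four sections above, and shows how a later file can silently undo a hardened value. The function name audit_sysctl and the sample file names are hypothetical, and it assumes the files are passed in the order the system loads them, with the last assignment of a key taking effect.

```shell
#!/bin/sh
# Added example: audit sysctl.conf-style files against this page's recommended values.
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1'

# audit_sysctl FILE...: print "key want=X got=Y" for every deviation.
# Assumption: files are given in load order; the last assignment of a key wins.
# Returns 0 when all expected keys are set correctly, 1 otherwise.
audit_sysctl() {
    printf '%s\n' "$EXPECTED" | awk -F= '
        NR == FNR { want[$1] = $2; order[++n] = $1; next }  # first input: expected table
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                # skip comments and blank lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); sub(/^-/, "", key)      # "-key" means ignore errors
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            got[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got)) { printf "%s want=%s got=unset\n", k, want[k]; bad = 1 }
                else if (got[k] != want[k]) { printf "%s want=%s got=%s\n", k, want[k], got[k]; bad = 1 }
            }
            exit bad + 0
        }' - "$@"
}

# Constructed sample: a compliant hardening file and a later drop-in that re-enables RAs.
demo=$(mktemp -d)
printf '%s\n' "$EXPECTED" > "$demo/10-hardening.conf"
printf 'net.ipv6.conf.all.accept_ra = 1\n' > "$demo/99-vendor.conf"
audit_sysctl "$demo/10-hardening.conf" "$demo/99-vendor.conf" || echo "non-compliant"
rm -rf "$demo"
```

This checks the persistent configuration only; to check the running kernel, compare each key against the output of `sysctl -n <key>`.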