SoftLayer Fundamentals Security / Firewalls August, 2014
Security Overview
SoftLayer provides a security-rich environment for deploying and running customer workloads. The environment is achieved through a combination of:
- Certified physical and logical security of the SoftLayer data centers.
- Architecture and operational responsibilities in the SoftLayer offerings.
- Ease of use when enabling SoftLayer security features.
- Additional security capabilities delivered through partners (Open Ecosystem).

Securing the environment
SoftLayer offers security services that customers can use to secure their environment. These services include:
- Vulnerability scanning
- Antivirus and anti-spyware protection
- Host-based intrusion protection
- Firewall and network-based threat protection (IPS, DDoS)
- Network Gateways
- Virtual Private Networking (VPN): IPSec, SSL, PPTP
- Two-factor authentication to the SoftLayer Customer Portal
- SSL certificates that enable confidentiality of data in transit

Securing the environment (cont.)
- Nessus Vulnerability Assessment Security Scanner: can be run from the Portal; shows a detailed summary page
- McAfee LinuxShield Antivirus: free
- Windows VirusScan Anti-Virus: free
- Total Protection (adds AntiSpyware): $5
- Host Intrusion Protection (IDS) with reporting (Windows only): $30
- PCI Compliance with McAfee SECURE

Software Firewall
Windows Firewall
- Installed by default
- Configured with the following ports: RDP 3389; FTP 20, 21; HTTP 80; HTTPS 443; DNS 53; SMTP 25; POP 110; IMAP 143; IDENT 113; ICMP echo reply
- If Plesk is installed: ports open per Plesk requirements
Linux Firewall
- IPTables is installed
- APF (Advanced Policy Firewall)
- Others: IPFW, SmoothWall, IPCop, eBox

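The slide lists the ports a default Windows Firewall configuration leaves open, several of which (FTP, POP, IMAP, IDENT) are cleartext services a server rarely needs exposed. The opposite approach on the Linux side is an explicit allowlist with a default-deny policy. The script below is an added example, not SoftLayer code and not part of the deck: a POSIX shell function that generates an iptables-restore ruleset from a list of TCP ports, accepting only those ports plus loopback, established connections and ICMP echo, and logging (rate-limited) whatever the default policy drops. The port list, file path and use of iptables-restore are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the SoftLayer deck): emit a default-deny iptables
# ruleset for a Linux server from an explicit allowlist of TCP ports.
# Only listed services are reachable, so the legacy cleartext protocols in the
# slide's default Windows Firewall list (FTP 20/21, POP 110, IMAP 143,
# IDENT 113) stay closed unless someone deliberately adds them.
# Assumptions: POSIX sh, and that the output is loaded with iptables-restore.

# gen_rules "PORT PORT ..." -> prints an iptables-restore ruleset on stdout.
# Returns 1 without emitting a ruleset on a non-numeric or out-of-range port.
gen_rules() {
    ports=$1
    # Validate every port before emitting anything, so a bad list never
    # produces a half-written ruleset.
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) echo "gen_rules: invalid port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_rules: port out of range '$p'" >&2; return 1
        fi
    done
    # Default policy: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One explicit accept per allowlisted TCP port.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy drops, so unexpected
    # connection attempts show up in syslog instead of vanishing silently.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "' \
        'COMMIT'
}

# is_open RULESET PORT -> succeeds if RULESET accepts new TCP connections to PORT.
is_open() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage (a web server that needs only SSH, HTTP and HTTPS from the network):
#   gen_rules "22 80 443" > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Validating the whole port list before printing a single line matters when the output is piped straight into iptables-restore: a partial ruleset that fails to load can leave the host with no filtering at all, which is worse than the previous policy. The `is_open` helper is a quick check that a generated ruleset exposes exactly what was intended and nothing from the legacy list.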
Standard Hardware Firewall
- Secures individual servers
- Can be ordered with the purchase of a server
- Sold based on port speed (must match the server)
- Shared Firewall: Fortigate 3950B

Dedicated Hardware Firewall
- Secures a single VLAN
- Cannot be ordered with a server; must be ordered after a server has been provisioned
- 1 Gbps firewall with redundant links: customer servers do not have to match the link speed
- High Availability as an option
- Cannot have a Shared Firewall and a Dedicated Firewall on the same VLAN
- Fortigate 310B

Using Network Gateways to Protect the Environment
SoftLayer also offers a network gateway appliance powered by the Vyatta Network OS:
- Vyatta Network OS subscription edition deployed on a bare metal server
- Managed by the customer
- Network configuration is extended through deployment of additional software images, not new physical network hardware
- Capabilities: firewall, VPN, load balancing, NAT, QoS

Using Network Gateways to Protect the Environment (cont.)
A customer can construct a self-managed solution for software-based network connectivity. The choice may be based on the skill and experience within their team and on functional and non-functional requirements. Security capabilities will vary according to the chosen technology. Options include:

Managing VPN Connections to SoftLayer
There are two overall types of VPN connections to SoftLayer:
VPN System Administration Management
- 1 Gb link for VPN access for customers to perform administrative tasks on the private network
- Additional tunnels can be requested through the Customer Portal
- SSL VPN, PPTP VPN, and IPSec VPN connections available through the Customer Portal
VPN Production Access
- The recommended solutions for any customer requiring production VPN access to the SoftLayer network are either the FortiGate Security Appliance or the Vyatta Gateway Appliance

Direct Connection to SoftLayer
It's possible to connect directly to SoftLayer through a customer Ethernet circuit handoff:
- Provides a customer with a direct Ethernet interface to the SoftLayer private network.
- A customer's telco provider brings an Ethernet circuit (or circuits) to one of the 18 SoftLayer Points of Presence (PoP) around the world.
- The customer (or their telco) contracts with the PoP's location provider for any space, power, and cross-connect charges to bring their circuit and any customer premise equipment (CPE) to that PoP.
- The customer contacts SoftLayer to accept an Ethernet handoff connection to SoftLayer equipment at the PoP.
- SoftLayer Ethernet cross-connections are available in 1 Gbps or 10 Gbps sizes.

Other security resources

Securing the Data Centers
SoftLayer data centers are Tier 3 data centers. For comparison, the data center tiers are:
- Tier 4: 99.995% availability; annual downtime 0.4 hours; two independent utility paths; fully redundant (2N+1); sustains a 96-hour power outage
- Tier 3: 99.982% availability; annual downtime 1.6 hours; multiple power and cooling paths; fault tolerant (N+1); sustains a 72-hour power outage
- Tier 2: 99.749% availability; annual downtime 22.0 hours; one path of power and cooling; some redundancy in power
- Tier 1: 99.671% availability; annual downtime 28.8 hours; single path for power and cooling; no redundant components

Securing the Data Centers (cont.)
Data center and server room security
- Data centers located only in facilities with controlled access and 24-hour security.
- No server room doors are public-facing.
- Server rooms are staffed 24 x 7.
- Unmarked entry and exit doors into server rooms.
- Digital security video surveillance is used in the data center and server rooms.
- Biometric security systems are used throughout the data center.
- Server room access strictly limited to SoftLayer employees and escorted contractors or visitors.
- Barcode-only identification on hardware; no customer markings of any type on the servers themselves.

Securing the Data Centers (cont.)
Operational security
- Engineers and technicians trained on internal industry-standard policies and procedures, and audited yearly.
- Geographic redundancy for all core systems for disaster recovery and business continuity.
- Two-factor authentication for Customer Portal access adds greater server security.
- All data removed from re-provisioned machines with drive-wipe software approved by the US Department of Defense.
- Ongoing PCI DSS compliance for SoftLayer's own handling of credit card information.
- Current SSAE 16 SOC1 report, with no exceptions noted.