cloud and local firewall at all (sig consensus?)

Eric V. Smith eric at trueblade.com
Thu Dec 20 22:23:23 UTC 2012


On 12/20/2012 3:49 PM, Matthew Miller wrote:
> On Wed, Dec 12, 2012 at 09:58:04PM -0800, Garrett Holmstrom wrote:
>> EC2 recommends images with *no* default firewall since they use security
>> groups to control traffic, and adding a second, guest-level firewall tends
>> to confuse people.
> 
> I'd like to get a group consensus on this. Dennis Gilmore has expressed
> concern about leaving the local firewall off -- having it on may be
> redundant, but it protects against configuration errors or security bugs in
> EC2 itself. 
> 
> Options for the out-of-the-box config are:
> 
>  A) no local firewall (Garrett, do you have a reference to an EC2
>         recommendation for this configuration?)
> 
>  B) firewall allowing ssh in by default (normal Fedora default)
> 
>  C) firewall allowing in ssh + http/https (since cloud systems are often
>         web servers)
> 
> I'm lightly in favor of C, since I like the concept of defense-in-depth, and
> this seems like a decent compromise. But I really don't have a very strong
> opinion. What are your thoughts?
> 

I think B is the right solution. I don't trust EC2's firewalls
(especially EC2 instance to EC2 instance) and I have EC2 instances that
don't run web servers.

-- 
Eric.
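To make options B and C from the thread concrete, here is an added example (not code from this thread, the Fedora cloud SIG, or the Fedora image build); it emits an iptables-restore(8) ruleset for either option, with a default-deny INPUT chain that is the "second layer" Matthew and Eric are arguing about, independent of EC2 security groups. The function names, the REJECT-with-icmp-host-prohibited final rule and the decision to allow ICMP are assumptions for illustration, not a description of what the Fedora images actually shipped.

```shell
#!/bin/sh
# Generate a host firewall for the two "with a firewall" options discussed:
#   B = inbound ssh only            (the usual Fedora default)
#   C = inbound ssh + http + https  (cloud hosts are often web servers)
# Everything not explicitly allowed inbound is rejected, so a mistake in an
# EC2 security group still leaves the guest closed (defense in depth).
# Example code, not the Fedora image's own configuration.

# gen_ruleset B|C : print an iptables-restore(8) ruleset on stdout
gen_ruleset() {
  case "$1" in
    B) ports="22" ;;
    C) ports="22 80 443" ;;
    *) echo "usage: gen_ruleset B|C" >&2; return 2 ;;
  esac
  echo '*filter'
  # Default policies: drop inbound and forwarded, allow outbound.
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Loopback and already-established flows are always fine.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # ICMP allowed so path MTU discovery and ping keep working (an assumption).
  echo '-A INPUT -p icmp -j ACCEPT'
  # One ACCEPT per published service; applies to any source, including
  # other EC2 instances, since the guest cannot tell them apart reliably.
  for p in $ports; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Explicit reject at the end gives clients a fast failure instead of a timeout.
  echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  echo 'COMMIT'
}

# count_open_ports B|C : number of TCP ports that accept new connections
count_open_ports() {
  gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# allows_port B|C PORT : exit 0 if PORT accepts new inbound TCP, 1 otherwise
allows_port() {
  gen_ruleset "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage: sh firewall.sh B | sudo iptables-restore
if [ "$#" -gt 0 ]; then
  gen_ruleset "$1"
fi
```

Pipe the output into `iptables-restore` to apply it, and into `iptables-save`-style review tooling to audit it; because the script only prints rules, it can be run and diffed on any machine without root. Whichever option a spin picks, the practical check is the same: count the ports that accept NEW connections and make sure the list matches what the image is supposed to publish.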

