[openstack-dev] [neutron] - Changing the Neutron default security group rules
Jeremy Stanley
fungi at yuggoth.org
Wed Mar 2 21:12:32 UTC 2016
On 2016-03-03 07:49:03 +1300 (+1300), Xav Paice wrote:
[...]
> In my mind, the default security group is there so that as people
> are developing their security policy they can at least start with
> a default that offers a small amount of protection.
Well, not a small amount of protection. The instances boot
completely unreachable from the global Internet, so this is pretty
significant protection if you consider the most secure system is one
which isn't connected to anything. Unfortunately this is not, I
think, what most users want as an end state for most of their
instances. I simply wonder if there's a default which can be useful
to at least some majority, rather than having to make things equally
complex for everyone. Hard to identify, rife with opinion, and not a
solution I'm holding my breath for... but probably still more
attainable than world peace.
> Disabling that protection means I'd have to be dealing with a vast
> number of customers with instances that have been compromised
> because they didn't add to the security groups.
Sure, and that's I think how we've arrived at the default
indecision. It's easier to tell customers that they have to adjust
their firewall rules before they can do anything at all (and risk
some of them going elsewhere for an easier out-of-the-box
experience), than to bear the liability and reputation loss from
customers getting compromised because they assumed wrongly that they
shouldn't have to secure their systems "in the cloud." That said,
there _are_ providers whose default behavior is to not filter you.
In IRC I tried to draw comparisons to colocation, where my default
expectation is a routed network I can put my servers on with no risk
that the provider is surreptitiously blocking my traffic. If I want
packet filtering, I can bring a firewall into the colo and plug it
in, then configure it to my liking, but the default bare-bones
experience is a _less_ complex one (no firewall appliance) and if I
want separate filtering that's additional complexity I opt into by
choice.
--
Jeremy Stanley
More information about the OpenStack-dev
mailing list