[openstack-dev] [neutron] - Changing the Neutron default security group rules
Sean M. Collins
sean at coreitpro.com
Wed Mar 2 21:25:25 UTC 2016
Jeremy Stanley wrote:
> On 2016-03-03 07:49:03 +1300 (+1300), Xav Paice wrote:
> [...]
> > In my mind, the default security group is there so that as people
> > are developing their security policy they can at least start with
> > a default that offers a small amount of protection.
>
> Well, not a small amount of protection. The instances boot
> completely unreachable from the global Internet, so this is pretty
> significant protection if you consider the most secure system is one
> which isn't connected to anything.
This is only the case if you are booting on a v4 network that has NAT enabled.
With many public providers, the network you attach to is publicly routed, and
with the move to IPv6 this will become more common. Remember, NAT is
not a security device.
--
Sean M. Collins
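As an added example (not part of this thread, and not Neutron's own code), the check a defender would want after reading the exchange above: an audit over the kind of rule list the Neutron security-group API returns, flagging ingress rules that admit traffic from any address in either address family. On a publicly routed or IPv6 network those rules, not NAT, decide what is reachable. The field names follow the Neutron API; the sample rules, group id and prefixes are constructed.

```python
import ipaddress

# Constructed sample modelled on the Neutron API "security_group_rules" shape.
# The first four rules are what Neutron creates in every new "default" group:
# egress to anywhere for both address families, ingress only from members of
# the same group. The remaining rules are constructed operator additions.
SAMPLE_RULES = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"direction": "egress", "ethertype": "IPv6", "protocol": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "remote_ip_prefix": None, "remote_group_id": "default-sg-id"},
    {"direction": "ingress", "ethertype": "IPv6", "protocol": None,
     "remote_ip_prefix": None, "remote_group_id": "default-sg-id"},
    # SSH from any IPv4 address: flagged.
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # Everything from any IPv6 address: flagged.
    {"direction": "ingress", "ethertype": "IPv6", "protocol": None,
     "remote_ip_prefix": "::/0", "remote_group_id": None},
    # SSH limited to a management prefix (constructed): not flagged.
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
]


def is_world_reachable(prefix):
    """True when a remote_ip_prefix covers its whole address family (/0)."""
    if prefix is None:
        return False
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def audit_ingress(rules):
    """Return ingress rules open to any source, keyed by ethertype.

    In Neutron a rule with neither remote_group_id nor remote_ip_prefix means
    'any source', so it is treated the same as an explicit 0.0.0.0/0 or ::/0.
    """
    open_rules = {"IPv4": [], "IPv6": []}
    for rule in rules:
        if rule["direction"] != "ingress" or rule.get("remote_group_id"):
            continue
        prefix = rule.get("remote_ip_prefix")
        if prefix is None or is_world_reachable(prefix):
            open_rules[rule["ethertype"]].append(rule)
    return open_rules
```

Feeding the output of `openstack security group rule list --format json` through `audit_ingress` gives the same report for a real group.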