High Level Security Recommendations
Security recommendations for ICF include specifying a Tunnel Interface when connectivity to the provider is separated from normal management traffic, and setting the IP Group configuration within ICFD so that ingress traffic is restricted at the provider.
The ICF Tunnel Interface is an optional interface configured on the ICX for traffic that leaves the enterprise to reach the ICS. It is enabled during the IcfCloud creation process under Intercloud > IcfCloud > Setup wizard, in the Secure Cloud Extension screen (Figure A-1).
Figure A-1 Addition of Tunnel Interface During IcfCloud Setup
To configure this interface, select the Advanced checkbox as shown in Figure A-1, and then select the Separate Mgmt and Tunnel Interface checkbox to display the options for the interface.
This provides a more secure path for tunnel traffic when it can be kept apart from the management traffic of the other ICF components.
IP Groups specify an IP block, or specific hosts, that are permitted to reach ICF resources in the Provider environment over the required ports. Without an IP Group, the default configuration applied to provisioned resources resembles Figure A-2.
Figure A-2 AWS Network Security Group without an IP Group Applied
This permits the required ports, but from any source. An IP Group is set up during IcfCloud creation to reduce the exposure of resources in the provider cloud. It is enabled by selecting the Advanced checkbox of the Config Details in the Intercloud > IcfCloud > Setup wizard, as shown in Figure A-3.
Figure A-3 IP Group Specification During IcfCloud Setup
An IP Group consists of a single host or subnet entry, or a comma-separated list of hosts or ranges that should be allowed to communicate with ICF resources.
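As an added example (not code from the ICF documentation or from Cisco), the following Python models the difference between the Figure A-2 default and an applied IP Group: it parses the comma-separated host/subnet list, flags ingress rules that are open to any source, and rewrites them so the required ports are reachable only from the IP Group entries. The rule layout and the port numbers are constructed placeholders, not ICF's actual port requirements.

```python
"""Audit provider security-group ingress rules for ICF resources.

Added example, not Cisco's code. Assumes each rule is a dict with a
'port' and a 'source' (CIDR string), and that the IP Group is the
comma-separated host/subnet string described above.
"""
import ipaddress

# Sources that mean "from anywhere" (the Figure A-2 default).
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def parse_ip_group(text):
    """Turn 'host, subnet, ...' into ip_network objects.
    A bare host becomes a /32 (or /128); a malformed entry raises ValueError."""
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def open_to_world(rules):
    """Return the rules whose source is any address."""
    return [r for r in rules if r["source"] in ANY_SOURCE]


def apply_ip_group(rules, ip_group):
    """Replace each any-source rule with one rule per IP Group entry on the
    same port; rules that are already restricted are kept unchanged."""
    networks = parse_ip_group(ip_group)
    restricted = []
    for rule in rules:
        if rule["source"] in ANY_SOURCE:
            for net in networks:
                restricted.append({"port": rule["port"], "source": str(net)})
        else:
            restricted.append(rule)
    return restricted


# Constructed sample of a default security group (placeholder ports).
DEFAULT_RULES = [
    {"port": 22, "source": "0.0.0.0/0"},
    {"port": 443, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("open to any source:", open_to_world(DEFAULT_RULES))
    print("with IP Group:", apply_ip_group(DEFAULT_RULES, "10.1.1.5, 192.168.10.0/24"))
```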