Cisco Intercloud Fabric security enhancements further secure hybrid cloud environments by enforcing security at the hybrid connection control points. Security is enforced through filtering capabilities automatically applied to both ends of the site-to-site encrypted tunnel: ICX on the private cloud and ICS on the public cloud. Traffic is controlled so that only cloud resources under the management control of Cisco Intercloud Fabric are allowed to communicate with one another, thus preventing use of the site-to-site tunnel as a transit link to the Internet or to the cloud provider's networks. By using Cloud Security Groups, hybrid cloud environments have a default policy applied that prevents traffic not belonging to any subnet extended to the public cloud from leaving the private cloud, or from entering the private cloud from the public cloud.
Enterprise Security Groups are ICX-based security groups that control traffic leaving the private cloud by only allowing traffic from source IP addresses that belong to the networks that are extended to the public clouds.
Public Security Groups are ICS-based security groups that control traffic destined to the private cloud from the public cloud by only allowing traffic from source IP addresses that belong to the enterprise IP space extended to the public cloud.
Note: Cisco Intercloud Fabric has management ports and interfaces that are enabled by default. It is highly recommended that you restrict device access to authorized hosts and protocols using Infrastructure ACLs. For example:

!
ip access-list ACL-INFRASTRUCTURE-IN
!--- Permit secure connections for network management
permit tcp host <trusted-management-stations> host <icfSwitch> eq 22
!
interface mgmt0
ip access-group ACL-INFRASTRUCTURE-IN in
!

Refer to the Cisco Security White Paper "Securing the Management Plane" for more information.
You can configure Cloud Security Groups from the CLI only. Intercloud Fabric does not expose the Cloud Security Groups configuration.
You can manually configure Cloud Security Groups by creating an ACL that is applied to the ICX and ICS trunk tunnel.
The following example shows how to manually configure an ACL, verify the ACL, check the port profiles, and apply the rule to both the ICX and ICS trunk tunnel port profiles:

! Create the ACL. NX-OS evaluates entries by sequence number, so the
! permit (10) is checked before the deny (20) even though it is typed second.
ip access-list <ACL_name>
  20 deny ip any any
  10 permit ip X.X.Y.0/24 X.X.Y.0/24
copy running-config startup-config
exit
! Verify the ACL and the port-profile configuration
show ip access-lists
show running-config port-profile
! Apply the ACL in both directions on the ICX and ICS tunnel trunk port profiles
port-profile <ICX_Tunnel_Trunk>
  ip port access-group <ACL_name> in
  ip port access-group <ACL_name> out
exit
port-profile <ICS_Tunnel_Trunk>
  ip port access-group <ACL_name> in
  ip port access-group <ACL_name> out
exit
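The following Python script is an added example, not part of the Cisco documentation or the Intercloud Fabric product. It models how the ACL above is evaluated: entries are sorted by sequence number (so the permit typed as line 10 is checked before the deny typed as line 20), matching is first-hit, and anything unmatched falls to the implicit deny. The subnet 10.1.2.0/24 is a constructed stand-in for the document's X.X.Y.0/24, and the sample flows are constructed as well; the `host` keyword handling goes slightly beyond the page's example so the Infrastructure ACL in the note can be modelled with the same parser.

```python
"""Toy evaluator for NX-OS-style 'seq permit|deny ip SRC DST' entries.

Added example (not Cisco code). Demonstrates sequence-number ordering,
first-match semantics and the implicit deny at the end of an ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the X.X.Y.0/24 extended subnet in the document.
EXTENDED_SUBNET = "10.1.2.0/24"

# The ACL exactly as entered in the example: deny typed first, permit second.
ACL_LINES = [
    "20 deny ip any any",
    f"10 permit ip {EXTENDED_SUBNET} {EXTENDED_SUBNET}",
]


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str                                  # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]         # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def parse_acl(lines):
    """Parse entries and return them in NX-OS evaluation order (by sequence)."""
    entries = []
    for line in lines:
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        fields, i = [], 3
        # Each of src/dst is 'any', 'host A.B.C.D', or a prefix/length.
        while len(fields) < 2:
            if tok[i] == "any":
                fields.append(None)
                i += 1
            elif tok[i] == "host":
                fields.append(ipaddress.ip_network(tok[i + 1] + "/32"))
                i += 2
            else:
                fields.append(ipaddress.ip_network(tok[i], strict=False))
                i += 1
        entries.append(AclEntry(seq, action, fields[0], fields[1]))
    # Order typed at the CLI does not matter; the sequence number does.
    return sorted(entries, key=lambda e: e.seq)


def _matches(net, addr):
    return net is None or addr in net


def evaluate(acl, src_ip, dst_ip):
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if _matches(e.src, src) and _matches(e.dst, dst):
            return e.action, e.seq
    return "deny", None


# Constructed sample flows crossing the ICX/ICS tunnel.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.2.20"),    # both ends in the extended subnet
    ("10.1.2.10", "8.8.8.8"),      # extended VM trying to reach the Internet via the tunnel
    ("192.168.5.5", "10.1.2.20"),  # non-extended source toward the extended subnet
]


def check_flows(acl_lines=ACL_LINES, flows=SAMPLE_FLOWS):
    """Evaluate each sample flow against the parsed ACL."""
    acl = parse_acl(acl_lines)
    return {f: evaluate(acl, *f) for f in flows}


if __name__ == "__main__":
    for (s, d), (action, seq) in check_flows().items():
        print(f"{s} -> {d}: {action} (seq {seq})")
```

Only the flow whose source and destination both sit inside the extended subnet is permitted; an extended VM aiming at the Internet and a non-extended host aiming at the extended subnet both hit the deny at sequence 20, which is the transit-link restriction the section describes.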