We receive many questions from our customers about various security features and how to approach security in their Virtuozzo (formerly Jelastic) environment. To provide some guidance on this topic, we would like to discuss a few key principles of security. Some fundamental principles to consider when working on security are separation of services, not putting all your resources in one place, and the principle of least privilege. In this article, we will specifically focus on network isolation and discuss its importance in maintaining a secure environment.
Network isolation
Typically, all environments belonging to a single user are able to reach each other's internal IP. In some cases, it may be desirable to limit access between environments. On the other hand, you might want to allow broader access, such as for a collaborative environment where multiple users can work on the same environment.
What benefits does this function provide for customers?
Network isolation provides a simple way to prevent containers within an isolated group from being accessible via the platform's internal network. This can be useful if you need to share access to a database or application with a third party. By using network isolation, you can ensure that only authorized parties have access to your resources.
What does this mean?
Network isolation is a feature that manages rule-based access between environments on the Virtuozzo (formerly Jelastic) platform. It is designed to prevent accidental or unauthorized access between environments. When two environments are in the same isolated group, communication between them is allowed. Otherwise, the connection is denied.
If network isolation is enabled on the platform, it means that all accounts are isolated from each other by default and cannot communicate with each other unless explicitly allowed.
How do I activate this functionality?
In the example below, two environments are set up under the same account: env-4453222 and env-7772010.

As a starting point, they can freely communicate with each other.
If, for example, you want one of these environments to be isolated from the rest, this is easily achieved by creating a new "Environment group" and activating the "Network Isolation" function for it.
First, click on the plus sign next to “Env Groups” as shown in the image below:

In the box that appears, enter an optional name for the new group. Select one or more environments that should belong to the new group. Turn on network isolation by selecting "On" next to "Network Isolation", then click "Add" at the bottom right to create the new isolated group.

After completing these steps, env-4453222 will belong to a group where network isolation is active. This means that communication between this environment and other environments in the account will no longer be possible.
If you want to allow communication between multiple environments, you can add them to the same group under "Environments".
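The reachability rules described above (environments in an account can reach each other freely; an environment in a group with Network Isolation switched on can only reach members of that same group) can be written down as a small model. The block below is an added example written for this article, not platform code, and the group and environment names in it are constructed; it is only meant to make the edge cases explicit, such as two different isolated groups or one isolated and one ungrouped environment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EnvGroup:
    """Constructed model of an 'Env Group' with its Network Isolation switch."""
    name: str
    environments: frozenset
    isolated: bool = False


def group_of(env, groups):
    """Return the group an environment belongs to, or None if it is ungrouped."""
    for group in groups:
        if env in group.environments:
            return group
    return None


def can_communicate(env_a, env_b, groups):
    """Decide whether two environments in the same account can reach each other.

    Rule modelled from the article: traffic is allowed unless at least one side
    sits in an isolated group that the other side is not a member of.
    """
    if env_a == env_b:
        return True
    for own_env, other_env in ((env_a, env_b), (env_b, env_a)):
        own_group = group_of(own_env, groups)
        if own_group is not None and own_group.isolated and other_env not in own_group.environments:
            return False
    return True


# Constructed sample layout: env-4453222 is placed in an isolated group on its
# own, env-7772010 stays ungrouped, and two further environments share a second
# isolated group.
SAMPLE_GROUPS = (
    EnvGroup("isolated-db", frozenset({"env-4453222"}), isolated=True),
    EnvGroup("app-tier", frozenset({"env-1000001", "env-1000002"}), isolated=True),
)


def sample_matrix(groups=SAMPLE_GROUPS):
    """Return (source, destination) -> allowed for the sample layout."""
    envs = ["env-4453222", "env-7772010", "env-1000001", "env-1000002"]
    return {(a, b): can_communicate(a, b, groups) for a in envs for b in envs if a != b}


if __name__ == "__main__":
    for (src, dst), allowed in sorted(sample_matrix().items()):
        print(f"{src} -> {dst}: {'allowed' if allowed else 'denied'}")
```

Before the isolated group is created (an empty group list), every pair is allowed; afterwards only members of the same isolated group, or two environments that are both outside any isolated group, can still talk to each other.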
In addition to network isolation, let's take the opportunity to talk a little about firewall rules.
Firewall rules
Principle of least privilege
The principle of least privilege in information security is based on the idea that each user should only have access to the information and resources that are necessary for them to perform their tasks.
When this principle is applied, it can lead to several benefits, including:
- Increased security: the impact of a potential threat is reduced when rights in a system are granted strictly according to the minimum each user needs.
- Reduced vulnerability surface: By limiting access rights, you can reduce the risk of a breach through lateral movement, where an attacker tries to gain access to sensitive accounts and escalate the breach by moving to other parts of the system.
Inspect preconfigured firewall rules
All newly created environments in Virtuozzo come with a pre-installed firewall configuration. The firewall rules can be easily accessed by clicking on “Settings” for the current environment:

After accessing the “Settings” panel, click on “Firewall” on the left side of the panel.

The Firewall overview panel contains the following:
- Firewall State: A function that enables or disables the firewall
- Inbound connections: incoming connections to the environment, for example to your WordPress database. The default policy is to deny all incoming connections that have not been explicitly specified.
- Outbound connections: outgoing connections, if, for example, you want to block a program from being able to connect to the internet. The default policy is to allow all outgoing traffic that has not been specified.

Inbound rules are used to manage incoming connections. In the example above, the first and last rules are greyed out; these cannot be changed, as they are the system's default values. According to the above example, all traffic is blocked except what the explicitly stated rules allow.
This is also where you can add further restrictions, for example which IP addresses are allowed to connect to a backend service.
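To make the firewall semantics concrete (inbound is deny-by-default, outbound is allow-by-default, and explicit rules are matched in priority order before the default policy applies), here is an added example that models a rule set of the kind described above. It is written for this article and is not the platform's own code or API; the rule fields, the priority ordering, and the sample addresses and ports are assumptions chosen to illustrate restricting a backend service to a few source addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Constructed representation of one firewall rule."""
    priority: int          # lower number is evaluated first (assumption)
    direction: str         # "inbound" or "outbound"
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp" or "any"
    ports: tuple           # inclusive (low, high) port range
    remote: str            # CIDR of the remote side (source for inbound, destination for outbound)


# Default policies as described in the article: the greyed-out catch-all rules.
DEFAULT_POLICY = {"inbound": "deny", "outbound": "allow"}


def rule_matches(rule, direction, protocol, port, remote_ip):
    """True if a single rule applies to the given connection attempt."""
    if rule.direction != direction:
        return False
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    low, high = rule.ports
    if not low <= port <= high:
        return False
    return ip_address(remote_ip) in ip_network(rule.remote)


def decide(rules, direction, protocol, port, remote_ip):
    """Return 'allow' or 'deny' for a connection, falling back to the default policy."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, protocol, port, remote_ip):
            return rule.action
    return DEFAULT_POLICY[direction]


# Constructed sample rule set for a web application with a database backend:
# - HTTPS reachable from anywhere
# - the database port only reachable from the internal 10.0.0.0/8 range
# - SSH only from one administrative address (documentation range 203.0.113.0/24)
# - outbound SMTP blocked so the container cannot send mail directly
SAMPLE_RULES = (
    Rule(10, "inbound", "allow", "tcp", (443, 443), "0.0.0.0/0"),
    Rule(20, "inbound", "allow", "tcp", (3306, 3306), "10.0.0.0/8"),
    Rule(30, "inbound", "allow", "tcp", (22, 22), "203.0.113.10/32"),
    Rule(40, "outbound", "deny", "tcp", (25, 25), "0.0.0.0/0"),
)


def explain(rules, direction, protocol, port, remote_ip):
    """Return (decision, matched_priority_or_None) for audit-style output."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, protocol, port, remote_ip):
            return rule.action, rule.priority
    return DEFAULT_POLICY[direction], None


if __name__ == "__main__":
    checks = [
        ("inbound", "tcp", 443, "198.51.100.7"),
        ("inbound", "tcp", 3306, "198.51.100.7"),
        ("inbound", "tcp", 3306, "10.2.3.4"),
        ("inbound", "tcp", 22, "203.0.113.11"),
        ("outbound", "tcp", 25, "198.51.100.25"),
        ("outbound", "tcp", 80, "198.51.100.80"),
    ]
    for direction, proto, port, ip in checks:
        action, prio = explain(SAMPLE_RULES, direction, proto, port, ip)
        source = f"rule {prio}" if prio is not None else "default policy"
        print(f"{direction:8} {proto}/{port:<5} {ip:15} -> {action} ({source})")
```

The `explain` helper is there because the useful check when reviewing a rule set is not only whether a packet is allowed but which rule made that decision; a connection that ends up at the default policy when you expected an explicit rule to match is usually a sign of a typo in the address range or port.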
With that information in mind, we hope you now have a better understanding of network isolation and firewalls in the Virtuozzo platform.
If you have any suggestions for future topics you would like to see covered, please feel free to email them to hello@elastx.se. We may feature your suggestion in a future article!