A Trusted Internal Network is a well maintained, trusted and probably small internal network where network traffic is unrestricted to and from the cluster subnet. While this configuration provides advantages of access to a company's infrastructure, services and storage, it also introduces a few threats. Most of these are not malicious, and normal internal safeguards such as an Intrusion Detection Systems, anti-virus software and active network monitoring typically address rogue employees or bot infestations that may attempt to disrupt the network. Human error via network and new admin mistakes are the most common causes of cluster service outages.
Guidelines for the trusted internal network model:
Implement all the guidelines for isolated local networks.
Disable ssh root logins. Admins should log in as themselves (using their global uid) with user privileges. Set up sudo to allow specific admin commands per user or root, if needed. See Section 3.2, “Administrator Privileges in Oracle VM” for details.
If shared storage is mounted from outside the server pool subnet, restrict the export to the Oracle VM Server dom0 and VM IP addresses. Do not make NFS shares and LUNs on Fibre Channel or SAN storage globally accessible.
Establish appropriate network firewalls as discussed below.
A default Oracle Linux install has the iptables firewall enabled. However, a best practice for network filtering is to use an additional external firewall device. This permits separation of control (network administrator control of network access, use of globally administered and audited rules), and relieves the Oracle VM dom0 of the potentially high CPU load that can be created by implementing packet filter rules. In order to use Oracle VM Manager on a system with iptables enabled you can either open the ports used by Oracle VM Manager, or open all ports by disabling iptables. The latter is not advised in the absence of an external firewall devices because it removes network protection.
Be sure to open the necessary ports on the different firewalls that may be installed between different parts of your network. Additional information including a listing of required ports and a diagram showing how components connect to each other can also be found in Section 2.1, “Oracle VM Pre-Installation Tasks”.
When using iptables, ensure that the service is running on each
node and that at least the default policy and ruleset are
present in the file /etc/sysconfig/iptables:
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:148] -A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 54322 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 7002 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT