Ensure Secure Network Access
Adopt the following best practices to secure your virtual cloud networks, subnets, load balancers, and other networking resources.
Implement Network Access Controls
Enterprise Architect, Security Architect, Network Architect
- Define appropriate IAM policies to limit access to network resources to only the users and groups that are allowed to manage network resources.
- Formulate a tiered subnet strategy for the VCN:
  - DMZ subnet for load balancers.
  - Public subnets for externally accessible hosts, such as web application servers and instances that run intrusion detection systems (IDS).
  - Private subnets for internal hosts such as databases.
  - Compute instances that are attached to a private subnet can have only private IP addresses.
- Attach security-sensitive hosts (DB systems, for example) to private subnets. For connectivity from such hosts to the internet, use a NAT gateway. To enable the hosts to access other Oracle Cloud Infrastructure services, use a service gateway.
- Network security groups provide fine-grained control of the traffic flowing between the VNICs that are members of the group.
- Security lists control the traffic that can flow into, within, and out of subnets.
- Use network security groups to control access to your resources in both private and public subnets:
  - Allow only the network flows required for a workload by creating a security group for each tier of the application.
  - Do not allow unnecessary lateral traffic within or between application tiers.
  - Do not allow application tiers to communicate with other tiers unless required.
- Use granular security rules to regulate communication within the VCN, with the Internet, with other VCNs that are connected through peering gateways, and with on-premises hosts.
- To run an intrusion detection system that inspects all outgoing traffic, use VCN route tables to direct that traffic through the IDS instance.
- VCN Subnet Flow Logs log traffic flowing within a VCN. Turn on VCN Subnet Flow Logs and regularly monitor their contents.
- Enable Web Application Firewall for public-facing HTTPS services.
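The tiered-subnet and security-group guidance above is easier to audit when the permitted flows are written down and checked against what the flow logs actually record. The following added example (not from the Oracle documentation) encodes a DMZ/public/private allow matrix and flags accepted flows in constructed VCN flow log records that the matrix does not permit; the subnet CIDRs, ports and flow log field names are assumptions for illustration.

```python
import ipaddress
import json

# Constructed tier layout mirroring the DMZ / public / private strategy.
# These CIDRs are assumptions, not values from any real tenancy.
TIERS = {
    "dmz": ipaddress.ip_network("10.0.0.0/24"),      # load balancers
    "public": ipaddress.ip_network("10.0.1.0/24"),   # web servers, IDS
    "private": ipaddress.ip_network("10.0.2.0/24"),  # databases
}

# Permitted flows: (source tier, destination tier) -> destination ports.
# "internet" means any address outside the VCN. Nothing else is expected.
ALLOWED = {
    ("internet", "dmz"): {443},
    ("dmz", "public"): {8443},
    ("public", "private"): {1521},
    ("private", "internet"): {443},  # NAT gateway egress, e.g. patching
}

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip, dst_ip, dst_port):
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src == dst:  # lateral traffic inside a tier is never expected here
        return False
    return dst_port in ALLOWED.get((src, dst), set())

def find_violations(flow_log_lines):
    """Return accepted flows (src, dst, port) that the tier policy forbids."""
    bad = []
    for line in flow_log_lines:
        rec = json.loads(line)["data"]
        if rec["action"] != "ACCEPT":
            continue  # rejected flows already match the intended posture
        key = (rec["sourceAddress"], rec["destinationAddress"], rec["destinationPort"])
        if not is_allowed(*key):
            bad.append(key)
    return bad

# Constructed sample records; the field names are assumed, not a published schema.
SAMPLE = [
    '{"data": {"action": "ACCEPT", "sourceAddress": "198.51.100.7", "destinationAddress": "10.0.0.5", "destinationPort": 443}}',
    '{"data": {"action": "ACCEPT", "sourceAddress": "10.0.1.10", "destinationAddress": "10.0.2.20", "destinationPort": 1521}}',
    '{"data": {"action": "ACCEPT", "sourceAddress": "198.51.100.7", "destinationAddress": "10.0.2.20", "destinationPort": 22}}',
    '{"data": {"action": "ACCEPT", "sourceAddress": "10.0.2.20", "destinationAddress": "10.0.2.21", "destinationPort": 22}}',
    '{"data": {"action": "REJECT", "sourceAddress": "198.51.100.7", "destinationAddress": "10.0.1.10", "destinationPort": 22}}',
]
```

Running `find_violations(SAMPLE)` reports the internet-to-private and private-to-private flows, which are exactly the kinds of rules a tier-by-tier security group review should have prevented.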
Secure the Load Balancers
Enterprise Architect, Security Architect, Network Architect
- To terminate TLS at the load balancer, use an HTTP load balancer. To terminate TLS at a backend server instead, use a TCP load balancer.
- You can configure network access to the load balancers by using network security groups or security lists.
- Define IAM policies to limit permissions to manage the load balancers to a minimal set of users and groups.
Restrict Access Using Network Sources
Enterprise Architect, Security Architect, Network Architect
A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. Network sources can only be created in the tenancy (or root compartment) and, like other Identity resources, reside in the home region.
You can use network sources to help secure your tenancy in the following ways:
- Specify the network source in an IAM policy to restrict access to resources. When specified in a policy, IAM validates that requests to access a resource originate from an allowed IP address. For example, you can restrict access to Object Storage buckets in your tenancy to only users that are signed in to Oracle Cloud Infrastructure through your corporate network. Or, you can allow only resources belonging to specific subnets of a specific VCN to make requests over a Service Gateway.
- Specify the network source in your tenancy's authentication settings to restrict sign in to the Console. You can set up your tenancy's authentication policy to allow sign in to the Console from only those IP addresses specified in your network source. Users attempting to sign in from an IP address not on the allowed list in your network source will be denied access.
Secure DNS Zones and Records
Enterprise Architect, Security Architect, Network Architect
Define IAM policies to limit the users who can modify DNS zones and records.
Leverage Maximum Security Zones in Oracle Cloud Infrastructure
Enterprise Architect, Security Architect, Network Architect
When you start a new project and build a new solution there is plenty of best practices guidance out there, from many different sources, such as:
- Vendor recommendations
- Organizational standards and policies
- External frameworks
- Regulatory compliance
- Reference architectures
These best practices typically cover a range of different security topics, including authentication, encryption, storage, access control, etc. However, in many cases, best practices advice is ignored. We’ve all seen it many times: project timelines, budget constraints, knowledge gaps, and environments starting out as non-production, can all mean that the relevant best practices are not followed, leading to an insecure environment and a weak security posture.
The Maximum Security Zones service within Oracle Cloud Infrastructure aims to help you minimise this risk. A security zone is a preventative control which, because it is intended to hold sensitive data and resources, is restrictive by design. For example, Maximum Security Zones will release with a maximum security policy enabled. This policy takes the position that public access should not be allowed and that sensitive data should be separated from the Internet as much as possible. The security policy enforces this position by preventing you, in real time, from creating resources that would violate it.