Dome9 centrally manages cloud server firewalls

November 4, 2011, by David
Grazed from Network World. Author: Brian Musthaler.

Organizations with any sort of data center face the challenge of managing and securing access to numerous servers in both local and distributed environments. Now as companies move to virtualized environments and cloud computing, the same security and device management issues are growing exponentially…

As organizations move more of their server infrastructure to the cloud, they create critical security gaps as they lose perimeter-based controls. The fundamental challenge is around securing access to the servers outside the perimeter where administrators leave ports open like SSH and RDP so they can get in and manage these devices.

Third parties also require access to these devices, which further increases risk. According to a recent Ponemon Institute survey of U.S.-based IT security practitioners, 42% of the respondents indicated it is very likely that administrative server ports are left open and the company is exposed to increased hacker attacks and security exploits.

Within the cloud, the security that is available is somewhat limited and fractured, largely because the cloud provider’s focus is mostly on building and maintaining the infrastructure rather than on securing access to it. This means that subscribers are ultimately responsible for securing access to cloud services and to their own data.

Complicating matters further, when subscribers use multiple cloud providers they will have multiple standards and security services they must separately manage with different tools sets and configurations. This can lead to inefficient management and security that is not as elastic as the subscribed infrastructure being employed.

One company trying to address the server access control challenge across multiple public and private cloud instances and service providers is Dome9. Dome9 has a SaaS solution that automates and centralizes cloud firewall management to help ensure that ports are opened only when, by whom, and for as long as you intend. This helps mitigate the access problem created when firewall rules leave ports open after administration tasks are completed.

The Dome9 Central Web-based management console is the foundation of the offering. The console manages the control and administration of the cloud server security groups and indicates which ports are open and closed for the various protocols that someone can connect to. Access to a specific server can be limited to a specific IP address for a specified time period, and when the specified time expires, the port is closed. The portal also can send email invitations to particular server administrators or developers that will enable their access to specific resources. Cloud administrators can map individual users to specific machines as part of their login process.

Dome9 Central connects to the customer’s cloud servers through the Windows firewall and native Linux firewalls such as iptables. The connection to the cloud firewalls is enabled either via the Dome9 Agent, installed on the virtual servers on any number of public and private clouds such as those from Amazon, GoGrid, Terremark and others, or via the Dome9 Connect API, which works with Dome9’s partner AWS EC2 and with clouds running OpenStack software.
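The behaviour described above (a port opened for one source address, for one named person, for a fixed period, then closed, with every open and close recorded centrally) can be modelled in a few dozen lines. The following is an added example written for this page, not Dome9's code: it keeps time-limited access leases, renders the matching iptables add/delete commands rather than executing them (so it runs without root), refuses sources broader than a /24 (a policy chosen for the example), and keeps an audit trail of who opened what, from where and when. The chain name `JIT-ACCESS` and all timestamps and addresses are constructed for the example.

```python
# Added example (not Dome9's code): a minimal just-in-time firewall access
# lease manager modelled on the time- and source-limited port opening the
# article describes. Assumptions: the leases live in a dedicated chain named
# JIT-ACCESS, and IPv4 sources broader than a /24 are refused.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import Dict, List, Optional

MIN_PREFIXLEN = 24  # assumption: a lease must name a host or at most a /24


@dataclass
class Lease:
    port: int
    source: str          # normalised CIDR, e.g. "203.0.113.7/32"
    granted_to: str      # administrator or contractor the lease was issued to
    opened_at: datetime
    expires_at: datetime

    def _rule_args(self) -> List[str]:
        # Match only new TCP connections from the leased source to the leased
        # port; the comment match tags the rule with its owner for host-side audit.
        return ["-p", "tcp", "-s", self.source, "--dport", str(self.port),
                "-m", "conntrack", "--ctstate", "NEW",
                "-m", "comment", "--comment", f"jit:{self.granted_to}",
                "-j", "ACCEPT"]

    def open_command(self) -> str:
        return " ".join(["iptables", "-A", "JIT-ACCESS"] + self._rule_args())

    def close_command(self) -> str:
        # -D with the identical match specification deletes exactly this rule.
        return " ".join(["iptables", "-D", "JIT-ACCESS"] + self._rule_args())


class LeaseManager:
    def __init__(self) -> None:
        self.active: List[Lease] = []
        self.audit_log: List[Dict[str, str]] = []  # who, what, from where, when

    def _log(self, action: str, lease: Lease, ts: datetime) -> None:
        self.audit_log.append({"ts": ts.isoformat(), "action": action,
                               "user": lease.granted_to, "port": str(lease.port),
                               "source": lease.source})

    def open_port(self, port: int, source: str, granted_to: str,
                  minutes: int, now: Optional[datetime] = None) -> Lease:
        now = now or datetime.now(timezone.utc)
        net = ip_network(source, strict=False)   # "203.0.113.7" -> 203.0.113.7/32
        if net.prefixlen < MIN_PREFIXLEN:
            raise ValueError(f"source {net} is too broad for a time-limited lease")
        lease = Lease(port, str(net), granted_to, now, now + timedelta(minutes=minutes))
        self.active.append(lease)
        self._log("open", lease, now)
        return lease

    def expire(self, now: Optional[datetime] = None) -> List[Lease]:
        """Drop leases whose time is up from the active set and return them."""
        now = now or datetime.now(timezone.utc)
        expired = [l for l in self.active if l.expires_at <= now]
        self.active = [l for l in self.active if l.expires_at > now]
        for lease in expired:
            self._log("close", lease, now)
        return expired


def run_demo() -> Dict[str, object]:
    """Open two leases, advance the clock 31 minutes, reap the expired one."""
    mgr = LeaseManager()
    t0 = datetime(2011, 11, 4, 12, 0, tzinfo=timezone.utc)   # constructed clock
    ssh = mgr.open_port(22, "203.0.113.7", "alice", minutes=30, now=t0)
    mgr.open_port(3389, "198.51.100.0/24", "contractor", minutes=120, now=t0)
    closed = mgr.expire(t0 + timedelta(minutes=31))
    return {"open_cmd": ssh.open_command(),
            "close_cmds": [l.close_command() for l in closed],
            "active_after": len(mgr.active),
            "audit_log": mgr.audit_log}


if __name__ == "__main__":
    result = run_demo()
    print(result["open_cmd"])
    for cmd in result["close_cmds"]:
        print(cmd)
    for entry in result["audit_log"]:
        print(entry)
```

A scheduler or cron job would call `expire()` periodically and execute the returned close commands; because the audit log lives in the manager rather than on the host, the open/close history survives the server being decommissioned, which is the property the article attributes to Dome9 Central's logs.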

The Dome9 Agent can be installed at any time, or preinstalled as part of a server image template, to provide cloud firewall management as well as policy portability. If, for example, an organization moves a virtual machine from one cloud to another, the policy goes with it because the agent is deployed directly on the machine, ensuring the server is continually secured and seamlessly managed.

Dr. Omar Caban, owner of Best Growth Stocks, uses Dome9 to improve the security of his Web servers. "Our Web services were under continual attacks because of our open cloud firewall ports," says Caban. "We chose Dome9 because their service was easy to implement. It took just 59 seconds to install on each of our servers. Also, it’s easy to use and very cost effective."

Dome9 provides "single pane of glass" central management across all employed servers and cloud instances. In addition, it provides logging of all activity on these servers and clouds to monitor and report on who’s accessing what servers, when, from where and how. This enables organizations to demonstrate compliance and control with detailed logs that report changes to policies by any user or administrator, and access by any developer or third-party consultant. These audit logs are stored within Dome9 Central (and not on the server), and they are available even after the servers are removed from service.

With Dome9, server administrators no longer have to manage server access individually with stand-alone tools — a feature that Best Growth Stocks’ Caban really likes. "Dome9 gives us a single pane of glass that allows us to manage this access, and this allows us to focus more on the business instead of the technology issues," according to Caban. "Now we can ensure that our ports are only open when needed and we can restrict access to a specific IP address, user and time period. And since Dome9 is ensuring our ports are closed, our open port attacks have been eliminated and our response times have improved."

Concern about security is a top reason cited for companies not adopting hosted or cloud services. Dome9 plugs the hole of one of the biggest vulnerabilities — the firewall — giving subscribers peace of mind.