How to: Use Security Profiles

Introduction

Firewalls are essential to the security of any Internet-connected device. To simplify this aspect of the cloud experience for our users, we have provided an easy-to-use Web-based firewall service at no additional cost.

In this guide, we’ll discuss how this new feature works as well as provide some examples so that you can take advantage of and begin utilizing this feature today.

Step 1: Create a Security Profile

First, you will want to create a security profile under the Firewall tab of any cloud device on your account. A security profile is simply a set of customizable network traffic rules you define, which can then be updated and applied to your cloud instances at any time within Ubiquity Motion. To create a new profile, click Create Security Profile, set a name for it, and then provide a description for the profile.

Once a security profile has been created, it is made available for use across all cloud instances under your account, which allows you to quickly apply the same set of rules to any instances you choose.

Step 2: Defining Rules

By default, every cloud instance is created with a set of rules that are automatically enabled. Essentially, these default rules allow any inbound or outbound connection to/from the cloud instance. The only exception is that the mail protocol ports are not enabled (ports 25, 26, 143, 465, 587, and 993).

Default Rules

Protocol  Direction  CIDR Range          Port Range
ALL       Ingress    0.0.0.0/0           ALL
TCP       Ingress    169.254.169.254/32  80
ICMP      Egress     169.254.169.254/32  ALL
UDP       Egress     169.254.169.254/32  80
TCP       Egress     169.254.169.254/32  80
TCP       Egress     0.0.0.0/0           1-24
TCP       Egress     0.0.0.0/0           27-142
TCP       Egress     0.0.0.0/0           144-464
TCP       Egress     0.0.0.0/0           466-586
TCP       Egress     0.0.0.0/0           588-992
TCP       Egress     0.0.0.0/0           994-65535
UDP       Egress     0.0.0.0/0           ALL
ICMP      Egress     0.0.0.0/0           ALL

Below are the two irremovable default rules in place that ensure that your cloud can properly communicate with our internal cloud-init system. These rules are necessary for the full functionality of your cloud instances on our platform and cannot be removed under any circumstances.

Irremovable Default Rules

Protocol  Direction  CIDR Range          Port Range
TCP       Ingress    169.254.169.254/32  80
TCP       Egress     169.254.169.254/32  80

To limit connectivity to only the rules defined in your profile, you will want to remove the aforementioned default rules. To do this, select the Manage button next to the profile, and then click the Remove Rule button next to each one.

(Screenshot: Default Security Profile Rules on Ubiquity Cloud)

NOTE:

Even after the default rules are removed, the mail protocol ports remain blocked and the irremovable cloud-init rules remain in place. Should you require the ability to send and receive email, these ports can be unblocked after you have filled out an email request on the cloud overview page and our staff has approved your request.

Creating Rules

Once a profile is applied to a cloud instance, all previous rules are overwritten with the rules contained in the profile. Therefore, when creating a profile, you will want to take into account all rules that you will require (e.g. SSH/RDP, HTTP, and HTTPS) before you apply it. To view which rules are currently active on the cloud instance, click the Current Applied Rules button under the Firewall tab.

When creating a rule, the first option you’ll want to select is the protocol. Using the drop-down menu, choose between predefined protocols with their respective port ranges or select TCP/UDP to define your own custom rules. Then choose the direction the rule applies to (ingress or egress). Next, define the port range the rule applies to, or skip this step if you chose a predefined protocol. Lastly, enter the IP address(es) the rule applies to, or set it to 0.0.0.0/0 to allow connections from any address. Define the IP(s) as a single address or as a CIDR (Classless Inter-Domain Routing) prefix, which lets you specify a range of IP addresses (see the table below for examples).

CIDR Prefix Examples

CIDR Prefix  Example           Number of IPs
/32          192.168.1.90/32   1
/31          192.168.1.90/31   2
/30          192.168.1.92/30   4
/29          192.168.1.200/29  8
/28          192.168.1.16/28   16
/27          192.168.1.64/27   32
/26          192.168.1.192/26  64
/25          192.168.1.128/25  128
/24          192.168.1.0/24    256
/0           0.0.0.0/0         ALL
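Because applying a profile replaces every existing rule, it is worth checking a rule set before clicking Apply Profile. The following is an added example (not part of this guide or the Ubiquity Cloud service) that parses rules in the same column order as the tables above, computes the address count of a CIDR prefix, rejects prefixes whose host bits are set, and flags remote-admin ports that would be open to any address; the admin port list and the sample profile are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

MAIL_PORTS = {25, 26, 143, 465, 587, 993}   # stay blocked until unblocked on request (from the guide)
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}      # assumed list: should never be open to 0.0.0.0/0

@dataclass(frozen=True)
class Rule:
    protocol: str   # TCP, UDP, ICMP or ALL
    direction: str  # Ingress or Egress
    cidr: str       # single address or CIDR prefix
    ports: str      # ALL, a single port, or lo-hi

def parse_rule(line: str) -> Rule:
    """Parse one row written in the column order of the guide's tables."""
    proto, direction, cidr, ports = line.split()
    return Rule(proto.upper(), direction.capitalize(), cidr, ports.upper())

def port_range(ports: str) -> range:
    if ports == "ALL":
        return range(1, 65536)
    lo, _, hi = ports.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def cidr_size(cidr: str) -> int:
    """Address count for a prefix; strict=True rejects host bits set (e.g. 192.168.1.90/30)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses

def audit(rules: list[Rule]) -> list[str]:
    """Findings a reviewer would raise before applying the profile."""
    findings = []
    for r in rules:
        try:
            net = ipaddress.ip_network(r.cidr, strict=True)
        except ValueError as exc:
            findings.append(f"invalid CIDR {r.cidr}: {exc}")
            continue
        span = port_range(r.ports)
        if r.direction == "Ingress" and net.prefixlen == 0:
            exposed = [name for port, name in ADMIN_PORTS.items() if port in span]
            if exposed:
                findings.append(f"{'/'.join(exposed)} open to any address ({r.protocol} {r.ports})")
        if r.direction == "Egress" and r.protocol in ("TCP", "ALL") and any(p in span for p in MAIL_PORTS):
            findings.append(f"egress {r.ports} includes mail port(s); stays blocked until approved")
    return findings

# Constructed sample profile: HTTPS from anywhere, SSH only from one office address, all TCP egress.
SAMPLE = [parse_rule(row) for row in ("TCP Ingress 0.0.0.0/0 443",
          "TCP Ingress 203.0.113.10/32 22", "TCP Egress 0.0.0.0/0 ALL")]
```

Running audit(SAMPLE) reports only that the egress rule covers mail ports, which the platform keeps blocked regardless; an ingress rule such as "TCP Ingress 0.0.0.0/0 22" would instead be flagged as SSH open to any address.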

Step 3: Activating the Profile

IMPORTANT NOTE:

Only one security profile can be active on a cloud instance at a time, so double-check that your profile includes every rule you wish to apply to that specific instance.

The last step is to apply the profile settings. Just navigate to the Firewall tab and click Apply Profile on the profile you wish to activate and that’s it!

Written by
on July 24, 2015
