In SoftLayer, the Vyatta Network Gateway is offered to provide routing, firewall and VPN gateway functions. As a network security device, the Vyatta gateway itself has to be protected properly.
“This Vyatta gateway is administered directly by the customer. The customer has the ability to login directly to the device and make extensive configurations for servicing their network traffic. The customer is responsible for maintaining proper backups of the device’s configuration files.”
So, as a customer of SoftLayer, it is YOUR responsibility to secure the Vyatta gateway.
Here I will try to give you a few tips to lock down your Vyatta gateway:
- Disable insecure and unused services running on the Vyatta gateway. We are lucky: only SSH and HTTPS are enabled by default in the SoftLayer Vyatta build.
- The SoftLayer Vyatta build allows you to SSH to the Vyatta gateway from the Internet by default. You have two ways to make this more secure:
- Configure the SSH service to listen only on the Vyatta private network address:
set service ssh listen-address private-ip
- Apply firewall rules on the Vyatta gateway's public interface to allow only trusted networks to reach the gateway. Note that the rule set must be applied in the "local" direction (traffic addressed to the gateway itself), not "in" or "out".
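As an added example (not from the original post and not SoftLayer's own configuration), here are the two options above combined into one Vyatta configuration-mode session. It assumes Vyatta 5400-style command syntax, that bond1 is the gateway's public interface, that 10.0.0.2 is the gateway's private address, that 203.0.113.0/24 is your trusted management network, and that the rule set is named PUBLIC-LOCAL; substitute your own values.

```vyatta
configure

# Option 1: SSH answers only on the private address (assumed 10.0.0.2)
set service ssh listen-address 10.0.0.2

# Option 2: a rule set for traffic addressed to the gateway itself,
# applied in the "local" direction on the public interface (assumed bond1).
set firewall name PUBLIC-LOCAL description "Management traffic to the gateway from the public side"
set firewall name PUBLIC-LOCAL default-action drop

# Rule 10: keep replies to sessions the gateway itself initiated (NTP, syslog, updates)
set firewall name PUBLIC-LOCAL rule 10 action accept
set firewall name PUBLIC-LOCAL rule 10 state established enable
set firewall name PUBLIC-LOCAL rule 10 state related enable

# Rule 20: SSH and HTTPS only from the trusted network (assumed 203.0.113.0/24)
set firewall name PUBLIC-LOCAL rule 20 action accept
set firewall name PUBLIC-LOCAL rule 20 protocol tcp
set firewall name PUBLIC-LOCAL rule 20 source address 203.0.113.0/24
set firewall name PUBLIC-LOCAL rule 20 destination port 22,443

# Attach as "local", not "in" or "out", so it filters traffic destined for the gateway
set interfaces bonding bond1 firewall local name PUBLIC-LOCAL

commit
save
exit
```

Two things to check before you commit: run it from a session on the private network (or the portal console), not from a public SSH session that the new default-action drop would cut off, and add accept rules for anything else the gateway terminates on its public side, such as IKE and NAT-T (UDP 500 and 4500) for IPsec VPN peers, or those tunnels stop coming up. After the commit, `run show firewall name PUBLIC-LOCAL` shows the rules and their hit counters so you can confirm the trusted network is matching rule 20 and everything else is being dropped.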
- Apply the principle of least privilege by using role-based access control (RBAC). Vyatta defines three roles (operator, administrator and superuser) by default.
- Integrate with your central AAA server, if you have one, for access control. TACACS+ and RADIUS are supported by the Vyatta gateway.
- Configure SNMP and syslog to monitor the operation of the Vyatta gateway.
- By default, the SoftLayer Vyatta gateway is configured to sync its clock with SoftLayer's NTP servers. You can change it to sync with your own NTP server if you like. Don't forget to change the time zone to reflect your local time!
- Control device access in the customer portal so that only your network administrators have access to the Vyatta gateway. Make sure the Vyatta username and password are visible only to them.
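As an added example (not from the original post and not SoftLayer's own configuration) covering the monitoring and time settings in the two tips above, here is a Vyatta configuration-mode session that points syslog and SNMP at a central monitoring host and replaces the default NTP server. It assumes Vyatta 5400-style syntax, that 10.0.0.50 is your monitoring host, 10.0.0.10 your NTP server, mon-ro the SNMP community name and Europe/London the time zone; substitute your own values.

```vyatta
configure

# Syslog: forward all facilities at "info" and above to the collector (assumed 10.0.0.50),
# so that a copy of the logs survives even if the gateway itself is tampered with
set system syslog host 10.0.0.50 facility all level info

# SNMP: read-only community, accepted only from the monitoring host (assumed values).
# Restricting the client address matters because v2c carries the community in clear text.
set service snmp community mon-ro authorization ro
set service snmp community mon-ro client 10.0.0.50

# NTP: replace the SoftLayer default with your own server (assumed 10.0.0.10).
# "delete system ntp server" with no argument removes every configured server;
# run "show system ntp" first if you prefer to delete the existing entries by name.
delete system ntp server
set system ntp server 10.0.0.10

# Time zone, so that log timestamps on the gateway match your other systems
set system time-zone Europe/London

commit
save
exit
```

If SNMP is only ever polled over the private network, keep the community's client restriction to private addresses and make sure the public-side "local" firewall rule set does not accept UDP 161 at all. A quick check after the commit is `run show ntp` to confirm the new server is being reached and `run show log | tail` to confirm timestamps now carry the expected local time.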
- Follow your password management policy and change your password regularly.