Additional Steps and Best Practices for Security

Security is important for the integrity of the event broker services because they transport your messaging data. If you have deployed your event broker services in a Customer-Controlled Region (Kubernetes cluster, Virtual Private Cloud or Virtual Network), there are a few additional security-related steps you can take because they fall within your responsibilities to manage. By default, in Public Regions and Dedicated Regions, Solace uses the same best practices as described in the following sections:

OS, Hotfixes, Service Packs, and Security Patches

It is critical that all service packs, hotfixes, and security patches are updated on the infrastructure for all PubSub+ Cloud components to ensure they have the latest, most secure code base.

To that end, these are best practices that we recommend and adhere to:

  • OS patching is performed automatically on Solace-controlled environments. Compute instances are configured to automatically install OS patches and an alert system is in place to notify Solace if an instance needs to be rebooted to complete a patch installation.
  • Event broker service updates follow a defined process. You can coordinate with Solace to schedule an upgrade to your event broker services to pick up the latest maintenance loads. During scheduled service upgrades, Solace upgrades your current release to apply the latest maintenance load that contains the latest security and critical fixes. For more information, see Upgrading Event Broker Services in PubSub+ Cloud.
  • There is an integration period between PubSub+ Cloud and releases of PubSub+ Event Broker: Software. For this reason, there may be a delay before event broker services are upgraded to a new release of PubSub+ Event Broker: Software.
  • Virtual machines that run the Mission Control Agent and event broker services have Ubuntu LTS releases as their base OS. Solace creates custom images for these VMs (AMIs and managed images) that are based on the canonical Ubuntu LTS image.
  • These custom images contain the required software and tooling to run software from Solace. Solace ensures that these custom images contain the latest Ubuntu patch set and enables unattended upgrades so that the VMs can have the latest security updates.
  • Security vulnerability patching is completed as soon as possible. The patching time frame is linked to the CVSS score; third-party library fixes are applied once they are available from the vendor.
  • Security updates are delivered via secure ports to the deployment. Port 443 is required to download updated docker images. For more information, see Connection Details for Operational Connectivity.

    For VM-based deployments to Azure and AWS, port 80 is required to receive security updates. For more information, see Connection Details for Amazon Web Service (AWS) Deployments and Connection Details for Azure Deployments, respectively.

If your security policy does not permit port 80 to be open, the Mission Control Agent VM/EC2 must be periodically recreated with an updated managed image/AMI to obtain the latest security patches. Contact Solace for assistance to obtain an updated, managed image.

Support for VM-based deployments is now deprecated and version 10.0.1 was the last event broker release that supported deployments in VM-based regions. For more details, see the Deprecated Features list.

Hardening Access to PubSub+ Cloud

There are a few areas where access to PubSub+ Cloud can be further hardened. Solace recommends the following practices:

  • Integrate Single Sign-On (SSO) with your organization's central identity management system. This makes it easier for your users to authenticate and provides a single system to control and manage users.
  • For management client applications, ensure that the API tokens are assigned the minimal, but necessary permissions for the client application to perform its tasks.

Hardening Access to Event Broker Services

The event broker services are created with default settings that allow for easy development and testing when connecting from client applications. These default settings are useful for development purposes and are secure, but further hardening of access can be considered for additional security.

Some of the settings can be set only at creation time, and others are configurable only after the event broker service has been created. They are as follows.

Settings when creating an event broker service:

These settings must be made at creation time.

Settings after an event broker service is created:

These settings can only be made after the event broker service is created. Consider the following:
  • By default, client applications use Basic Authentication as the authentication scheme to connect to an event broker service. You can configure an event broker service to use more than one authentication scheme. Solace recommends that you use a more robust authentication scheme and at minimum, use the recommended authentication schemes specified by your organization's security policies for client application access. For example, you can use LDAP Authentication as the authentication instead of Basic Authentication. For more information, see Configuring Authentication to Event Broker Services.
  • For the authorization of client applications, a client profile is created named default. Solace recommends that the default client profile is deleted, and that you create client profiles with restricted authorization for use with your client applications. For more information, see Using Client Profiles and Client Usernames.
  • By default, SEMP over Message Bus is disabled for enhanced security and to keep your SEMP show commands hidden. For additional information, see Enabling SEMP Over the Message Bus.

Restricting Secure Ports and Protocols on Event Broker Services

Both event broker management and events (messaging) are securely accessed and used through Solace APIs and open source APIs.

These APIs do not provide a mechanism for users or client applications to access the underlying hosts or instances; only the functionality of the event broker services is exposed.

API access to an event broker service is configurable and we recommend the following configuration settings:

  • Only use secured ports (i.e., do not enable the plain-text ports other than for development purposes or non-production usage).
  • Disable protocols that you do not use. The default for an event broker service is to enable all protocols with secure ports. This can be configured when you create the event broker service.
  • When possible, use non-default port numbers.
  • For event broker services deployed using Kubernetes, you can explicitly enable CLI access to configure the Message VPN for an event broker service. Enabling CLI access exposes another mechanism to connect to and manage an event broker service, which may expose you to unnecessary security risk. Solace recommends that you keep this port disabled whenever CLI access is not required or in use, and in particular where your services have public Internet connectivity. The default setting when you create an event broker service is disabled. For more information, see Enabling the Solace CLI for Event Broker Services in PubSub+ Cloud.
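The following is an added audit script, not Solace tooling, that checks the recommendations above against a running event broker service: each plaintext port should refuse connections, and each TLS port should complete a handshake with a certificate that verifies against the system trust store. The port pairs are assumed Solace defaults (not listed on this page); replace them with the non-default ports you configured, and the host name is a placeholder.

```python
"""Audit an event broker service's listeners: plaintext ports closed, TLS ports
completing a verified handshake. Added example; port pairs are assumed defaults."""
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Assumed default (plaintext, TLS) port pairs per protocol; adjust to your service.
DEFAULT_PORT_PAIRS: Dict[str, Tuple[int, int]] = {
    "SMF": (55555, 55443),
    "Web messaging": (8008, 1443),
    "MQTT": (1883, 8883),
    "AMQP": (5672, 5671),
    "REST": (9000, 9443),
}


def probe(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'tls-error' for host:port.

    For TLS ports the default context verifies the chain and the host name,
    so a self-signed or mismatched certificate is reported as 'tls-error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if not use_tls:
                return "open"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host):
                return "open"
    except ssl.SSLError:          # subclass of OSError, so it must come first
        return "tls-error"
    except OSError:               # refused, timed out, unreachable
        return "closed"


def audit(host: str, pairs: Dict[str, Tuple[int, int]] = DEFAULT_PORT_PAIRS,
          probe_fn: Callable[[str, int, bool], str] = probe) -> List[str]:
    """Return findings that violate the hardening guidance; empty means clean.

    An unreachable TLS port is not a finding: it means the protocol is disabled."""
    findings: List[str] = []
    for proto, (plain, tls) in pairs.items():
        if probe_fn(host, plain, False) == "open":
            findings.append(f"{proto}: plaintext port {plain} is open")
        if probe_fn(host, tls, True) == "tls-error":
            findings.append(f"{proto}: TLS port {tls} failed certificate verification")
    return findings


if __name__ == "__main__":
    for finding in audit("broker.example.invalid"):   # placeholder host name
        print(finding)
```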

Limiting Access to Compute Resources with Bastion Host

You should limit access to the compute resources from the public Internet. If you require access to the hosts in a Customer-Controlled Region (Kubernetes cluster, Virtual Private Cloud, or Virtual Network) for troubleshooting or maintenance, Solace recommends that you configure a bastion host that provides access through port 22 to limit the attack vectors. For more information, see the appropriate section in the PubSub+ Cloud deployment guides. For example, if you are deploying to Amazon Elastic Kubernetes Service (EKS), see Installing PubSub+ Cloud in Amazon Elastic Kubernetes Service (EKS).

Securing Access for Outbound Connections

For interactions that require outbound connections, such as RDPs (REST Destination Points), the event broker services can be configured to originate connections from a static IP address. This makes it easier for applications outside of your deployment to whitelist the source of those connections.

For your organization, you can also configure your network to permit specific outbound access to a static IP address for the RDP for additional security.

External hosts only see a static IP address when the event broker service connects to them through a NAT gateway, and only if those NAT gateways are provisioned with static, public IP addresses in your data center.

For more information about getting the static IP address, see Getting the Static IP Address of an Event Broker Service for Outbound Connections.