Additional Steps and Best Practices for Security
If you have deployed your event broker services in a Customer-Controlled Cluster, there are a few additional security-related steps you can take that fall within your responsibilities to manage. By default, Solace uses the following best practices in Public Clusters and Dedicated Clusters, and also recommends them for your Customer-Controlled Cluster:
- apply OS updates, hotfixes, service packs, and security patches
- harden access to Solace Cloud
- harden access to event broker services
- restrict ports and protocols on event broker services
- use bastion host access to compute resources
- secure access for outbound connections
OS, Hotfixes, Service Packs, and Security Patches
It is critical that all service packs, hotfixes, and security patches are updated on the infrastructure for all Solace Cloud components to ensure they have the latest, most secure code base.
To that end, we recommend these best practices:
- OS patching is performed automatically on Solace-controlled environments. Compute instances are configured to automatically install OS patches and an alert system is in place to notify Solace if an instance needs to be rebooted to complete a patch installation.
- Event broker service updates follow a defined process. You can coordinate with Solace to schedule an upgrade to your event broker services to pick up the latest maintenance loads. During scheduled service upgrades, Solace upgrades your current release to apply the latest maintenance load that contains the latest security and critical fixes. For more information, see Upgrading Event Broker Services in Solace Cloud.
- Security vulnerability patching is completed as soon as possible. The patching time frame is linked to the CVSS score; third-party library fixes are applied once they are available from the vendor.
- Security updates are delivered via secure ports to the deployment. Port 443 is required to download updated docker images. For more information, see Connection Details for Operational Connectivity.
Hardening Access to Solace Cloud
Solace recommends the following additional practices to further harden access to Solace Cloud:
- Integrate Single Sign-On (SSO) with your organization's central identity management system. This makes it easier for your users to authenticate and provides a single system to control and manage users.
- For management client applications, ensure that the API tokens are assigned the minimal, but necessary permissions for the client application to perform its tasks.
Hardening Access to Event Broker Services
Event broker services are created with default settings that allow for easy development and testing when connecting from client applications. These default settings are useful for development purposes and are secure, but you can harden access further for additional security.
Some of the settings are set only at creation time and others are only configurable after the event broker service has been created.
- Settings made when creating an event broker service. These settings must be made at event broker service creation time. Consider the following:
  - Restrict the ports and protocols that are enabled by default to limit the attack vectors to your messaging plane. For more information, see Restricting Secure Ports and Protocols on Event Broker Services.
- Settings made after creating an event broker service. These settings can be made only after the event broker service is created:
  - By default, client applications use basic authentication to connect to an event broker service. You can configure an event broker service to use more than one authentication scheme. Solace recommends that you use a more robust authentication scheme and, at minimum, use the authentication schemes specified by your organization's security policies for client application access. For example, you can use LDAP authentication instead of basic authentication. For more information, see Configuring Authentication to Event Broker Services.
  - For the authorization of client applications, a client profile named default is created. Solace recommends that you delete the default client profile and create client profiles with restricted authorization for use with your client applications. For more information, see Using Client Profiles and Client Usernames.
  - By default, SEMP over the message bus is disabled for enhanced security and to keep your SEMP show commands hidden. For additional information, see Enabling SEMP Over the Message Bus.
Restricting Secure Ports and Protocols on Event Broker Services
Both event broker services and event broker management, as well as the events themselves (messaging), are securely accessed and used through Solace APIs and Open Source APIs.
These APIs do not provide a mechanism for users or client applications to access the hosts or instances; only the functionality of the event broker services is available.
API access to an event broker service is configurable and we recommend the following configuration settings:
- Use only secured ports. Do not enable the plain-text ports other than for development purposes or non-production usage.
- Disable protocols that you do not use. By default, an event broker service enables all protocols with secure ports. You can configure this when you create the event broker service.
- When possible, use non-default port numbers.
- You can explicitly enable CLI access to configure the Message VPN for an event broker service. Enabling CLI access exposes another mechanism to connect and manage an event broker service, but may unnecessarily expose you to a security risk. If CLI access is not required or in use, Solace recommends that you disable the CLI port where your services have public internet connectivity to harden access to your event broker service. The default setting when you create an event broker service is disabled. For more information, see Enabling the Solace Event Broker CLI for Event Broker Services.
Limiting Access to Compute Resources with Bastion Host
Solace recommends limiting access to the compute resources from the public internet. If you require access to the hosts in a Customer-Controlled Cluster (Kubernetes cluster, virtual private cloud, or virtual network) for troubleshooting or maintenance, Solace recommends that you configure a bastion host that provides access through port 22, so that SSH is reachable only by way of the bastion and the attack surface is limited. For more information, see the appropriate section in the deployment guides for Solace Cloud. For example, if you are deploying to Amazon Elastic Kubernetes Service (EKS), see Installing Solace Cloud in Amazon Elastic Kubernetes Service (EKS).
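The following checker is an added example, not Solace code or part of the deployment guides: it audits security-group rules for the bastion pattern described above, flagging any SSH (port 22) rule that bypasses the bastion. The rule dictionaries follow the IpPermissions shape returned by AWS EC2 describe-security-groups; the group ids (sg-bastion, sg-workers) and the administrator CIDR are constructed values.

```python
# Added example, not Solace code. Rule dicts mimic the IpPermissions shape of
# AWS EC2 describe-security-groups; group ids and CIDRs are constructed.
BASTION_SG = "sg-bastion"        # assumed id of the bastion host's group
ADMIN_CIDR = "198.51.100.0/24"   # assumed administrator network (doc range)
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: the worker group keeps a leftover world-open SSH rule
# next to the hardened bastion-only rule.
SECURITY_GROUPS = {
    "sg-bastion": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []},
    ],
    "sg-workers": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
    ],
}

def covers_ssh(rule):
    """True if the rule admits TCP/22, including 'all traffic' (-1) rules."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)

def audit_ssh_exposure(groups, bastion_sg=BASTION_SG):
    """Findings (group_id, source, reason) for SSH rules that bypass the
    bastion: world-open CIDRs anywhere, any CIDR on a non-bastion group, or
    group-to-group SSH that does not originate from the bastion."""
    findings = []
    for sg_id, rules in groups.items():
        for rule in rules:
            if not covers_ssh(rule):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in (ANY_V4, ANY_V6):
                    findings.append((sg_id, cidr, "ssh open to the internet"))
                elif sg_id != bastion_sg:
                    findings.append((sg_id, cidr, "ssh cidr bypasses bastion"))
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != bastion_sg:
                    findings.append((sg_id, pair["GroupId"], "ssh from non-bastion group"))
    return findings
```

On real output, feed each group's IpPermissions list keyed by GroupId; an empty findings list means every SSH path runs through the bastion.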
Securing Access for Outbound Connections
For interactions that require outbound connections, such as REST Delivery Points (RDPs), an event broker service can be configured to originate from a static IP address to make it easier for applications outside of your deployment to add it to an allowlist.
For your organization, you can also configure your network to permit specific outbound access to a static IP address for the RDP for additional security.
Static IP addresses are presented only when an event broker service connects to external hosts through a NAT gateway, and only if those NAT gateways are provisioned with static, public IP addresses in your data center.
For more information about static IP addresses, see Static IP Availability for Messaging Connectivity in Public Clusters and Dedicated Clusters.