Additional Steps and Best Practices for Security
Security is important for the integrity of the event broker services because it transports your messaging data. If you have deployed your event broker services in a Customer-Controlled Region, there are a few additional security-related steps you can take because they fall within your responsibilities to manage. By default, in Public Regions and Dedicated Regions, Solace uses the following best practices, and also recommends them for your Customer-Controlled Region:
- apply OS hotfixes, service packs, and security patches
- harden access to PubSub+ Cloud
- harden access to event broker services
- restrict ports and protocols on event broker services
- use Bastion host access to compute resources
- secure access for outbound connections
OS, Hotfixes, Service Packs, and Security Patches
It is critical that all service packs, hotfixes, and security patches are updated on the infrastructure for all PubSub+ Cloud components to ensure they have the latest, most secure code base.
To that end, these are best practices that we recommend and adhere to:
- OS patching is performed automatically on Solace-controlled environments. Compute instances are configured to automatically install OS patches and an alert system is in place to notify Solace if an instance needs to be rebooted to complete a patch installation.
- Event broker service updates follow a defined process. You can coordinate with Solace to schedule an upgrade to your event broker services to pick up the latest maintenance loads. During scheduled service upgrades, Solace upgrades your current release to apply the latest maintenance load that contains the latest security and critical fixes. For more information, see Upgrading Event Broker Services in PubSub+ Cloud.
- There is an integration period between PubSub+ Cloud and releases of PubSub+ Event Broker: Software. For this reason, you may see a period of time before event broker services are upgraded to a release of PubSub+ Event Broker: Software.
- Security vulnerability patching is completed as soon as possible. The patching time frame is linked to the CVSS score; third-party library fixes are applied once they are available from the vendor.
- Security updates are delivered via secure ports to the deployment. Port 443 is required to download updated docker images. For more information, see Connection Details for Operational Connectivity.
Hardening Access to PubSub+ Cloud
There are a few areas where access to PubSub+ Cloud can be hardened further. Solace recommends the following practices for additional security:
- Integrate Single Sign-On (SSO) with your organization's central identity management system. This makes it easier for your users to authenticate and provides a single system to control and manage users.
- For management client applications, ensure that the API tokens are assigned the minimal, but necessary permissions for the client application to perform its tasks.
Hardening Access to Event Broker Services
The event broker services are created with default settings that allow for easy development and testing when connecting from client applications. These default settings are useful for development purposes and are secure, but further hardening of access can be considered for additional security.
Some settings can be made only at creation time, while others can be configured only after the event broker service has been created. They are as follows:
- Settings when creating an event broker service:
  - These settings must be made at creation time. Consider the following:
    - Restrict the ports and protocols that are enabled by default to limit the vectors of attack to your messaging plane. For more information, see Restricting Secure Ports and Protocols on Event Broker Services.
- Settings after an event broker service is created:
  - These settings can only be made after the event broker service is created.
    - By default, client applications use Basic Authentication as the authentication scheme to connect to an event broker service. You can configure an event broker service to use more than one authentication scheme. Solace recommends that you use a more robust authentication scheme and, at minimum, use the authentication schemes specified by your organization's security policies for client application access. For example, you can use LDAP Authentication as the authentication scheme instead of Basic Authentication. For more information, see Configuring Authentication to Event Broker Services.
    - For the authorization of client applications, a client profile named default is created. Solace recommends that you delete the default client profile and create client profiles with restricted authorization for use with your client applications. For more information, see Using Client Profiles and Client Usernames.
    - By default, SEMP over Message Bus is disabled for enhanced security and to keep your SEMP show commands hidden. For additional information, see Enabling SEMP Over the Message Bus.
Restricting Secure Ports and Protocols on Event Broker Services
Both event broker services and event broker management, as well as the events themselves (messaging), are securely accessed and securely utilized through Solace APIs and Open Source APIs.
These APIs do not provide a mechanism for the user or client applications to access the hosts or instances; only the functionality of the event broker services is available.
API access to an event broker service is configurable and we recommend the following configuration settings:
- Only use secured ports (i.e., do not enable the plain-text ports other than for development purposes or non-production usage).
- Disable protocols that you do not use. The default for an event broker service is to enable all protocols with secure ports. This can be configured when you create the event broker service.
- When possible, use non-default port numbers.
- You can explicitly enable CLI access to configure the message VPN for an event broker service. Enabling CLI access exposes another mechanism to connect and manage an event broker service, but may unnecessarily expose you to a security risk. If CLI access is not required or in use, Solace recommends that you disable the CLI port where your services have public Internet connectivity to harden access to your event broker service. The default setting when you create an event broker service is disabled. For more information, see Enabling the Solace CLI for Event Broker Services in PubSub+ Cloud.
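The hardening points in the two lists above (plain-text ports and unused protocols, the default Basic Authentication scheme, the default client profile, and SEMP over Message Bus) can be checked mechanically against a service's configuration. The following Python script is an added example written for this page, not Solace's code: it audits a message VPN description held in a plain dict and returns a list of findings. The attribute names are modelled on SEMP v2 config `msgVpn` and `clientProfile` attributes as this example assumes them; verify them against the SEMP v2 reference for your broker release before feeding it real output from `GET /SEMP/v2/config/msgVpns/<vpn>`. All sample data is constructed. The CLI port is a PubSub+ Cloud Console setting rather than a VPN attribute and is not part of this check.

```python
"""Audit a message VPN's configuration for the hardening points above.

Added example for this page, not Solace's code. Keys are modelled on SEMP v2
config attribute names (assumption: confirm them against your broker's SEMP v2
reference). All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Plain-text listener flags: acceptable for development only.
PLAINTEXT_FLAGS = {
    "serviceSmfPlainTextEnabled": "SMF",
    "serviceWebPlainTextEnabled": "Web transport",
    "serviceRestIncomingPlainTextEnabled": "REST (incoming)",
    "serviceMqttPlainTextEnabled": "MQTT",
    "serviceAmqpPlainTextEnabled": "AMQP",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def audit_msg_vpn(vpn: dict, client_profiles: list[dict], production: bool = True) -> list[Finding]:
    """Return hardening findings for one message VPN.

    vpn: attribute dict for the VPN (SEMP v2 msgVpn-like, assumed).
    client_profiles: list of clientProfile dicts, each with 'clientProfileName'.
    production: plain-text ports are rated 'high' in production, 'medium' otherwise.
    """
    findings: list[Finding] = []

    # 1. Plain-text ports should stay disabled outside development.
    for key, proto in PLAINTEXT_FLAGS.items():
        if vpn.get(key, False):
            findings.append(Finding("high" if production else "medium",
                                    f"plain-text {proto} listener enabled ({key}=true)"))

    # 2. Authentication: internal Basic Authentication is the default; the page
    #    recommends a stronger scheme such as LDAP, so flag VPNs that rely only on it.
    basic_internal = (vpn.get("authenticationBasicEnabled", True)
                      and vpn.get("authenticationBasicType", "internal") == "internal")
    stronger = (vpn.get("authenticationClientCertEnabled", False)
                or vpn.get("authenticationOauthEnabled", False))
    if basic_internal and not stronger:
        findings.append(Finding("medium", "only internal Basic Authentication is enabled; "
                                          "configure LDAP, client-certificate or OAuth authentication"))

    # 3. SEMP over Message Bus is disabled by default and should stay that way.
    if vpn.get("sempOverMsgBusEnabled", False):
        findings.append(Finding("high", "SEMP over Message Bus is enabled; "
                                        "'show' commands are reachable from the messaging plane"))

    # 4. The 'default' client profile should be deleted in favour of restricted profiles.
    if any(p.get("clientProfileName") == "default" for p in client_profiles):
        findings.append(Finding("medium", "'default' client profile still exists; "
                                          "delete it and use restricted client profiles"))
    return findings


# Constructed sample: a freshly created service with development-friendly defaults.
SAMPLE_NEW_VPN = {
    "serviceSmfPlainTextEnabled": True,
    "serviceMqttPlainTextEnabled": True,
    "authenticationBasicEnabled": True,
    "authenticationBasicType": "internal",
    "sempOverMsgBusEnabled": False,
}
SAMPLE_NEW_PROFILES = [{"clientProfileName": "default"}]

# Constructed sample: the same VPN after hardening.
SAMPLE_HARDENED_VPN = {
    "serviceSmfPlainTextEnabled": False,
    "serviceMqttPlainTextEnabled": False,
    "authenticationBasicEnabled": True,
    "authenticationBasicType": "ldap",
    "sempOverMsgBusEnabled": False,
}
SAMPLE_HARDENED_PROFILES = [{"clientProfileName": "orders-producers"}]

if __name__ == "__main__":
    for label, vpn, profiles in (("new", SAMPLE_NEW_VPN, SAMPLE_NEW_PROFILES),
                                 ("hardened", SAMPLE_HARDENED_VPN, SAMPLE_HARDENED_PROFILES)):
        results = audit_msg_vpn(vpn, profiles)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

Run against the constructed "new" sample, the audit reports four findings (two plain-text listeners rated high, plus the Basic-Authentication-only and default-client-profile findings rated medium); the hardened sample produces none. Lower the `production` flag for development services so plain-text listeners are reported as medium rather than high.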
Limiting Access to Compute Resources with Bastion Host
You should limit access to the compute resources from the public Internet. If you require access to the hosts in a Customer-Controlled Region (Kubernetes cluster, Virtual Private Cloud, or Virtual Network) for troubleshooting or maintenance, Solace recommends that you configure a bastion host that provides access through port 22 to limit the vectors of attack. For more information, see the appropriate section in the PubSub+ Cloud deployment guides. For example, if you are deploying to Amazon Elastic Kubernetes Service (EKS), see Installing PubSub+ Cloud in Amazon Elastic Kubernetes Service (EKS).
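The bastion-host pattern above can be verified from the ingress rules applied to the compute resources: SSH (tcp/22) should be reachable only from the bastion. The following Python script is an added example for this page, not Solace's or any cloud provider's code. The rule shape it consumes is a constructed simplification (an assumption): each rule carries `protocol`, `from_port`, `to_port` and `source`, where `source` is a CIDR or a security-group reference, and `sg-bastion` is a placeholder id. Real provider APIs return richer objects, so adapt the extraction step to your provider's output.

```python
"""Flag SSH ingress rules that bypass the bastion-host pattern above.

Added example for this page, not Solace's or any cloud provider's code. The
rule shape is a constructed simplification (assumption): each rule carries
'protocol', 'from_port', 'to_port' and 'source', where 'source' is either a
CIDR or a security-group reference; 'sg-bastion' below is a placeholder id.
"""
from __future__ import annotations

import ipaddress

SSH_PORT = 22


def is_internet_wide(source: str) -> bool:
    """True for a CIDR that admits the whole Internet (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR (e.g. a security-group reference)


def check_ssh_ingress(rules: list[dict], bastion_ref: str = "sg-bastion") -> list[str]:
    """Return a message for every rule that exposes tcp/22 to a non-bastion source.

    Internet-wide sources are reported as 'violation'; any other non-bastion
    source as 'warning' so it can be reviewed rather than silently accepted.
    """
    messages: list[str] = []
    for rule in rules:
        if rule["protocol"] not in ("tcp", "-1"):  # "-1" models an all-protocols rule
            continue
        if not (rule["from_port"] <= SSH_PORT <= rule["to_port"]):
            continue
        source = rule["source"]
        if source == bastion_ref:
            continue
        if is_internet_wide(source):
            messages.append(f"violation: tcp/22 reachable from {source}; "
                            f"allow only the bastion ({bastion_ref})")
        else:
            messages.append(f"warning: tcp/22 reachable from {source}, which is not "
                            f"the bastion; confirm this is intended")
    return messages


# Constructed sample: a worker-node security group before and after applying the pattern.
SAMPLE_BEFORE = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "source": "10.0.0.0/8"},
]
SAMPLE_AFTER = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "sg-bastion"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for label, rules in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_ssh_ingress(rules) or ["ok"])
```

The "before" sample yields one violation (tcp/22 open to the whole Internet) and one warning (an all-protocols rule from an internal range that also admits SSH without passing through the bastion); the "after" sample, where tcp/22 is allowed only from the bastion group, yields nothing. The HTTPS rule is ignored because the check is scoped to SSH.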
Securing Access for Outbound Connections
For interactions that require outbound connections, such as RDPs (REST Destination Points), the event broker services can be configured to originate from a static IP address. This makes it easier for applications outside of your deployment to whitelist the connection.
For additional security, you can also configure your organization's network to permit outbound access only to the specific static IP address used for the RDP.
Static IP addresses are presented only when an event broker service connects to external hosts through a NAT gateway, and those NAT gateways are provisioned with static, public IP addresses in your data center.
For more information about static IP addresses, see Static IP Availability for Messaging Connectivity in Public Regions and Dedicated Regions.