Considerations for Additional Security and Best Practices
Security is important for the integrity of the event broker services because they transport your messaging data. If you have deployed your event broker services in a customer-controlled dedicated region [e.g., Kubernetes cluster, Virtual Private Cloud or Virtual Network (VPC/VNet)], there are a few additional security measures you can consider, as these fall within your responsibility to manage. In Solace-controlled regions (Public Cloud or Customer Dedicated Regions), Solace follows these same best practices by default:
- apply OS hotfixes, service packs, and security patches
- restrict ports and protocols on event broker services
- harden access to event broker services
- harden access to PubSub+ Cloud
- harden security for event broker services
- use Bastion host access to compute resources
- secure access for outbound connections
It is critical that all service packs, hotfixes, and security patches are updated on the infrastructure for all PubSub+ Cloud components to ensure they have the latest, most secure code base.
To that end, these are best practices that we recommend and adhere to:
OS patching is performed automatically on Solace-controlled environments. Compute instances are configured to automatically install OS patches and an alert system is in place to notify Solace if an instance needs to be rebooted to complete a patch installation.
Event broker service updates follow a defined process. Solace schedules upgrade windows to service and patch event broker services with customers. During scheduled service upgrade windows, Solace applies patches to customer event broker services so that they are current.
Each release of PubSub+ Event Broker: Software goes through an integration period with PubSub+ Cloud before it is rolled out. For this reason, there may be a period of time before event broker services are upgraded to a new release of PubSub+ Event Broker: Software.
Virtual machines that run the Mission Control Agent and event broker services use Ubuntu LTS releases as their base OS. Solace creates custom images for these VMs (AMIs and managed images) that are based on the canonical Ubuntu LTS image.
These custom images contain the required software and tooling to run software from Solace. Solace ensures that these custom images contain the latest Ubuntu patch set and enables unattended upgrades so that the VMs can have the latest security updates.
Security vulnerability patching is completed as soon as possible. The patching time frame is linked to the CVSS score; third-party library fixes are applied once they are available from the vendor.
Security updates are delivered via secure ports to the deployment. Depending on the type of deployment, different ports are required:
For deployments on Kubernetes, port 443 is required to download updated Docker images. For more information, see Connection Details for Kubernetes.
For VM-based deployments to Azure and AWS, port 80 is required to receive security updates. For more information, see Connection Details for Amazon Web Service (AWS) Deployments and Connection Details for Azure Deployments, respectively.
There are a few areas where access to PubSub+ Cloud can be further hardened. Solace recommends the following additional practices:
- Integrate Single Sign-On (SSO) with your organization's central identity management system. This makes it easier for your users to authenticate and provides a single system to control and manage users.
- For management client applications, ensure that the API tokens are assigned the minimal, but necessary permissions for the client application to perform its tasks.
The event broker services are created with default settings that allow for easy development and testing when connecting from client applications. These default settings are useful for development purposes and are secure, but you can consider further hardening of access for additional security.
Some settings can only be set at creation time, while others are only configurable after the event broker service has been created. They are as follows.
- Settings when creating an event broker service:
  - These settings must be made at creation time. Consider the following:
  - Restrict the ports and protocols that are enabled by default to limit the attack vectors against your messaging plane. For more information, see Restricting Secure Ports and Protocols on Event Broker Services.
- Settings after an event broker service is created:
  - These settings can only be made after the event broker service is created.
  - By default, the authentication scheme for client applications to access an event broker service is Basic Authentication. An event broker service can be configured to use one or more authentication schemes. Solace recommends that you use a more robust authentication scheme and, at minimum, use the authentication schemes required by your organization's security policies for client application access. For example, you can use client certificates or LDAP authentication. For more information, see Configuring Authentication.
  - For the authorization of client applications, a client profile named default is created. Solace recommends that you delete the default client profile and create client profiles with restricted authorization for use with your client applications. For more information, see Using Client Profiles.
Both event broker management and events (messaging) are accessed and used securely through Solace APIs and open-source APIs.
These APIs do not provide a mechanism for the user or client applications to access the hosts or instances, only the functionality of the event broker services is available.
API access to an event broker service is configurable and we recommend the following configuration settings:
- Only use secured ports (i.e., do not enable the plain-text ports other than for development purposes or non-production usage).
- Disable protocols that you do not use. The default for an event broker service is to enable all protocols with secure ports. This can be configured when you create the event broker service.
- When possible, use non-default port numbers.
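The authentication, client-profile and port recommendations above can be checked mechanically against a message VPN's configuration. The following audit is an added example, not Solace's code: it uses SEMP v2 MsgVpn field names as the author of this example recalls them (an assumption; verify against your broker's SEMP v2 schema) and a constructed sample configuration, and reports every setting that still matches the development-friendly defaults.

```python
"""Audit a Solace message VPN configuration against the hardening advice on this page."""

# Constructed sample configuration. The field names follow the SEMP v2 MsgVpn object
# as remembered by the author of this example (an assumption: check your broker's
# SEMP v2 schema); the values are made up for illustration.
SAMPLE_VPN = {
    "msgVpnName": "example-vpn",
    "authenticationBasicEnabled": True,
    "authenticationBasicType": "internal",      # internal user database
    "authenticationClientCertEnabled": False,
    "serviceSmfPlainTextEnabled": True, "serviceSmfTlsEnabled": True,
    "serviceRestIncomingPlainTextEnabled": False, "serviceRestIncomingTlsEnabled": True,
    "serviceMqttPlainTextEnabled": True, "serviceMqttTlsEnabled": False,
    "serviceAmqpPlainTextEnabled": False, "serviceAmqpTlsEnabled": True,
    "serviceWebPlainTextEnabled": False, "serviceWebTlsEnabled": True,
}
SAMPLE_CLIENT_PROFILES = ["default", "orders-publisher"]  # constructed
PROTOCOLS = ("Smf", "RestIncoming", "Mqtt", "Amqp", "Web")


def audit_msg_vpn(vpn, client_profiles, protocols_in_use):
    """Return a list of findings; an empty list means the VPN follows the advice.

    protocols_in_use: the protocols your applications actually need, e.g. {"Smf", "Web"}.
    """
    findings = []
    for proto in PROTOCOLS:
        plain = vpn.get(f"service{proto}PlainTextEnabled", False)
        tls = vpn.get(f"service{proto}TlsEnabled", False)
        if plain:
            findings.append(f"{proto}: plain-text port enabled; expose only the TLS port")
        if (plain or tls) and proto not in protocols_in_use:
            findings.append(f"{proto}: enabled but not used by any application; disable it")
    # Basic Authentication against the internal user database, with no stronger
    # scheme alongside it, is the default this page recommends moving away from.
    if (vpn.get("authenticationBasicEnabled")
            and vpn.get("authenticationBasicType") == "internal"
            and not vpn.get("authenticationClientCertEnabled")):
        findings.append("authentication: only internal Basic Authentication is enabled;"
                        " enable client certificates or LDAP")
    if "default" in client_profiles:
        findings.append("client-profile: 'default' profile still present; replace it with"
                        " restricted profiles")
    return findings


if __name__ == "__main__":
    for line in audit_msg_vpn(SAMPLE_VPN, SAMPLE_CLIENT_PROFILES, {"Smf", "Web"}):
        print(line)
```

In practice the dictionary would come from a GET on the message VPN through SEMP v2 rather than being constructed inline.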
You should limit access to the compute resources from the public Internet. If you require access for troubleshooting or maintenance to the hosts in a customer-controlled private network [Kubernetes cluster or Virtual Private Cloud or Virtual Network (VPC/VNet)], Solace recommends that the customer configures a bastion host that provides access through port 22 to limit the vectors of attack. For more information, see the appropriate section in the PubSub+ Cloud deployment guides. For example, if you are deploying to Amazon Elastic Kubernetes Service (EKS), see Installing PubSub+ Cloud in Amazon Elastic Kubernetes Service (EKS).
For interactions that require outbound connections, such as RDPs (REST Destination Points), the event broker services can be configured to originate from a static IP address. This makes it easier for applications outside your deployment to whitelist the event broker service.
For your organization, you can also configure your network to permit specific outbound access to a static IP address for the RDP for additional security.
Static IP addresses are available only when an event broker service connects to external hosts through a NAT gateway, and those NAT gateways are provisioned with static, public IP addresses in your data center.
For more information about getting the static IP address, see Getting the IP Address of an Event Broker Service for Outbound Connections.