Network Security
This document outlines the network security requirements and practices for Safespring Storage services.
4.1 Network Protection
Network protection is implemented using the Ubuntu UFW firewall with default deny policies for all incoming traffic.
The firewall is enabled by default through its inclusion in the all group in our inventory.
Default settings for the firewall are included in the internal Ansible role ufw.
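As an added example, not taken from this document and not Safespring's internal ufw Ansible role, the following shell script shows the UFW commands that realise a default-deny policy for incoming traffic and a check that parses the output of ufw status verbose to confirm the policy is in force. The management network 10.0.0.0/24 and the SSH allow rule are assumptions, and the two sample status outputs are constructed so the check can be exercised on a host without UFW installed.

```shell
#!/usr/bin/env bash
# Added example: default-deny UFW baseline plus a compliance check.
# Not the internal "ufw" role; the management network and SSH rule are assumed.
set -u

# DRY_RUN=1 (default) prints the ufw commands instead of executing them,
# because applying them needs root and the ufw binary.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ufw %s\n' "$*"
  else
    ufw "$@"
  fi
}

# Commands that implement "default deny for all incoming traffic".
apply_default_deny() {
  run default deny incoming
  run default allow outgoing
  # Assumed management rule: SSH only from the management network.
  run allow from 10.0.0.0/24 to any port 22 proto tcp
  run --force enable
}

# check_ufw_status TEXT
# TEXT is the full output of "ufw status verbose". Returns 0 when the
# firewall is active and the incoming default policy is deny, 1 otherwise.
check_ufw_status() {
  printf '%s\n' "$1" | grep -q '^Status: active' || return 1
  printf '%s\n' "$1" | grep -q '^Default: deny (incoming)' || return 1
  return 0
}

# Constructed sample outputs, shaped like "ufw status verbose" on Ubuntu.
SAMPLE_COMPLIANT='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.0.0/24'

SAMPLE_NONCOMPLIANT='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Show the commands in dry-run mode, then run the check on both samples.
apply_default_deny
if check_ufw_status "$SAMPLE_COMPLIANT"; then
  echo "sample 1: compliant (default deny incoming)"
fi
if ! check_ufw_status "$SAMPLE_NONCOMPLIANT"; then
  echo "sample 2: NOT compliant (incoming default is allow)"
fi
```

On a real host the check is run against live output, for example check_ufw_status "$(sudo ufw status verbose)", and its exit status can feed a monitoring job so that a host whose incoming default drifts away from deny is reported rather than silently exposed.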
4.2 Network Services Security
Access control is implemented with role based access control (RBAC) and firewalls.
All administrative access is monitored and logged as documented in Logging and Monitoring.
4.3 Network Segmentation
Networks related to the Storage service are segmented into management related traffic, customer related traffic and service traffic.
Management and service related traffic relies on the segmentation of the infrastructure networks, encompassing out-of-band traffic, SSH traffic and internal traffic.
Customer related traffic is isolated using load balancers and firewalls. The service components can only be reached by the load balancers and not by customers directly.
The storage service traffic is segmented with a unique layer 3 network, separated from other services.