Running a virtual machine in an Infrastructure-as-a-Service (IaaS) environment with a publicly routed IP address is a privilege that comes with a high responsibility! Once your VM has booted, it is open for attacks from the world-wide internet.

And be sure: it will be attacked!

Since this is an IaaS environment you are responsible for the security of your VMs! LRZ reserves the right to perform scans (port scans, vulnerability scans, etc.) against all VMs in its Cloud. LRZ will monitor all network traffic. In case of possible abuse (unusually high traffic in or out, or high volume traffic on suspicious ports) we reserve the right to block or shut down your VM without prior notification.

With the LRZ Cloud we want to support your research, not hinder it; therefore security groups are in place that you can configure to match your needs. By default, no incoming traffic is allowed, but there are no restrictions on outgoing traffic. It is up to you, the user, to configure the security groups and your VMs properly. The user also has to take care of threats to the VM that arise from outdated software or weak security settings. If machines are hacked or if we detect insecure configurations, users may be banned from future Cloud usage.

Here are some security recommendations you should observe. This list is just a starting point and not comprehensive!

  • If you do not need to provide a server that is reachable world-wide, but do need some kind of external connectivity (e.g., to upload data), then limit accessibility to the MWN. You can still reach your VM from anywhere (e.g., your DSL home line) if you first establish a VPN connection to the MWN. Do not assign a public IP address to your VM unless absolutely necessary!
  • Always keep your operating system updated. It is especially important to apply all security updates/patches in a timely fashion!
  • Use (cryptographically) good passwords for your user accounts in your VMs!
  • Adjust the security groups to your needs. Be sure that you do not open any ports you do not absolutely need. Alternatively, you can install a local firewall in your VM and close all incoming ports that you do not absolutely need.
  • Block requests to all system services (via the security group) or turn off all system services (daemons or xinetd services) that you do not absolutely need (stealth mode, e.g., disable ping, ICMP echo).
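As an added illustration of the last three recommendations (this is example code, not an LRZ-provided configuration), the following POSIX shell script generates a host-firewall ruleset for nftables that drops all incoming traffic by default, allows SSH only from the MWN, exposes only the public TCP ports you explicitly list, and drops ICMP echo requests ("stealth mode") while keeping the ICMP messages that IPv4/IPv6 need to function. The MWN address range is a placeholder here (an RFC 5737 documentation prefix); replace it with the real one. The `gen_ruleset` and `count_public_ports` function names are the example's own.

```shell
#!/bin/sh
# Added example, not LRZ's own configuration: generate an nftables ruleset
# implementing "default deny incoming, open only what is needed, management
# access only from the MWN, no ICMP echo".
#
# MWN_CIDR is a PLACEHOLDER (RFC 5737 documentation range), NOT the real MWN.
MWN_CIDR="${MWN_CIDR:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print an nftables ruleset to stdout.
# Arguments: TCP ports to open to the whole internet, e.g. "80 443".
# With no arguments nothing is reachable from outside the MWN.
gen_ruleset() {
    public_ports="$*"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Management (SSH) only from the MWN; use the MWN VPN from elsewhere.
        ip saddr $MWN_CIDR tcp dport $SSH_PORT ct state new accept
        # Stealth mode: do not answer ping, but keep ICMP that IP needs.
        icmp type echo-request drop
        icmpv6 type echo-request drop
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept
EOF
    # One explicit accept rule per port that really must be public.
    for p in $public_ports; do
        printf '        tcp dport %s ct state new accept\n' "$p"
    done
    cat <<EOF
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Count the TCP ports the generated ruleset exposes to the whole internet,
# so that a review can confirm nothing unnecessary is open.
count_public_ports() {
    gen_ruleset "$@" | grep -c '^        tcp dport [0-9]* ct state new accept$' || true
}
```

To apply it, write the output to a file and load it as root, e.g. `gen_ruleset 443 > /etc/nftables.conf && nft -f /etc/nftables.conf`, after first confirming with `count_public_ports 443` that only the intended port is public. Load it from a console session rather than over SSH the first time, since a mistake in the MWN prefix locks you out of remote access. This complements, and does not replace, the security group: the security group filters before traffic reaches the VM, the local firewall protects against misconfigured or newly started services inside it.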

If you think this is all too complicated and too much work, then please do yourself and us a favour and do not use the LRZ Cloud service!
