Instance Isolation
Oracle Cloud Infrastructure Compute Classic lets you create and run virtual machines on the Oracle
Cloud infrastructure. It provides resizable computing capacity using server instances in Oracle’s data
centers.
Security within Oracle Cloud Infrastructure Compute Classic is provided on multiple levels: the
hypervisor, guest operating system, a dynamic firewall, token-based API calls, user permissions, and
SSH-based secure access to instances. The goal is to prevent customer workloads and data from
being accessed by unauthorized users and systems.
Like many other cloud compute services, Oracle Compute Cloud Service is built on virtualization.
Many security-related concerns about virtualization are unwarranted: multiple hardware-supported
and software-supported isolation techniques address the risks associated with virtualization.
The first technique is instruction isolation. Intel VT-x and AMD-V both enable a virtual machine monitor
to give the CPU to a virtual machine for direct execution until the time the virtual machine attempts to
execute a privileged instruction. At that point, the virtual machine execution is suspended, and the
CPU is given back to the virtual machine monitor.
In addition to CPU instruction isolation, the hypervisor also provides memory and device isolation by
the virtualization of physical memory and physical devices including disks. This explicit virtualization of
the physical resources leads to a clear separation between the guest OS and the hypervisor, resulting
in a secure compute environment. Thus, different customer instances running on the same physical
machine are isolated from each other via the hypervisor.
18 ORACLE INFRASTRUCTURE AND PLATFORM CLOUD SERVICES SECURITY WHITE PAPER
In Oracle’s multitenant elastic compute service, the logical tenant isolation is achieved via
virtualization, as previously described. Oracle also offers a dedicated compute solution, which is a fully
isolated elastic compute service. It provides dedicated physical servers and cores and a network within
an Oracle data center. Thus, customers get complete IO, CPU, and network isolation. The dedicated
compute service uses the same virtualization technology used by the elastic compute service.
The elastic compute service also provides API namespace separation to ensure resources are not
misused across accounts.
Guest Operating System
You have full administrative (root) access to your instances. Oracle doesn’t access customer data in
customer instances. Oracle supports the use of SSH to enable you and your users to securely log in
to your Oracle Linux instances. Oracle recommends that you generate unique SSH key pairs for every
user. These keys shouldn’t be shared with Oracle or other organizations.
You control the updating and patching of your guest OS, including security updates. Oracle-provided
Oracle Linux machine images are updated regularly with the latest patches.
Secure Access to Instances Using SSH
Oracle supports the use of the SSH network protocol to enable you to securely log in to your Oracle
Linux instances. If you created your instance using an Oracle-provided Oracle Linux image, then you
can log in to your instance using SSH as the opc user, which is the default user on instances that are
created from an Oracle-provided Oracle Linux image.
Before creating a compute instance, you must generate at least one SSH key pair and upload the SSH
public key. You can disable, enable, and delete an existing SSH public key. After logging in to your
instance, you can add users on your instance. This requires that you generate a new SSH key pair for
the new user and that you log in to your instance and become the root user. Then, you can create a
new user and associate the SSH public key with the new user.
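The user-provisioning steps above, as an added example that is not Oracle's code: after the account has been created as root (for example with useradd), this Python function validates an OpenSSH public-key line and installs it into the new user's authorized_keys with the permissions sshd expects, refusing malformed keys and duplicates. The accepted key types, the helper that builds a constructed (not real) ssh-ed25519 key line, and the temporary home directory are assumptions for illustration.

```python
import base64
import os
import tempfile
from pathlib import Path

# Key types accepted for the new user's authorized_keys (constructed allow-list).
KEY_TYPES = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-rsa")


def parse_public_key(line):
    """Return (type, base64 blob, comment) for a well-formed OpenSSH public-key line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unsupported or malformed public key")
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("public key blob is not valid base64") from exc
    # The wire blob begins with a length-prefixed copy of the declared key type.
    type_len = int.from_bytes(raw[:4], "big")
    if raw[4:4 + type_len] != parts[0].encode():
        raise ValueError("key blob does not match declared key type")
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def install_authorized_key(home, pubkey_line):
    """Append a validated key to home/.ssh/authorized_keys; False if it is already present."""
    key_type, blob, comment = parse_public_key(pubkey_line)
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # sshd rejects group/world-writable key paths
    auth_keys = ssh_dir / "authorized_keys"
    existing = auth_keys.read_text().splitlines() if auth_keys.exists() else []
    if any(l.split()[:2] == [key_type, blob] for l in existing if l.strip()):
        return False
    with auth_keys.open("a") as fh:
        fh.write(f"{key_type} {blob} {comment}".rstrip() + "\n")
    os.chmod(auth_keys, 0o600)
    return True


def file_modes(home):
    """Permission bits of .ssh and authorized_keys, for verification."""
    d = Path(home) / ".ssh"
    return (os.stat(d).st_mode & 0o777, os.stat(d / "authorized_keys").st_mode & 0o777)


def constructed_ed25519_line(raw32, comment=""):
    """Syntactically valid ssh-ed25519 line from 32 constructed bytes (not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


def make_temp_home():
    return tempfile.mkdtemp()  # scratch home directory standing in for /home/<user>
```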
Dynamic Firewall
Oracle Cloud Infrastructure Compute Classic provides a complete firewall solution to control network
traffic for your instances. The firewall is configured in the default deny-all mode. This means that when
you create an instance, by default it doesn’t allow any network traffic to or from other instances or an
external host. You can implement fine-grained control over network access to your Oracle Cloud
Infrastructure Compute Classic instances, both from other instances and from external hosts. The
firewall can be configured in groups, which lets different classes of instances have different rules.
To enable unrestricted communication among some of your instances (for example, to enable all the
instances hosting your development environment to communicate with each other), you can create a
security list and add the instances to that security list. When you add an instance to a security list, the
instance can communicate with all the other instances in the same security list. By default, the
instances in a security list are isolated from hosts outside the security list. You can override this default
by creating security rules. Each security rule defines a specific source, a destination, and a
protocol-port combination over which communication is allowed. Security rules are essentially firewall rules,
which you can use to permit traffic between Oracle Cloud Infrastructure Compute Classic instances in
different security lists, as well as between instances and external hosts. The source and destination
specified in a security rule can be either a security IP list (that is, a list of external hosts) or a security
list. A security application is a protocol-port mapping that you can use in security rules. You can either
create a security application by specifying the port type and port, or you can use one of the predefined
security applications (such as SSH, HTTPS, SNMP-TCP) in security rules. As an example, you can set
up a security rule to permit SSH access over port 22 from a set of external hosts (specified in a
security IP list) to all the instances in a security list.
When you create an instance by using the web console, you can specify that the instance be
configured to allow SSH access from hosts on the Internet. When you select this option, your instance
is added to a default security list, and a security rule called DefaultPublicSSHAccess is created to
enable SSH access to instances in the default security list. If you don’t enable SSH access during
instance creation, then to enable SSH access to your instance later, you must create a security list,
add the instance to it, and set up a security rule to permit SSH traffic to the security list. The following
diagram shows these communication paths:
» Instances in Security-list-a can send traffic to instances in Security-list-b over any protocol, as
defined by Security rule-a.
» Instances in Security-list-a can receive HTTPS traffic from any host on the Internet, as defined
by Security rule-b.
» Instances in Security-list-b can receive traffic over SSH from any of the IP addresses specified
in Security IP List-a, as defined by Security rule-c.
If no security rules are defined for a security list, then, by default, instances in that security list can’t
receive traffic from hosts outside the security list. However, instances in the security list can still
access other instances in the same security list. When you remove an instance from a security list, the
instance can no longer communicate with other instances in that security list, and traffic to and from
that instance is no longer controlled by the security rules defined for that security list. A security IP list
specifies a set of IP addresses that can be used as a source in security rules. A security IP list or a
security list can be used in multiple security rules. If policies conflict, the most restrictive policy
takes precedence.
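The security list, security IP list, and security rule semantics described above, as an added example that is not Oracle's code or API: a small Python model that decides whether traffic is permitted under default deny-all, implicit communication inside a security list, and permit-only security rules, populated with the three-rule diagram from the text. Instance names, CIDR ranges, and the application names (ssh, https, mysql) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # constructed marker: a rule that covers every protocol/port


@dataclass
class Policy:
    """Constructed model of Compute Classic firewall objects (not Oracle's code)."""
    security_lists: dict  # security list name -> set of instance names
    ip_lists: dict        # security IP list name -> list of CIDR strings (external hosts)
    rules: list           # (name, source, destination, application); an endpoint is
                          # ("seclist", name) or ("iplist", name); rules only permit

    def lists_of(self, instance):
        return {n for n, members in self.security_lists.items() if instance in members}

    def matches(self, endpoint, ref):
        kind, name = ref
        if kind == "seclist":
            return endpoint in self.security_lists.get(name, set())
        try:                      # security IP lists only match external hosts
            addr = ip_address(endpoint)
        except ValueError:        # endpoint is an instance name, not an IP address
            return False
        return any(addr in ip_network(c) for c in self.ip_lists.get(name, []))

    def allowed(self, src, dst, app):
        # Instances that share a security list may always talk to each other.
        if self.lists_of(src) & self.lists_of(dst):
            return True
        # Otherwise some security rule must permit this source/destination/application.
        for _, rule_src, rule_dst, rule_app in self.rules:
            if rule_app in (ANY, app) and self.matches(src, rule_src) and self.matches(dst, rule_dst):
                return True
        return False  # default deny-all


def build_example_policy():
    """The three-rule diagram from the text, with constructed instance names and CIDRs."""
    return Policy(
        security_lists={"Security-list-a": {"web1", "web2"}, "Security-list-b": {"db1"}},
        ip_lists={"Internet": ["0.0.0.0/0"], "Security IP List-a": ["203.0.113.0/24"]},
        rules=[
            ("Security rule-a", ("seclist", "Security-list-a"), ("seclist", "Security-list-b"), ANY),
            ("Security rule-b", ("iplist", "Internet"), ("seclist", "Security-list-a"), "https"),
            ("Security rule-c", ("iplist", "Security IP List-a"), ("seclist", "Security-list-b"), "ssh"),
        ],
    )
```

Removing an instance from a security list (discarding it from the set) both ends its implicit intra-list access and takes it out of scope of every rule that names that list, which is the behaviour the text describes.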
You can connect your instances to the Internet and access Oracle Cloud resources from anywhere
using reserved IPs.
API Access
Oracle Cloud Infrastructure Compute Classic provides a REST application programming interface
(API) that you can use to programmatically provision and manage instances and the associated
resources. API calls to Oracle Cloud Infrastructure Compute Classic can be authenticated using basic
authentication (user name and password) or token-based authentication. If the authentication request
succeeds, then the server returns a cookie that contains an authentication token that is valid for 30
minutes. The client making the API calls must include this cookie in the API calls. You can extend the
expiration of the authentication token by 5 minutes from the time you run the refresh_token
command. Refreshing the token extends the session, but not beyond the session’s expiration time. A
session is 3 hours.
Users and Roles
You can use the MyServices Users page to manage identity domain administrators, service
administrators, users, roles, and passwords. (See the 5. Shared Identity and Access Management
section in this document.)
You can use the following predefined roles for Oracle Cloud Infrastructure Compute Classic:
» TenantAdminGroup (identity domain administrator): Users who are assigned this role can
perform all the tasks in the MyServices application, including user and role management
tasks.
» Service-instance-name.Compute_Operations (service administrator): Users who are
assigned this role can view, create, update, and delete Oracle Cloud Infrastructure Compute
Classic resources. The identity domain administrator can create additional service
administrators, as required, by assigning this role in Oracle Cloud MyServices. For business
continuity, consider creating at least two users with the Compute_Operations role. These
users must be IT system administrators in your organization.
» Service-instance-name.Compute_Monitor: Users who are assigned this role can view
Oracle Cloud Infrastructure Compute Classic resources. The identity domain administrator
can create users with this role in Oracle Cloud MyServices.
Block Storage Security
A storage volume is a virtual disk that provides persistent block storage space for instances. Oracle
Cloud Infrastructure Compute Classic allows you to create storage volumes from 1 GB to 2 TB. You
can attach up to 10 storage volumes to each Oracle Cloud Infrastructure Compute Classic instance. A
storage volume can be attached to only one instance at a time. You can attach one or more storage
volumes to an instance either while creating the instance or later when the instance is running. After
creating an instance, you can easily scale up or scale down the block storage capacity for the instance
by attaching or detaching storage volumes. However, you can’t detach a storage volume that was
attached during instance creation. Note that when a storage volume is detached from an instance or
when the instance is deleted, the data stored on the storage volume isn’t lost.
Storage volume access is restricted to the Oracle Cloud account that created the volume and to the
Oracle Cloud users who are authorized to view or access the volume. Granting access to
these users must be done via roles that were created using Oracle Shared Identity Management. (See
the 5. Shared Identity and Access Management section in this document.) Oracle Cloud Infrastructure
Compute Classic requires roles to perform the following storage volume operations:
» Creating and attaching a storage volume: You can create storage volumes and attach them to
instances to provide block storage capacity for storing data and applications. You can also
associate a storage volume with a machine image, and then use the storage volume as the
boot disk for an instance. To complete this task, you must have the Compute_Operations role.
» Viewing details of a storage volume: You can use the web console to view details of a storage
volume, such as the status, size, and the instance to which it is attached. This task requires
the Compute_Monitor or Compute_Operations role.
» Deleting a storage volume: If you delete a storage volume, then all the data and applications
that were saved on that storage volume are lost. Delete a storage volume only when you’re
sure that you no longer need any of the data that’s stored on that volume. To complete this
task, you must have the Compute_Operations role.
Encryption of sensitive virtual machine disks is generally a good security practice. You can encrypt
your data within your virtual machines using any third-party in-guest encryption solution. Most of
these solutions offer key management capabilities that you can use to implement a key management
policy.
