Best practice

External Cloud Tenancy additional notes

Best practice guides for “server hardening” of Linux machines facing the internet:

And particularly for web servers:

Additional notes regarding JASMIN External Cloud environment:

  • The Shield NAT/Firewall device is the only isolation between Tenant VMs and the raw internet.
    • We monitor network traffic at the gateway/router but
    • Security is the responsibility of the tenant. Please follow suggested security hardening guidelines for all VMs with connections to 192.171.139.0/25
  • Access to other JASMIN hosts and services from the external cloud, is the same as access from internet to these services.
  • The default CentOS public catalog template is configured to use DNS, NTP and yum repo network services from the internet, not from the RAL site.
    • SMTP (mail) server/relay configuration is the responsibility/choice of the tenant.
      • We recommend tenants choose a hosted email server with virus and SPAM filtering and not attempt to configure their own email pipelines.
    • Reverse DNS (IP to hostname) for 192.171.129.0/25 is managed by NERC DNS servers along with ( shortly ) default forward A name records.

Tenants may setup forward A or CNAME DNS records (hostname to IP) for any domainnames they own/control via their own DNS or institutional name servers

Still need help? Contact Us Contact Us