Set up workload firewalls
Workload Firewall Management
CloudPassage Halo automatically deploys, updates, and monitors host-based Windows or Linux firewalls for your cloud servers. Host-based firewalls can provide better protection for your cloud servers than traditional perimeter firewalls, because they can be tailored to the exact purpose of each type of server that you use. With Halo, you can design policies to facilitate inter-communication among the different categories of servers in your cloud, while simultaneously preventing malicious agents from gaining access.
Halo host firewalls also deploy themselves automatically and elastically, as your cloud-server population dynamically grows and shrinks. No servers are left uncovered and vulnerable to attack.
To implement Halo firewalls, you use the Halo portal to create a firewall policy that is appropriate for protecting a group of servers. The policy is a list of connection rules, controlling what specific kinds of inbound and outbound connections are permitted (or prohibited).
When you assign the policy to the group, Halo installs an individual Windows or iptables firewall, based on that policy, on each of the group's servers. Halo then automatically pushes any later policy updates and any changes to server IP addresses to those servers, and it deploys new firewalls to any servers that are added to the group in the future, such as through cloning or reactivation.
Firewall policies control what Internet traffic is allowed into and out of your servers. Unlike traditional network firewalls, Halo firewall policies apply only to the servers for which they are defined. But you build and manage them centrally, leveraging server groups and IP zones to create dynamic, auto-updating rules.
All servers in the group you assign your policy to will have host firewalls activated with that policy. New servers launched or moved into the group will get policy updates dynamically, and all servers will get updates when their policy changes.
Note: Because every customer's needs are different, Halo does not provide firewall policy templates for you. You will need to create your own policy from scratch, as shown here.
- Navigate to Policies or to Policies > Policies List to display the All Policies screen.
- On the All Policies screen, click New > Policy. The Create New Policy screen appears:
Enter a name for the policy, select "Firewall" as the policy type, specify the platform it should run on, and optionally enter a description.
- Click Create Policy. The Edit Firewall Policy screen appears:
- Create a few inbound and possibly outbound rules. In each case, Halo will remind you to specify a default rule, which applies when no other rules match.
(This example does not walk you through the steps of adding rules; see Create Inbound Rules and Create Outbound Rules in the Workload Firewall Management Setup Guide for instructions and cautions when adding firewall rules. See also Example Firewalls for simplified examples of firewall policies that might apply to a distributed web application.)
- After adding rules, click Save. Your policy appears on the Firewall Policies page.
Now that you have created a firewall policy, your next step is to activate it by assigning it to a server group.
- Back on the Environment page of the portal, select a group to which you want to assign this firewall policy, then click the Settings button and open the group's Policies subtab.
- From either the Linux or Windows drop-down list, select the firewall that you just created, then click Save. The firewall is assigned to your group and is now protecting each of its servers.
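Once the policy is assigned, you can confirm on a Linux server what the installed iptables ruleset actually enforces. The following Python check is an added example, not CloudPassage code: it parses `iptables-save` output, reports the effective default action for the INPUT chain (the chain policy or an earlier catch-all rule), and flags ports accepted from any source. The sample dump is constructed, and the way Halo lays out its generated rules is an assumption.

```python
import shlex

# Constructed sample of `iptables-save` output (not captured from a Halo-managed host).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

def audit_chain(dump, chain="INPUT", table="filter"):
    """Return the effective default action and accepted (port, source) pairs for one chain."""
    current, policy, rules = None, None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*filter"
            current = line[1:]
        elif current != table:
            continue
        elif line.startswith(":" + chain + " "):
            policy = line.split()[1]        # chain policy, e.g. ":INPUT ACCEPT [0:0]"
        elif line.startswith("-A " + chain + " "):
            rules.append(shlex.split(line)[2:])
    default, accepted = policy, []
    for tokens in rules:                    # first match wins; user-defined chains are not followed
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if tokens[:1] == ["-j"] and target in ("ACCEPT", "DROP", "REJECT"):
            default = target                # catch-all rule: it overrides the chain policy
            break                           # rules after it are never reached
        if target == "ACCEPT" and "--dport" in tokens:
            src = tokens[tokens.index("-s") + 1] if "-s" in tokens else "any"
            accepted.append((tokens[tokens.index("--dport") + 1], src))
    return {"default": default, "accepted": accepted}

def findings(result):
    """Flag a permissive default and ports reachable from any source."""
    out = []
    if result["default"] not in ("DROP", "REJECT"):
        out.append("unmatched traffic is allowed (default %s)" % result["default"])
    out += ["port %s open to any source" % p for p, s in result["accepted"] if s == "any"]
    return out
```

On a real server, pass the text produced by `iptables-save` (run as root) to `audit_chain` in place of the constructed sample.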