ACL refers to a list of IP addresses, both origin and destination, and ports where traffic is permitted to pass. The *router* does this? Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. How are they different from firewalls, if at all? Is the ACL just the "firewall settings"?
Link to How to Request Firewall Changes

VLANs and Firewalls

Introduction

At AppNexus every customer has a private VLAN, or Virtual Local Area Network, in each datacenter where they reserve servers.  Your VLAN is a list of sequential IP addresses that you control. This means that you can control access to those IP addresses. You can assign these addresses as you like. Traffic within a VLAN is encrypted (question) How?

Relevant tickets: #4128 / #4625 / #3952

1. What do you want customers to know about AppNexus VLANs and VLAN requests and migrations?
2. How does it work to have a VLAN in NY and a VLAN in LA?
3. What do you do when you want a bigger VLAN?
4. What's the migration process?
5. Will migrating be available through the API in the future?
6. Can you add IPs to a VLAN or connect two VLANs?
7. Multinetting? Does it turn two VLANs into one?
8. OK, so it looks like multinetting is nixed by Peak. So how do two VLANs interact? How does that work? And what's the optimal solution here?
9. VPNs? What are they, exactly? Customer VPN question and answer:

What is the capacity of our VPN hardware?
Currently there is no customer-allocated VPN hardware. If you need VPN capabilities, please let us know and we may be able to provide them to you for a fee.

Stateful vs. non-stateful inspection

These questions are also answered on the wiki FAQ but may be helpful here.

1. Why do you use ACLs instead of a stateful firewall?

Stateful inspection is most useful for protecting outbound traffic, but with hosting, the servers tend to receive traffic rather than initiate it. Also, because we are dealing with an unknown amount of traffic, the ability to scale is very important. Stateful inspection is an expensive task for a device to perform and is therefore subject to strict capacity limitations (we're talking sub-Gigabit for most firewalls). On the other hand, Cisco routers perform ACL packet filtering at line rate with absolutely no performance hit. So, while stateful inspection is appropriate for small, stable amounts of outbound traffic or for protecting niche pieces of the network (like e-commerce databases), ACLs are more scalable and efficient for protecting inbound traffic to servers. If a customer still desires a stateful firewall, we can add it for a fee.

2. What are the security implementations at each relevant layer of the OSI Reference Model?

  • Layer 1 - (Physical Layer) All your network gear and servers are protected in secure, locked colocation facilities.
  • Layer 2 - (Data Link Layer) Extensive use of VLANs provides segregation of each customer's traffic from AppNexus traffic and other customers' traffic.
  • Layer 3 - (Network Layer) Bi-directional ACLs are applied on every routing interface with a Default Deny policy, meaning only explicitly permitted traffic is allowed to pass.
  • Layer 4 - (Transport Layer) The use of TCP-based protocols provides connection reliability and allows for session protection via ACLs and host firewalling.
  • Layer 7 - (Application Layer) There is extensive use of encryption (SSH, SSL-VPN) throughout the network.

3. How do you detect, prevent, and manage DDoS attacks and application-level attacks?

Preemptive protection against DDoS attacks is difficult, because we have no way of knowing when, where, or what type to expect. Also, please note that AppNexus does not manage or monitor the customer's applications (or even their OS). That said, in the event of an attack the use of Cisco ACLs allows us to apply deny statements for the source of the attack without affecting performance of the rest of the network. Also, we highly recommend that our customers utilize the F5 server load balancing technology for front-ending their web applications, as the F5s provide built-in DDoS protection when they perform full-proxy session offload.

to be assigned to the instances you launch in the AppNexus environment.  Your VLAN can consist of 8, 24, 56, ..., (2^N-8) IP addresses; eight addresses in each range are reserved for networking equipment so it can behave as though it was part of your individual VLAN.

IP Addresses

  • You can assign specific IP addresses to your equipment by using the optional "--ip" parameter for the manage-instance launch command.  If no specific IP is selected, the next available IP in the range will be automatically assigned.  For more information, see manage-instance.
  • Instance IPs are static; if the server reboots or the instance goes offline, the IP will remain the same.

ACLs/Firewall

VLANs provide security by segregating each customer's traffic from AppNexus and other customers' traffic and also by regulating traffic from the Internet according to a customer-controlled Access Control List (ACL).  You can view your current ACLs in the customer portal at https://portal.appnexus.com/networking.php?index=acl.

  • By default all inbound traffic from the Internet to your IP block is denied except for ping (ICMP Echo---used to verify that the host is up).  With your ACL, you can explicitly permit TCP, UDP, or ANY traffic for particular source and destination IPs and ports.
  • You'll set your initial ACL via the customer questionnaire, and you can change it at any time. At the moment, ACL changes must go through Support.  Please see How to Set Firewall Rules for more information.  Soon there will be an API for ACLs and you will also be able to use the customer portal.
  • All traffic within a VLAN is allowed so all instances can freely communicate with each other.
  • All outgoing traffic from your VLAN is allowed.
  • By default, all ports/traffic between same-customer VLANs in different datacenters is open.  (Note that traffic between LAX1 and NYM1 travels over the Internet and is not encrypted.)
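The defaults listed above (default deny inbound except ping, explicit permits by protocol/source/destination/port, everything within or out of the VLAN allowed, same-customer VLANs open) and the 2^N-8 usable-address rule from the VLAN section, modelled as a small evaluator. This is an added example, not AppNexus code and not Cisco ACL syntax; the VLAN block, peer block, rules and packets are constructed sample values.

```python
# Added example (not AppNexus code, not Cisco ACL syntax): a toy evaluator for
# the ACL defaults this page describes, plus the 2^N-8 usable-address rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "any"
    src: str              # permitted source network ("0.0.0.0/0" = Internet)
    dst: str              # destination network inside the customer block
    dport: Optional[int]  # destination port; None means all ports

def usable_addresses(prefix_len: int) -> int:
    """Usable IPs in a /prefix block: 2^N minus the eight kept for network gear."""
    return 2 ** (32 - prefix_len) - 8

def is_permitted(pkt: dict, vlan, peer_vlans, acl) -> bool:
    """Apply the page's stated defaults, then the customer's explicit permits."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # Anything sourced inside the VLAN is allowed: intra-VLAN and all outbound.
    if src in vlan:
        return True
    # Same-customer VLANs in other datacenters are open by default.
    if dst in vlan and any(src in peer for peer in peer_vlans):
        return True
    # Inbound from the Internet: ping (ICMP echo) is the only default permit.
    if pkt["proto"] == "icmp" and pkt.get("type") == "echo":
        return True
    # Everything else is default deny unless a rule explicitly permits it.
    for rule in acl:
        if rule.proto not in ("any", pkt["proto"]):
            continue
        if src not in ip_network(rule.src) or dst not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != pkt.get("dport"):
            continue
        return True
    return False

# Constructed sample: a /27 customer block (24 usable addresses), one peer
# VLAN in another datacenter, and two permits (public HTTPS, SSH from an office).
VLAN = ip_network("192.0.2.0/27")
PEER_VLANS = [ip_network("198.51.100.0/27")]
ACL = [
    Rule("tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("tcp", "203.0.113.0/24", "192.0.2.0/27", 22),
]
```

Note that the sample deliberately denies inbound UDP/53 and SSH from outside the office range: with default deny, a service is reachable only if a rule names it, which is the check to make when a customer reports "the port is open on the host but unreachable from the Internet".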

If you run out of IP addresses in your VLAN

If you outgrow a VLAN, AppNexus will assign you a larger one.  This can take up to one workday as support staff configures the ACL for the new VLAN.  You will then need to migrate instances from the old VLAN to the new one.  This can be done without downtime; you will assign each item in your VLAN a second IP address for the duration of the migration.  Detailed instructions on VLAN migration will be provided when you make your request to Support.

Note: We assume that customer IP requests are for usable IP addresses; the eight addresses used for network gear have already been accounted for when an IP range is allocated.

Further Information

Network Architecture
How to Set Firewall Rules
Enabled Port Ranges
Direct Connection to 3rd Party Datacenters
Software VPN
VLAN Tagging and Instance Security
manage-vlan CLI tool

Troubleshooting

Connectivity Issues

As always, please create a ticket at https://portal.appnexus.com/ or contact us at support@appnexus.com if you have any questions or concerns.