By default, the security group that the NSX Advanced Load Balancer Controller manages and attaches to the SEs contains rules that allow inbound TCP port 22 (SSH) and all inbound ICMP traffic from any source (0.0.0.0/0). This is useful in troubleshooting scenarios, because support staff can SSH directly to the NSX Advanced Load Balancer SE. In some customer environments, however, TCP port 22 must be locked down further. This topic describes how to use the NSX Advanced Load Balancer cloud configuration flag wildcard_access to apply that additional protection.

Use the following CLI command to list the rules of the relevant security group.

Default Use Case in OpenStack

root@node-17:~# neutron security-group-list
+--------------------------------------+---------------------------------------------+-----------------------------------------------------+
| id                                   | name                                        | security_group_rules                                |
+--------------------------------------+---------------------------------------------+-----------------------------------------------------+
| e1e3f96e-cc9d-4fd4-bb01-4db9480621d8 | avi-se-3cf0f25c-8b25-4b6c-94db-ab59ae8f2f23 | egress, IPv4                                        |
|                                      |                                             | egress, IPv6                                        |
|                                      |                                             | ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0  |
|                                      |                                             | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0    |
+--------------------------------------+---------------------------------------------+-----------------------------------------------------+

Disabling Wildcard Access to Port 22

The following CLI sequence first shows that wildcard_access is set to True by default, then changes it to False.

Note:

The change applies only to SEs created after it is saved. SEs that already exist keep their current security group, including the 22/tcp ingress rule.

[admin:10-10-22-142]: > configure cloud avi-os
Updating an existing object. Currently, the object is:
+---------------------------+--------------------------------------------+
| Field                     | Value                                      |
+---------------------------+--------------------------------------------+
| uuid                      | cloud-c62d3177-ca44-4565-a167-62d783a34be9 |
| name                      | avi-os                                     |
| vtype                     | CLOUD_OPENSTACK                            |
| openstack_configuration   |                                            |
|   username                | admin                                      |
|   security_groups         | True                                       |
|   auth_url                | http://10.10.22.23:5000/v2.0               |
|   wildcard_access         | True                                       |

...  DETAILS OMITTED ...

| tenant_ref                | admin                                      |
+---------------------------+--------------------------------------------+
[admin:10-10-22-142]: cloud> openstack_configuration
[admin:10-10-22-142]: cloud:openstack_configuration> no wildcard_access
[admin:10-10-22-142]: cloud:openstack_configuration> save
[admin:10-10-22-142]: cloud> save
+---------------------------+--------------------------------------------+
| Field                     | Value                                      |
+---------------------------+--------------------------------------------+
| uuid                      | cloud-c62d3177-ca44-4565-a167-62d783a34be9 |
| name                      | avi-os                                     |
| vtype                     | CLOUD_OPENSTACK                            |
| openstack_configuration   |                                            |
|   username                | admin                                      |
|   security_groups         | True                                       |
|   auth_url                | http://10.10.22.23:5000/v2.0               |
|   wildcard_access         | False                                      |
...
| tenant_ref                | admin                                      |
+---------------------------+--------------------------------------------+

Confirming That the Tighter Security Is in Effect

Use the neutron security-group-list command to confirm that the hardening has been applied. The security group of an SE created after the change contains only the ICMP ingress rule; the 22/tcp ingress rule is no longer present.

root@node-17:~# neutron security-group-list
+--------------------------------------+---------------------------------------------+---------------------------------------------------+
| id                                   | name                                        | security_group_rules                              |
+--------------------------------------+---------------------------------------------+---------------------------------------------------+
| fafaf765-9d88-42d0-ae48-76b839177b52 | avi-se-095fa798-d643-4a7b-849b-910e33421f11 | egress, IPv4                                      |
|                                      |                                             | egress, IPv6                                      |
|                                      |                                             | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0  |
+--------------------------------------+---------------------------------------------+---------------------------------------------------+
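To make both halves of this procedure checkable from a script, the following is an added Python example; it is not code from NSX Advanced Load Balancer or its documentation. It checks the Controller side by reading wildcard_access from the cloud objects (in the shape of a GET /api/cloud response, with the field path openstack_configuration.wildcard_access shown in the CLI output above) and the Neutron side by scanning avi-se-* security group rules for ingress to TCP/22 from a wildcard source. The sample data is constructed from the two listings on this page. The JSON key names ("Direction", "IP Protocol", "Port Range", "IP Range", "Remote Security Group") follow the openstack CLI's -f json output and are an assumption to verify against your client version; the collect_live_groups helper that shells out to the openstack CLI is provided for live use and is not called by default.

```python
"""Check that wildcard SSH access to NSX Advanced Load Balancer SEs is closed.

Added example, not product code. Two checks:
  1. Controller side: every CLOUD_OPENSTACK cloud must have
     openstack_configuration.wildcard_access == False.
     Input: dict in the shape of a GET /api/cloud response ({"results": [...]}).
  2. Neutron side: no avi-se-* security group may allow ingress to TCP/22
     from a wildcard source. Input: {sg_name: [rule, ...]} where each rule
     uses the key names of `openstack security group rule list --long -f json`
     (assumed; verify against your client version).
"""
import ipaddress
import json
import subprocess
from typing import Dict, List, Tuple

SE_SG_PREFIX = "avi-se-"
SSH_PORT = 22


def clouds_with_wildcard_access(cloud_api_response: dict) -> List[str]:
    """Names of OpenStack clouds whose new SEs will still get the 22/tcp ANY rule."""
    offenders = []
    for cloud in cloud_api_response.get("results", []):
        if cloud.get("vtype") != "CLOUD_OPENSTACK":
            continue
        osc = cloud.get("openstack_configuration") or {}
        # A missing field means the default, and the page shows the default is True.
        if osc.get("wildcard_access", True):
            offenders.append(cloud["name"])
    return offenders


def _port_range(rule: dict) -> Tuple[int, int]:
    """Parse "Port Range" ("22:22", "80:443", or "" meaning all ports) into (lo, hi)."""
    pr = rule.get("Port Range") or ""
    if not pr:
        return 1, 65535
    lo, _, hi = pr.partition(":")
    return int(lo), int(hi or lo)


def _is_wildcard_source(rule: dict) -> bool:
    """True when the rule's remote side is any address (no prefix, or a /0 prefix)."""
    if rule.get("Remote Security Group"):
        return False  # scoped to members of another security group
    ip_range = rule.get("IP Range") or ""
    if not ip_range:
        return True  # an empty remote_ip_prefix means any source
    return ipaddress.ip_network(ip_range, strict=False).prefixlen == 0


def wildcard_ssh_findings(groups: Dict[str, List[dict]], port: int = SSH_PORT) -> List[str]:
    """One finding per avi-se-* rule that exposes TCP/<port> to the world."""
    findings = []
    for sg_name, rules in groups.items():
        if not sg_name.startswith(SE_SG_PREFIX):
            continue
        for r in rules:
            if r.get("Direction") != "ingress":
                continue
            proto = (r.get("IP Protocol") or "").lower()
            if proto not in ("", "tcp"):  # "" is any protocol, which includes tcp
                continue
            lo, hi = _port_range(r)
            if lo <= port <= hi and _is_wildcard_source(r):
                findings.append(f"{sg_name}: ingress {proto or 'any'} {lo}-{hi} "
                                f"from {r.get('IP Range') or 'any'}")
    return findings


def collect_live_groups() -> Dict[str, List[dict]]:
    """Gather avi-se-* groups with the openstack CLI (needs OS_* env vars; not run here)."""
    out = subprocess.check_output(["openstack", "security", "group", "list", "-f", "json"])
    groups = {}
    for sg in json.loads(out):
        if sg["Name"].startswith(SE_SG_PREFIX):
            rules = subprocess.check_output(["openstack", "security", "group", "rule", "list",
                                             sg["ID"], "--long", "-f", "json"])
            groups[sg["Name"]] = json.loads(rules)
    return groups


def _rule(direction, ethertype, proto="", ports="", ip_range=""):
    return {"Direction": direction, "Ethertype": ethertype, "IP Protocol": proto,
            "Port Range": ports, "IP Range": ip_range, "Remote Security Group": ""}


# Constructed sample input mirroring the two neutron listings on this page:
# the default SE group (22/tcp and icmp from 0.0.0.0/0) and the hardened one (icmp only).
SAMPLE_GROUPS = {
    "avi-se-3cf0f25c-8b25-4b6c-94db-ab59ae8f2f23": [
        _rule("egress", "IPv4"), _rule("egress", "IPv6"),
        _rule("ingress", "IPv4", "tcp", "22:22", "0.0.0.0/0"),
        _rule("ingress", "IPv4", "icmp", "", "0.0.0.0/0")],
    "avi-se-095fa798-d643-4a7b-849b-910e33421f11": [
        _rule("egress", "IPv4"), _rule("egress", "IPv6"),
        _rule("ingress", "IPv4", "icmp", "", "0.0.0.0/0")],
}
# Constructed cloud objects, before and after `no wildcard_access`.
SAMPLE_CLOUDS_BEFORE = {"results": [{"name": "avi-os", "vtype": "CLOUD_OPENSTACK",
                        "openstack_configuration": {"security_groups": True, "wildcard_access": True}}]}
SAMPLE_CLOUDS_AFTER = {"results": [{"name": "avi-os", "vtype": "CLOUD_OPENSTACK",
                       "openstack_configuration": {"security_groups": True, "wildcard_access": False}}]}

if __name__ == "__main__":
    print("clouds still allowing wildcard SSH:", clouds_with_wildcard_access(SAMPLE_CLOUDS_BEFORE))
    for line in wildcard_ssh_findings(SAMPLE_GROUPS):
        print("FINDING", line)
```

Because the Controller-side setting only affects SEs created afterwards, the Neutron-side scan is the check that matters for an existing deployment: a cloud can report wildcard_access False while older avi-se-* groups still carry the 22/tcp rule.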