VMware Telco Cloud Operations requires a secure and trusted environment. Reference the following use case recommendations as a guide for securing your environment.

Recommendation 1: When Smarts EDAA is Configured in a Non-Trusted Environment.

The Smarts collector relies on customer request notifications from Smarts, and VMware Telco Cloud Operations collects that data over a secure Java API. When the customer acts on the collected data (for example, to file a help ticket), the action sends an unsecured REST request to Smarts. That unsecured request exposes the Smarts Domain Manager and SAM to a non-trusted environment.

Use one or more of the following recommended measures to construct a secure and trusted production environment for VMware Telco Cloud Operations.
  • Deploy a software or hardware firewall
  • Use software- or hardware-based Layer 2 encryption
  • Isolate the traffic in a VLAN, implemented in software or hardware
  • Deploy a software or hardware Layer 3 router

The following example shows the commands that configure the firewall on the Smarts Domain Manager nodes. The commands are written for a CentOS 7 system and use iptables on the host where the Smarts EDAA service is running. Any alternative way of configuring the firewall can be used on CentOS 7 or on other OS platforms.

Example
  1. Back up the iptables rules of the host where the Smarts EDAA service is running.

    sudo iptables-save > IPtablesbackup.txt

  2. Block all traffic to the Smarts EDAA port globally.

    sudo iptables -I INPUT -p tcp --dport <SMARTS-EDAA-PORT-NUMBER> -j DROP

  3. Add iptables rules that allow each VMware Telco Cloud Operations cluster node to reach the Smarts EDAA port. Each rule is inserted with -I, so it is placed above the DROP rule from step 2 and is evaluated before it.

    sudo iptables -I INPUT -p tcp -s <CONTROL-PLANE-NODE-IP-ADDRESS> --dport <SMARTS-EDAA-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <ES-NODE-IP-ADDRESS> --dport <SMARTS-EDAA-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <ARANGO-NODE-IP-ADDRESS> --dport <SMARTS-EDAA-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <KAFKA-NODE-IP-ADDRESS> --dport <SMARTS-EDAA-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <DOMAIN-MGR-NODE-IP-ADDRESS> --dport <SMARTS-EDAA-PORT-NUMBER> -j ACCEPT

  4. Save the iptables rules so that they persist across reboots (on CentOS 7 this requires the iptables-services package).

    sudo service iptables save

  5. Verify that the service is accessible only from the VMware Telco Cloud Operations nodes.
  6. If the service does not work as expected, restore the iptables backup and repeat steps 1 through 5.

    sudo iptables-restore < IPtablesbackup.txt
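The procedure above is the same allow-list pattern for every exposed service on this page: a global DROP for the port, followed by one ACCEPT per trusted node. The following shell script is an added example, not part of the VMware documentation, that generates those rules for any port and any list of trusted addresses, so one function covers the Smarts EDAA port here and the Edge Kafka, debugging and Smarts broker ports in the later recommendations. The function names, the 10.10.0.x addresses and the choice of port 9092 in the sample call are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: build the allow-list
# rules from the procedure above for any service port and any set of trusted
# node addresses. Addresses and ports in the sample call are constructed.

# allowlist_rules PORT SOURCE_IP [SOURCE_IP ...]
# Prints the iptables commands in the same order as the procedure: the global
# DROP first, then one ACCEPT per trusted source. Every rule uses -I (insert at
# the top of INPUT), so each ACCEPT issued after the DROP lands above it and is
# matched first; hosts not in the list fall through to the DROP.
allowlist_rules() {
    port=$1
    case $port in
        ''|*[!0-9]*)
            echo "allowlist_rules: port must be numeric, got '$port'" >&2
            return 1 ;;
    esac
    shift
    if [ $# -eq 0 ]; then
        echo "allowlist_rules: at least one trusted source address is required" >&2
        return 1
    fi
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
    for src in "$@"; do
        printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
    done
}

# apply_allowlist PORT SOURCE_IP [SOURCE_IP ...]
# Takes a backup as in step 1, applies the generated rules as in steps 2 and 3,
# and persists them as in step 4. Run it on the host that offers the service.
# Set DRY_RUN=1 to print the rules instead of executing them.
apply_allowlist() {
    rules=$(allowlist_rules "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    sudo iptables-save > IPtablesbackup.txt || return 1
    printf '%s\n' "$rules" | sudo sh -e || return 1
    sudo service iptables save
}

# Constructed sample: the rules that would restrict a service on port 9092 to
# two hypothetical trusted nodes. Only printed here, not applied.
allowlist_rules 9092 10.10.0.5 10.10.0.6
```

Because the generator refuses a non-numeric port or an empty node list, a mistyped placeholder such as a literal `<SMARTS-EDAA-PORT-NUMBER>` fails before anything touches the firewall rather than inserting an unrestricted rule.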

Recommendation 2: When Edge Kafka is Configured in a Non-Trusted Environment.

VMware Telco Cloud Operations uses Edge Kafka for external data exchange between Smarts/MnR and the VMware Telco Cloud Operations services. Currently, SSL/TLS is not enabled for Kafka, which exposes Edge Kafka in a non-trusted environment.

Use one or more of the following recommended measures to construct a secure and trusted production environment for VMware Telco Cloud Operations.
  • Deploy a software or hardware firewall
  • Use software- or hardware-based Layer 2 encryption
  • Isolate the traffic in a VLAN, implemented in software or hardware
  • Deploy a software or hardware Layer 3 router

Note: Edge Kafka runs on the VMware Telco Cloud Operations Domain Manager node on port 9092. It’s recommended to allow this port only between the Smarts Domain Manager/MnR nodes and the VMware Telco Cloud Operations Domain Manager node. Refer to the following example commands to allow Edge Kafka port 9092 only to the Smarts Domain Managers and MnR nodes.
Example
  1. Back up the iptables rules of the VMware Telco Cloud Operations Domain Manager node, where Edge Kafka is running.

    sudo iptables-save > IPtablesbackup.txt

  2. Block all traffic to the Edge Kafka port globally.

    sudo iptables -I INPUT -p tcp --dport 9092 -j DROP

  3. Add iptables rules that allow the Smarts Domain Manager and MnR nodes to reach the Edge Kafka port, one rule per node. Each rule is inserted with -I, so it is placed above the DROP rule from step 2 and is evaluated before it.

    sudo iptables -I INPUT -p tcp -s <SMARTS-DOMAIN-MGR-NODE-IP-ADDRESS> --dport 9092 -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <MNR-NODE-IP-ADDRESS> --dport 9092 -j ACCEPT

  4. Save the iptables rules so that they persist across reboots (on CentOS 7 this requires the iptables-services package).

    sudo service iptables save

  5. Verify that Edge Kafka is accessible only from the Smarts Domain Manager and MnR nodes.
  6. If the service does not work as expected, restore the iptables backup and repeat steps 1 through 5.

    sudo iptables-restore < IPtablesbackup.txt

Recommendation 3: When External Access for Debugging Exposes VMware Telco Cloud Operations Data in a Non-Trusted Environment.

VMware Telco Cloud Operations allows external access to the Elasticsearch, ArangoDB, and analytics service ports for debugging purposes. This external access exposes VMware Telco Cloud Operations data in a non-trusted environment.

Use one or more of the following recommended measures to construct a secure and trusted production environment for VMware Telco Cloud Operations.
  • Deploy a software or hardware firewall
  • Use software- or hardware-based Layer 2 encryption
  • Isolate the traffic in a VLAN, implemented in software or hardware
  • Deploy a software or hardware Layer 3 router

The analytics services, ArangoDB, and Elasticsearch listen on the following exposed ports. It’s recommended to allow these ports only between the VMware Telco Cloud Operations Domain nodes:

  Telco Cloud Operations Service   Port
  Analytics Services               7000
  ArangoDB                         8529
  Elasticsearch                    9200

Recommendation 4: When the Connection to the Smarts Broker is Not Authenticated and Exposed to a Non-Trusted Environment.

VMware Telco Cloud Operations connects to the Smarts broker to locate the Smarts Domain Managers. The VMware Telco Cloud Operations connections to the Smarts Domain Managers are authenticated, but the connection to the Smarts broker is not, and it is exposed to a non-trusted environment.

Use one or more of the following recommended measures to construct a secure and trusted production environment for VMware Telco Cloud Operations.
  • Deploy a software or hardware firewall
  • Use software- or hardware-based Layer 2 encryption
  • Isolate the traffic in a VLAN, implemented in software or hardware
  • Deploy a software or hardware Layer 3 router

Example

To allow Smarts broker access only to the VMware Telco Cloud Operations nodes, use the following commands:

  1. Back up the iptables rules of the host where the Smarts broker is running.

    sudo iptables-save > IPtablesbackup.txt

  2. Block all traffic to the Smarts broker port globally.

    sudo iptables -I INPUT -p tcp --dport <SMARTS-BROKER-PORT-NUMBER> -j DROP

  3. Add iptables rules that allow each VMware Telco Cloud Operations cluster node to reach the Smarts broker port. Each rule is inserted with -I, so it is placed above the DROP rule from step 2 and is evaluated before it.

    sudo iptables -I INPUT -p tcp -s <CONTROL-PLANE-NODE-IP-ADDRESS> --dport <SMARTS-BROKER-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <ES-NODE-IP-ADDRESS> --dport <SMARTS-BROKER-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <ARANGO-NODE-IP-ADDRESS> --dport <SMARTS-BROKER-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <KAFKA-NODE-IP-ADDRESS> --dport <SMARTS-BROKER-PORT-NUMBER> -j ACCEPT
    sudo iptables -I INPUT -p tcp -s <DOMAIN-MGR-NODE-IP-ADDRESS> --dport <SMARTS-BROKER-PORT-NUMBER> -j ACCEPT

  4. Save the iptables rules so that they persist across reboots (on CentOS 7 this requires the iptables-services package).

    sudo service iptables save

  5. Verify that the Smarts broker is accessible only from the VMware Telco Cloud Operations nodes.
  6. If the service does not work as expected, restore the iptables backup and repeat steps 1 through 5.

    sudo iptables-restore < IPtablesbackup.txt
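Step 5 of each procedure on this page asks you to verify that a port is reachable only from the trusted nodes. The following script is an added example, not VMware's own tooling, that performs that check on an iptables-save dump: it passes only if a catch-all DROP for the port exists, every ACCEPT for the port names a source address, every such source is on the allowed list, and every ACCEPT sits above the DROP (iptables matches top-down, so an ACCEPT added with -A instead of -I lands below the DROP and never matches, which locks out the trusted nodes as well). The function names, the 10.10.0.x addresses and the two rule dumps are constructed for the example; on a real host, pipe in `sudo iptables-save` instead.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: audit an iptables-save dump and
# report whether one service port is restricted to the listed node addresses.
# The dumps at the bottom are constructed samples.

# audit_port PORT "ALLOWED_IP ALLOWED_IP ..." < iptables-save-dump
# Prints a verdict; returns 0 when the port passes, 1 on any finding.
audit_port() {
    awk -v port="$1" -v allowed="$2" '
        BEGIN {
            accepts = 0
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^-A INPUT / {
            dport = ""; src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")   dport = $(i + 1)
                else if ($i == "-s")   src = $(i + 1)
                else if ($i == "-j")   target = $(i + 1)
            }
            sub("/32$", "", src)         # iptables-save writes single hosts as a.b.c.d/32
            if (dport != port) next
            if (target == "DROP" && src == "") { drop_seen = 1; next }
            if (target != "ACCEPT") next
            if (src == "")          { print "FAIL: ACCEPT for port " port " has no source restriction"; bad = 1 }
            else if (!(src in ok))  { print "FAIL: ACCEPT from unexpected source " src; bad = 1 }
            else if (drop_seen)     { print "FAIL: ACCEPT from " src " sits below the DROP and never matches"; bad = 1 }
            else                    accepts++
        }
        END {
            if (!drop_seen) { print "FAIL: no catch-all DROP for port " port; bad = 1 }
            if (bad) exit 1
            print "OK: port " port " accepts only " accepts " listed node(s)"
        }'
}

# Constructed dump: the result of running the Edge Kafka procedure correctly,
# with the two ACCEPT rules inserted above the DROP.
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.10.0.5/32 -p tcp -m tcp --dport 9092 -j ACCEPT
-A INPUT -s 10.10.0.6/32 -p tcp -m tcp --dport 9092 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9092 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed dump: the ACCEPT was appended with -A instead of inserted with -I,
# so it ended up below the DROP and the trusted node is locked out too.
SHADOWED_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 9092 -j DROP
-A INPUT -s 10.10.0.5/32 -p tcp -m tcp --dport 9092 -j ACCEPT
COMMIT'

audit_good()     { printf '%s\n' "$GOOD_DUMP"     | audit_port "$@"; }
audit_shadowed() { printf '%s\n' "$SHADOWED_DUMP" | audit_port "$@"; }

audit_good 9092 "10.10.0.5 10.10.0.6"            # reports OK
audit_shadowed 9092 "10.10.0.5" || true          # reports the shadowed ACCEPT
```

Running the audit against the live ruleset with the node list from step 3 turns the manual check in step 5 into a repeatable test; running it for 7000, 8529 and 9200 covers the debugging ports from Recommendation 3 with the same function.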