Creating Firewalls Using Roles
Even within a private network like DN, it's a good idea to restrict the types of communication which can occur between different kinds of devices. For example, web server machines might need to communicate with database machines over certain ports, but they should not be able to ssh into user laptops. These access rules are managed in DN through the use of roles. This guide will explain what roles are and how they are used to manage both identity and access within a DN network.
In DN, a role represents the primary purpose and group-identity of a host. For example, you might create roles such as
Admin Endpoint, User Endpoint, WWW Server, etc. Each machine that you create should be assigned a role when it is
created. Firewall rules are configured for inbound traffic at the role level. Newly created roles allow only ICMP
traffic so that
ping requests can be used for troubleshooting. All other inbound traffic is denied by default, and the
rules can be configured to allow other kinds of traffic from machines belonging to specific roles.
Note that currently, due to the way identity is securely managed in DN, role names cannot be changed after they are created, and hosts cannot be edited to change their role. The firewall rules of roles can be changed at any time, and updates will be sent out to all affected machines automatically.
To create a role, visit the Roles page of your DN admin panel. A default “Lighthouse”
role was created automatically when your account was provisioned. Let's create a new
www-internal role to use for web
servers of an internal website. Start by clicking the
Add button on the top right of the page and filling out the role
name (required) and a description (optional).
We'll create two more roles for
endpoint-admin. We can see that they have been added to the
list of roles, and that they all have one rule.
Let's click on
www-internal to open that role's page.
Now, we want to allow inbound TCP traffic on port 443 from both kinds of endpoints, so that HTTPS requests to the internal page from administrators and employees are allowed. First, click the “Add firewall rule” button, then choose TCP for the protocol, type 443 as the port range, and select the endpoint-employee role from the Allowed role dropdown. We've entered a description as well, which is a good idea to help provide context for rules.
We'll add the same rule for
endpoint-admin so they can access the website, as well as one final rule to allow TCP:22
for admins, so that they can also ssh into web server boxes. The final result looks like this:
Changes to roles are not saved until the “Save role” button is clicked, to minimize the number of updates sent to hosts on the network.
After saving, let's add a web server host. Visit the Hosts page, and click the “Add” button. Choose a name, and click on the Role dropdown. Hosts (as well as lighthouses and relays) are only allowed to have one role.
Note, that it's also possible to create new roles along with the host, by choosing the “Add new role” option. Roles added this way will only allow ICMP traffic, but the firewall rules can be edited as shown above.
Roles can be deleted so long as there are no hosts, lighthouses, or relays using the role. To delete a role, choose the “Delete role” option from the role's three-dot menu on the Roles page, and then confirm your decision in the confirmation dialog.