Yeah, we've changed the default so that at very least you can ssh to the vm.
If all you provide is a completely locked or a completely open sg, users will choose the completely open one every time. :/ Putting a few common cases might go a long way to keep things more secure by default.

Thanks,
Kevin
________________________________________
From: Jeremy Stanley [fu...@yuggoth.org]
Sent: Wednesday, March 02, 2016 1:12 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [neutron] - Changing the Neutron default security group rules

On 2016-03-03 07:49:03 +1300 (+1300), Xav Paice wrote:
[...]
> In my mind, the default security group is there so that as people
> are developing their security policy they can at least start with
> a default that offers a small amount of protection.

Well, not a small amount of protection. The instances boot completely unreachable from the global Internet, so this is pretty significant protection if you consider the most secure system is one which isn't connected to anything. Unfortunately this is not, I think, what most users want as an end state for most of their instances. I simply wonder if there's a default which can be useful to at least some majority, rather than having to make things equally complex for everyone. Hard to identify, rife with opinion, and not a solution I'm holding my breath for... but probably still more attainable than world peace.

> Disabling that protection means I'd have to be dealing with a vast
> number of customers with instances that have been compromised
> because they didn't add to the security groups.

Sure, and that's I think how we've arrived at the default indecision. It's easier to tell customers that they have to adjust their firewall rules before they can do anything at all (and risk some of them going elsewhere for an easier out-of-the-box experience), than to bear the liability and reputation loss from customers getting compromised because they assumed wrongly that they shouldn't have to secure their systems "in the cloud."
That said, there _are_ providers whose default behavior is to not filter you. In IRC I tried to draw comparisons to colocation, where my default expectation is a routed network I can put my servers on with no risk that the provider is surreptitiously blocking my traffic. If I want packet filtering, I can bring a firewall into the colo and plug it in, then configure it to my liking, but the default bare-bones experience is a _less_ complex one (no firewall appliance) and if I want separate filtering that's additional complexity I opt into by choice.
--
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
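To make the "locked, open, or a few common cases" trade-off concrete, here is an added example (not code from this thread or from Neutron itself) that models how Neutron security-group rules admit ingress traffic and compares three candidate defaults. The rule dictionaries use Neutron's API field names, but the matching logic is a simplified, assumed re-implementation and the three groups are constructed for illustration.

```python
import ipaddress

SELF = "self"  # stand-in for the group's own UUID in remote_group_id


def ingress_allowed(rules, proto, port, src_ip, src_in_same_group=False):
    """Return True if any ingress rule admits a packet with these properties.

    Simplified model (assumed, not Neutron's code): a rule matches when its
    ethertype matches the source address family, its protocol is unset or
    equal to `proto`, its port range is unset or contains `port`, and its
    remote side (remote_group_id or remote_ip_prefix) covers the source.
    """
    src = ipaddress.ip_address(src_ip)
    ethertype = "IPv4" if src.version == 4 else "IPv6"
    for r in rules:
        if r["direction"] != "ingress" or r["ethertype"] != ethertype:
            continue
        if r.get("protocol") not in (None, proto):
            continue
        lo, hi = r.get("port_range_min"), r.get("port_range_max")
        if lo is not None and not (lo <= port <= hi):
            continue
        if r.get("remote_group_id") == SELF:
            if src_in_same_group:
                return True
            continue  # same-group rule does not cover outside sources
        prefix = r.get("remote_ip_prefix")
        if prefix is None or src in ipaddress.ip_network(prefix):
            return True
    return False


# Stock Neutron "default" group: egress open, ingress only from the same group.
STOCK_DEFAULT = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": SELF},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": SELF},
]
# The "completely open" group users reach for when no middle ground is offered.
WIDE_OPEN = STOCK_DEFAULT + [
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "0.0.0.0/0"},
]
# A "common case" default: the stock rules plus SSH from anywhere, nothing more.
SSH_ONLY = STOCK_DEFAULT + [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
]
```

Running the three groups through `ingress_allowed` shows the gap the thread is about: the stock default rejects SSH from the Internet entirely, the open group admits every port, and the SSH-only variant admits port 22 while still rejecting, for example, port 80.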