In the openstack-installations there are usually two external networks. "ntnu-internal" provides NTNU-RFC1918 adresses, which are reachable from all of NTNU, but global access is only through VPN. "ntnu-global" provides globally reachable IP addresses, making your virtual machine available globally. The following table lists the IP prefixes used in the platform:
| Platform | ntnu-internal | ntnu-global |
|---|---|---|
| SkyHiGh | 10.212.136.0/21 10.212.168.0/21 | 128.39.143.128/25 129.241.150.0/24 |
| StackIT | 10.212.24.0/22 | 129.241.152.0/23 |
| SkyLow | 10.212.131.0/25 | 128.39.45.0/26 |
| PileIT | 10.212.36.0/22 | N/A |
Using ntnu-global
Access to globally available addresses are given on request, if you have a legitimate use for it. Access is given on a per-project basis, and even after the access is given we encourage you to use ntnu-internal where global addresses is not strictly needed.
...
- Use security-groups to limit access to your services:
- Administrative interfaces (SSH, Remote-Desktop, VNC etc.) should ONLY be allowed from known networks.
- NTNU uses many address-ranges but allowing access from 129.241.0.0/16 and 10.0.0.0/8 should cover the majority.
- Check the addresses used at your systems if they are not covered by these ranges.
- Access to services should only be given globally to the specific ports needed.
- For web-applications this typically means TCP port 80 (HTTP) and 443 (HTTPS).
- You should not give global access to services intended for internal use in your applications, like databases, message-queues, cache-layers etc.
- Administrative interfaces (SSH, Remote-Desktop, VNC etc.) should ONLY be allowed from known networks.
- Keep your services updated
- It is particularly important to keep services available to the global internet updated, to avoid having knows security bugs that can be exploited.
- We recommend to enable automatic updates to automaticly keep things somewhat up to date.
Practical implementation
...