Network Security

 Security Lists (SL)

  • A common set of firewall rules associated with a subnet and applied to all instances inside the subnet.
  • A Security List (SL) consists of rules that specify the types of traffic allowed in and out of the subnet.
  • To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later.
  • Firewall rules can be defined in two locations:
    • Subnet level: each subnet has its own firewall, the Security List (SL).
    • VNIC level: Network Security Group (NSG).
  • Ingress: rules for traffic inbound to the subnet.
  • Egress: rules for traffic outbound from the subnet.
  • If you define rules at both the SL and the NSG, the effective rule set is the union of both, so the result is at least as permissive as either set on its own.
  • Security lists apply to a given instance whether it is talking with another instance in the VCN or a host outside the VCN.
  • In an SL, you specify a CIDR as the source or destination.

Network Security Group

  • An NSG consists of a set of rules that apply only to a set of VNICs of your choice in a single VCN.

  • When defining a rule, you can specify an NSG (rather than only a CIDR) as the source or destination.

  • Oracle recommends using NSGs.



Security Rules State


Stateful

  • Response traffic for an allowed outbound connection is permitted automatically; no matching ingress rule is needed.

  • Connection tracking: when an instance receives traffic matching a stateful ingress rule, the connection is tracked and its response traffic is automatically allowed regardless of any egress rules.



Stateless

  • Response traffic is not allowed automatically.

  • To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule (and vice versa).



Summary


  • Instances cannot communicate with other instances in the same subnet until you permit them to (via an SL or NSG).
  • Oracle recommends using NSGs instead of SLs because NSGs let you separate the VCN's subnet architecture from your application security requirements.
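The union of SL and NSG rules and the stateful versus stateless behaviour described above, as an added example that is not part of these notes or of any OCI tooling. It is a simplified model: a connection is keyed by the peer IP and the original request's port, whereas real OCI rules distinguish source and destination port ranges; all CIDRs and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str         # "ingress" or "egress"
    cidr: str              # source CIDR (ingress) or destination CIDR (egress)
    port: int              # port of the original request; 0 = any port
    stateful: bool = True  # stateful rules track the connection, stateless do not

@dataclass(frozen=True)
class Flow:
    direction: str   # seen from the instance: "ingress" or "egress"
    peer_ip: str     # remote host (source on ingress, destination on egress)
    port: int        # port of the original request, shared by both directions

def rule_matches(rule, flow):
    return (rule.direction == flow.direction
            and ip_address(flow.peer_ip) in ip_network(rule.cidr)
            and rule.port in (0, flow.port))

def is_allowed(flow, sl_rules, nsg_rules, tracked):
    """Evaluate a flow against the subnet's SL plus the VNIC's NSG.
    `tracked` holds connection keys admitted by a stateful rule; either direction
    of a tracked connection passes regardless of rules (connection tracking)."""
    conn = (flow.peer_ip, flow.port)
    if conn in tracked:
        return True
    for rule in (*sl_rules, *nsg_rules):   # union: a match in either set permits
        if rule_matches(rule, flow):
            if rule.stateful:
                tracked.add(conn)
            return True
    return False

def demo():
    """Returns (stateful_reply, stateless_reply, stateless_reply_fixed, nsg_only, no_rules)."""
    sl = [Rule("ingress", "10.0.0.0/16", 22),                   # stateful SSH from the VCN
          Rule("ingress", "0.0.0.0/0", 80, stateful=False)]     # stateless HTTP
    nsg = [Rule("ingress", "0.0.0.0/0", 443)]                   # HTTPS only via the NSG
    t = set()
    is_allowed(Flow("ingress", "10.0.1.5", 22), sl, nsg, t)
    stateful_reply = is_allowed(Flow("egress", "10.0.1.5", 22), sl, nsg, t)
    is_allowed(Flow("ingress", "203.0.113.9", 80), sl, nsg, t)
    stateless_reply = is_allowed(Flow("egress", "203.0.113.9", 80), sl, nsg, t)
    sl_fixed = sl + [Rule("egress", "0.0.0.0/0", 80, stateful=False)]  # the missing egress rule
    stateless_fixed = is_allowed(Flow("egress", "203.0.113.9", 80), sl_fixed, nsg, t)
    nsg_only = is_allowed(Flow("ingress", "198.51.100.4", 443), [], nsg, set())
    no_rules = is_allowed(Flow("ingress", "10.0.1.6", 8080), [], [], set())  # same-subnet peer
    return stateful_reply, stateless_reply, stateless_fixed, nsg_only, no_rules
```

`demo()` returns `(True, False, True, True, False)`: the stateful SSH reply passes with no egress rule, the stateless HTTP reply is dropped until a stateless egress rule is added, an NSG rule alone admits HTTPS, and a same-subnet neighbour is blocked when no rule permits it.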