Ingress and egress filtering in cloud computing restrict the packets that enter and leave a network; the filtering is enforced on a physical or virtual router (or a firewall sitting at the same edge). We have already discussed the router and subnet settings for HP Helion Public Cloud. These terms and the theory behind them belong to networking, and short of a textbook it is hard to cover even the basics. Here we give a practical introduction to both ingress filtering and egress filtering in cloud computing, applicable to private and public clouds alike (depending on the cloud computing software in use).
Ingress and Egress Filtering in Cloud Computing : Basics
Ingress Filtering in Cloud Computing
Networks are designed to receive packets from their own hosts and from other networks. Each packet carries the IP address of the computer or instance that originally sent it, alongside that of the target computer or instance. This lets the devices or instances in the receiving network learn where the data came from, so that a reply can be routed back. But the sender's IP address (and therefore the subnet it appears to come from) can be faked, which is known as a spoofing attack. Spoofing disguises the origin of the device or instance that actually sent the packets, for example in a denial-of-service attack, where the forged source also directs any replies at the victim.
With ingress filtering, packets entering the network are dropped if the network they arrive from should not be sending packets with that source IP address or subnet. Network ingress filtering (the practice standardized as BCP 38, RFC 2827) is a kind of good-neighbour policy: each network refuses to accept traffic whose source address could not legitimately have come from where it arrived.
An ingress filter can be created manually, as an access list applied to the router interface, or generated automatically from the routing table (reverse path filtering, RPF: a packet is accepted only if the route back to its source address leaves through the interface on which it arrived). Improperly configured filters can cause legitimate IP packets to be blocked, so changes to the routing table and to the access list need to be checked against real traffic. Ingress filtering also offers only limited protection: it is completely ineffective if the forged source address is taken from the attacker's own subnet, because such packets look exactly like legitimate traffic from that subnet and pass both the access list and the reverse path check.
Egress Filtering in Cloud Computing
In the same way, egress filtering is the monitoring and restriction of the flow of information outbound from one network to another. Packets leaving the internal network are examined by a router, firewall, or similar edge device, and packets that do not meet the security policy are not allowed to leave. Egress filtering serves two purposes: it keeps the network from emitting packets with spoofed source addresses (the provider-side counterpart of ingress filtering), and it limits what a compromised instance can reach once an attacker is inside.
Egress filtering may require policy changes and administrative work whenever a new application needs external network access. That administrative step is mandatory, and making the change typically requires a higher privilege level than the devices, computers or instances on the network themselves hold, which is exactly what keeps a compromised instance from widening its own access.
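As an added example for the two sections above (it is not code from the original article or from HP Cloud), the following Python models an edge router that applies both kinds of source-address filtering: a manually written inbound access list, strict reverse path filtering derived from a routing table, and an egress check that the source address of outbound traffic belongs to one of the network's own prefixes. The topology (two tenant subnets behind eth1 and eth2, a default route to the Internet on eth0) and all addresses are constructed for the example. The last sample packet shows the limitation mentioned above: a host spoofing another address from its own subnet is accepted.

```python
"""Edge-router source-address filtering: a manual inbound access list plus
reverse path filtering (RPF) derived from a routing table, and an egress
check on outbound source addresses. Constructed example, not vendor code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address as written in the packet
    dst: str    # destination IP address
    iface: str  # router interface the packet arrived on


# Constructed sample topology (an assumption for this example):
# two tenant subnets behind eth1/eth2 and a default route to the Internet on eth0.
ROUTING_TABLE = {
    "10.0.1.0/24": "eth1",
    "10.0.2.0/24": "eth2",
    "0.0.0.0/0": "eth0",
}
INTERNET_IFACE = "eth0"
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ROUTING_TABLE if p != "0.0.0.0/0"]

# Manual ingress access list: sources that must never arrive from the Internet.
# Besides our own prefixes, this denies private (RFC 1918) and loopback space,
# which has no legitimate reason to arrive from outside.
INBOUND_DENY_SOURCES = INTERNAL_PREFIXES + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def best_route(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in ROUTING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(pkt):
    """Strict reverse path filtering, i.e. the filter generated automatically from
    the routing table: accept only if the route back to pkt.src leaves through
    the interface the packet arrived on."""
    return best_route(pkt.src) == pkt.iface


def ingress_filter(pkt):
    """Returns (accepted, reason) for a packet entering the router."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == INTERNET_IFACE and any(src in n for n in INBOUND_DENY_SOURCES):
        return False, "access list: internal/private source arriving from the Internet"
    if not rpf_check(pkt):
        return False, "rpf: no route back to source via the arrival interface"
    return True, "accepted"


def egress_filter(pkt):
    """Returns (accepted, reason) for a packet leaving towards the Internet: the
    source must be one of our own prefixes, so this network cannot be used to
    emit spoofed packets (the outbound half of the good-neighbour policy)."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in n for n in INTERNAL_PREFIXES):
        return False, "egress: source address is not one of ours"
    return True, "accepted"


if __name__ == "__main__":
    samples = [
        ("in ", Packet("203.0.113.5", "10.0.1.10", "eth0")),   # normal Internet traffic
        ("in ", Packet("10.0.1.5", "10.0.1.10", "eth0")),      # spoofs our own subnet from outside
        ("in ", Packet("10.0.2.9", "10.0.1.10", "eth1")),      # tenant A spoofing tenant B
        ("in ", Packet("10.0.1.200", "203.0.113.5", "eth1")),  # same-subnet spoof: slips through
        ("out", Packet("10.0.1.5", "198.51.100.1", "eth1")),   # legitimate outbound
        ("out", Packet("192.0.2.1", "198.51.100.1", "eth1")),  # spoofed outbound source
    ]
    for direction, p in samples:
        ok, why = ingress_filter(p) if direction == "in " else egress_filter(p)
        print(f"{direction} {p.src:>12} on {p.iface}: {'ACCEPT' if ok else 'DROP  '} ({why})")
```

The `rpf_check` here is strict mode: on a multihomed router with asymmetric routing it would drop legitimate packets, which is the misconfiguration risk noted above; loose mode (accept if any route to the source exists) is the usual compromise in that situation.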
Ingress and Egress Filtering in Cloud Computing : Example With OpenStack (HP Cloud)
The required router and subnet settings were shown for HP Helion Public Cloud as an example of the OpenStack cloud computing software. However, many public cloud providers pay little attention to ingress and egress filtering by default: most use a scripted, automated provisioning process that exposes the ports of an instance fully to the public. In these cases, precautions must be taken to block the unwanted ports explicitly; in OpenStack this is done through the security group rules attached to the instance, which are allow lists per direction, protocol, port range and remote address range.
In the case of a private cloud or a virtual private cloud the filtering settings are usually already present, and a private cloud can be networked to serve internal and/or external users. On a hybrid cloud the settings are more complex, because there can be two routers, one on each side, and the filters must agree with each other.
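As an added example for the point above (written for this page, not taken from OpenStack or HP Cloud), the following Python models security-group style port filtering for an instance in the spirit of OpenStack Neutron security group rules: each rule has a direction, a protocol, a port range and a remote CIDR, and a flow is allowed only if some rule matches. The `Rule` class, the `allowed`, `overexposed` and `grant_egress` helpers and all addresses are constructed for the example and are a simplification, not the Neutron API. It contrasts the "expose every port publicly" rule set that automated provisioning can leave behind with a tightened one, and shows the administrative step of granting a new application its own egress rule instead of opening the whole instance.

```python
"""Security-group style filtering for a cloud instance, modelled loosely on
OpenStack Neutron security group rules (direction, protocol, port range,
remote CIDR). Hypothetical simplification for illustration, not the Neutron API."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" (towards the instance) or "egress" (from it)
    protocol: Optional[str]   # "tcp", "udp", "icmp", or None for any protocol
    port_min: Optional[int]   # None means any port (also used for icmp)
    port_max: Optional[int]
    remote: str               # CIDR of the remote end this rule applies to

    def matches(self, direction: str, protocol: str, port: Optional[int], remote_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None:
            # a port-specific rule never matches a portless flow such as icmp
            if port is None or not (self.port_min <= port <= self.port_max):
                return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)


def allowed(rules: List[Rule], direction: str, protocol: str, port: Optional[int], remote_ip: str) -> bool:
    """Security groups are allow lists: a flow passes only if at least one rule
    matches; anything not explicitly allowed is dropped."""
    return any(r.matches(direction, protocol, port, remote_ip) for r in rules)


# Weak: every port of the instance exposed to the whole Internet, in both directions.
WIDE_OPEN = [
    Rule("ingress", None, None, None, "0.0.0.0/0"),
    Rule("egress", None, None, None, "0.0.0.0/0"),
]

# Hardened: only what a web instance needs. Addresses are constructed for the example.
HARDENED = [
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),      # HTTPS from anywhere
    Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),   # SSH only from the admin subnet
    Rule("egress", "tcp", 443, 443, "0.0.0.0/0"),       # outbound HTTPS for updates and APIs
    Rule("egress", "udp", 53, 53, "10.0.0.2/32"),       # DNS to the tenant resolver only
]


def overexposed(rules: List[Rule]) -> List[Rule]:
    """Audit helper: ingress rules that open every port to any address
    (remote prefix length 0 covers both 0.0.0.0/0 and ::/0)."""
    return [r for r in rules
            if r.direction == "ingress" and r.port_min is None
            and ipaddress.ip_network(r.remote).prefixlen == 0]


def grant_egress(rules: List[Rule], protocol: str, port: int, remote: str) -> List[Rule]:
    """The administrative step for a new application needing external access:
    add one explicit egress rule and return the new rule set (the input is left unchanged)."""
    return rules + [Rule("egress", protocol, port, port, remote)]


if __name__ == "__main__":
    checks = [
        ("ingress", "tcp", 3306, "198.51.100.7"),   # MySQL probe from the Internet
        ("ingress", "tcp", 443, "198.51.100.7"),    # HTTPS from the Internet
        ("ingress", "tcp", 22, "198.51.100.7"),     # SSH from the Internet
        ("ingress", "tcp", 22, "203.0.113.9"),      # SSH from the admin subnet
        ("egress", "tcp", 25, "198.51.100.7"),      # outbound SMTP (not granted)
        ("egress", "udp", 53, "8.8.8.8"),           # DNS to a public resolver
    ]
    for c in checks:
        print(f"{c}: wide-open={allowed(WIDE_OPEN, *c)} hardened={allowed(HARDENED, *c)}")
    print("overexposed rules in WIDE_OPEN:", overexposed(WIDE_OPEN))
    with_mail = grant_egress(HARDENED, "tcp", 25, "198.51.100.7/32")
    print("SMTP after grant:", allowed(with_mail, "egress", "tcp", 25, "198.51.100.7"))
```

Running `overexposed` over each instance's rules is a cheap audit for the scripted "open everything" default described above; a non-empty result means the provisioning left the instance fully exposed and the rule set needs tightening before the instance goes live.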