Can a multi-node Cassandra cluster be secured in the DO cloud?

May 2, 2016 1.5k views
Networking Security Ubuntu
donbranson
By:
donbranson

I'm configuring the internode connection for Cassandra 3.5, though the same question applies to older versions, also.

In cassandra.yaml, there's this:

# SSL port, for encrypted communication.  Unused unless enabled in
# encryption_options
# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
ssl_storage_port: 7001

...

server_encryption_options:
    internode_encryption: all

Now, binding to a non-routable NIC will ensure that it's not exposed outside DO, but it will be exposed to other DO VMs. Is there a way within DO to make this more secure? I don't see anything about private networking support from DO.

I've read Introducing Private Networking, but that doesn't block others' droplets from seeing my traffic, so it's not what I would consider private networking.

1 comment
Log In to Comment
1 Answer
asb MOD May 2, 2016

The most straightforward method would be to setup an IPtables firewall that only allows connections from the other Cassandra nodes. Using UFW, it is pretty straight forward to set up manually. If you set it up to deny incoming connections by default, you can whitelist a specific IP address on a specific port using:

  • sudo ufw allow from 111.111.111.111 to any port 7001

There's also a nifty utility that can be used to to automate this a bit if you expect new nodes to join and leave the cluster:

How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server
by Shaun Lewis
Learn how to setup a firewall with UFW on an Ubuntu / Debian cloud server.
Reply
  • donbranson May 3, 2016

    I have considered this option, but it has a couple minor drawbacks. They might not be showstoppers, a truly private network would be better. The two drawbacks are 1) susceptibility to IP spoofing, and, 2) unwieldy scaling.

    On #1 - this might not be a huge issue, in that the connection is encrypted. So, a determined hacker has to spoof the IP and break the encryption.

    On #2 - as nodes are added, every box has to know every other box's IP. Ansible makes this reasonably straightforward, so if private networking isn't available, this seems doable.

    I'm curious why the Cassandra team added this comment on the encrypted port in the first place, and how big they think the risk is.

Have another answer? Share your knowledge.

Related Questions