
How should I restrict access to gatekeeper servers?

Open · ShawnLeung87 opened this issue 2 years ago · 1 comment

How should I handle security and restrict other people from accessing the Gatekeeper server? If I use iptables or ufw, will it cause IP flows to be rejected?

ShawnLeung87 (Apr 26 '22 02:04)

Hi @ShawnLeung87,

A more accurate answer requires understanding your deployment environment and the kinds of scenarios you want to protect against. In general, one is concerned with protecting the management channel of the machines where Gatekeeper runs. A simple approach is to have a NIC on each Gatekeeper or Grantor server dedicated to management. One can plug this NIC into a dedicated segment of the network, use any management tool, employ any filtering tool such as iptables or ufw, and follow any security protocol already employed in the deployment environment.

Notice that the NICs allocated to Gatekeeper to filter DDoS attacks are not available to the Linux kernel, so one cannot use iptables or ufw on them. The control of the flows that Gatekeeper allows through is done in the policy located on Grantor servers. If you are not familiar with the general architecture of Gatekeeper, see our NANOG 82 presentation on our Publications page.

AltraMayor (Apr 26 '22 12:04)
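The following is an added example illustrating the dedicated-management-NIC approach described in the reply above; it is not code from the Gatekeeper project or from either participant. It assumes a management interface named `eth0`, a management subnet `10.10.0.0/24`, and SSH on port 22 (all hypothetical), and it generates an `iptables-restore` ruleset that only constrains traffic arriving on that interface. It also includes a small check that an interface is visible to the kernel at all: a NIC bound to Gatekeeper's DPDK driver disappears from `/sys/class/net`, which is exactly why iptables rules cannot apply to it.

```shell
#!/bin/sh
# Added example: lock down the management NIC of a Gatekeeper/Grantor host.
# Hypothetical defaults; override via environment, e.g. MGMT_IF=ens1f0.
MGMT_IF="${MGMT_IF:-eth0}"            # assumed management interface name
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"  # assumed management subnet
MGMT_SSH_PORT="${MGMT_SSH_PORT:-22}"  # assumed SSH port on the management NIC

# Return success only if the kernel knows about the interface.
# NICs handed to Gatekeeper (DPDK) are not listed here, so iptables/ufw
# can never see or filter their traffic; that is controlled by the Grantor policy.
kernel_sees_iface() {
    [ -d "/sys/class/net/$1" ]
}

# Print an iptables-restore ruleset for the filter table.
# Every INPUT rule is scoped with "-i <iface>", so other kernel-visible
# interfaces are untouched; everything else arriving on the management NIC
# is logged (rate-limited) and then hits the default DROP policy.
gen_mgmt_rules() {
    iface="$1"
    net="$2"
    port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -s $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $iface -s $net -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix "mgmt-drop: " --log-level 4
COMMIT
EOF
}

# Apply the ruleset atomically; refuse if the interface is not a kernel NIC.
apply_mgmt_rules() {
    if ! kernel_sees_iface "$MGMT_IF"; then
        echo "error: $MGMT_IF is not visible to the kernel (DPDK-bound?)" >&2
        return 1
    fi
    gen_mgmt_rules "$MGMT_IF" "$MGMT_NET" "$MGMT_SSH_PORT" | iptables-restore
}

case "${1:-}" in
    show)  gen_mgmt_rules "$MGMT_IF" "$MGMT_NET" "$MGMT_SSH_PORT" ;;
    apply) apply_mgmt_rules ;;
    *)     ;;  # no argument: define functions only
esac
```

Run `sh mgmt-rules.sh show` to review the generated ruleset and `sudo sh mgmt-rules.sh apply` to load it. Because the rules are bound to the management interface, they cannot reject any flow handled by Gatekeeper's data-plane NICs; those decisions live in the Grantor policy, as the reply explains.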