SovereignCloudStack · josephineSei · Jun 12, 2024 · Mar 15, 2024 · Mar 15, 2024 · Mar 18, 2024
diff --git a/Standards/scs-XXXX-v1-default-rules-for-security-groups.md b/Standards/scs-XXXX-v1-default-rules-for-security-groups.md
@@ -0,0 +1,116 @@
+---
+title: Default Rules for Security Groups
+type: Standard
+status: Draft
+track: IaaS
+---
+
+## Introduction
+
+Security Groups in IaaS (OpenStack) are part of the network security mechanisms provided for the users.
+They resemble sets of virtual firewall rules allowing specific network traffic at a port of a VM that connects it to a network.
+They are project-bound, which means that all Security Groups that are newly created are only available to the project in which they were created.
+This is also the case for the default Security Group that is created for each project as soon as the project itself is created.
+
+## Terminology
+
+Security Group (abbr. SG)
+  Set of ip table rules, used for tenant network security.
+
+Security Group Rule (abbr. SG Rule)
+  A single ip table rule, that is part of a SG.
+
+Administrator (abbr. Admin)
+  Operator = User of an OpenStack cloud with the admin role.
+
+## Motivation
+
+The rules of a Security Group can be edited by default by any user with the member role within a project.
+But when a Security Group is created it automatically incorporates a few SG rules that are configured as default rules.
+Since the 2023.2 release, this set of default rules can be adjusted by administrators only[^1][^2].
+In combination with the OpenStack behavior that when a VM is created with no Security Group specified, the default SG of the project is automatically applied to the ports of the VM,
+a user cannot be sure which firewall rules are applied to such a VM.
+
+Therefore this standard proposes default Security Group rules that MUST be set by administrators to avoid differences in default network security in different IaaS environments.
+
+[^1]: [Tracking of development for editable default SG rules](https://bugs.launchpad.net/neutron/+bug/1983053)
+[^2]: [Release Notes of Neutron 2023.2](https://docs.openstack.org/releasenotes/neutron/2023.2.html)
+
+## Design Considerations
+
+Up to the 2023.1 release (antelope) the default Security Group rules are hardcoded in the OpenStack code.
+We should not require to change this behavior through code changes in deployments.
+
+Beginning with the 2023.2 release (bobcat) the default Security Group rules can now be edited by administrators through an API.
+All rules that should be present as default in Security Groups have to be configured by admins through this API.
+
+There are two ways to approach a standard for the default rules of security groups.
+
+1. There could be a set of rules standardized that has to be configured by admins.
+OpenStacks default rules for security groups already provide a good baseline for port security, because they allow all egress traffic and for the default security group only ingress traffic from the same group.
+Allowing more rules would not benefit the security level, while reducing or limiting the existing rules would barely improve it.
+Nevertheless a standard could hold up the current security level against possible future release with more open default rules.
+Changing the default rules will not change the rules any existing security groups.
+
+2. With the already strict OpenStack default rules users are required in most use cases to create and manage their own security groups.
+This has the benefit that users need to explicitly think about the port security of their VMs and may be less likely to apply security groups which rules open up more ports than needed.
+There is also a guide from the SCS on how to set up a security group that also focuses on having a good port security[^3].
+
+With the default OpenStack behavior of having already strict rules, which in most cases require users to manage their own security groups, this standard should mandate a middle way:
+It should allow adjusting the default rules, but only to stricter version.
+Allowing all outgoing traffic in the default rules in combination with blocking all incoming traffic would be strict enough from a security point of view.
+And it would make it necessary for users to check and change the rules of their security group to a meaningful set.
+
+[^3]: [Guide for Security Groups](https://docs.scs.community/docs/iaas/guides/user-guide/security-groups/)
+
+### Open questions
+
+The requirement to not change the default code of earlier OpenStack releases is difficult to test.
+It should be considered to only apply this standard onto versions of OpenStack that implement the new endpoint for the default Security Group rules, which would only include 2023.2 or higher releases.
+
+It is possible to have different default Security Group rules for the default SG and custom SGs.
+And it is arguable to have a more strict standard for default rules for the default Security Group than for the custom Security Groups.
+Because the latter ones are not automatically applied to a VM but are always edited by the users to apply to their requirements.
+
+The allowlisting concept of Security Group rules makes it hard to allow traffic with an exception of certain ports.
+It would be possible to just define many rules to achieve what a blocklist would achieve.
+But having many rules may confuse users and they may not disable unnecessary default rules in their SGs.
+
+## Standard
+
+The default Security Group rules for the default Security Groups SHOULD allow incoming traffic from the same Security Group.
+The default Security Group rules for ALL Security Groups MUST NOT allow any other incoming traffic. Neither IPv4 nor IPv6.
+This can be achieved through having ingress rules in the default Security Group rules that allow ingress traffic from the Remote Security Group "PARENT" but are only used in the default Security Group.
+
+The default Security Group rules for ALL Security Groups SHOULD allow egress Traffic for both IPv4 and IPv6.
+
+### Example
+
+In the following table, there is only ingress traffic between the same default security groups allowed plus all egress traffic:
+
+```bash
+$ openstack default security group rule list
++--------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+--------------------------------+-------------------------------+
+| ID                       | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group | Used in default Security Group | Used in custom Security Group |
++--------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+--------------------------------+-------------------------------+
+| 47b929fd-9b39-4f22-abc5- | None        | IPv6      | ::/0      |            | egress    | None                  | None                 | True                           | True                          |
+| 7d4f64d10909             |             |           |           |            |           |                       |                      |                                |                               |
+| 92a79600-5358-4fef-a390- | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 | True                           | True                          |
+| 822665f46070             |             |           |           |            |           |                       |                      |                                |                               |
+| 93e35d0c-2482-4ec1-9fbd- | None        | IPv4      | 0.0.0.0/0 |            | ingress   | PARENT                | None                 | True                           | False                         |
+| fd8c9a21a04e             |             |           |           |            |           |                       |                      |                                |                               |
+| ed5cd662-add2-4e42-b0a7- | None        | IPv6      | ::/0      |            | ingress   | PARENT                | None                 | True                           | False                         |
+| 3b585d348820             |             |           |           |            |           |                       |                      |                                |                               |
++--------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+--------------------------------+-------------------------------+
+```
+
+## Related Documents
+
+The spec for introducing configurability for the default Security Groups Rules can be found [here](https://specs.openstack.org/openstack/neutron-specs/specs/2023.2/configurable-default-sg-rules.html).
+
+More about Security Groups as a resource in OpenStack can be found [here](https://docs.openstack.org/nova/latest/user/security-groups.html).
+
+## Conformance Tests
+
+The conformance tests should check for the absence of any ingress traffic rules in the `openstack security group rule list`.
+As having egress rules is allowed by this standard, but not forced and can be set in various ways, there will not be any tests for such rules.
diff --git a/Tests/iaas/security-groups/default-security-group-rules.py b/Tests/iaas/security-groups/default-security-group-rules.py
@@ -0,0 +1,97 @@
+"""Default Security Group Rules Checker
+
+This script tests the absence of any ingress default security group rule.
+"""
+
+import openstack
+import os
+import argparse
+
+
+def connect(cloud_name: str) -> openstack.connection.Connection:
+    """Create a connection to an OpenStack cloud
+
+    :param string cloud_name:
+        The name of the configuration to load from clouds.yaml.
+
+    :returns: openstack.connnection.Connection
+    """
+    return openstack.connect(
+        cloud=cloud_name,
+    )
+
+
+def test_rules(cloud_name: str):
+    try:
+        connection = connect(cloud_name)
+        rules = connection.network.default_security_group_rules()
+    except Exception as e:
+        print(str(e))
+        raise Exception(
+            f"Connection to cloud '{cloud_name}' was not successfully. "
+            f"The default Security Group Rules could not be accessed. "
+            f"Please check your cloud connection and authorization."
+        )
+
+    # count all overall ingress rules and egress rules.
+    ingress_rules = 0
+    ingress_from_same_sg = 0
+    egress_rules = 0
+    if not rules:
+        print("No default security group rules defined.")
+    else:
+        for rule in rules:
+            if rule.direction == "ingress":
+                ingress_rules += 1
+                # we allow ingress from the same security group
+                # but only for the default security group
+                r_group_id = rule.remote_group_id
+                r_non_def_sg = rule.used_in_non_default_sg
+                if (r_group_id == "PARENT" and not r_non_def_sg):
+                    ingress_from_same_sg += 1
+            elif rule.direction == "egress":
+                egress_rules += 1
+
+    # test whether there are no other than the allowed ingress rules
+    assert ingress_rules == ingress_from_same_sg, (
+        f"Expected only ingress rules for default security groups, "
+        f"that allow ingress traffic from the same group. "
+        f"But there are more - in total {ingress_rules} ingress rules. "
+        f"There should be only {ingress_from_same_sg} ingress rules.")
+
+    result_dict = {
+        "Ingress Rules": ingress_rules,
+        "Egress Rules": egress_rules
+    }
+    return result_dict
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="SCS Default Security Group Rules Checker")
+    parser.add_argument(
+        "--os-cloud", type=str,
+        help="Name of the cloud from clouds.yaml, alternative "
+        "to the OS_CLOUD environment variable"
+    )
+    parser.add_argument(
+        "--debug", action="store_true",
+        help="Enable OpenStack SDK debug logging"
+    )
+    args = parser.parse_args()
+    openstack.enable_logging(debug=args.debug)
+
+    # parse cloud name for lookup in clouds.yaml
+    cloud = os.environ.get("OS_CLOUD", None)
+    if args.os_cloud:
+        cloud = args.os_cloud
+    assert cloud, (
+        "You need to have the OS_CLOUD environment variable set to your cloud "
+        "name or pass it via --os-cloud"
+    )
+
+    print(test_rules(cloud))
+
+
+if __name__ == "__main__":
+    main()