IBM Cloud “Security Group” User Guide “Part 1 (Basics)”

Joon Park (IBM Cloud Engineer)

This document is a user guide for “Security Group”, the Software Defined Firewall option among the firewall offerings of IBM Cloud Public (IaaS). The guide has two parts. Part 1, “Basics”, explains the basic concepts and settings of Security Groups, and then applies the predefined Security Groups to a real virtual server in a hands-on session so that they can be tested and the results checked.

Part 2, “Advanced”, will be a hands-on guide in which we create new Security Groups from scratch, configure their rules, and apply two or more Security Groups across two or more virtual servers to test them directly.

The official IBM Cloud Security Group guide (available in Korean; select the language at the bottom of the page) can be found at https://console.bluemix.net/docs/infrastructure/security-groups/sg_index.html

1. Understanding Security Groups

In the IBM Cloud environment there are several ways to implement access control for virtual servers. At the server level, a software firewall (Windows Firewall, APF) or a Shared Hardware Firewall can be applied; at the network level, there are the Dedicated Hardware Firewall and the FSA (Fortigate Security Appliance).

The newly released “Security Group” is a firewall that enforces access control at the server level, and it is free of charge. A Security Group has an “All Deny” default policy and allows only the traffic matched by the access control rules defined in it. Put the other way around, if you configure a rule for SSH (TCP 22) in a Security Group, every protocol and port other than SSH is blocked (“All Deny”). Let us now look at Security Groups in detail.

A Security Group is given a unique “Name”, and access control rules can be configured within it. The details of the rule settings are as follows.

Direction: From the Security Group's point of view, traffic coming in from outside IBM Cloud is “Inbound”, and traffic going from inside IBM Cloud to the outside is “Outbound”.

IP Type: Selects the IP (Internet Protocol) version, “IPv4” or “IPv6”. IBM Cloud supports both versions.

Protocol: Can be set to TCP, UDP or ICMP; selecting ALL applies the rule to every protocol and every port. When TCP is selected, a specific Port Range can be chosen, and selecting ALL TCP means all TCP ports (1 – 65536).

Port Range: When TCP or UDP is selected, a range of specific ports can be chosen.

Source, Destination Type: When the rule's Direction is Inbound, the “Source” is configured; when it is Outbound, the “Destination” is configured.

CIDR Block: Specifies the Source or Destination IP addresses in CIDR (Classless Inter-Domain Routing) notation. Setting 0.0.0.0/0 means “Any”, i.e. traffic from every IP address is allowed. Conversely, to restrict the rule to specific IP addresses, use CIDR notation such as 192.168.0.0/16 (the IP range 192.168.0.1 – 192.168.255.254). For CIDR notation, please refer to https://ko.wikipedia.org/wiki/사이더_(네트워킹)

Security Group: Instead of an IP address, a rule's Source or Destination can reference another IBM Cloud “Security Group”.

[ For ICMP, the rule is configured by “Type” and “Code” rather than by port. This will be covered in “Part 2 (Advanced)”. ]

A Security Group can be applied separately to each of a virtual server's Public Network and Private Network interfaces; that is, it can be attached to only a specific network interface (NIC) of the virtual server.

2. Points to Note When Configuring Security Groups

When creating and applying Security Groups in the IBM Cloud environment, there are limits to be aware of beforehand. Be sure to understand the following before applying a Security Group.

– Security Groups can only be applied to virtual servers; they cannot be applied to bare metal servers.

– ๋‹จ์ผ IBM Cloud ๊ณ„์ •์—์„œ Security Group ์€ ์ตœ๋Œ€ 100๊ฐœ ๊นŒ์ง€ ์ ์šฉ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

– ๋‹จ์ผ Security Group ์—์„œRule ์„ค์ •์€ ์ตœ๋Œ€ 40๊ฐœ ๊นŒ์ง€ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

– ๋‹จ์ผ Security Group ์—์„œ ์ ์šฉ ๊ฐ€๋Šฅํ•œ Network Interface(Public, Private ํ•ฉ๊ณ„) ๋Š” ์ตœ๋Œ€ 100๊ฐœ์ž…๋‹ˆ๋‹ค.

– ๋‹จ์ผ ๊ฐ€์ƒ์„œ๋ฒ„์— ์ ์šฉ ๊ฐ€๋Šฅํ•œ ์ตœ๋Œ€ Security Group ์€ ์ด 5๊ฐœ ์ž…๋‹ˆ๋‹ค.

 

์œ„์˜ ๊ทธ๋ฆผ์€ IBM Cloud ๊ณ„์ •์—์„œ ๊ธฐ๋ณธ์ ์œผ๋กœ ์ œ๊ณตํ•˜๋Š” Security Group ์ธ โ€œallow_sshโ€ ์™€ โ€œallow_outboundโ€ ์— ๋Œ€ํ•˜์—ฌ ์ด 3๊ฐœ์˜ ๊ฐ€์ƒ์„œ๋ฒ„(1๋ฒˆ, 2๋ฒˆ, 3๋ฒˆ)์— ๋Œ€ํ•˜์—ฌ ์ ์šฉ์„ ํ•˜๊ณ  ๊ตฌ์„ฑ์„ ์„ค๋ช… ๋“œ๋ฆฌ๊ธฐ ์œ„ํ•œ ์˜ˆ์‹œ์ž…๋‹ˆ๋‹ค.

 

First, let us look at the rules of “allow_ssh”. It is an access control policy for “Inbound” traffic, i.e. traffic in the User -> IBM Cloud direction. As the Security Group name suggests, it is configured for TCP port 22, used for SSH connections. Also, since the Source is “0.0.0.0/0”, it is a policy that permits SSH access from any IPv4 or IPv6 address. The “allow_ssh” policy (solid black line) is applied to the Public Network Interface of virtual server 1 and to the Private Network Interface of virtual server 3. In other words, virtual server 1 can be reached over SSH from outside IBM Cloud via its Public IP Address, while virtual server 3 can be reached only via its Private IP Address. Conversely, SSH connections to the Private IP Address of virtual server 1, to the Public and Private IP Addresses of virtual server 2, and to the Public IP Address of virtual server 3 are denied.

For reference, for the server-management ports SSH (TCP 22) and RDP (TCP 3389) we recommend connecting over the private network (Private IP Address). If you must unavoidably connect over the public network (Public IP Address), be sure to apply the security scripts below; only then is the server protected against brute-force attacks.

– Guide to applying the security script against SSH brute-force attacks

https://developer.ibm.com/kr/cloud/softlayer-bluemix-infra/security/2017/08/16/ssh_security_policy_script/

– Guide to applying the security script against RDP (Remote Desktop) brute-force attacks

https://developer.ibm.com/kr/cloud/softlayer-bluemix-infra/security/2017/08/31/rdp-security-script/

The “White List” approach, in which the “Security Group” is configured so that access is possible only from a specific IP range such as your office or home, will be explained in Security Group “Part 2 (Advanced)”.

๋‹ค์Œ์œผ๋กœ, โ€œallow_outboundโ€ ์˜ Rule ์„ค์ •์€ โ€œallow_sshโ€ ์™€ ๋ฐ˜๋Œ€๋กœ ์™ธ๋ถ€์—์„œ IBM Cloud ๋กœ ์œ ์ž…๋˜๋Š” ํŠธ๋ž˜ํ”ฝ์ด ์•„๋‹Œ, IBM Cloud ์—์„œ ์ธํ„ฐ๋„ท(Internet)์„ ํ†ตํ•ด์„œ ์™ธ๋ถ€๋กœ ๋‚˜๊ฐ€๋Š” ํŠธ๋ž˜ํ”ฝ(Outbound)์— ๋Œ€ํ•˜์—ฌ ์ ‘๊ทผ์ œ์–ด๋ฅผ ํ•˜๋Š” Direction ์œผ๋กœ ์„ค์ •์ด ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค. โ€œallow_outboundโ€ Security Group ์€ โ€œ๊ฐ€์ƒ์„œ๋ฒ„ 1๋ฒˆ์˜ Private Network Interface, ๊ฐ€์ƒ์„œ๋ฒ„ 2๋ฒˆ์˜ Public Interface ์— ์ ์šฉ์ด ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค. Outbound ๋ฐฉํ–ฅ์ด๋ฏ€๋กœ, ์ฃผ์†Œ์˜ ๋Œ€์ƒ์ด Source ๊ฐ€ ์•„๋‹ˆ๋ผ, Destination Address ์ธ ๊ฒƒ์ด ์ฐจ์ด์ ์ž…๋‹ˆ๋‹ค.

 

As shown, a single Security Group can be applied to multiple virtual servers and, depending on the operating environment, to the Public Network Interface, the Private Network Interface, or both at once. This will be covered in “Part 2 (Advanced)”, but note that when you create a new Security Group, the option to allow all Outbound traffic is checked by default.
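The following Python is an added example, not code from the original guide or from IBM Cloud itself. It models the rule fields listed in section 1 (direction, protocol, port range, CIDR) and the default-deny evaluation over the attachments in the three-server figure above, so the allow/deny outcomes described for “allow_ssh” and “allow_outbound” can be checked; the server names vs1/vs2/vs3 and the interface labels are assumptions, ICMP type/code is not modelled, and interfaces with no group attached are left out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One access-control rule of a Security Group (fields as described in section 1)."""
    direction: str             # "inbound" or "outbound"
    protocol: str              # "tcp", "udp", "icmp" or "all"
    port_min: int = 1          # port range; valid TCP/UDP ports run 1-65535
    port_max: int = 65535      # (ignored for icmp/all; ICMP type/code is not modelled)
    remote: str = "0.0.0.0/0"  # source CIDR (inbound) / destination CIDR (outbound); IP Type follows from it

    def matches(self, direction, protocol, port, remote_ip):
        if direction != self.direction:
            return False
        if self.protocol != "all" and protocol != self.protocol:
            return False
        if self.protocol in ("tcp", "udp") and not self.port_min <= port <= self.port_max:
            return False
        net = ipaddress.ip_network(self.remote)
        ip = ipaddress.ip_address(remote_ip)
        return ip.version == net.version and ip in net  # 0.0.0.0/0 or ::/0 means Any

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    rules: tuple

# The two default groups discussed on the page; each has an IPv4 and an IPv6 rule.
ALLOW_SSH = SecurityGroup("allow_ssh", (
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0"), Rule("inbound", "tcp", 22, 22, "::/0")))
ALLOW_OUTBOUND = SecurityGroup("allow_outbound", (
    Rule("outbound", "all", remote="0.0.0.0/0"), Rule("outbound", "all", remote="::/0")))

# Attachments from the page's three-server figure, keyed by (server, interface).
# Server names are assumed; interfaces with no group attached are not modelled.
ATTACHMENTS = {
    ("vs1", "public"): (ALLOW_SSH,),
    ("vs1", "private"): (ALLOW_OUTBOUND,),
    ("vs2", "public"): (ALLOW_OUTBOUND,),
    ("vs3", "private"): (ALLOW_SSH,),
}

def is_allowed(server, interface, direction, protocol, port, remote_ip):
    """Default deny: traffic passes only if a rule of some attached group matches.
    remote_ip is the source for inbound traffic and the destination for outbound."""
    groups = ATTACHMENTS[(server, interface)]
    return any(rule.matches(direction, protocol, port, remote_ip)
               for group in groups for rule in group.rules)
```

For example, is_allowed("vs1", "public", "inbound", "tcp", 22, "203.0.113.10") returns True, while the same query against ("vs1", "private") returns False because only “allow_outbound” is attached there.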

 

3. Testing a Security Group

To test Security Groups we will deploy a virtual server. In the second step of the virtual server order, Security Groups can be selected as shown below. (As of November 26, 2017, in APAC Security Groups can be selected in the SNG01, TOK02 and HKG02 PoDs.)

๊ฐ€์ƒ์„œ๋ฒ„ ์ฃผ๋ฌธ์‹œ ๋„คํŠธ์›Œํฌ ์ธํ„ฐํŽ˜์ด์Šค ๊ตฌ์„ฑ์— ๋”ฐ๋ผ์„œ Public Network, Private Network ์— ๋Œ€ํ•˜์—ฌ ๊ฐ๊ฐ Security Group ์„ ์„ ํƒํ•  ์ˆ˜๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๊ธˆ๋ฒˆ ๊ฐ€์ด๋“œ์—์„œ๋Š” Private Network ๋งŒ ์„ ํƒ์„ ํ•ด์„œ ์ง„ํ–‰ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. Private Network ์ ‘๊ทผ์„ ์œ„ํ•œ VPN ์„ค์ •์€ ๋‹ค์Œ URL ์ฐธ๊ณ  ๋ถ€ํƒ ๋“œ๋ฆฝ๋‹ˆ๋‹ค. https://developer.ibm.com/kr/cloud/softlayer-bluemix-infra/2016/09/08/์„œ๋ฒ„-vpn-์ ‘์†-๋ฐฉ๋ฒ•/

ย 

Note that when a Security Group is applied at deployment time, the access control rules configured in it take effect immediately as the server is deployed. However, to apply a Security Group to a virtual server that was previously deployed without one, you must “Reboot” the virtual server after applying the Security Group before its “Rules” take effect.

While waiting for the server to deploy, let us go to the Security Group screen. From the main menu, select Security -> Network Security -> Security Group.

– Five default Security Groups are shown. The ATTACHED INTERFACES column shows that up to 100 network interfaces can be assigned to each Security Group.

– Select “allow_ssh”, which we used in the explanation above. First, the Rules tab: the traffic is Inbound and the rule applies to both IPv4 and IPv6. The port is TCP 22, the SSH service port, and the Source Address is Any (0.0.0.0/0). That is, a virtual server (more precisely, an interface) with “allow_ssh” applied accepts SSH connections from any IP address.

– Now go to the “Assigned Instances” tab. The virtual server we just ordered is listed, and you can see a check mark (“v”) under PRIVATE INTERFACE.

– After confirming that the virtual server (10.132.105.81) has finished deploying, verify that SSH (TCP 22) connections succeed, as defined by the access control policy in the “allow_ssh” Security Group.

– Now go back to the “allow_ssh” Security Group, uncheck the same virtual server and click “Save”. The virtual server (10.132.105.81) has been removed from the “allow_ssh” Security Group, so SSH access is no longer possible.

– ์ •๋ง๋กœ Security Group ์ •์ฑ… ์ ์šฉ์ด ํ•ด์ œ๊ฐ€ ๋˜์—ˆ๋Š”์ง€ ํ™•์ธ์„ ์œ„ํ•˜์—ฌ, ๋‹ค์‹œ ๊ฐ€์ƒ์„œ๋ฒ„(10.132.105.81)๋กœ SSH ์ ‘์†์„ ํ•ด๋ด…๋‹ˆ๋‹ค. TCP 22๋ฒˆ ํฌํŠธ๊ฐ€ Block ๋˜์–ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์—, ์ ‘์†์ด ๋˜์ง€ ์•Š๋Š” ๊ฒƒ์„ ํ™•์ธ ํ•  ์ˆ˜๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค.

 

– ์ด๋ฒˆ์—๋Š”HTTP ํ”„๋กœํ† ์ฝœ์— ๋Œ€ํ•˜์—ฌ ํ…Œ์ŠคํŠธ๋ฅผ ์ง„ํ–‰ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. ํ…Œ์ŠคํŠธ๋ฅผ ์œ„ํ•œ ๊ฐ€์ƒ์„œ๋ฒ„์— ์›น์„œ๋น„์Šค๋ฅผ ์„ค์น˜ํ•˜๊ณ  ์›น์„œ๋น„์Šค ๋ฐ๋ชฌ(ํ”„๋กœ์„ธ์Šค)์„ ์‹œ์ž‘ํ•ฉ๋‹ˆ๋‹ค.

 

– Look at “allow_http”, one of the default Security Groups. As the name indicates, its access control rule allows Inbound traffic to TCP 80, the HTTP service port, from Any (0.0.0.0/0).

– Go to the “Assigned Instances” screen, check (“v”) the virtual server (10.132.105.81) and click “Save”.

– ๋ณธ์ธ์˜ PC ๊ฐ€ IBM Cloud Private Network ์— SSL VPN ๋“ฑ์„ ํ†ตํ•˜์—ฌ ์—ฐ๊ฒฐ์ด ๋˜์–ด ์žˆ๋Š”์ง€ ํ™•์ธ์„ ํ•˜์˜€์œผ๋ฉด, ์›น๋ธŒ๋ผ์šฐ์ €๋ฅผ ์—ด๊ณ ์„œ, Security Group โ€œhttp_allowโ€์—์„œ ์ ์šฉํ•œ Network Interface ์˜ IP์ฃผ์†Œ๋ฅผ ์ž…๋ ฅํ•ฉ๋‹ˆ๋‹ค.

You can confirm that the web service's test page loads normally, as shown below.

– Just as we tested with the “allow_ssh” Security Group earlier, now remove the virtual server (10.132.105.81) from the “allow_http” Security Group. As expected, TCP port 80 is blocked and the service is no longer reachable.

์ด์ƒ์œผ๋กœ IBM Cloud Public(IaaS) ์˜ โ€œSecurity Groupโ€ ์— ๋Œ€ํ•œ ์‚ฌ์šฉ์ž ๊ฐ€์ด๋“œ โ€œ1๋ถ€ ๊ธฐ๋ณธํŽธโ€์„ ๋งˆ์นฉ๋‹ˆ๋‹ค. ๊ณง โ€œ2๋ถ€ ์‘์šฉํŽธโ€์œผ๋กœ ๋‹ค์‹œ ์ฐพ์•„ ๋ต™๊ฒ ์Šต๋‹ˆ๋‹ค. ํ•ด๋‹น ๊ฐ€์ด๋“œ๋Š” ํ–ฅํ›„ ์ง€์†์ ์œผ๋กœ ์—…๋ฐ์ดํŠธ ์˜ˆ์ •์ด๋ฉฐ IBM ํด๋ผ์šฐ๋“œ ๊ธฐ์ˆ ํฌ๋Ÿผ(https://developer.ibm.com/kr/cloud/bluemix-_infrastructure)์—์„œ ํ™•์ธ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

 

Thank you very much. Joon Park

1 comment on “IBM Cloud “Security Group” User Guide “Part 1 (Basics)””

  1. Useful information. Thank you.
