
Network Services

ix.Cloud offers the following Network Services for connecting services within ix.Cloud with each other and for connecting external services to services in ix.Cloud:

Table: Network Services
Firewall: Elementary security between different subnets
Server Proxy: Indirect, restricted Internet communication for ix.Cloud servers
Load Balancer: Distribution of incoming connections to applications or service endpoints
Web Application Firewall: Protects online services against malicious Internet traffic and filters threats such as those in the OWASP Top 10 that affect web applications
Private DNS: Resolution of DNS names to IP addresses and vice versa within ix.Cloud
Secure Mail Relay: Secure email delivery from all your systems within ix.Cloud
Hosted Software Appliance: VMware-based virtual servers for software appliances whose vendor does not support Microsoft Hyper-V

Firewall

The Firewall Service is a cloud-based network security service managed by Inventx that protects virtual network resources within ix.Cloud. This service is exclusively available in the Platinum SLA.

Policies for application and network connectivity are created and logged centrally across all ix.Cloud subscriptions and virtual networks. Traffic can be permitted between defined source and destination networks or IP addresses; connections are restricted to defined services (in particular TCP/UDP ports).

Service Architecture

Firewall Service Architecture
Image: Firewall Service Architecture

Service Scope

Table: Firewall Service Scope
Feature Platinum
Initial Setup
IT Basic Protection
FQDN Application Filter Rules
Filter Rules for Network Traffic
SNAT Support
Logging
DNAT Support
UTM Features

IT Basic Protection

Upgrade/Patching

The firewall infrastructure is updated twice yearly, unless critical security vulnerabilities occur that require immediate upgrades.

Logging

Logging is performed via a central instance to which all logs are sent for analysis and evaluation. Logs are retained live for 14 days and then archived for 800 days.

Malware Protection

Malware protection is based on hardened appliances that are checked for integrity during boot via secure boot. Secure Boot ensures that only trusted and signed firmware and software are loaded onto the hardware. The boot process starts with immutable code embedded in the hardware and verifies subsequent components. Devices regularly check the integrity of installed firmware through cryptographic signatures. Firewall ASICs are specially developed hardware security processors that accelerate many security functions such as encryption and Deep Packet Inspection (DPI) at the hardware level. System partitions that are responsible for executing the operating system and configuration data are isolated from user data and applications.

Service Options

With the Firewall Service, the customer can obtain additional services by arrangement:

Initial Setup

Implementation of the initial configuration of the Firewall Service is charged as part of a project. During this process, the customer-specific ruleset is specified in collaboration with the customer and then implemented. All changes must be requested via a "Generic Request".

FQDN Application Filter Rules

Customers can restrict outgoing HTTP/S traffic to a specified list of fully qualified domain names (FQDN). Wildcard entries require the UTM Features option. FQDN filtering does not require SSL/TLS termination.

Filter Rules for Network Traffic

Customer-specific network filter rules for allowing or denying based on source and destination IP address, port, and protocol are maintained centrally by Inventx. The firewall is stateful, allowing distinction between legitimate packets for different types of connections. Rules are enforced and logged across all ix.Cloud subscriptions and virtual networks.

SNAT Support

All IP addresses for outgoing traffic from the virtual network in ix.Cloud are translated into the firewall's public IP address (Source Network Address Translation). You can identify and allow traffic from your virtual network to remote destinations on the Internet. SNAT functionality can optionally also be implemented for internal traffic within ix.Cloud.

Logging

All connections terminating at Inventx and for which Inventx is responsible are logged. This means that all incoming and outgoing connections from external and internal sources are recorded.

The retention period is 2 years. Log reporting to the customer can be requested as needed via "Generic Request".

DNAT Support

Incoming network traffic to the firewall's public IP address in ix.Cloud is translated into private IP addresses in the customer's virtual networks (Destination Network Address Translation) and filtered. DNAT functionality can optionally also be implemented for internal traffic within ix.Cloud.
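The interplay of filter rules, connection tracking, SNAT and DNAT described in the preceding sections, modelled as an added Python example. This is illustrative code, not Inventx's firewall: the public IP 203.0.113.10, the 10.10.0.0/16 customer network, the DNAT mapping to 10.10.2.20 and the ruleset are all constructed. Two behaviours are worth seeing in code: a reply packet is accepted because the firewall tracked the outbound connection, not because any rule permits it, and an inbound packet is translated (DNAT) before the ruleset is consulted on the internal address. Everything unmatched falls to the implicit default deny.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str            # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


PUBLIC_IP = "203.0.113.10"                          # constructed firewall public IP (TEST-NET-3)
DNAT_TABLE = {("tcp", 443): ("10.10.2.20", 8443)}   # constructed: public :443 -> internal web server :8443


class StatefulFirewall:
    def __init__(self, rules, public_ip=PUBLIC_IP, dnat=None):
        self.rules = rules
        self.public_ip = public_ip
        self.dnat = dict(DNAT_TABLE if dnat is None else dnat)
        self.out_conn = {}   # original outbound 5-tuple -> allocated SNAT port
        self.snat = {}       # (proto, nat_port, remote_ip, remote_port) -> original 5-tuple
        self.in_conn = {}    # translated inbound 5-tuple -> public port it arrived on
        self._ports = count(40000)
        self.log = []        # every decision, as central logging would record it

    def _policy(self, p):
        """First-match lookup on the pre-NAT (internal) addresses; implicit default deny."""
        for r in self.rules:
            if (r.proto in ("any", p.proto) and r.dport in (None, p.dport)
                    and ip_address(p.src) in ip_network(r.src_net)
                    and ip_address(p.dst) in ip_network(r.dst_net)):
                return r.action
        return "deny"

    def outbound(self, p):
        """Packet from a customer virtual network towards the Internet; translated packet or None."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.in_conn:                 # reply of a DNAT'ed connection: undo DNAT, no rule lookup
            self.log.append(("allow", "out", "reply", key))
            return replace(p, src=self.public_ip, sport=self.in_conn[reverse])
        if key not in self.out_conn:                # first packet of a new connection: consult the ruleset
            if self._policy(p) != "allow":
                self.log.append(("deny", "out", "policy", key))
                return None
            port = next(self._ports)
            self.out_conn[key] = port
            self.snat[(p.proto, port, p.dst, p.dport)] = key
        self.log.append(("allow", "out", "snat", key))
        return replace(p, src=self.public_ip, sport=self.out_conn[key])

    def inbound(self, p):
        """Packet from the Internet addressed to the firewall's public IP; translated packet or None."""
        if p.dst != self.public_ip:
            self.log.append(("deny", "in", "not-our-address", p))
            return None
        orig = self.snat.get((p.proto, p.dport, p.src, p.sport))
        if orig is not None:                        # reply to a tracked outbound connection: translate back
            self.log.append(("allow", "in", "reply", orig))
            return replace(p, dst=orig[1], dport=orig[2])
        target = self.dnat.get((p.proto, p.dport))
        if target is None:                          # unsolicited and no published service: dropped
            self.log.append(("deny", "in", "unsolicited", (p.proto, p.src, p.sport, p.dst, p.dport)))
            return None
        q = replace(p, dst=target[0], dport=target[1])   # DNAT first, then filter on the internal address
        key = (q.proto, q.src, q.sport, q.dst, q.dport)
        if key not in self.in_conn:
            if self._policy(q) != "allow":
                self.log.append(("deny", "in", "policy", key))
                return None
            self.in_conn[key] = p.dport
        self.log.append(("allow", "in", "dnat", key))
        return q


# Constructed ruleset: the customer network may reach the Internet on tcp/443, and the Internet may
# reach the published web server on its internal port. Everything else hits the default deny.
RULES = [
    Rule("10.10.0.0/16", "0.0.0.0/0", "tcp", 443, "allow"),
    Rule("0.0.0.0/0", "10.10.2.20/32", "tcp", 8443, "allow"),
]


def demo():
    fw = StatefulFirewall(RULES)
    out = fw.outbound(Packet("tcp", "10.10.1.5", 51000, "198.51.100.7", 443))    # allowed, SNAT'ed
    back = fw.inbound(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, out.sport))  # reply, un-SNAT'ed
    probe = fw.inbound(Packet("tcp", "192.0.2.8", 5555, PUBLIC_IP, 22))          # unsolicited SSH: dropped
    pub = fw.inbound(Packet("tcp", "192.0.2.8", 5555, PUBLIC_IP, 443))           # DNAT to 10.10.2.20:8443
    reply = fw.outbound(Packet("tcp", "10.10.2.20", 8443, "192.0.2.8", 5555))    # server reply, source restored
    dns = fw.outbound(Packet("udp", "10.10.1.5", 40001, "198.51.100.53", 53))    # no rule: dropped
    return out, back, probe, pub, reply, dns


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Note that the ruleset is written against internal addresses on both sides: the outbound rule names the customer network as source, the inbound rule names the internal server and port as destination, never the public IP. That matches how the page describes DNAT ("translated ... and filtered") and is the usual source of confusion when a published service does not work.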

UTM Features

Optional UTM Features (Unified Threat Management) are specified together with the customer and then operated by Inventx.

Server Proxy

To increase IT security, servers in ix.Cloud should not communicate directly with the Internet. The Server Proxy allows server systems in ix.Cloud to reach only specific Internet addresses according to defined rules. Access through this explicit proxy is controlled and restricted by web filters, virus filters, URL categories, and application control. All accesses (exceptions possible) are checked using Deep-Inspection (decryption and re-encryption of the traffic), with Inventx adhering to legal data protection requirements.

The Server Proxy is available as a Shared Service exclusively in the Platinum SLA and must be ordered and managed via the "Generic Request". The Server Proxy can only be used by server-based systems and is not available for clients.

Service Architecture

Server Proxy Service Architecture
Image: Server Proxy Service Architecture

Service Scope

Table: Server Proxy Service Scope
Feature Platinum
Initial Setup
IT Basic Protection
Default Policy for Protocols and Ports
Default Policy for Web Filter
Default Policy for Virus Filter
Default Policy for Application Control
Default Policy for Deep-Inspection

IT Basic Protection

See description in section Firewall IT Basic Protection.

Service Options

Currently, customers cannot obtain optional services with the Server Proxy Service.

Initial Setup

The Server Proxy as a Shared Service cannot be customized to individual customer requirements; only the global filter configuration is available.

If individual configuration of the Server Proxy Service is desired, this will be developed within the scope of a project and charged accordingly. During the project, the customer-specific ruleset is specified in cooperation with the customer based on the Inventx Standard Ruleset and implemented on a private Server Proxy.

Default Policy for Protocols and Ports

Inventx maintains a standard policy for all server-based systems in the ix.Cloud. The Inventx standard permits the following services and ports:

Table: Server Proxy Default Policy for Protocols and Ports
Protocol Proxy Port(s) Socks Port(s)
HTTP 80
HTTPS 443
SSH 22

Default Policy for Web Filter

The web filter assigns every Internet page to a category using the manufacturer's predefined classification; each category is either allowed or blocked. The global configuration is based on Inventx standards, with the following categories being permitted:

Table: Server Proxy Default Policy for Web Filter
Web Category Allowed
Business
Finance and Banking
Information Technology
Information and Computer Security

Default Policy for Virus Filter

Inventx's global standard policy determines which incoming and outgoing content is scanned for viruses; all HTTP and FTP traffic is analyzed, preventing the introduction of malicious software.

Default Policy for Application Control

Using Application Control, unwanted features of websites are disabled. For example, streaming of audio and video files, chatting, and uploading and downloading of files can be prevented. Inventx's global ruleset is defined as follows:

Table: Server Proxy Default Policy for Application Control
Web Category Blocked
Webmail (e.g. Gmail or GMX)
Game
Mobile
P2P
Remote Access
Social Media
Video/Audio
VOIP
Unknown Applications

Default Policy for Deep-Inspection

The Server Proxy inspects HTTPS packets, with the categories "Health and Wellness" and "Finance and Banking" not being analyzed for data protection reasons. The HTTPS traffic is decrypted, inspected, re-encrypted, and forwarded to the destination.

Load Balancer

A load balancer distributes the data traffic of a specific service endpoint across multiple targets. It detects faulty targets and forwards data traffic only to intact targets. This allows the availability and performance of an application to be optimized.

For HTTP/HTTPS applications, a Layer 7 load balancer is recommended, while for applications using TCP/UDP protocols, a Layer 4 load balancer is recommended.

This service is only available in the Platinum SLA. Layer 4 load balancers can be ordered and managed via the portal in self-service. Layer 7 load balancers must be ordered and managed via the "Load Balancer" service request.

Service Architecture

Load Balancer Service Architecture
Image: Load Balancer Service Architecture

Service Scope

Table: Load Balancer Service Scope
Feature Layer 4 Layer 7
Initial Setup
IT Basic Protection
Service Management
Bandwidth (5 MBit/s)
Service IP Address
Service FQDN
Protocols/Ports
Load Balancing
Persistence
X-Forwarded-For
Default DDoS Profile
Health Monitoring
Error Page
Maintenance Page
SSL Offloading/Bridging
Host Header Forwarding/Rewriting/Redirecting

IT Basic Protection

Patch Management

The load balancer infrastructure is updated at least twice yearly, unless critical security vulnerabilities occur that require immediate upgrades.

Malware Protection

Malware protection is based on hardened appliances that are checked for integrity during boot. The load balancer infrastructure uses Secure Boot and Image Signing to ensure that only signed and trusted software components are executed. The load balancers support RASP functionality (Runtime Application Self-Protection) that monitors and protects applications during runtime.

Service Options

Through the options listed in this section, a load balancer can be configured in different ways.

Initial Setup

The effort required to set up a load balancer is heavily dependent on the customer's desired individual requirements. Therefore, the initial setup of a load balancer is charged on a time-and-materials basis.

Service Management

Service management includes updating the software components and security patterns used, resource management, and backup of the infrastructure. Certificate Lifecycle Management (creation/request, integration, replacement/renewal of certificates) is charged separately on a time-and-materials basis.

Bandwidth

Bandwidth (data throughput) is individually configurable per service. A bandwidth of 5 megabits per second (MBit/s) is included in the base price. In steps of 5 MBit/s, the service can be scaled up to a maximum of 40 MBit/s according to a separate price list and ordered according to requirements (see table below). Billing is based on the number of 5 Mbit/s units ordered.

If more data is transported via the load balancer than the ordered bandwidth allows, packet losses (packet drops) are generated. If packet losses are detected, a bandwidth increase can be ordered. For a Layer 4 load balancer, the bandwidth increase can be made directly in the portal. For a Layer 7 load balancer, the bandwidth increase must be requested via a Load Balancer service request.

Table: Load Balancer Bandwidth
Bandwidth Layer 4 Layer 7
5 MBit/s
10 MBit/s
15 MBit/s
20 MBit/s
25 MBit/s
30 MBit/s
35 MBit/s
40 MBit/s

Service IP Address

One IP address can be assigned per service. If it is a private IP address, this is free of charge. A public IP address incurs additional costs according to the price list. Private IP addresses are not routed on the internet and can only be used within a local network. Public IP addresses are routed on the internet.

Service FQDN

One or more FQDNs can be pointed (via a DNS entry) at a Layer 7 service IP address (VIP). A DNS entry for the respective FQDN is a prerequisite for end-to-end (client-server) communication.

Protocols/Ports

Unless otherwise specified at the time of order, Layer 4 will use standard ports 80/443 and Layer 7 will use the HTTPS protocol for service setup.

The following table shows the possible protocols and ports per service and layer.

Table: Load Balancer Protocols/Ports
Protocol/Port Layer 4 Layer 7
TCP (all possible ports)
HTTP
HTTPS

Load Balancing

By default, None (Round-Robin) is enabled. The load balancing option serves to distribute the load with the goal of equally loading the end systems.

Table: Load Balancer Load Balancing Options
Load Balancing Option Layer 4 Layer 7
None (Round Robin)

Each new request is sent to the next server in the pool, in list order; after the last server the cycle starts again at the first.
Least Connection

Connections are sent to the server that currently has the fewest open connections.
Least Load

Connections are sent to the server that is currently least loaded.
Fastest Response

Connections are sent to the server that responds the fastest.
Fewest Servers

An algorithm calculates how many servers are needed to handle the current load. Requests are sent only to the first server in the pool; once it reaches its capacity limit, traffic spills over to the next server in line.

Persistence

By default, no "Persistence" is configured. By using the Persistence option, the session is bound to a specific end system. This ensures that requests during a session are always processed by the same end system.

Table: Load Balancer Persistence Options
Persistence Option Layer 4 Layer 7
Client IP

The client IP is used as an identifier and assigned to the server.
TLS

The client's SSL/TLS session ID is used as the identifier.
APP Cookie

Reads an existing server cookie or session data embedded in the URI, such as JSESSIONID.
HTTP Cookie

Inserts a cookie into the HTTP response(s).
Custom HTTP Header

The customer can create custom specifications for mapping header values to specific servers.

X-Forwarded-For

With X-Forwarded-For, the client's original IP address is passed to the target system in an HTTP header. The target system can use it, for example, to log where the request originated or to apply server-side allow/deny lists. Because a client can send an X-Forwarded-For header of its own, the target system must only trust the entry appended by the load balancer. This option is only available with a Layer 7 load balancer.
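How a target system should read the header, as an added Python example (not Inventx code). The trusted proxy range 10.20.0.0/24 standing in for the load balancer's address and all other addresses are constructed. The point is the direction of the walk: every proxy appends the address it saw, so the value the load balancer appended is the rightmost one, while the leftmost entry is whatever the client chose to send.

```python
from ipaddress import ip_address, ip_network

# Addresses from which an X-Forwarded-For header is believed: the Layer 7 load balancer
# (and any further trusted hop in front of the target). Constructed range; substitute
# the real service IP(s).
TRUSTED_PROXIES = [ip_network("10.20.0.0/24")]


def _is_trusted(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the client IP to use for logging and allow/deny lists.

    remote_addr: peer address of the TCP connection (the load balancer when fronted by it)
    xff_header:  the X-Forwarded-For value as received, or None

    Walk the header from the right and skip the hops we trust; the first untrusted
    address is the one the nearest trusted proxy saw as its peer. Everything further
    left was forwarded verbatim and could have been forged by the client.
    """
    if not _is_trusted(remote_addr):
        return remote_addr   # direct connection: the header is untrusted, ignore it entirely
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ip_address(hop))
            except ValueError:
                return remote_addr   # malformed entry: fall back rather than trust it
    return remote_addr               # header empty or only trusted hops


def naive_client_ip(remote_addr, xff_header):
    """The common mistake: take the leftmost entry, which the client controls."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def is_allowed(remote_addr, xff_header, allow_list):
    """Server-side allow-list evaluated on the trustworthy client address."""
    nets = [ip_network(n) for n in allow_list]
    ip = ip_address(client_ip(remote_addr, xff_header))
    return any(ip in net for net in nets)


if __name__ == "__main__":
    # Constructed request: client 198.51.100.9 sends a forged header claiming 203.0.113.7;
    # the load balancer (10.20.0.5) appends the address it actually saw.
    print(client_ip("10.20.0.5", "203.0.113.7, 198.51.100.9"))
    print(naive_client_ip("10.20.0.5", "203.0.113.7, 198.51.100.9"))
```

If the target is also reachable without passing through the load balancer (for example from another subnet), the first check in `client_ip` is what keeps a direct caller from impersonating anyone: a header from an untrusted peer is discarded outright.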

Default DDoS Profile

By default, a DDoS profile (built-in) is enabled, which detects and prevents network attacks on Layer 3, 4, and Layer 7.

Table: Load Balancer Default DDoS Profile
Default DDoS Profile Layer 4 Layer 7
Layer 3

SMURF, ICMP Flood, Unknown Protocol, Tear Drop, IP Fragmentation
Layer 4

SYN Flood, LAND, Port Scan, X-mas Tree, Bad RST Flood, Fake Session, Bad Sequence Number, Malformed/Unexpected Flood, Zero/Small Window, Rate Limiting CPS per IP, SSL Errors, SSL Renegotiation
Layer 7

Request Idle Timeout (10,000ms), SlowPost (30,000ms), SlowLoris (30,000ms), Invalid Requests

Health Monitoring

With Health Monitoring, the load balancer sends requests to the target system at intervals and expects a response within a set time window for each request.

If the respective requests to a target system are not answered, the target system is marked as unreachable. Consequently, client-server requests are no longer forwarded to that target system.

Table: Load Balancer Health Monitoring Options
Health Monitoring Option Layer 4 Layer 7
TCP (custom-client-request/custom-server-response)

Waits for a complete TCP connection on a specifically requested port.
ICMP

Sends a ping and expects a response from the "pinged" server.
DNS (request/response)

Checks whether the "name server" can correctly resolve a name to a specified entry.
HTTP/S (custom-client-request-header/-body, custom-server-response)

Checks the specified "response code" for correctness.
External

Customer-specific health checks can be performed via script command. (wget, netcat, curl, dig, mysql-client, snmpget)

Error Page

By default, a "Default Error Page" is displayed for a Layer 7 service, which informs the client about the connection error. If the layout or content of the page does not meet requirements, a "Custom Error Page" can be created and provided to Inventx for integration.

Maintenance Page

If a maintenance page should be displayed for maintenance mode, this can be arranged via a request to Inventx or by the customer themselves. In the latter case, a script-based solution approach must be used; please inform us of your specific use case.

SSL Offloading/Bridging

When a Layer 7 service is ordered, SSL offloading is enabled by default. This option enables the load balancer to decrypt encrypted traffic to, for example, detect network attacks and prevent them based on WAF policies.

With SSL offloading, the load balancer terminates the TLS connection and forwards plaintext to the target:

  • Client to load balancer = encrypted
  • Load balancer to target = unencrypted

With SSL bridging, the load balancer decrypts the traffic, inspects it, and re-encrypts it towards the target:

  • Client to load balancer = encrypted
  • Load balancer to target = encrypted

For certificate issuance/integration, an existing PKI infrastructure in the customer environment is required. If this is not available, the customer must provide the required certificates to Inventx.

Certificate Lifecycle Management is not part of this service and must be ensured by the customer.

Host Header Forwarding/Rewriting/Redirecting

If a Layer 7 service is ordered, it is possible to perform forwarding, rewrites, and redirects based on host header information. Additionally, HTTP to HTTPS redirection can be performed upon request.

Web Application Firewall

The Web Application Firewall (WAF) operated by Inventx complements the load balancer by inspecting incoming HTTP traffic for attacks against security vulnerabilities and for unauthorized data transmission before it reaches the application server. The WAF service thus acts as an enforcement point for security policies between the client application and the web application.

The WAF intercepts all HTTP requests and checks them against the previously defined rule set (security model) to identify unwanted traffic (cross-site scripting, SQL injection, etc.). This also mitigates Layer 7 DDoS attacks, which attempt to exploit security vulnerabilities in web applications or to degrade the service.

This service is only available in the Platinum SLA and must be ordered and managed via the standard service request "Web Application Firewall".

Service Architecture

Web Application Firewall Service Architecture
Figure: Web Application Firewall Service Architecture

Service Scope

Table: Web Application Firewall Service Scope
Service Feature Platinum
Initial Setup
IT Basic Protection
Load Balancer Layer 7
Service Management
OWASP TOP 10 Rule-Set
Customer-Specific Rule-Set
Operating Mode Enforcement

IT Basic Protection

See description in chapter Load Balancer IT Basic Protection.

Service Options

With the WAF service, customers can obtain additional services by arrangement.

Initial Setup

The effort required to set up a WAF service is highly dependent on the desired individual requirements of the customer, especially regarding the rule sets to be defined. Therefore, the initial setup of a WAF is charged based on actual effort.

Load Balancer Layer 7

The basic configuration for the WAF consists of a Load Balancer Layer 7. Corresponding service options are described in the Load Balancer section in the Layer 7 variant.

Service Management

Service Management includes, among other things, the updating of the software components and security patterns used, resource management, and infrastructure backup.

WAF lifecycle management (analysis/adaptation of rule sets) is charged separately based on actual effort.

OWASP TOP 10 Rule-Set

The standard rule set covers the vulnerability classes of the OWASP Top 10. The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security. Its best-known project, the OWASP Top 10, is a report listing the ten most critical web application security risks.

Customer-Specific Rule-Set

Certain applications require individual configuration of the rule set for proper operation. For this purpose, for example, exceptions are created for the OWASP rule set for unwanted detections. Modifications to the rule set must be requested via a "Generic Request".

Operating Mode Enforcement

The WAF service operates in Enforcement mode: the configured rule set is actively enforced, so matching requests are blocked rather than merely reported, regardless of whether the WAF protects a test or a production environment.

Private DNS

The Private DNS (Domain Name System) Service enables server and client systems to perform authoritative forward and reverse resolution, i.e. DNS names to IP addresses and vice versa. A customer's namespace is mapped in a private view (zone) of the global DNS, which is maintained and operated by Inventx.

The Private DNS Service is available exclusively in the Platinum SLA and must be ordered via "Generic Request".

Service Architecture

Private DNS Service Architecture
Figure: Private DNS Service Architecture

Service Scope

Table: Private DNS Service Scope
Feature Platinum
Initial Setup
Authoritative Zone
Forwarding

Service Options

The DNS Service can be operated in different ways through the service elements listed in this chapter.

Initial Setup

The implementation of the initial configuration of the Private DNS Service is billed as part of a project. The configuration is specified in collaboration with the customer and then implemented.

Authoritative Zone

An authoritative zone is a zone for which the local (primary or secondary) DNS server references its own data when responding to queries. The local DNS server is responsible for the data in this zone and responds to queries without referring to another server. There are two zone types:

  • Forward-Mapping: A forward-mapping zone is an area of the domain name space for which one or more nameservers are responsible for responding to name-to-IP-address queries.
  • Reverse-Mapping: A reverse-mapping zone is an area of the network space for which one or more nameservers are responsible for responding to IP-address-to-name queries.

The following record types are possible per zone type:

Table: Private DNS Record Types
Record Type forward-mapping reverse-mapping
Host Record
A Record
CNAME Record
Alias Record
MX Record
NS Record
PTR Record
SRV Record
TXT Record
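An added consistency check over a forward-mapping zone and its reverse-mapping zone (Python; not Inventx tooling). The zone contents under corp.example. are constructed and deliberately contain the defects a DNS operator wants flagged before a change is implemented: a missing PTR, a stale PTR pointing at a retired host, an orphan PTR with no forward record, a CNAME sharing an owner with other data, and an MX target that is a CNAME. The reverse-zone owner names are derived from the addresses, which is the part people get wrong by hand.

```python
from ipaddress import ip_address


def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 10.10.2.20 -> 20.2.10.10.in-addr.arpa.
    Works for IPv6 as well (nibble format under ip6.arpa.)."""
    return ip_address(ip).reverse_pointer + "."


def _records(zone, owner, rtype):
    return [v for t, v in zone.get(owner, []) if t == rtype]


def check_zones(forward, reverse):
    """Return a list of human-readable findings; an empty list means the zones agree."""
    findings = []
    address_rrs = [(o, t, v) for o, rrs in forward.items() for t, v in rrs if t in ("A", "AAAA")]

    # 1. Every A/AAAA needs a PTR, and the PTR must point back at a name holding that
    #    address (forward-confirmed reverse DNS).
    for owner, rtype, value in address_rrs:
        target = reverse.get(ptr_name(value))
        if target is None:
            findings.append(f"missing PTR: {ptr_name(value)} for {owner}")
        elif value not in _records(forward, target, rtype):
            findings.append(f"stale PTR: {ptr_name(value)} -> {target} has no {rtype} {value}")

    # 2. A PTR for an address no forward record claims is left over from a decommissioned host.
    expected = {ptr_name(v) for _, _, v in address_rrs}
    for rname, target in reverse.items():
        if rname not in expected:
            findings.append(f"orphan PTR: {rname} -> {target} (no forward record with this address)")

    # 3. A CNAME must be the only record at its owner name (RFC 1034 section 3.6.2).
    for owner, rrs in forward.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            findings.append(f"CNAME with other data at {owner}: {sorted(types)}")

    # 4. MX and SRV targets must be host names with address records, not aliases (RFC 2181 section 10.3).
    for owner, rrs in forward.items():
        for rtype, value in rrs:
            if rtype not in ("MX", "SRV"):
                continue
            target = value.split()[-1]
            if _records(forward, target, "CNAME"):
                findings.append(f"{rtype} target is a CNAME: {owner} -> {target}")
            elif not (_records(forward, target, "A") or _records(forward, target, "AAAA")):
                findings.append(f"{rtype} target without address record: {owner} -> {target}")
    return findings


# Constructed zone data: owner name -> list of (type, rdata). Not customer data.
FORWARD = {
    "web01.corp.example.": [("A", "10.10.2.20")],
    "db01.corp.example.": [("A", "10.10.2.30")],
    "app.corp.example.": [("CNAME", "web01.corp.example.")],
    "mail.corp.example.": [("A", "10.10.2.25"), ("CNAME", "web01.corp.example.")],  # invalid
    "corp.example.": [("MX", "10 app.corp.example."), ("TXT", '"v=spf1 ip4:10.10.2.25 -all"')],
    "_ldap._tcp.corp.example.": [("SRV", "0 0 389 db01.corp.example.")],
}
REVERSE = {  # PTR owner name -> target host name
    "20.2.10.10.in-addr.arpa.": "web01.corp.example.",
    "30.2.10.10.in-addr.arpa.": "db99.corp.example.",   # stale: db99 was renamed to db01
    "99.2.10.10.in-addr.arpa.": "old.corp.example.",    # orphan: nothing forward-maps to .99
}

if __name__ == "__main__":
    for finding in check_zones(FORWARD, REVERSE):
        print(finding)
```

Run against the constructed zones the check reports five findings. The MX-to-CNAME case matters for the Secure Mail-Relay further down: receiving servers that follow the RFC may refuse delivery to a domain whose MX target is an alias.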

Forwarding

In a hybrid architecture, DNS forwarding can logically connect the ix.Cloud with a customer's on-premises environment. Through this option, customers can continue to use their existing local DNS servers as authoritative.

Secure Mail-Relay

With the Secure Mail-Relay Service operated by Inventx, customers can securely send email via SMTP from ix.Cloud to the Internet, with an Inventx address as the sender of the message.

Service Architecture

N/A

Service Scope

Table: Secure Mail-Relay Service Scope
Feature Platinum
Initial Setup
Source and Destination
Malware Protection
Content Filtering
Session Handling
Addressing
Shipping over Internet

Service Options

The Secure Mail-Relay Service of ix.Cloud has the following features:

Initial Setup

The Mail-Relay Service is commissioned as part of a project. The service is specified in collaboration with the customer and then integrated. Orders and all changes must be requested via a "Generic Request".

Source and Destination

The Mail-Relay Service is only accessible from within ix.Cloud; messages are accepted based on source IP range and sender address. Any email address can be specified as the recipient.

Malware Protection

After receiving the message, a malware scan is performed. If a positive finding is detected, the message is rejected. Additionally, an antivirus outbreak filter with a 20-minute window is in place to enable timely malware identification.

Content Filtering

For security reasons, all messages are filtered. Files of type video, audio, archive as well as executables, scripts and encrypted files are filtered and replaced with an error text file. To prevent unauthorized data leakage, the following rules apply:

  • Number of attachments per message: Maximum 5
  • Message size: Maximum 10 MB
  • Compression level of attachment: Maximum 12
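The attachment rules above, implemented as an added Python example (not Inventx's relay software). Everything here is an assumption except the five-attachment and 10 MB limits and the filtered file classes named on the page: the extension and signature lists are constructed, a message over a limit is treated as rejected (the page states the limits but not the action), and the "compression level" rule is not modelled because the page does not say how it is measured. The example checks content signatures before file names, so an archive renamed to .pdf is still caught, and it detects a password-protected ZIP by the encryption flag in its headers.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ATTACHMENTS = 5
MAX_MESSAGE_BYTES = 10 * 1024 * 1024

# File classes the relay filters, keyed to common extensions (constructed list, not Inventx's).
BLOCKED_EXTENSIONS = {
    "executable": {"exe", "dll", "msi", "com", "scr"},
    "script": {"ps1", "bat", "cmd", "sh", "js", "vbs", "hta"},
    "archive": {"zip", "7z", "rar", "gz", "tgz", "tar", "bz2"},
    "media": {"mp4", "mkv", "avi", "mov", "mp3", "wav", "flac", "ogg"},
    "encrypted": {"pgp", "gpg", "asc", "p7m"},
}
# Content signatures, checked before the file name so a renamed payload is still caught.
MAGIC = [
    (b"MZ", "executable"), (b"\x7fELF", "executable"),
    (b"PK\x03\x04", "archive"), (b"7z\xbc\xaf\x27\x1c", "archive"),
    (b"Rar!\x1a\x07", "archive"), (b"\x1f\x8b", "archive"),
    (b"ID3", "media"), (b"RIFF", "media"), (b"\x1aE\xdf\xa3", "media"),
    (b"-----BEGIN PGP MESSAGE-----", "encrypted"),
    (b"#!", "script"),
]


@dataclass
class Attachment:
    name: str
    data: bytes


def _zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flags marks an encrypted member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes) -> Optional[str]:
    """Return the blocked class of an attachment, or None if it may pass."""
    for prefix, cls in MAGIC:
        if data.startswith(prefix):
            if prefix == b"PK\x03\x04" and _zip_is_encrypted(data):
                return "encrypted"
            return cls
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for cls, exts in BLOCKED_EXTENSIONS.items():
        if ext in exts:
            return cls
    return None


def apply_policy(body: bytes, attachments: List[Attachment]) -> Tuple[bool, List[Attachment], List[str]]:
    """Enforce the relay's content rules. Returns (accepted, attachments after filtering, reasons).
    Assumption: exceeding the count or size limit rejects the whole message."""
    reasons = []
    if len(attachments) > MAX_ATTACHMENTS:
        reasons.append(f"too many attachments: {len(attachments)} > {MAX_ATTACHMENTS}")
    total = len(body) + sum(len(a.data) for a in attachments)
    if total > MAX_MESSAGE_BYTES:
        reasons.append(f"message too large: {total} > {MAX_MESSAGE_BYTES} bytes")
    if reasons:
        return False, [], reasons
    kept = []
    for a in attachments:
        cls = classify(a.name, a.data)
        if cls is None:
            kept.append(a)
            continue
        reasons.append(f"{a.name}: removed ({cls})")
        notice = f"Attachment '{a.name}' was removed by the mail relay: {cls} files are not permitted.\n"
        kept.append(Attachment(a.name + ".txt", notice.encode()))   # replaced by an error text file
    return True, kept, reasons


def make_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed sample archive. 'encrypted' only sets the encryption flag bit in both headers,
    which is what a content filter inspects; no actual encryption is performed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01                      # local file header: flags at offset 6
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x01                 # central directory entry: flags at offset 8
    return bytes(data)


SAMPLE = [  # constructed inputs
    Attachment("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),
    Attachment("report.pdf", make_zip("report.docx", b"not really a pdf")),    # archive renamed to .pdf
    Attachment("setup.exe", b"MZ\x90\x00constructed"),
    Attachment("deploy.ps1", b"Get-Process | Out-File c:\\temp\\p.txt"),
    Attachment("secret.zip", make_zip("keys.txt", b"constructed", encrypted=True)),
]

if __name__ == "__main__":
    accepted, kept, why = apply_policy(b"hello", SAMPLE)
    print(accepted, [a.name for a in kept], why)
```

One caveat a deployment must handle that the page does not mention: Office Open XML documents (docx, xlsx, pptx) are ZIP containers and match the PK signature, so a real filter needs an explicit allow-list for them, typically by checking for the `[Content_Types].xml` member, or legitimate documents will be replaced by error files.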

Session Handling

A maximum of 1,200 messages per 30 minutes is possible, and a maximum of three parallel EHLO commands per SMTP connection. If these values are exceeded, throttling is automatically applied.

Addressing

Before sending to the destination, the sender is rewritten with a generic Inventx address (noreply@ixcloud.ch).

Shipping over Internet

Messages are always sent via the Internet. Encrypted transport (TLS) is strongly recommended and preferred, but not enforced: if the receiving mail server does not offer TLS, the message is delivered in plaintext.

Hosted Software-Appliance

For operating software appliances, virtual servers based on VMware ESX virtualization can be procured in cases where the software vendor does not offer support for Microsoft Hyper-V. Such VMs are provided exclusively in the SLA Rhodium and cannot be managed via the ix.Cloud Portal or the ix.Cloud API.

Service Architecture

See Virtual Machine representation SLA Rhodium.

Service Scope

Virtual servers based on VMware can be ordered in the Standard Hardware Profiles according to Virtual Machine. Such VMs are delivered without an operating system (OS). The customer is responsible for licensing, operation and maintenance of the OS (see "Customer Owned OS" under Virtual Machine). The Off functionality is not available.

Such VMs must be ordered via "Standard Service Request" - mutations and decommissioning via "Generic Request". Image import is performed according to the description for "Customer Owned OS" under Virtual Machine.

Service Options

No options available.