Security

Compute Security

HTTPS-encrypted UI Login

The system supports HTTPS access to the management UI for enhanced security.
  • HTTPS is disabled by default.
  • When HTTPS is enabled, the system uses port 5443 by default and supports configuration of custom ports for access.
  • After HTTPS is enabled, HTTP requests to the UI on port 5000 are automatically redirected to HTTPS. Automatic redirection is currently supported only from HTTP port 5000.
  • The system uses PKCS12 certificates by default; PKCS12 and JKS are the only supported certificate formats. Convert certificates in other formats to one of these before importing them.

VM Instance Console

The VM instance console provides users with a streamlined entry point for monitoring and managing VM instances. You must have appropriate permissions to access the VM console. Two authentication methods are supported for console login: SSH key authentication and username/password.
  • SSH Key Authentication
    • You can use SSH key authentication to log in to Linux VM instances.
    • An SSH key pair consists of two cryptographic keys generated together: a public key, which can be shared openly, and a private key, which the user must keep secret.
    • After a public key is attached to a VM instance, you can use the corresponding private key to SSH into the VM instance from another VM instance without requiring a password.
    • To attach a public key during the VM instance creation, ensure that the VM image has cloud-init pre-installed. The recommended cloud-init versions are 0.7.9, 17.1, 19.4, or later.
    • To attach a public key after the VM instance creation, ensure that the VM instance is running and has QEMU Guest Agent (QGA) installed and running. You can install QGA by installing the GuestTool. If you install QGA by using other methods, install version 2.5 or later.
  • Username/Password
    • You can log into VM instances using a username and password.
    • The fixed username for Linux VM instances is root, and the fixed username for Windows VM instances is administrator.
    • After a password is injected into a VM instance, you can use that username and password to SSH into the VM instance from another VM instance.
    • Ensure that the VM image has cloud-init pre-installed. The recommended cloud-init versions are 0.7.9, 17.1, 19.4, or later.
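A public key that is malformed, or that is in fact a private key pasted by mistake, should be rejected before it is attached to a VM instance. The following is an added example of such a pre-flight check, written for this page; it is not code from ZStack Cube Ultimate. It parses the OpenSSH public key line format (type word, base64 wire blob, optional comment), confirms that the type embedded in the blob matches the declared type, and refuses private key material outright. The sample key line is constructed inline with a throwaway key, and only ssh-ed25519 and ssh-rsa are handled.

```python
import base64
import binascii
import struct

# Algorithms the check accepts. For ed25519 the raw public key is exactly
# 32 bytes; RSA blobs carry (e, n) as two mpints, so only the type is checked.
SUPPORTED = {"ssh-ed25519", "ssh-rsa"}


def _read_string(blob, offset):
    """Read one SSH wire-format string: big-endian uint32 length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def validate_public_key(line):
    """Return (key_type, comment) if `line` is a well-formed OpenSSH public key.

    Raise ValueError for anything that must not be attached to a VM instance:
    private key material, unsupported algorithms, undecodable base64, or a
    blob whose embedded type string disagrees with the declared type.
    """
    text = line.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("private key material; never upload this to the platform")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in SUPPORTED:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"declared {key_type!r} but blob says {embedded!r}")
    if key_type == "ssh-ed25519":
        key, offset = _read_string(blob, offset)
        if len(key) != 32 or offset != len(blob):
            raise ValueError("malformed ed25519 public key")
    return key_type, comment


def rejects(line):
    """True if validate_public_key refuses the line (convenience for callers/tests)."""
    try:
        validate_public_key(line)
    except ValueError:
        return True
    return False


def _wire_key(key_type, payload):
    """Build an OpenSSH public key line from raw parts (sample fixture only)."""
    blob = struct.pack(">I", len(key_type)) + key_type + payload
    return key_type.decode() + " " + base64.b64encode(blob).decode()


# Constructed sample: a syntactically valid ed25519 line with a throwaway key.
SAMPLE_ED25519 = _wire_key(b"ssh-ed25519", struct.pack(">I", 32) + bytes(range(32))) + " ops@example"
# Constructed sample: the blob of the line above relabelled as RSA (type mismatch).
SAMPLE_MISMATCH = "ssh-rsa " + SAMPLE_ED25519.split()[1]


if __name__ == "__main__":
    print(validate_public_key(SAMPLE_ED25519))
    for bad in (SAMPLE_MISMATCH, "-----BEGIN OPENSSH PRIVATE KEY-----", "ssh-ed25519 AAAA"):
        print("rejected:", rejects(bad), repr(bad[:40]))
```

The type-mismatch check matters because cloud-init and QGA simply write the line into authorized_keys; a blob that does not parse is silently unusable, and the first sign of trouble is a VM you cannot log in to.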

High Availability

VM Instance HA

VM instances support the high availability (HA) mode. This policy can trigger automatic VM restart when a VM is stopped due to routine maintenance (planned) or unexpected failures (unplanned), thereby improving VM availability.

NeverStop VM HA Mechanism:
  • The system monitors VM instance status through both polling and event triggers. If a VM instance is confirmed to be stopped, the HA-enabled VM instance is restarted automatically.
  • If the VM instance status cannot be determined definitively, the following detection process starts:
    1. Based on the existing network configuration, the system selects the most accurate available method to probe the status of the host where the VM instance resides.
    2. If the host status is abnormal, the HA-enabled VM instance attempts to restart automatically.

Load Balancing

Multiple VM instances can use the load balancing service to form a cluster, eliminating single points of failure and improving application availability.

IP/MAC/ARP Spoofing Protection

In traditional networks, IP/MAC/ARP spoofing has long been a serious threat: by forging IP, MAC, or ARP information, an attacker can disrupt the network and intercept traffic intended for other hosts.

The system isolates abnormal protocol access initiated by VM instances at the host's data link layer and blocks VM instance MAC/ARP spoofing. It also prevents VM instance IP spoofing at the host's network layer.
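The check a host-side anti-spoofing filter has to make is the same at both layers: every frame leaving a VM NIC must carry the MAC and IP addresses the platform bound to that NIC, and nothing else. The following is an added example of that decision logic, written for this page to illustrate the technique; it is not ZStack Cube Ultimate's implementation, and the binding table, port names, and sample frames are constructed. It also handles the case a naive filter gets wrong: DHCP and ARP probes legitimately use the unassigned source 0.0.0.0 before the guest has an address, and blocking them prevents the VM from booting onto the network.

```python
# Constructed binding table: for each VM NIC port on the host, the MAC the
# platform assigned and the IP addresses it is allowed to use.
BINDINGS = {
    "vnic-1": {"mac": "fa:16:3e:00:00:01", "ips": {"10.0.0.11"}},
    "vnic-2": {"mac": "fa:16:3e:00:00:02", "ips": {"10.0.0.12", "10.0.0.13"}},
}

# DHCP and address-probing traffic legitimately uses an unassigned source
# address before the NIC has an IP; a filter that forgets this breaks boot.
UNASSIGNED = "0.0.0.0"


def check_frame(port, frame):
    """Decide whether one frame leaving a VM NIC may enter the host bridge.

    Returns (allowed, reason). `frame` is a dict describing the parsed headers:
    eth_src and ethertype always; arp_sender_mac/arp_sender_ip for ARP;
    ip_src and udp_dst (optional) for IPv4.
    """
    binding = BINDINGS.get(port)
    if binding is None:
        return False, "unknown port"
    # Link layer: every frame must carry the bound MAC as its Ethernet source.
    if frame["eth_src"].lower() != binding["mac"]:
        return False, "MAC spoofing: Ethernet source is not the bound MAC"
    kind = frame.get("ethertype")
    if kind == "arp":
        # The ARP payload must agree with the binding too; a frame with a correct
        # Ethernet header but forged sender fields is the classic ARP poison.
        if frame["arp_sender_mac"].lower() != binding["mac"]:
            return False, "ARP spoofing: sender MAC is not the bound MAC"
        sender_ip = frame["arp_sender_ip"]
        if sender_ip != UNASSIGNED and sender_ip not in binding["ips"]:
            return False, "ARP spoofing: sender IP is not assigned to this NIC"
        return True, "ok"
    if kind == "ipv4":
        src = frame["ip_src"]
        if src == UNASSIGNED and frame.get("udp_dst") == 67:
            return True, "ok (DHCP discover/request before address assignment)"
        if src not in binding["ips"]:
            return False, "IP spoofing: source IP is not assigned to this NIC"
        return True, "ok"
    return False, f"unsupported ethertype {kind!r}"


# Constructed sample frames as a guest attached to vnic-1 might emit them.
SAMPLE_FRAMES = [
    ("legit-arp", {"eth_src": "fa:16:3e:00:00:01", "ethertype": "arp",
                   "arp_sender_mac": "fa:16:3e:00:00:01", "arp_sender_ip": "10.0.0.11"}),
    ("poison-gw", {"eth_src": "fa:16:3e:00:00:01", "ethertype": "arp",
                   "arp_sender_mac": "fa:16:3e:00:00:01", "arp_sender_ip": "10.0.0.1"}),
    ("fake-mac", {"eth_src": "fa:16:3e:00:00:02", "ethertype": "ipv4", "ip_src": "10.0.0.12"}),
    ("dhcp", {"eth_src": "fa:16:3e:00:00:01", "ethertype": "ipv4", "ip_src": "0.0.0.0", "udp_dst": 67}),
    ("ip-steal", {"eth_src": "fa:16:3e:00:00:01", "ethertype": "ipv4", "ip_src": "10.0.0.12"}),
]


def filter_port(port, frames=SAMPLE_FRAMES):
    """Return {label: allowed} for each sample frame sent from `port`."""
    return {label: check_frame(port, frame)[0] for label, frame in frames}


if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES:
        print(f"{label:>10}: {check_frame('vnic-1', frame)}")
```

Note that "poison-gw" passes the Ethernet-level MAC check and is only caught by inspecting the ARP sender fields; a filter that stops at the link-layer header does not prevent gateway impersonation.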

Images and Snapshots

Images

You can create images from VM instances or volumes. An image contains the complete data of a VM instance or volume, and you can use it to quickly replicate the corresponding resource.

ZStack Cube Ultimate provides protection for image integrity and security:
  • Security: Image files are stored as slices in the ImageStore. The slices must be reassembled by ZStack Cube Ultimate before the image content can be read, so an image cannot be read directly from the store.
  • Integrity: Images are protected by cryptographic checksums.
    • When you upload an image to the ImageStore, the system calculates the MD5 checksum of the uploaded image. Compare this value with the checksum of your source file to verify that the upload is intact.
    • When an image is downloaded from the ImageStore to primary storage, it must pass a checksum verification. The download proceeds only if the verification succeeds.
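The two integrity steps above, checksum at upload and verification when slices are reassembled for download, look like the following. This is an added illustration written for this page, not ZStack Cube Ultimate's code; the slice layout and the sample image are constructed. One caveat a practitioner should keep in mind: MD5 reliably detects accidental corruption, a missing slice, or slices joined in the wrong order, but it is not collision-resistant, so it does not by itself prove that nobody substituted the image; the checksum function below therefore also accepts sha256 for deployments that record a stronger digest alongside.

```python
import hashlib
import hmac

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never sit in memory at once


def checksum(data, algorithm="md5"):
    """Hex digest of `data`, fed to the hash in chunks (md5 as on the page, or sha256)."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def split_into_slices(image, slice_size):
    """Store an image as numbered slices, the way a sliced store keeps it."""
    return {i: image[off:off + slice_size]
            for i, off in enumerate(range(0, len(image), slice_size))}


def reassemble(slices):
    """Join numbered slices in order; refuse if the index set is not 0..n-1."""
    if set(slices) != set(range(len(slices))):
        raise ValueError("slice set is not contiguous from 0")
    return b"".join(slices[i] for i in range(len(slices)))


def verify_download(slices, recorded_digest, algorithm="md5"):
    """Return (ok, image). ok is False when the reassembled bytes do not match
    the digest recorded at upload time; compare_digest keeps the comparison
    timing-independent."""
    try:
        image = reassemble(slices)
    except ValueError:
        return False, b""
    return hmac.compare_digest(checksum(image, algorithm), recorded_digest), image


# Constructed sample "image": 3 MiB of a repeating pattern, stored in 1 MiB slices.
SAMPLE_IMAGE = (b"zstack-image-block-" * 170000)[: 3 * CHUNK]
SAMPLE_SLICES = split_into_slices(SAMPLE_IMAGE, CHUNK)
UPLOAD_MD5 = checksum(SAMPLE_IMAGE)   # what the store records when the image is uploaded


def swapped_slices():
    """A corrupted copy: two slices stored in the wrong order."""
    bad = dict(SAMPLE_SLICES)
    bad[0], bad[1] = bad[1], bad[0]
    return bad


def flipped_slices():
    """A corrupted copy: one bit flipped inside the last slice."""
    bad = dict(SAMPLE_SLICES)
    last = len(bad) - 1
    data = bytearray(bad[last])
    data[10] ^= 0x01
    bad[last] = bytes(data)
    return bad


if __name__ == "__main__":
    print("intact :", verify_download(SAMPLE_SLICES, UPLOAD_MD5)[0])
    print("swapped:", verify_download(swapped_slices(), UPLOAD_MD5)[0])
    print("flipped:", verify_download(flipped_slices(), UPLOAD_MD5)[0])
```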

Snapshots

You can create snapshots for VM instances or volumes. A snapshot is essentially a data state file of a disk at a specific time. Before performing important operations, creating a snapshot for a VM instance or volume can retain the data state (including the memory state) at that specific time, facilitating quick rollback in case of failures. For long-term backup, it is recommended that you use the backup service.

Snapshots include manual snapshots and automatic snapshots:
  • Manual Snapshots: You can manually create a snapshot for the root volume or data volume of a VM instance at any time.
  • Automatic Snapshots: The system creates snapshots through scheduled tasks or triggers one-time automatic snapshots in specific scenarios.
The snapshot feature is applied in the following scenarios:
  • Quick Failure Recovery: If an unexpected failure occurs in the production environment, you can use the snapshot rollback feature to quickly restore the environment to the normal state. This method is a temporary solution. For comprehensive long-term data protection, it is recommended that you use the backup service.
  • Data Development: By creating snapshots of production data, you can acquire near real-time authentic production data for applications such as data mining, report query, and development testing.
  • Improve Operation Fault Tolerance: Before major operations such as system upgrades or business data migration, we recommend that you create one or more snapshots. If any problem occurs during the upgrade or migration process, you can use snapshots to restore the normal system data state in time.

Encrypted Password Storage

ZStack Cube Ultimate supports encrypted storage of all plaintext passwords to protect the privacy and autonomy of user data.

Supported scenarios for encrypted password storage include, but are not limited to:
  • Host passwords: not displayed in plaintext.
  • Primary storage passwords: not displayed in plaintext.
  • Database passwords: encrypted with keys before storage and never shown to users directly.
  • Passwords in logs: passwords are not written to platform logs in plaintext, or are masked from users.

Resource Deletion Protection

Deletion Policy

ZStack Cube Ultimate supports configuring deletion policies for critical resources to reduce the risk of accidental deletion.

The current deletion policies include Direct, Delay, and Never.
  • Direct: Resources are physically deleted directly and removed from the database. Deleted resources cannot be recovered.
  • Delay: Resources are first marked as deleted in the database but are not physically deleted. Within a certain period, you can recover resources from the recycle bin in the UI or using APIs. During this period, resources still exist physically and occupy physical space (for example, disk space). After a certain period, resources are physically deleted and cannot be recovered.
  • Never: Resources are marked as deleted in the database but are never physically deleted. They occupy physical space all the time.
Resources that currently support deletion policy include VM instances, volumes, images, baremetal instances, and elastic baremetal instances.
  • VM Instance Deletion Policy: Direct, Delay, and Never. The default policy is Delay.
  • Volume Deletion Policy: Direct, Delay, and Never. The default policy is Delay.
  • Image Deletion Policy: Direct, Delay, and Never. The default policy is Delay.
  • Baremetal Instance Deletion Policy: Direct, Delay, and Never. The default policy is Delay.
  • Elastic Baremetal Instance Deletion Policy: Direct, Delay, and Never. The default policy is Delay.
    Note:

    An elastic baremetal instance is a customized VM instance. Elastic baremetal instances and VM instances are controlled by the same set of deletion policies. If the VM instance deletion policy changes, the elastic baremetal instance deletion policy changes accordingly.
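The three deletion policies differ in when a resource stops being recoverable and when it stops consuming space. The following added example models those semantics as a small recycle bin; it is written for this page and is not ZStack Cube Ultimate's implementation, and the retention window (delay_seconds) is an assumed value because the page does not state the platform's. The point it makes concrete is that under Delay and Never a "deleted" resource still occupies storage, and under Direct there is nothing to recover.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class DeletePolicy(Enum):
    DIRECT = "Direct"   # physically deleted at once, no recovery
    DELAY = "Delay"     # marked deleted; recoverable until the window ends
    NEVER = "Never"     # marked deleted; never purged, keeps occupying space


@dataclass
class Resource:
    uuid: str
    size_bytes: int
    deleted_at: Optional[float] = None   # None while the resource is live


@dataclass
class ResourceStore:
    policy: DeletePolicy
    delay_seconds: float = 7 * 24 * 3600     # assumed recycle-bin window
    live: Dict[str, Resource] = field(default_factory=dict)
    purged: List[str] = field(default_factory=list)   # uuids physically removed

    def add(self, uuid, size_bytes):
        self.live[uuid] = Resource(uuid, size_bytes)

    def delete(self, uuid, now):
        res = self.live[uuid]
        if self.policy is DeletePolicy.DIRECT:
            del self.live[uuid]
            self.purged.append(uuid)          # gone for good
        else:
            res.deleted_at = now              # stays on disk, shows in the recycle bin

    def expire(self, now):
        """Background purge for the Delay policy: physically remove entries past the window."""
        if self.policy is not DeletePolicy.DELAY:
            return []
        expired = [u for u, r in self.live.items()
                   if r.deleted_at is not None and now - r.deleted_at >= self.delay_seconds]
        for u in expired:
            del self.live[u]
            self.purged.append(u)
        return expired

    def recycle_bin(self, now):
        """UUIDs that can still be recovered right now."""
        self.expire(now)
        return [u for u, r in self.live.items() if r.deleted_at is not None]

    def recover(self, uuid, now):
        """Move a resource back from the recycle bin; False if it is not there."""
        self.expire(now)
        res = self.live.get(uuid)
        if res is None or res.deleted_at is None:
            return False
        res.deleted_at = None
        return True

    def occupied_bytes(self):
        """Space still consumed, including resources that are only marked as deleted."""
        return sum(r.size_bytes for r in self.live.values())


if __name__ == "__main__":
    for policy in DeletePolicy:
        store = ResourceStore(policy, delay_seconds=3600)
        store.add("vol-1", 10 * 2**30)
        store.delete("vol-1", now=0)
        print(policy.value, "recoverable:", store.recover("vol-1", now=10),
              "bytes held after a day:", (store.expire(86400), store.occupied_bytes()))
```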

UI Deletion Reminder

The UI provides a protection mechanism for deleting important resources. The system displays the consequences of deleting the resource and shows the number of directly associated VM instances and volumes. You must confirm the deletion to proceed, reducing the risk of accidental operation.

Monitoring and Alarm

The monitoring and alarm feature is delivered through a monitoring system and a notification system. The monitoring system collects time-series data and events, and the notification system pushes alarms to specified endpoints.

The monitoring system presents monitoring metrics, including system performance and resource utilization, in forms such as large-screen monitors, dashboards, graphical charts, and banner notifications, allowing you to fully understand platform resource utilization, operational status, and health indicators. You can also customize alarms and endpoints to achieve flexible, fine-grained monitoring and to promptly discover and diagnose issues.

Monitoring system characteristics:
  • Time-Series Monitoring: The system currently supports monitoring two types of time-series data.
    • Resource Load Data: For example, VM instance CPU utilization and host memory utilization.
    • Resource Capacity Data: For example, the number of available IP addresses and the total number of running VM instances.
  • Event Collection: Collects predefined events that occur in ZStack Cube Ultimate, such as host disconnection and VM instance high availability activation.
  • Alerting: Generates alarms for time-series data or events and provides global notifications for important resources, such as available physical capacity of primary storage.
  • Auditing: Records all operations and provides search functionality.
  • Customization: Allows you to customize alarms and alert message templates.
Notification system characteristics:
  • Pushes alarm messages to specified endpoints.
  • The system provides a system endpoint by default. You can also add email, DingTalk, HTTP application, SMS, or Microsoft Teams endpoints.

Security Configuration Templates

ZStack Cube Ultimate provides one-click security configuration templates, enabling rapid deployment of standardized security settings across the environment to meet production security requirements.
The templates cover the following settings:
  • IP Allowlist/Blocklist: Default: false. Specifies whether to enable an IP allowlist or blocklist for logins. If set to true, the platform filters the IP addresses of login clients against the configured allowlist or blocklist entries.
  • Host Login Password Encrypted Storage: Default: None. Specifies whether and how the login passwords of hosts are encrypted in the database. Valid values: None, LocalEncryption.
    • None: Host login passwords are not encrypted.
    • LocalEncryption: Host login passwords are encrypted by using the built-in encryption feature.
    Note: If Platform Cryptography Security Compliance is enabled, the effective value changes to SecurityResourceEncryption, which means host login passwords are encrypted by using HSMs. In this case, the encryption method cannot be changed.
  • Multiple Connection Session Disallowance of One User: Default: false. Specifies whether one user is prevented from holding several connection sessions at once. If set to true, a user can hold only one session with the platform; when the user opens a new session, the previous session is forcibly closed.
  • Session Timeout Period: Default: 7200. Unit: second, minute, hour, or day, as configured.
    Note: When a session times out, you must log in to the system again.
  • SSL Certificate Check Skipping: Default: false. Determines whether all checks of LDAP SSL certificates are skipped. If set to true, LDAP server certificates are not validated, which exposes LDAP binds and the credentials they carry to man-in-the-middle interception; leave this disabled except for short-term troubleshooting.
  • Platform Verification Code Policy: Default: false. Specifies whether a verification code is required after repeated login failures. If set to true, you can set the number of consecutive failed logins that triggers the requirement. Once triggered, you must enter the correct account name, password, and verification code to log in to the platform.
  • Platform Login Password Update Policy: Default: false. Determines whether periodic password change is enforced. If set to true, once a password has been in use for the configured update cycle, you are prompted to change it at the next login.
  • Lock Account Policy Upon Continuous Failed Login: Default: false. Determines whether accounts are locked after consecutive login failures. If set to true, a user account is locked for a period of time after the configured number of consecutive failed logins.
  • Password Strength Policy: Default: false. If set to true, you can set the required password length and choose whether to require a combination of digits, uppercase letters, lowercase letters, and special characters.
  • Two-factor Verification: Default: false. Specifies whether two-factor verification is required for platform login.
  • VNC Console Password Strength Policy: Default: false. Determines whether a password strength policy is enforced for VNC console login passwords.
    Note: The VNC password length is specified as a range m~n, where m and n are integers from 6 to 8; the default is 6~8. You can also choose whether to require a combination of digits, uppercase letters, lowercase letters, and special characters.
  • VM Password Strength Policy: Default: false. Determines whether a password strength policy is enforced for VM instance login passwords.
    Note:
    • The VM instance password length is specified as a range m~n, where m and n are integers from 8 to 18; the default is 8~18. You can also choose whether to require a combination of digits, uppercase letters, lowercase letters, and special characters.
    • To set a VM instance password, ensure that the VM image has cloud-init pre-installed. The recommended cloud-init versions are 0.7.9, 17.1, 19.4, or later.
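The password strength and account lockout settings above are easiest to reason about as a small policy engine. The following added example, written for this page and not ZStack Cube Ultimate's code, implements the two length ranges the table gives (VNC console 6~8, VM instance 8~18) together with the digit/uppercase/lowercase/special combination rule, and a lockout counter that refuses an account for a cooling-off period after consecutive failures. The failure threshold and lock duration are assumed values, since the page does not state the platform's; the point of the lockout logic is that a locked account is refused before the password is checked, so guessing cannot continue during the lock.

```python
import re
from collections import defaultdict

CLASS_PATTERNS = {
    "digit": r"[0-9]",
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "special": r"[^A-Za-z0-9]",
}
ALL_CLASSES = tuple(CLASS_PATTERNS)


def check_password(password, min_len, max_len, required=()):
    """Return the list of violations (an empty list means the password is acceptable).

    min_len/max_len mirror the m~n length range of the policy; `required`
    names the character classes that must all appear when the combination
    policy is switched on.
    """
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len}~{max_len}, got {len(password)}")
    for name in required:
        if not re.search(CLASS_PATTERNS[name], password):
            problems.append(f"missing {name} character")
    return problems


# Length bounds from the policy table: VNC console 6~8, VM instance 8~18.
def check_vnc_password(password, required=ALL_CLASSES):
    return check_password(password, 6, 8, required)


def check_vm_password(password, required=ALL_CLASSES):
    return check_password(password, 8, 18, required)


class LoginGuard:
    """Lock an account after consecutive failures. Threshold and lock duration
    are assumptions; the page does not state the platform's values."""

    def __init__(self, max_failures=5, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:            # lock expired: clear it and the counter
            del self.locked_until[user]
            self.failures[user] = 0
        return False

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed'. A locked account is refused
        before the password is even considered."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "abc123", "x" * 19):
        print(repr(pw), "vm:", check_vm_password(pw), "vnc:", check_vnc_password(pw))
    guard = LoginGuard(max_failures=3, lock_seconds=60)
    print([guard.attempt("alice", ok, t) for ok, t in ((False, 0), (False, 1), (False, 2), (True, 30), (True, 62))])
```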

Backup Service

The backup service is business-centric and integrates various backup technologies such as scheduled incremental and full backup into the platform. The backup service supports multiple disaster recovery solutions, including local, remote, and Public Cloud disaster recovery. You can choose an appropriate backup method based on your business characteristics. The backup service is provided as a separate functional module.

Typical Scenarios

Local Backup:
  • You can use a locally deployed ImageStore as a local backup server to store scheduled backups of local VM instances, volumes, and management node databases (hereinafter referred to as databases). The local backup server supports seamless active-standby failover, effectively ensuring business continuity.
  • If local data is accidentally deleted or data in the local primary storage is damaged, you can restore the data from the local backup server to the local environment.
  • If a disaster occurs in the local data center, you can rely entirely on the local backup server to rebuild the data center and restore services.
Remote Backup:
  • You can use a storage server in a remote computer room as a remote backup server to store scheduled backups of local VM instances, volumes, and databases. The backup data must be synchronized from a local backup server to the remote backup server.
  • If local data is accidentally deleted or data in the local primary storage is damaged, you can restore the data from the remote backup server to the local environment.
  • If a disaster occurs in the local data center, you can rely entirely on the remote backup server to rebuild the data center and restore services.
Public Cloud Backup:
  • You can use a storage server on a Public Cloud as a Public Cloud backup server to store scheduled backups of local VM instances, volumes, and databases. The backup data must be synchronized from a local backup server to the Public Cloud backup server.
  • If local data is accidentally deleted or data in the local primary storage is damaged, you can restore the data from the Public Cloud backup server to the local environment.
  • If a disaster occurs in the local data center, you can rely entirely on the Public Cloud backup server to rebuild the data center and restore services.

CDP Service

The CDP service delivers second-level, granular continuous data protection for critical business systems running on VM instances. The CDP service enables you to restore VM data to a specific point in time or retrieve files without performing a full system restoration. CDP recovery supports two strategies: creating a new VM instance and restoring to the original VM instance. You can choose an appropriate recovery method based on your business requirements. The CDP service is provided as a separate functional module.

Typical Scenarios

Local CDP Recovery | Restore to Original VM Instance
  • Supports using a locally deployed ImageStore as a local backup server to store local VM instance data.
  • Supports creating CDP tasks for multiple VM instances to provide unified CDP protection for VM instances. When creating a CDP task, you can set the RPO in seconds or minutes. During important business adjustments, you can mark and lock recovery points to preserve important recovery point data for a long time.
  • If local data is accidentally deleted or damaged by a sudden failure, and the business application's license is bound to the original hardware, you can locate a locked recovery point and restore the data to the original VM instance to quickly check that the application runs correctly. Recovery to the original VM instance creates new volumes; the volumes that existed before recovery can all be retained and reattached to the VM instance, maximizing data safety.
  • During CDP recovery, the VM instance is rapidly restored with an RTO that can be as low as seconds, effectively ensuring business continuity.
Local CDP Recovery | Create New VM Instance
  • Supports using a locally deployed ImageStore as a local backup server to store local VM instance data.
  • Supports creating CDP tasks for multiple VM instances to provide unified CDP protection for VM instances. When creating a CDP task, you can set the RPO in seconds or minutes.
  • During important recovery tests, you can create a new VM instance based on the selected recovery point without affecting the normal operation of the current VM instance. After confirming that the data is correct, you can then restore to the original environment.
  • During CDP recovery, the VM instance is rapidly restored with an RTO that can be as low as seconds, effectively ensuring business continuity.

Advantages

Simple:
  • This service is software-defined, hardware-independent, and scalable.
  • Supports previewing and downloading backed up files without performing a full system restoration.
  • Guided workflows with intelligent parameter recommendations minimize operational complexity and error rates.
Powerful:
  • No agent installation is required for VM instances, eliminating OS dependencies and imposing no performance overhead on VM instances.
  • Delivers second-level, granular continuous data protection for VM instances with an RPO that can be as low as one second.
  • Instant VM instance recovery from any recovery point ensures business continuity with an RTO that can be as low as one second.
  • Streamlined backup intelligently identifies disk partitions and valid data, backing up valid data with a smaller consumed storage space and at a faster speed.
Flexible:
  • Supports flexible settings such as backup frequency, RPO, and retention policy to meet different needs.
  • Supports multiple recovery levels, such as full VM recovery and file-level recovery.
  • Full VM recovery supports multiple strategies, including creating a new VM instance and restoring to the original VM instance.
  • Not limited by the type of primary storage, meeting CDP requirements in different storage scenarios.
Reliable:
  • The UI provides a CDP overview, supporting unified viewing of CDP status and related alerts.
  • Data recovery supports retaining current volume data, maximizing data security and facilitating post-failure analysis.
  • Supports creating a new VM instance based on the selected recovery point and restoring to the original environment after confirming the data is correct, meeting recovery test requirements.
  • Supports marking and locking recovery points for long-term preservation of important recovery point data.
  • Provides a recovery task list and supports viewing recovery records and progress, facilitating subsequent auditing and tracing.

Network Security

Security Group

Security groups provide network-layer (L3) security control for VM instances: they filter ingress and egress TCP/UDP/ICMP packets on each NIC according to the configured security rules.

VPC Firewall

You can configure firewalls for VPC vRouters. After a VPC firewall is created, the system automatically configures an ingress rule set for the VPC vRouter, and you can configure the egress rule set as needed. Each interface direction on a VPC vRouter can have one rule set applied. By filtering north-south traffic at the VPC vRouter interfaces, the VPC firewall protects the communication of the entire VPC and the VPC vRouter itself. It complements security groups, which operate at the virtual NICs of VM instances and focus primarily on east-west traffic within the VPC.

VPC vRouter HA Group

ZStack Cube Ultimate supports the VPC vRouter high availability (HA) groups. You can deploy a pair of active-standby VPC vRouters in a VPC vRouter HA group. If the active VPC vRouter becomes abnormal, an HA failover is triggered within seconds, automatically switching to the standby VPC vRouter to ensure continuous and stable business operation.

Netflow

The VPC vRouter supports directed Netflow export for network flow monitoring and analysis. By analyzing the ingress and egress traffic on VPC vRouter NICs through Netflow records, you can quickly locate network-wide bottlenecks, optimize network topology and bandwidth, and detect and mitigate malicious traffic, thereby enhancing overall network security. Netflow versions V5 and V9 are currently supported for exported flows.

Port Mirroring

ZStack Cube Ultimate supports port mirroring. Port mirroring forwards the ingress and egress traffic of a VM instance NIC to another VM instance. This enables you to capture and analyze packets from the source port without affecting its normal business throughput. Port mirroring facilitates internal network monitoring and management, allowing for rapid troubleshooting of network issues. Port mirroring requires a dedicated traffic network and this network cannot be shared with other networks to ensure transmission efficiency.

Access Control Security

Three-Role Separation

ZStack Cube Ultimate supports a Three-Role Separation model, which is an implementation of the Separation of Duties principle. This model decomposes the super administrator (admin) privileges and assigns them to three distinct roles: the System Administrator, the Security Administrator, and the Security Auditor. The System Administrator is responsible for managing platform resources. The Security Administrator is responsible for managing platform permissions. The Security Auditor is responsible for platform auditing and compliance. These three roles operate independently and provide checks and balances on each other's authority.

By distributing the comprehensive privileges of the super administrator among three separate roles, this model effectively mitigates security risks associated with over-concentrated super-administrator access and significantly enhances the overall security posture of the platform.

Tenant Management Permissions

Tenant management provides enterprise users with organizational structure management, project-based resource access control, ticket management, independent zone management, and other functions. The tenant management module is offered as an independent feature, which requires a separate license.

Characteristics:
  • User-Role Separation: Roles, defined as collections of permissions, can be flexibly assigned to or removed from users in the tenant management.
  • Roles are categorized into system roles and custom roles. System roles are predefined by the platform with fixed permission scopes, while custom roles can be created by users to meet specific requirements.
  • The UI supports API-level permission control, enabling flexible adaptation to various permission configuration scenarios.

Two-Factor Authentication

ZStack Cube Ultimate supports two-factor authentication (2FA) as an additional layer of security beyond static passwords. When 2FA is enabled, you must correctly enter a 6-digit dynamic security code from your authenticator app during each login attempt to gain access.

After 2FA is enabled and you successfully log in for the first time, the enrollment QR code is no longer displayed, so the shared secret it encodes cannot be captured from the login page later. This further enhances system security.
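The 6-digit dynamic code comes from the standard TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP), which is what the authenticator app computes from the secret it scanned in the QR code. The following is an added example written for this page, not ZStack Cube Ultimate's code, showing the generator, a verifier that tolerates small clock drift but refuses to accept a code twice (the replay check RFC 6238 recommends), and the otpauth provisioning URI format that authenticator apps read from the QR code. The secret is the RFC 6238 reference test secret; the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, last_used=-1, window=1, step=30, digits=6):
    """Return the time-step counter the code matched, or None.

    Codes for the current step and `window` steps either side are accepted, so
    a phone whose clock drifts by a few seconds still works. Any counter at or
    before `last_used` is refused: once a code has been accepted it must not be
    accepted again inside its validity window, or an intercepted code could be
    replayed. The comparison is constant-time.
    """
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(secret, account, issuer):
    """otpauth URI of the kind an authenticator app scans from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


# Reference secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "admin", "ZStack"))        # placeholder names
    print("code at t=59:", totp(RFC_SECRET, 59))                  # RFC vector: 287082
    used = verify_totp(RFC_SECRET, "287082", 59)
    print("accepted at step", used, "; replay:", verify_totp(RFC_SECRET, "287082", 61, last_used=used))
```

Store `last_used` per user alongside the secret; without it, anyone who shoulder-surfs a code has up to 90 seconds (with window=1) to reuse it.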

AccessKey Authentication

ZStack Cube Ultimate supports AccessKey authentication.

AccessKeys include:
  • Local AccessKey, consisting of an AccessKey ID and an AccessKey Secret, is a credential issued by ZStack Cube Ultimate. A local AccessKey authorizes third-party users to call ZStack Cube Ultimate's APIs and access its resources. These credentials must be kept strictly confidential.
  • Third-Party AccessKey, consisting of AccessKey ID and AccessKey Secret, is a secure credential provided by a third-party service. Third-party AccessKey authorizes you to call the third-party's APIs and access resources within that external platform. These credentials must be kept strictly confidential.

Operation Auditing

ZStack Cube Ultimate provides unified operation log management, recording user logins and resource operations performed under various accounts. The logs capture details such as operation description, task result, operator, client IP, task creation and completion time, and operation return details. Through operation log auditing, you can meet requirements for security analysis, intrusion detection, resource change tracking, and compliance auditing.
Note: If operation requests reach ZStack Cube Ultimate through a load balancer, configure X-Forwarded-For forwarding on the load balancing device so that ZStack Cube Ultimate can record the actual client IP; otherwise the operation logs record the load balancer's address instead of the client's.
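X-Forwarded-For is only trustworthy for the hops you control: each proxy appends the address it saw, but the client can put anything it likes at the front of the header, and a client that reaches the management node directly can set the whole header. The following added example, written for this page and not ZStack Cube Ultimate's implementation, shows the server-side rule for choosing the IP to record in an operation log: walk the header from the right, skip your own load balancers, and take the first address you did not add yourself; if the peer is not a known proxy, ignore the header entirely. The trusted proxy range, the request samples, and the record layout are all constructed. Whatever product sits in the middle, the same deployment check applies: the management port should be reachable only from the load balancers, or the header can be forged.

```python
from ipaddress import ip_address, ip_network

# Assumed deployment: the management node is fronted by load balancers in this
# range. Any other peer is treated as a direct client whose header is ignored.
TRUSTED_PROXIES = [ip_network("10.10.0.0/24")]


def is_trusted_proxy(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Pick the address an operation log should record.

    X-Forwarded-For is appended to by each proxy, so only the right-most
    entries were written by hops we control. Walk from the right, skip our own
    proxies, and take the first address we did not add ourselves. A prefix
    such as "1.1.1.1, " that the client put in the header is never reached,
    because our load balancer's entry sits to its right.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr                  # direct connection: header is attacker-controlled
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip_address(hop)
        except ValueError:
            return remote_addr              # malformed header: do not log garbage as a client
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr                      # header empty or only proxies: fall back to the peer


def audit_record(remote_addr, headers, operation, result):
    """Minimal operation-log entry; `headers` is a dict of request headers."""
    return {
        "operation": operation,
        "result": result,
        "clientIp": client_ip(remote_addr, headers.get("X-Forwarded-For")),
        "peerIp": remote_addr,              # keep the raw peer too, for forensics
    }


# Constructed requests: (peer address, headers) as the management node sees them.
SAMPLES = {
    "via-lb": ("10.10.0.5", {"X-Forwarded-For": "203.0.113.7"}),
    "spoof-prefix": ("10.10.0.5", {"X-Forwarded-For": "1.1.1.1, 203.0.113.7"}),
    "two-proxies": ("10.10.0.5", {"X-Forwarded-For": "203.0.113.7, 10.10.0.6"}),
    "direct": ("198.51.100.9", {"X-Forwarded-For": "1.1.1.1"}),
    "junk": ("10.10.0.5", {"X-Forwarded-For": "not-an-ip"}),
    "no-header": ("10.10.0.5", {}),
}


def resolve_samples():
    """Return {name: logged client IP} for every constructed request."""
    return {name: client_ip(peer, hdrs.get("X-Forwarded-For")) for name, (peer, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ip in resolve_samples().items():
        print(f"{name:>12}: {ip}")
    print(audit_record("10.10.0.5", {"X-Forwarded-For": "203.0.113.7"}, "LoginByAccount", "success"))
```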