# Network Security
This guide covers network security configuration including firewalls, IP whitelisting, TLS, and network segmentation.
## Network Architecture

### Recommended Topology

```text
External Network (Untrusted / Internet)
              │
     ┌────────┴────────┐
     │  Edge Firewall  │
     │  Port 443 only  │
     └────────┬────────┘
              │
DMZ (Semi-trusted zone)
  Reverse Proxy (nginx / HAProxy)
    - SSL termination
    - Rate limiting
    - WAF rules
              │
   ┌──────────┴──────────┐
   │  Internal Firewall  │
   │  Ports 3000, 8080   │
   └──────────┬──────────┘
              │
Application Zone (Trusted zone)
  License Server Detail (:3000)  ←─→  License Monitor (:8080)
              │
License Server Zone (Restricted access)
  FlexLM (:27000)    RLM (:5053)    sesinetd (:1715)
```
## Firewall Configuration

### iptables (Linux)

```bash
#!/bin/bash
# Firewall rules for License Monitor server

# Flush existing rules
iptables -F
iptables -X

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH (restrict to admin network)
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT

# License Monitor API (from application zone only)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.1.0/24 -j ACCEPT

# License server queries (outbound to license servers)
iptables -A OUTPUT -p tcp --dport 27000:27009 -d 10.0.2.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5053 -d 10.0.2.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1715 -d 10.0.2.0/24 -j ACCEPT

# ICMP (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "DROPPED: "

# Save rules
iptables-save > /etc/iptables/rules.v4
```

```bash
#!/bin/bash
# Firewall rules for License Server Detail

# Flush existing rules
iptables -F
iptables -X

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH (restrict to admin network)
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT

# Web dashboard (from reverse proxy only)
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.10 -j ACCEPT

# Allow connections to License Monitor
iptables -A OUTPUT -p tcp --dport 8080 -d 10.0.1.0/24 -j ACCEPT

# Allow HTTPS outbound (Okta, Convex)
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4
```
### Windows Firewall

```powershell
# License Monitor API inbound rule
New-NetFirewallRule `
  -DisplayName "License Monitor API" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -Action Allow `
  -Profile Domain,Private `
  -RemoteAddress 10.0.1.0/24

# Block public access
New-NetFirewallRule `
  -DisplayName "License Monitor Block Public" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -Action Block `
  -Profile Public
```
### UFW (Ubuntu)

```bash
# Reset UFW
sudo ufw reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH from admin network
sudo ufw allow from 10.0.0.0/24 to any port 22

# License Monitor API from app zone
sudo ufw allow from 10.0.1.0/24 to any port 8080

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose
```
## IP Whitelisting

### Application Level

Configure IP restrictions in License Monitor:

```toml
[api]
enabled = true
bind_address = "0.0.0.0"
bind_port = 8080

# IP whitelist (when behind reverse proxy)
allowed_ips = [
  "10.0.1.10",      # Dashboard server
  "10.0.1.20",      # Monitoring server
  "192.168.1.0/24"  # Admin network
]

# Trust X-Forwarded-For from these proxies
trusted_proxies = [
  "10.0.0.10"  # Reverse proxy
]
```
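As an added example (not License Monitor's own code), the following Python shows how the `allowed_ips` and `trusted_proxies` settings above have to be combined: `X-Forwarded-For` is honoured only when the TCP peer is a listed proxy, and the client address is taken from the right-hand end of the header so that a client-supplied prefix cannot spoof an allowed address. The function names are hypothetical; the address lists are copied from the configuration above.

```python
"""Added example (not License Monitor's own code): how allowed_ips and
trusted_proxies should interact behind a reverse proxy. Names are hypothetical."""
import ipaddress

# Values copied from the [api] configuration above.
ALLOWED_IPS = ["10.0.1.10", "10.0.1.20", "192.168.1.0/24"]
TRUSTED_PROXIES = ["10.0.0.10"]


def _in_list(ip, cidrs):
    """True if ip falls inside any entry (single host or CIDR) of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def effective_client_ip(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the allowlist must be checked against.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy.
    The header is walked from the right: trailing hops that are themselves
    trusted proxies are skipped, and the first untrusted hop is the client.
    Anything further left was supplied by the client and is never trusted.
    """
    if not _in_list(peer_ip, trusted_proxies):
        return peer_ip          # direct connection: the header is untrustworthy
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_list(hop, trusted_proxies):
            return hop
    return peer_ip              # header empty or every hop was one of our proxies


def is_allowed(peer_ip, xff_header=None):
    """Allowlist decision for one request, as the API layer would make it."""
    try:
        client = effective_client_ip(peer_ip, xff_header)
        return _in_list(client, ALLOWED_IPS)
    except ValueError:          # malformed address in peer or header: deny
        return False
```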
### Reverse Proxy Level

```nginx
# nginx IP whitelist
geo $allowed {
    default        0;
    10.0.1.0/24    1;
    192.168.1.0/24 1;
}

server {
    location /api/ {
        if ($allowed = 0) {
            return 403;
        }
        proxy_pass http://license_monitor;
    }
}
```
## TLS Configuration

### Requirements

| Setting | Minimum | Recommended |
|---|---|---|
| Protocol | TLS 1.2 | TLS 1.3 |
| Key Size (RSA) | 2048-bit | 4096-bit |
| Key Size (ECDSA) | 256-bit | 384-bit |
| Certificate | Domain validated | Organization validated |
### nginx TLS Configuration

```nginx
# Modern TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```
### Certificate Management

```bash
# Generate Let's Encrypt certificate
certbot certonly --nginx -d api.example.com

# Set up auto-renewal
echo "0 0 * * * root certbot renew --quiet" >> /etc/crontab

# Verify certificate
openssl s_client -connect api.example.com:443 -servername api.example.com
```
## Network Segmentation

### VLAN Configuration

| VLAN | ID | Subnet | Purpose |
|---|---|---|---|
| Management | 10 | 10.0.0.0/24 | Admin access |
| Application | 20 | 10.0.1.0/24 | Web/API servers |
| License Servers | 30 | 10.0.2.0/24 | License daemons |
| Database | 40 | 10.0.3.0/24 | Data storage |
### Inter-VLAN Routing Rules

```text
# Allow Application → License Servers (monitoring)
VLAN 20 → VLAN 30: TCP 27000-27009, 5053, 1715

# Allow Application → Database
VLAN 20 → VLAN 40: TCP 5432 (Postgres)

# Deny all other inter-VLAN traffic by default
```
## VPN Integration

### Site-to-Site VPN

For distributed deployments across multiple sites:

```text
┌─────────────────┐      IPsec Tunnel      ┌─────────────────┐
│ Main Site       │◄──────────────────────►│ Remote Site     │
│                 │                        │                 │
│ License Monitor │                        │ License Server  │
│ Dashboard       │                        │                 │
└─────────────────┘                        └─────────────────┘
```
### Remote Access VPN

Require VPN for administrative access:

```bash
# Only allow SSH over VPN
iptables -A INPUT -p tcp --dport 22 -s 10.8.0.0/24 -j ACCEPT  # VPN subnet
iptables -A INPUT -p tcp --dport 22 -j DROP
```
## Monitoring Network Security

### Connection Tracking

```bash
# View active connections
ss -tunapl | grep license_monitor

# Monitor connection states
watch -n 1 'ss -s'

# Log new connections
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j LOG \
  --log-prefix "NEW_CONN: "
```
### Intrusion Detection

```bash
# Install fail2ban
apt install fail2ban

# Configure jail for License Monitor
cat > /etc/fail2ban/jail.d/license-monitor.conf << 'EOF'
[license-monitor]
enabled = true
port = 8080
filter = license-monitor
logpath = /var/log/license-monitor/license_monitor.log
maxretry = 5
bantime = 3600
EOF

# Create filter
cat > /etc/fail2ban/filter.d/license-monitor.conf << 'EOF'
[Definition]
failregex = AUTH_FAILED.*from <HOST>
ignoreregex =
EOF

# Restart fail2ban
systemctl restart fail2ban
```
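An added check (not part of the fail2ban setup above) that runs the license-monitor `failregex` over a constructed log sample to confirm which hosts it captures and which of them reach `maxretry`; the `<HOST>` expansion and the absence of a `findtime` window are simplifications of fail2ban's own behaviour, and the log lines are invented.

```python
"""Added example (not part of the page's fail2ban configuration): exercise the
license-monitor failregex against constructed log lines. The <HOST> expansion
below is a simplified stand-in for fail2ban's, and findtime is ignored."""
import re
from collections import Counter

# From filter.d/license-monitor.conf above; <HOST> is a fail2ban placeholder.
FAILREGEX = r"AUTH_FAILED.*from <HOST>"
MAXRETRY = 5  # from jail.d/license-monitor.conf above

# Simplified version of fail2ban's <HOST> expansion (IPv4, IPv6 or hostname).
HOST_PATTERN = r"(?P<host>[0-9A-Za-z:.\-]+)"
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed sample of license_monitor.log; not real log output.
SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO  API request GET /api/status from 10.0.1.10
2024-05-01 10:00:02 WARN  AUTH_FAILED invalid api key from 203.0.113.7
2024-05-01 10:00:03 WARN  AUTH_FAILED invalid api key from 203.0.113.7
2024-05-01 10:00:04 WARN  AUTH_FAILED expired token from 203.0.113.7
2024-05-01 10:00:05 WARN  AUTH_FAILED invalid api key from 203.0.113.7
2024-05-01 10:00:06 WARN  AUTH_FAILED invalid api key from 203.0.113.7
2024-05-01 10:00:07 WARN  AUTH_FAILED invalid api key from 10.0.1.20
2024-05-01 10:00:08 INFO  AUTH_OK user=svc-dashboard from 10.0.1.10
"""


def matched_hosts(log_text):
    """Return the host captured from every line the failregex matches."""
    hosts = []
    for line in log_text.splitlines():
        m = COMPILED.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count reached maxretry (fail2ban bans at >= maxretry
    failures inside findtime; the time window is not modelled here)."""
    counts = Counter(matched_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

On a real host, `fail2ban-regex /var/log/license-monitor/license_monitor.log /etc/fail2ban/filter.d/license-monitor.conf` performs the same check against the live log with fail2ban's real `<HOST>` expansion.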
## Next Steps

- CORS Configuration - Cross-origin settings
- Rate Limiting - Request throttling
- Reverse Proxy - Proxy configuration