The Good Tech Companies - A Closer Look Into the MinIO Enterprise Object Store Firewall
Episode Date: June 26, 2024
This story was originally published on HackerNoon at: https://hackernoon.com/a-closer-look-into-the-minio-enterprise-object-store-firewall. This story was written by: @minio.
In the modern enterprise, data is what must be protected and an S3-aware firewall doesn’t exist. The MinIO Enterprise Object Store Firewall is designed specifically to work with applications using MinIO object store and its API endpoints. The Firewall doubles as a LoadBalancer, negating the need for a separate load balancer between firewall and MinIO nodes.
Transcript
This audio is presented by HackerNoon, where anyone can learn anything about any technology.
A closer look into the MinIO Enterprise Object Store Firewall.
By MinIO.
In our previous discussion, we introduced the MinIO Object Store Firewall, a novel security component that goes beyond traditional network and application security layers. Neither IP-based firewalls nor application firewalls are designed for data. That is why we built the MinIO Enterprise Object Store Firewall, because in the modern enterprise, data is what must be protected and an S3-aware firewall doesn't exist. This S3-aware data firewall is crucial for modern data protection, operating at the storage layer to safeguard your data comprehensively. The MinIO Enterprise Object Store Firewall is designed specifically to work with applications using MinIO Object Store and its API endpoints. The Enterprise Firewall is lightweight, powerful, flexible and extensible. Let's delve into setting up this advanced firewall, designed to secure your data in today's increasingly complex digital landscape.
Enable and configure firewall.
Let's use the enterprise console to set up the firewall. Follow the steps below to enable and configure the firewall.
Configure TLS for secure communication.
As part of the MinIO Enterprise suite, we've always recommended that you enable TLS on MinIO Enterprise Object Store so that even inter-cluster communications are encrypted. In that same spirit, we support TLS for the Enterprise Firewall as well. This ensures that any connection to the MinIO Object Store via the firewall is encrypted end-to-end. For enhanced security, configure TLS settings when launching the firewall with Let's Encrypt.
Precedence of anonymous rules.
In the MinIO Enterprise Firewall configuration, you'll encounter two distinct rules for anonymous access.
Global anonymous setting. At the start, when you enable the firewall, we specify a global setting that allows anonymous access across all buckets unless a more specific rule denies it.
Bucket-specific anonymous. After configuring the global setting, under each individual rule, we can set a more specific rule that overrides the global setting, effectively denying anonymous access. In this case, even though we initially toggled global anonymous to allow for all buckets, because we set another more specific rule below it, which also applies to all buckets, the one we set later takes precedence over the global setting. In other words, anonymous bucket access will be denied for all buckets.
Load balance across MinIO nodes.
As an added bonus, because we need to define all the MinIO nodes as a backend for the firewall, the firewall doubles as a load balancer, negating the need for a separate load balancer between the firewall and MinIO nodes. This eliminates further complexity and ensures there is no single point of failure in case one of the MinIO backends goes offline. Please note, you need to have another level of redundancy to ensure that, when connecting to the Enterprise Firewall, the incoming connections are also distributed to multiple Enterprise Firewall instances. This configuration is beyond the scope of this blog, but it's something to keep in mind.
Health checks and monitoring.
The health check enables you to see if the firewall is in a healthy state. You can check the health and liveness as follows. If everything is green, that will indicate that the firewall is functioning properly.
Final thoughts.
With the MinIO Enterprise Firewall, gone are the days of wrestling with complex iptables and unclear access policies. Our firewall solution simplifies your security by focusing exclusively on the essential rules required for your object store and API interactions. It is optimized to ensure there are no latency or enforcing rules, blocking access to your MinIO object store. Moreover, the Enterprise Firewall is fully supported by our awesome team at SUBNET, where we can help you by architecting the Enterprise Firewall the right way to work with MinIO Object Store and troubleshoot any future issues. So what are you waiting for? If you have any questions on MinIO Enterprise Object Store Firewall, be sure to reach out to us on Slack or hello@min.io.
Thank you for listening to this HackerNoon story, read by Artificial Intelligence.
Visit hackernoon.com to read, write, learn and publish.