Hardening Guidelines

The Thales Data Platform should be deployed into as secure an environment as possible. Every effort has been made to make the Thales Data Platform as secure as possible, however, additional precautions should be taken especially when the Thales Data Platform is deployed into an untrusted environment.

Securing Hadoop

Here are some general guidelines on securing your TDP deployment. These recommendations are general and apply to any Hadoop cluster.

• The Hadoop cluster should only be deployed inside a corporate or trusted network. You must use a VPC network if deploying to a cloud.

• None of the Hadoop nodes should be exposed to the Internet.

• To access services from the Internet, it is recommended to use VPN access. If VPN is not available, it is recommended to use jump servers or bastion hosts. For example, to access SSH (port 22), do not expose it directly to the Internet. Instead, use a jump server or a bastion host.

• To access web services, such as DDC or Ambari, use a reverse proxy or some kind of a load balancer. These devices normally sit in a DMZ (demilitarized zone) and forwards only a specific TCP port to the Hadoop cluster.

• For Hadoop clusters configure the replication channels to use transport level encryption.

• Make sure that you configure a firewall to forbid external access to any IP/port other than those of Knox (by default it is listening on port 8443) unless the source machine is another TDP node. The SSH and Ambari ports should only be accessible to trusted source IPs.

Additionally for the DDC-TDP configuration, below you can find some guidelines that will help you set secure credentials and secure TLC configuration. For details and instructions, refer to your Hadoop documentation.

• Secure credentials

  • Hadoop credentials must be rotated regularly.

  • Credentials must be different for every installation.

  • Password must meet the security requirements described below:

    • At least 10 characters in length.

    • Contains both uppercase (A-Z) and lowercase (a-z) alphabetic characters.

    • Has at least one numeric (0-9) character.

    • Has at least one special character (! @ # $ % ^ & * ( ) _ - + = , . / < > ? ; ' : \" [ ] \\ { } | ~ `).

    • Does not contain spaces or tabs.

• Secure TLS configuration

  • Disable SSL and TLS 1.0 and 1.1.

  • Use secure renegotiation or disable renegotiation.

  • Disable TLS compression.

  • Use Authenticated Encryption cipher suites.

  • Use cipher suites with strong key exchange.

  • Do not use cipher suites with known vulnerabilities.

  • Cipher suites order must be defined by the user.

  • Use Perfect Forward Secrecy (PFS).

  • Download the tool from https://testssl.sh/ to check the configuration.

References

Thales strongly recommends appropriately configuring and securing your Hadoop environment according to industry best practices and your organization’s security policies.

The following references are not comprehensive, but are intended to provide a starting point for background, tools, and best practices that may be applied to your Hadoop environment:

• HDP Security Overview

• Introduction to Hadoop Security

• Securing Hadoop: Security Recommendations for Hadoop (Paper)

• Hadoop Security (O’Reilly Book)

System Administrative Key

The SSH Private Key, used to access the System Administrative account root, is extremely sensitive and should be kept in a secure environment.