Israeli security company Dome9 provides a hosted firewall for protecting servers in both private and public clouds. It enables customers to lock down SSH access or admin panels until they're specifically opened via the web-based Dome9 console. Today the company released an iPhone app that will provide more convenient access to the console.
Usually you would leave your means of remotely administering a server open all the time; otherwise you wouldn't be able to access it when you needed to. That leaves your servers open to "brute force" (password guessing) attacks, as well as exploitation of security vulnerabilities in control panels or access protocols.
Admins have tried to deal with this issue by changing the default port numbers for different services (for example, changing the SSH port from 22 to some other number), or by restricting remote access to specific IP addresses. Dome9 provides a new approach.
Dome9 installs a client on your server that manages which ports are open and for how long (Amazon EC2 users don't even need to install the client; it just works). Once you've installed it on your servers, you can log in to Dome9 through the web or the iPhone client to turn on SSH or a control panel as needed. You can set your session to expire after a given amount of time in case you forget to close the port when you're done.
It reminds me a bit of Cloudflare's service in that all your traffic will be routed through Dome9's servers. But while Cloudflare is designed specifically for public-facing web servers, Dome9 works with virtually any type of server and provides more granular controls. In fact, it can be used in conjunction with Cloudflare. For example, you could prevent attackers from routing around Cloudflare by having your server refuse any visitor not coming from Cloudflare's proxy server.
The obvious security risk here is that if someone gained access to your Dome9 account they could open any port they liked. Also, it’s conceivable that someone could find a way to exploit the port that Dome9 uses to manage access. But even once the ports are open the attackers would still need to have passwords to gain access.
But availability is probably the biggest concern — if Dome9 goes haywire, you might find yourself completely locked out of your servers. To protect against this, the Dome9 client has a built-in "emergency mode" that will revert to your default settings if it loses contact with the Dome9 service for a pre-determined amount of time.
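The timed port opening and the "emergency mode" fallback described above can be modelled in a few lines. This is an added example, not Dome9's code: the class and method names, the 15-minute session and the one-hour contact threshold are all assumptions chosen for illustration.

```python
import time

class LeaseAgent:
    """Hypothetical host agent: ports stay closed unless leased; reverts to defaults if cut off."""
    def __init__(self, default_open, emergency_after, clock=time.monotonic):
        self.default_open = frozenset(default_open)  # ports open in the host's own default settings
        self.emergency_after = emergency_after       # seconds without contact before reverting
        self.clock = clock
        self.leases = {}                             # port -> expiry timestamp
        self.last_contact = clock()

    def heartbeat(self):
        """Record successful contact with the management service."""
        self.last_contact = self.clock()

    def open_port(self, port, ttl):
        """Console request: open `port` for `ttl` seconds."""
        self.heartbeat()
        self.leases[port] = self.clock() + ttl

    def in_emergency_mode(self):
        return self.clock() - self.last_contact >= self.emergency_after

    def is_open(self, port):
        if self.in_emergency_mode():
            return port in self.default_open         # fail back to the default settings
        expiry = self.leases.get(port)
        if expiry is None or self.clock() >= expiry:
            self.leases.pop(port, None)              # forgotten sessions close themselves
            return False
        return True

class FakeClock:                                     # constructed clock so the demo runs instantly
    t = 0.0
    def __call__(self): return self.t

def demo():
    clock = FakeClock()
    agent = LeaseAgent(default_open={22}, emergency_after=3600, clock=clock)
    states = [agent.is_open(22)]                     # locked down until requested
    agent.open_port(22, ttl=900)
    states.append(agent.is_open(22))                 # open during the session
    clock.t += 901
    states.append(agent.is_open(22))                 # session expired, port closed again
    clock.t += 3600                                  # no contact for over an hour
    states.append(agent.is_open(22))                 # emergency mode: default setting applies
    states.append(agent.is_open(3389))               # ports not in the defaults stay closed
    agent.heartbeat()
    states.append(agent.is_open(22))                 # contact restored: locked down again
    return states

if __name__ == "__main__": print(demo())
```

In this model, emergency mode re-exposes whatever the default settings allowed, so the contact threshold is a trade-off between lock-out risk and exposure.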
Dome9 was founded in 2010 and raised a $2 million Series A round of funding last year from Opus Capital. The company claims to already have over 1,400 customers, along with partnerships with several major cloud providers, including Amazon Web Services, Rackspace and HP.