Securing Network Firewall
This topic provides security information and recommendations for Network Firewall.
Security Responsibilities
To use Network Firewall securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page and include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Encryption and Confidentiality: Use encryption keys and secrets to protect your data and connect to secured resources. Rotate these keys regularly.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Network Firewall in a new Oracle Cloud Infrastructure tenancy.
| Task | More Information |
|---|---|
| Use IAM policies to grant access to users and resources | Network Firewall Policy Reference |
| Secure network access to resources | Network Access and Security |
Routine Security Tasks
After getting started with Network Firewall, use this checklist to identify security tasks that we recommend you perform regularly.
| Task | More Information |
|---|---|
| Rotate secret credentials | Confidentiality |
| Perform a security audit | Auditing |
IAM Policies
Use policies to limit access to Network Firewall.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.
We recommend that you give DELETE permissions to a minimum set of IAM users and groups. This practice minimizes loss of data from inadvertent deletes by authorized users or from malicious actors. Only give DELETE permissions to tenancy and compartment administrators.
You can restrict access by a group to a specific firewall policy by using the specific firewall policy name (target.display-name), regular expression matching (/*name/, /name*/, /*name*/), or defined tags (target.tag.definition.name).
The following example restricts users in the FirewallPolicyUsers group to a specific firewall policy.
Allow group FirewallPolicyUsers to use firewallpolicies in tenancy
where target.display-name='MyFirewallPolicy'
You can modify this policy to restrict users in the FirewallPolicyUsers group to all firewall policies whose names are prefixed with ProjectA_.
Allow group FirewallPolicyUsers to use firewallpolicies in tenancy
where target.display-name=/ProjectA_*/
You can also match on a suffix (/*_ProjectA/) or a substring (/*ProjectA*/).
For more information about Network Firewall policies and to view more examples, see Network Policy Rules and Rule Components.
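Before applying a statement like the ones above, it helps to check which firewall policies it would actually cover and whether its verb is higher than the task requires. The following script is an added example, not Oracle's code and not part of this page: it parses the statement shape used above (group, verb, resource type, tenancy scope, optional target.display-name condition), supports the literal and the three wildcard forms the page lists, and evaluates them against a constructed list of policy display names. The statement grammar and policy names are assumptions for illustration.

```python
import re

# Verbs from least to most access, in the order the page gives them.
VERB_ORDER = ("inspect", "read", "use", "manage")

# Hypothetical statement grammar: only the shape used on this page is handled.
_STMT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)"
    r"(?:\s+where\s+(?P<where>.+))?$"
)
# Condition forms shown on the page: 'literal', /*name/, /name*/, /*name*/
_COND_RE = re.compile(
    r"target\.display-name\s*=\s*(?:'(?P<literal>[^']*)'|/(?P<pattern>[^/]*)/)"
)

# Constructed sample of firewall policy display names (not from a real tenancy).
POLICY_NAMES = [
    "MyFirewallPolicy", "ProjectA_edge", "ProjectA_core",
    "edge_ProjectA", "ProjectB_core",
]


def condition_predicate(where_clause):
    """Build a predicate over display names from a target.display-name condition."""
    if where_clause is None:
        return lambda name: True  # no where clause: every policy is in scope
    m = _COND_RE.search(where_clause)
    if m is None:
        raise ValueError(f"unsupported condition: {where_clause!r}")
    if m.group("literal") is not None:
        literal = m.group("literal")
        return lambda name: name == literal
    pat = m.group("pattern")
    leading, trailing = pat.startswith("*"), pat.endswith("*")
    core = pat.strip("*")
    if leading and trailing:
        return lambda name: core in name            # /*name*/ : substring
    if trailing:
        return lambda name: name.startswith(core)   # /name*/  : prefix
    if leading:
        return lambda name: name.endswith(core)     # /*name/  : suffix
    return lambda name: name == core


def parse_statement(statement):
    """Split a one- or two-line policy statement into its parts."""
    m = _STMT_RE.match(" ".join(statement.split()))
    if m is None:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()


def policies_in_scope(statement, display_names):
    """Return, sorted, the display names the statement would grant access to."""
    parsed = parse_statement(statement)
    matches = condition_predicate(parsed["where"])
    return sorted(n for n in display_names if matches(n))


def grants_more_than_needed(statement, needed_verb):
    """True when the statement's verb sits above the verb the task actually needs."""
    granted = parse_statement(statement)["verb"]
    return VERB_ORDER.index(granted) > VERB_ORDER.index(needed_verb)


if __name__ == "__main__":
    stmt = ("Allow group FirewallPolicyUsers to use firewallpolicies in tenancy\n"
            "where target.display-name=/ProjectA_*/")
    print(policies_in_scope(stmt, POLICY_NAMES))
    print(grants_more_than_needed(stmt, "read"))
```

Run it against your own exported list of policy display names to see the blast radius of a statement before it is saved; a statement with no where clause covers every policy in the tenancy, which is usually wider than intended.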
Confidentiality
Use the Vault service to manage and rotate secret credentials that you use with Network Firewall.
A vault includes the encryption keys and secrets that you use to protect your data and connect to secured resources. Secrets are encrypted using master encryption keys, and store credentials such as passwords, certificates, SSH keys, or authentication tokens. Before you create and use secrets, you must create a vault and a master encryption key if they don't exist.
Each secret is automatically assigned a secret version. When you rotate a secret, you generate a new secret version by providing new secret contents to the Vault service. Periodically rotating secret contents reduces the impact in case a secret is exposed.
Auditing
Locate access logs and other security data for Network Firewall.
The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.
Enable Logging on specific network firewalls to monitor traffic to the firewall. For more information, see Network Firewall Logs.
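A routine security audit of these records can be partly automated. The script below is an added example, not Oracle's code and not part of this page: it reads a constructed sample of audit records, flags DELETE requests on firewall resources made by principals outside an allow-list of administrators (the page's recommendation is that only tenancy and compartment administrators hold DELETE permissions), and tallies calls per principal as a baseline. The JSON field layout is an assumption modeled on the contents the page lists (activity, user, time, source IP, user agent, request); check it against the records exported from your own tenancy before relying on the field names.

```python
import json
from collections import Counter

# Constructed sample audit records (not captured from a tenancy). The field layout is an
# assumption: eventTime, data.eventName, data.resourceName, data.identity.{principalName,
# ipAddress, userAgent} and data.request.{action, path}. OCIDs are placeholders.
SAMPLE_AUDIT_JSON = """[
  {"eventTime": "2024-05-01T09:12:03Z",
   "data": {"eventName": "UpdateNetworkFirewallPolicy", "resourceName": "ProjectA_edge",
            "identity": {"principalName": "alice", "ipAddress": "203.0.113.10", "userAgent": "OCI-Console"},
            "request": {"action": "PUT", "path": "/networkFirewallPolicies/EXAMPLE-OCID-1"}}},
  {"eventTime": "2024-05-01T09:40:51Z",
   "data": {"eventName": "DeleteNetworkFirewallPolicy", "resourceName": "ProjectB_core",
            "identity": {"principalName": "bob", "ipAddress": "198.51.100.7", "userAgent": "Oracle-PythonSDK"},
            "request": {"action": "DELETE", "path": "/networkFirewallPolicies/EXAMPLE-OCID-2"}}},
  {"eventTime": "2024-05-01T10:02:17Z",
   "data": {"eventName": "DeleteNetworkFirewall", "resourceName": "old-edge-fw",
            "identity": {"principalName": "carol", "ipAddress": "203.0.113.10", "userAgent": "OCI-Console"},
            "request": {"action": "DELETE", "path": "/networkFirewalls/EXAMPLE-OCID-3"}}},
  {"eventTime": "2024-05-01T10:15:44Z",
   "data": {"eventName": "GetNetworkFirewallPolicy", "resourceName": "ProjectA_core",
            "identity": {"principalName": "alice", "ipAddress": "203.0.113.10", "userAgent": "OCI-Console"},
            "request": {"action": "GET", "path": "/networkFirewallPolicies/EXAMPLE-OCID-4"}}}
]"""

# Principals expected to delete firewall resources (assumed: the compartment admins).
ALLOWED_DELETERS = {"carol"}


def parse_audit(text):
    """Load a batch of audit records from JSON text."""
    return json.loads(text)


def unexpected_deletes(events, allowed_principals):
    """Flag DELETE requests made by principals outside the allowed set."""
    findings = []
    for ev in events:
        d = ev["data"]
        if d["request"]["action"] != "DELETE":
            continue
        who = d["identity"]["principalName"]
        if who in allowed_principals:
            continue
        findings.append({
            "time": ev["eventTime"],
            "principal": who,
            "event": d["eventName"],
            "resource": d["resourceName"],
            "source_ip": d["identity"]["ipAddress"],
            "user_agent": d["identity"]["userAgent"],
        })
    return findings


def calls_by_principal(events):
    """Count API calls per principal, a quick baseline for spotting unusual actors."""
    return Counter(ev["data"]["identity"]["principalName"] for ev in events)


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_JSON)
    for f in unexpected_deletes(evs, ALLOWED_DELETERS):
        print("unexpected delete:", f)
    print(dict(calls_by_principal(evs)))
```

Feed it the batched files retrieved from Object Storage, or the output of the query API, one batch at a time; the allow-list should mirror the groups that actually hold DELETE permissions in your IAM policies, so that any delete outside it points to either a policy that is broader than intended or a credential that needs rotating.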