Network Configuration

It is important to properly design the server network when using the Layer7 API Gateway in a PCI DSS environment. The Gateway is highly configurable and allows you to enable and disable many different settings, startup parameters, and services on the appliance. Observe the following guidelines to maintain PCI DSS compliance when configuring the Gateway.
Network Interface Configuration
The Gateway appliance comes with a built-in firewall and is designed to have network interfaces independent of each other, allowing for easy network segmentation. Ideally, the Gateway will straddle a network boundary, but it can also be deployed entirely within the DMZ.
For security reasons, the Gateway should not be deployed fully outside the DMZ.
The Gateway appliance is designed to use specific network interfaces for specific functions, to provide optimal security for the appliance itself.
Predictable Network Device Naming Considerations
If you are running Gateway 10.0+ on CentOS 7, your network interface names may have changed. "eth0" has been renamed to "ssg_eth0" and "eth1" has been renamed to "ssg_eth1" for the hardware appliance Gateway. The OVA Gateway also adopts a similar naming convention but with exceptions related to the predictable (consistent) network device naming scheme of CentOS 7. To learn more, see the Network Deployment Guide.
eth0
The eth0 network interface is designed to be the primary “secure zone” interface. It is meant to be exposed to internal resources only and will allow connections on the following ports by default:
8080 – standard HTTP port
8443 – standard HTTPS port
9443 – HTTPS port without client certificate support
3306 – JDBC communication port
3307 – JDBC redirect port
2124 – Gateway inter-node communication port
8777 – Hazelcast communication port
22 – default SSH port
This network interface should never be exposed to the public internet; the firewall should make it reachable only from internal sources. Port 8080 can be closed if you want to allow secure (HTTPS) access only. Port 22 can be closed if you do not want to allow SSH access to the Gateway appliance. If the Gateway is not in a clustered environment, the JGroups ports can also be disabled. All other ports must remain open for the Gateway to operate correctly.
eth1
The eth1 interface is designed to be the primary public-facing Ethernet connection. It is meant to receive incoming requests for the Gateway to process from either internal or external sources. As such, it is protected by the firewall, and only the following ports are open by default:
8080 – standard HTTP port
8443 – standard HTTPS port
9443 – HTTPS port without client certificate support
To maintain PCI DSS compliance, do not open other ports on eth1 unless you need the Gateway to receive additional request traffic (for example, FTP or SMTP). Further, the standard HTTPS port should be limited to message traffic only.
Additional network configuration (Hardware Appliance Gateways only)
The Layer7 API Gateway is equipped with four network interfaces. These can be enabled for various specific requirements, used as additional inbound traffic interfaces, or bonded with existing NICs for greater bandwidth. Contact Support for assistance with configuring additional network interfaces.
All the ports that the Gateway appliance uses are configurable within the application, in terms of numbering, usage, and resourcing. As PCI DSS limits access to the box to secure connections only, consider disabling port 8080 on eth1 and allowing only SSL connections into the Gateway.
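The eth0 and eth1 sections above, and the recommendation to disable port 8080 on eth1, describe a per-interface port baseline that is easy to drift from once ports are renumbered or firewall rules are edited by hand. The following Python script, added here as an example and not part of the Layer7 documentation, audits the ports that are effectively reachable on each interface (a socket bound to the wildcard address or to the interface's own address, combined with an ACCEPT rule for that interface) against that baseline. It assumes the appliance firewall is iptables with a default-DROP INPUT chain; the ss(8) and iptables(8) output, the interface addresses, and the treatment of 2124 and 8777 as the inter-node ports the page calls "JGroups ports" are constructed sample data and labelled assumptions. It also normalises the Gateway 10 names ssg_eth0/ssg_eth1 back to eth0/eth1, as described in the naming section above.

```python
"""Audit the ports effectively reachable on each Gateway interface against the
PCI DSS baseline in the eth0/eth1 sections of the page.

Added example, not Layer7 code. Assumes an iptables firewall whose INPUT chain
defaults to DROP, so a port is reachable only where an ACCEPT rule exists. All
sample output, addresses and the optional-port sets below are constructed."""

import re

# Baseline from the page: ports open by default on each interface.
ETH0_DEFAULT_PORTS = {8080, 8443, 9443, 3306, 3307, 2124, 8777, 22}
ETH1_DEFAULT_PORTS = {8080, 8443, 9443}
# Ports the page says may be closed on eth0: cleartext HTTP and SSH always,
# the inter-node ports only outside a cluster. Assumption: the page's
# "JGroups ports" are the inter-node ports it lists, 2124 and 8777.
ETH0_OPTIONAL_PORTS = {8080, 22}
ETH0_CLUSTER_PORTS = {2124, 8777}

# Constructed interface addresses. Gateway 10 on CentOS 7 names the NICs
# ssg_eth0 / ssg_eth1, so names are normalised before lookup.
INTERFACES = {"ssg_eth0": "10.10.1.5", "ssg_eth1": "203.0.113.20"}

# Constructed `ss -Hlnt` output (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2124 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8777 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.10.1.5:3306 0.0.0.0:*
LISTEN 0 128 10.10.1.5:3307 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
"""

# Constructed `iptables -S INPUT` output; note the stray SSH rule on ssg_eth1.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ssg_eth0 -p tcp -m multiport --dports 8080,8443,9443 -j ACCEPT
-A INPUT -i ssg_eth0 -p tcp -m multiport --dports 3306,3307,2124,8777 -j ACCEPT
-A INPUT -i ssg_eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ssg_eth1 -p tcp -m multiport --dports 8080,8443,9443 -j ACCEPT
-A INPUT -i ssg_eth1 -p tcp -m tcp --dport 22 -j ACCEPT
"""


def canonical(iface):
    """Map predictable names such as ssg_eth0 back to eth0."""
    return iface[4:] if iface.startswith("ssg_") else iface


def parse_ss(text):
    """Return (local_address, port) pairs for each listening TCP socket."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def parse_iptables(text):
    """Return {interface: set(accepted TCP ports)} from `iptables -S` rules."""
    accepted = {}
    for line in text.splitlines():
        if "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        iface = re.search(r"-i (\S+)", line)
        ports = re.search(r"--dports? ([\d,]+)", line)  # --dport N or --dports a,b
        if not iface or not ports:
            continue
        key = canonical(iface.group(1))
        accepted.setdefault(key, set()).update(int(p) for p in ports.group(1).split(","))
    return accepted


def exposed_ports(sockets, accepted, interfaces):
    """Ports reachable on each interface: bound to the wildcard or to the
    interface's own address, and accepted by a firewall rule for that interface."""
    exposed = {}
    for raw_name, address in interfaces.items():
        name = canonical(raw_name)
        bound = {port for addr, port in sockets if addr in ("0.0.0.0", "*", "::", address)}
        exposed[name] = bound & accepted.get(name, set())
    return exposed


def audit(exposed, clustered=True):
    """Compare reachable ports with the page's baseline; return finding strings."""
    findings = []
    for port in sorted(exposed.get("eth1", set()) - ETH1_DEFAULT_PORTS):
        findings.append(f"VIOLATION eth1: port {port} reachable from the public interface")
    if 8080 in exposed.get("eth1", set()):
        findings.append("WARNING eth1: cleartext HTTP (8080) open; PCI DSS prefers TLS-only access")
    for port in sorted(exposed.get("eth0", set()) - ETH0_DEFAULT_PORTS):
        findings.append(f"WARNING eth0: unexpected port {port} open")
    required = ETH0_DEFAULT_PORTS - ETH0_OPTIONAL_PORTS
    if not clustered:
        required -= ETH0_CLUSTER_PORTS
    for port in sorted(required - exposed.get("eth0", set())):
        findings.append(f"ERROR eth0: required port {port} is not reachable; the Gateway needs it")
    return findings


if __name__ == "__main__":
    reachable = exposed_ports(parse_ss(SAMPLE_SS), parse_iptables(SAMPLE_IPTABLES), INTERFACES)
    for finding in audit(reachable):
        print(finding)
```

On the constructed data the script reports two findings: SSH (22) reachable on eth1, which the page forbids, and cleartext 8080 on eth1, which it recommends closing. Loopback-only listeners such as the 9200 sample are never counted as exposed, and passing clustered=False lets a standalone Gateway close the inter-node ports on eth0 without raising an error.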