
Best Practice: Securing Shinydocs Indexer (Elasticsearch) access

Access to the Shinydocs Indexer on port 9200 (or the port you configured) should be extremely limited. A host firewall is the primary control for keeping the index safe. There are many firewall products; this guide shows how to set up access so that the Cognitive Toolkit can reach the index while no other computer or user can. The method is usually called IP allow-listing (also "IP whitelisting"): inbound connections are accepted only from a fixed list of source addresses. Note that an allow-list restricts which hosts can open a connection; it does not authenticate users or processes on those hosts, so the listed servers must themselves be locked down.

This is the standard method of securing the Indexer. Your organization may have other means of securing web applications.

Assumptions

  1. The servers running Shinydocs Cognitive Suite (Analytics Engine, Cognitive Toolkit) do not allow inbound connections (all inbound ports are blocked by default)

  2. These servers are on the same domain

  3. The default port of 9200 is being used for the Indexer

  4. The Indexer is bound to the network host 0.0.0.0, so it listens on every interface of the server and relies on the firewall to limit who can reach it

For deployments with more than one Analytics Engine, apply these rules on each Analytics Engine server. If you are using a coordinator node in your deployment, all Analytics Engine servers need to communicate with each other on ports 9200 and 9300 (9300 is the node-to-node transport port). The same approach applies to those servers: allow only the IP addresses of the other Analytics Engine servers and the coordinator node on ports 9200 and 9300.

Example

  • Cognitive Toolkit Server 1:
    IP: 10.1.243.242
    Inbound rule: none (all inbound blocked, per assumption 1)

  • Analytics Engine Server 1:
    IP: 10.1.243.243
    Inbound rule: Allow 10.1.243.244, 10.1.243.245 on port 9200, 9300

  • Analytics Engine Server 2:
    IP: 10.1.243.244
    Inbound rule: Allow 10.1.243.243, 10.1.243.245 on port 9200, 9300

  • Coordinator Node Server 1:
    IP: 10.1.243.245
    Inbound rule: Allow 10.1.243.243, 10.1.243.244 on port 9200, 9300
    Allow 10.1.243.242 on port 9200

Firewall rules (for other firewall products)

The target of these rules is the server running the Shinydocs Indexer and Visualizer. For large deployments that use a coordinator node, the Cognitive Toolkit rule applies only to the coordinator node.

  1. All inbound ports are blocked

    1. Your organization may require additional ports to remain open for other services (like RDP)

  2. Inbound rule

    1. Allow port 9200

    2. Only from the IP address(es) of the machine(s) running Cognitive Toolkit

This blocks access from all other computers and users and allows only the listed source addresses (the Cognitive Toolkit server(s)) to communicate with the index on port 9200.
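The policy above has two parts that are easy to get wrong separately: the profile must default to Block, and no leftover inbound rule may expose the Indexer port to "Any" remote address. The following audit script is an added example (not supplied by Shinydocs) that checks both on the server where it runs. It assumes the default ports 9200 and 9300, the built-in NetSecurity module (Windows Server 2012 / Windows 8 or later) and an elevated PowerShell session; the variable and column names are this example's own.

```powershell
# Added example, not a Shinydocs script: audit inbound exposure of the Indexer ports.
# Assumes default Indexer port 9200 and transport port 9300; run elevated.

$WatchPorts = @('9200', '9300')

# 1. The model is default-deny: every enabled profile must drop unmatched inbound traffic.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object {
        Write-Warning ('Profile {0}: Enabled={1} DefaultInboundAction={2}' -f `
            $_.Name, $_.Enabled, $_.DefaultInboundAction)
    }

# 2. Collect every enabled inbound Allow rule that can expose a watched port.
#    Note: port ranges such as '9000-9300' are not expanded here; review those by hand.
$findings = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule   = $_
        $port   = $rule | Get-NetFirewallPortFilter
        $addr   = $rule | Get-NetFirewallAddressFilter
        $local  = @($port.LocalPort)
        $remote = @($addr.RemoteAddress)
        $hits   = $local | Where-Object { $_ -eq 'Any' -or $_ -in $WatchPorts }
        if ($port.Protocol -in @('TCP', 'Any') -and $hits) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = $local -join ','
                RemoteAddress = $remote -join ','
                # Scoped = the rule carries an explicit source list rather than 'Any'
                Scoped        = -not ($remote -contains 'Any')
            }
        }
    }

$findings | Format-Table -AutoSize

# 3. Anything unscoped defeats the allow-list, no matter how the Indexer rule itself is written.
$open = @($findings | Where-Object { -not $_.Scoped })
if ($open.Count -gt 0) {
    Write-Warning ('{0} inbound Allow rule(s) expose an Indexer port to any remote address' -f $open.Count)
}
```

Run this after creating the allow-list rule and again after any software install on the server: installers commonly add their own inbound Allow rules with an "Any" remote scope, and such a rule silently reopens the port.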

Windows firewall guide

  1. Open Windows Defender Firewall with Advanced Security and select Inbound Rules

  2. Select New Rule

  3. In the New Inbound Rule Wizard, select Port and click Next

  4. Select TCP and Specific local ports and enter 9200 (or the port you configured for the Indexer service), click Next

  5. Select Allow the connection, click Next

  6. Select Domain and Private (meaning this rule would not apply on a public connection, where all access should be blocked by your existing firewall rules), click Next

  7. Give your rule a name and description, click Finish

  8. Double-click on the newly created rule (or click Properties with your new rule selected)

  9. In the new window, select the Scope tab. Under Remote IP Address select These IP addresses and click Add

  10. In the new window, select This IP address or subnet and enter the IP address of the machine running Cognitive Toolkit. Click OK

  11. Repeat steps 9 and 10 for additional machines you need to add (for additional Cognitive Toolkit machines)

  12. Once all IP addresses have been added to the list, click OK

  13. Inbound access to the Indexer on port 9200 is now limited to the IP addresses you listed; all other sources are dropped by the default inbound block
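The same rules can be created from PowerShell, which is easier to repeat across several servers and to keep under version control. The script below is an added example (not Shinydocs' own tooling) that reproduces the wizard steps above for the multi-server topology in the Example section: peer Analytics Engine / coordinator nodes are allowed on 9200 and 9300, and only the coordinator accepts the Cognitive Toolkit on 9200. It assumes the page's example addresses, the built-in NetSecurity module (Windows Server 2012 / Windows 8 or later), an elevated session, and rule names and the `$IsCoordinator` switch chosen for this example.

```powershell
# Added example, not a Shinydocs script. Run elevated on each Analytics Engine /
# coordinator server; set $IsCoordinator for the node the Cognitive Toolkit talks to.
# Addresses are the page's example topology; rule names are this example's own.

$IndexerPort   = '9200'                   # or the port you configured for the Indexer
$TransportPort = '9300'                   # node-to-node port used with a coordinator node
$Toolkit       = @('10.1.243.242')        # Cognitive Toolkit server(s): the only Indexer clients
$ClusterNodes  = @('10.1.243.243', '10.1.243.244', '10.1.243.245')  # Analytics Engines + coordinator
$IsCoordinator = $true

# 1. Default-deny on every profile (the page's "all inbound ports are blocked").
#    Other services you need inbound, e.g. RDP, require their own explicit allow rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Peer nodes may reach this host on 9200 and 9300. This host's own addresses are
#    dropped from the list; a server never needs an inbound rule to talk to itself.
$LocalIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$Peers    = @($ClusterNodes | Where-Object { $_ -notin $LocalIps })

if ($Peers.Count -gt 0) {
    # Guarded: an empty -RemoteAddress must never turn into an unscoped rule.
    New-NetFirewallRule -DisplayName 'Shinydocs Indexer - cluster peers' `
        -Description 'Analytics Engine / coordinator node traffic' `
        -Direction Inbound -Protocol TCP -LocalPort $IndexerPort, $TransportPort `
        -RemoteAddress $Peers -Profile Domain, Private -Action Allow | Out-Null
}

# 3. Only the coordinator (or the single Indexer server in a small deployment)
#    accepts Toolkit clients, and only on the Indexer port, never on 9300.
if ($IsCoordinator) {
    New-NetFirewallRule -DisplayName 'Shinydocs Indexer - Cognitive Toolkit' `
        -Description 'Cognitive Toolkit access to the index' `
        -Direction Inbound -Protocol TCP -LocalPort $IndexerPort `
        -RemoteAddress $Toolkit -Profile Domain, Private -Action Allow | Out-Null
}

# 4. Verify the scope that was actually applied (this is the wizard's Scope tab).
Get-NetFirewallRule -DisplayName 'Shinydocs Indexer*' | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ', '
    $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0}: TCP {1} from {2}' -f $_.DisplayName, $ports, $addr
}
```

To add another Cognitive Toolkit server later, update the rule's scope rather than creating a second rule: `Set-NetFirewallRule -DisplayName 'Shinydocs Indexer - Cognitive Toolkit' -RemoteAddress 10.1.243.242, <new address>`. To confirm the block from the outside, run `Test-NetConnection -ComputerName <indexer> -Port 9200` from a host that is not on the list; it must report `TcpTestSucceeded : False`, while the same test from the Toolkit server must succeed.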
