Encryption of data in transit within a cluster

ThoughtSpot can encrypt data in transit within a cluster.

Overview

ThoughtSpot supports encryption of data in transit within a cluster (traffic flowing between multiple nodes in a cluster). Encryption in transit within the cluster is primarily needed for cloud deployments of ThoughtSpot. This is accomplished using IPSec.

IPSec operates in two modes: tunnel mode and transport mode. ThoughtSpot recommends using transport mode to set up IPSec for encrypting in-transit data.

While IPSec provides additional security, it also reduces network bandwidth between nodes.

ThoughtSpot supports IPSec encryption using strongSwan (an open-source IPSec-based VPN solution for Linux and other UNIX-based operating systems).

Summary:

  1. Use IPSec in Transport mode for host-to-host IPSec communication.

  2. Use the strongSwan package.

  3. Use AES-GCM for the ESP protocol (it provides authenticated encryption and better network bandwidth).

IPSec is supported in ThoughtSpot software versions starting from 4.5.1.4.

Deployment

  1. Enabling IPSec: Run the following command on any ThoughtSpot node after the cluster has been configured and the right build has been deployed: # tscli ipsec enable.

  2. Disabling IPSec: Run the following command on any node of the cluster: # tscli ipsec disable.

  3. Checking the status of IPSec: Run the following command on any node of the cluster: # tscli ipsec status.

  4. IPSec configuration and settings are NOT persistent across cluster backup/restore, and IPSec will have to be re-enabled.

  5. Adding a node to an IPSec-enabled cluster: IPSec settings are automatically configured across nodes as nodes get added to a ThoughtSpot cluster that has IPSec enabled.

  6. Removing a node from an IPSec-enabled cluster: IPSec settings are not impacted when nodes get removed from a ThoughtSpot cluster that has IPSec enabled. If any failure occurs during node removal, IPSec would need to be re-enabled by using the following command: tscli ipsec enable.

  7. Manually enabling or disabling IPSec on a single node (if any IPSec-related failure occurs on that node):
    Manually enable and start strongSwan:
    sudo systemctl enable strongswan
    sudo systemctl start strongswan

    Manually stop and disable strongSwan:
    sudo systemctl stop strongswan
    sudo systemctl disable strongswan

    You can check /etc/strongswan/ipsec.conf and /etc/strongswan/ipsec.secrets on each node to verify that they are consistent across all nodes.
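One way to check a node's ipsec.conf against the recommendations in the summary (transport mode, AES-GCM for ESP), as an added example that is not ThoughtSpot code or part of tscli. It assumes the legacy strongSwan layout of "conn NAME" headers followed by indented key=value lines; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ThoughtSpot code): audit a copy of ipsec.conf against the
# recommended settings. Assumes "conn NAME" headers + indented key=value lines.
audit_ipsec_conf() {   # $1 = path to ipsec.conf; returns 1 if any conn fails
    awk '
    function report(   t, e, bad) {
        if (name == "" || name == "%default") return
        t = (type != "") ? type : dtype      # inherit from conn %default
        e = (esp != "") ? esp : desp
        if (t == "") t = "tunnel"            # strongSwan default when type= is unset
        if (t != "transport") bad = bad " type=" t
        # an unset esp= is flagged too: the proposal is then not pinned to AES-GCM
        if (e !~ /gcm/) bad = bad " esp=" (e == "" ? "(unset)" : e)
        if (bad != "") { printf "FAIL %s:%s\n", name, bad; rc = 1 }
        else printf "OK   %s: type=%s esp=%s\n", name, t, e
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^conn[ \t]+/ { report(); name = $2; type = ""; esp = ""; next }
    /^[a-z]/ { report(); name = ""; next }   # config setup, ca, include
    {
        line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
        i = index(line, "="); if (i == 0) next
        k = substr(line, 1, i - 1); v = substr(line, i + 1)
        if (name == "%default") { if (k == "type") dtype = v; if (k == "esp") desp = v }
        else if (name != "") { if (k == "type") type = v; if (k == "esp") esp = v }
    }
    END { report(); exit rc + 0 }
    ' "$1"
}
sample_conf() {   # constructed sample, not a file generated by tscli
    cat <<'EOF'
conn %default
    authby=secret
    type=transport
conn node1-node2
    left=192.0.2.1
    right=192.0.2.2
    esp=aes256gcm16!
conn node1-node3
    left=192.0.2.1
    right=192.0.2.3
    type=tunnel
    esp=aes256-sha256
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp"
audit_ipsec_conf "$tmp" || echo "ipsec.conf deviates from the recommended settings"
rm -f "$tmp"
```

Running the same function against the file from each node and comparing the output lines shows whether the mode and ESP settings are consistent across the cluster.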

Firewall configuration

The following ports and protocols must be open between nodes to allow IPSec encryption:

| Port | Protocol | Service Name | Direction | Source | Dest. | Description |
|------|----------|--------------|-----------|--------|-------|-------------|
| 500 | UDP | Internet Key Exchange (IKE) | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) |
| 4500 | UDP | IPSec | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) |
| | IP protocol 50 | Encapsulating Security Payload (ESP) | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) |

If you deploy ThoughtSpot in Microsoft Azure, you cannot use the Azure web portal to add IP protocol 50. You must use the Azure CLI or PowerShell.