Encryption of data in transit within a cluster
ThoughtSpot can encrypt data in transit within a cluster.
Overview
ThoughtSpot supports encryption of data in transit within a cluster (traffic flowing between multiple nodes in a cluster). Encryption in transit within the cluster is primarily needed for cloud deployments of ThoughtSpot. This is accomplished using IPSec.
IPSec operates in two modes: tunnel mode and transport mode. ThoughtSpot recommends using transport mode to set up IPSec for encrypting in-transit data.
| While IPSec provides additional security, it also reduces network bandwidth between nodes. | 
ThoughtSpot supports IPSec encryption using strongSwan (an open-source IPSec-based VPN solution for Linux and other UNIX-based operating systems).
Summary:
- Use IPSec in transport mode for host-to-host IPSec communication.
- Use the strongSwan package.
- Use AES-GCM for the ESP protocol (it provides authenticated encryption and better network bandwidth).
| IPSec is supported in ThoughtSpot software versions starting from 4.5.1.4 | 
Deployment
- Enabling IPSec: Run the following command on any ThoughtSpot node after the cluster has been configured and the right build has been deployed: # tscli ipsec enable
- Disabling IPSec: Run the following command on any node of the cluster: # tscli ipsec disable
- Checking the status of IPSec: Run the following command on any node of the cluster: # tscli ipsec status
- IPSec configuration and settings are NOT persistent across cluster backup/restore and will have to be re-enabled.
- Adding a node to an IPSec-enabled cluster: IPSec settings are automatically configured across nodes as nodes get added to a ThoughtSpot cluster that has IPSec enabled.
- Removing a node from an IPSec-enabled cluster: IPSec settings are not impacted when nodes get removed from a ThoughtSpot cluster that has IPSec enabled. If any failure occurs during node removal, IPSec must be re-enabled using the following command: tscli ipsec enable
- Manually enable/disable IPSec on a single node (if any IPSec-related failure occurs on that node):
  Manually enable and start strongSwan:
    sudo systemctl enable strongswan
    sudo systemctl start strongswan
  Manually stop and disable strongSwan:
    sudo systemctl stop strongswan
    sudo systemctl disable strongswan
  You can check /etc/strongswan/ipsec.conf and /etc/strongswan/ipsec.secrets on each node to verify that they are consistent across all nodes.
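As an added example for the verification step above (not ThoughtSpot's own tooling), the POSIX shell script below checks a strongSwan ipsec.conf against this page's recommendations (transport mode, AES-GCM for ESP) and prints one digest over ipsec.conf and ipsec.secrets that can be compared node to node. The directory /etc/strongswan comes from the page; the sample configuration, connection name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not ThoughtSpot tooling: validates a strongSwan ipsec.conf
# (transport mode, AES-GCM ESP) and digests ipsec.conf + ipsec.secrets.

# check_ipsec_conf FILE: returns 0 when every "conn" section (other than
# "conn %default", whose settings are inherited) resolves to type=transport
# and an esp= proposal containing an AES-GCM cipher; returns 1 otherwise.
check_ipsec_conf() {
    awk '
    /^config[[:space:]]/ { sec = ""; next }          # "config setup" block: ignore
    /^conn[[:space:]]+/  { sec = $2; names[sec] = 1; next }
    sec != "" && $0 ~ /^[[:space:]]+[A-Za-z]+[[:space:]]*=/ {
        line = $0; sub(/^[[:space:]]+/, "", line)
        split(line, kv, "=")
        key = kv[1]; gsub(/[[:space:]]/, "", key)
        val = kv[2]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        cfg[sec, key] = val
    }
    END {
        ok = 1; n = 0
        for (s in names) {
            if (s == "%default") continue
            n++
            t = ((s, "type") in cfg) ? cfg[s, "type"] : cfg["%default", "type"]
            e = ((s, "esp") in cfg)  ? cfg[s, "esp"]  : cfg["%default", "esp"]
            if (t != "transport") ok = 0              # tunnel mode (the strongSwan default) is not wanted here
            if (tolower(e) !~ /aes[0-9]*gcm/) ok = 0  # aes256gcm16-sha256 passes, aes256-sha256 fails
        }
        if (ok && n > 0) exit 0
        exit 1
    }' "$1"
}

# ipsec_config_digest [DIR]: one SHA-256 over ipsec.conf and ipsec.secrets so the
# printed value can be compared across nodes (run as root; ipsec.secrets is 0600).
ipsec_config_digest() {
    d="${1:-/etc/strongswan}"
    cat "$d/ipsec.conf" "$d/ipsec.secrets" | sha256sum | cut -d' ' -f1
}

# write_sample_conf FILE TYPE ESP: writes a constructed ipsec.conf (placeholder
# addresses, not from a real cluster) so the checker can be exercised offline.
write_sample_conf() {
    printf 'config setup\n\tuniqueids=yes\n\nconn %%default\n\tkeyexchange=ikev2\n\tauthby=secret\n\ttype=%s\n\tesp=%s\n\nconn node1-node2\n\tleft=10.0.0.11\n\tright=10.0.0.12\n\tauto=start\n' "$2" "$3" > "$1"
}

# Stand-alone run: the recommended configuration passes the check.
sample=$(mktemp)
write_sample_conf "$sample" transport 'aes256gcm16-sha256!'
check_ipsec_conf "$sample" && echo "transport mode with AES-GCM ESP: OK"
rm -f "$sample"
```

Run check_ipsec_conf against /etc/strongswan/ipsec.conf on each node, then compare the ipsec_config_digest output between nodes; a differing digest points at the node whose files drifted.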
Firewall configuration
The following ports and protocols must be open between nodes to allow IPSec encryption:
| Port | Protocol | Service Name | Direction | Source | Dest. | Description | 
|---|---|---|---|---|---|---|
| 500 | UDP | Internet Key Exchange (IKE) | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) | 
| 4500 | UDP | IPSec | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) | 
| n/a | IP protocol 50 | Encapsulating Security Payload (ESP) | bidirectional | All nodes | All nodes | Required when using IPSec (encryption in transit) | 

| If you deploy ThoughtSpot in Microsoft Azure, you cannot use the Azure web portal to add IP protocol 50. You must use the Azure CLI or PowerShell. |