The PNAP network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples:
Unauthorized port scans by PNAP customers are a violation of the phoenixNAP Acceptable Use Policy. Violations of the phoenixNAP Acceptable Use Policy are taken seriously, and every reported violation is investigated.
When unauthorized port scanning is detected, it is stopped and blocked. Port scans of phoenixNAP instances are generally ineffective because, by default, all inbound ports on phoenixNAP Cloud instances are closed and are only opened by the customer. The customer’s strict management of security groups can further mitigate the threat of port scans. If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, the customer must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache.
phoenixNAP Application Programming Interface (API) endpoints are hosted on large, Internet-scale, world-class infrastructure. Proprietary & 3rd party DDoS mitigation techniques are used. We protect a minimum of 1.5 Gbps and up to 20 Gbps attacks. Our system will assess an attack and determine if there is a risk of exceeding 20Gbps. If the attack poses a threat to the network, the IP’s will be null routed automatically. Additionally, phoenixNAP’s networks are multi-homed across a number of providers to achieve Internet access diversity.
phoenixNAP instances cannot send spoofed network traffic. Our proprietary, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within PNAP's network. While phoenixNAP does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.
All of the phoenixNAP APIs are available via SSL-protected endpoints which provide server authentication. The PNAP network automatically generates new SSH host certificates on first boot and log them to the instance’s console. Customers can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. Customers are encouraged to use SSL for all of their interactions with phoenixNAP's network.