Security at scale
Skeleton Bullet Points
- Good inventory management hygiene: no unknown servers on infra
- MFA on servers
- Use SSH private keys instead of passwords
- Bastion/Jump Host for access to critical infra
- Firewall with deny-all default and only open as required (e.g. no SSH/RDP accessible to the Internet; instead jump through an MFA-enabled VPN first)
- Include info on IP based DDoS and how to mitigate it
- Engine API being filtered + auth for Engine API
- VLAN Segmentation
- OS hardening (this involves quite a few things, but https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf provides quite a lot of details and there are playbooks that will do a lot of it)
- EDR, SIEM, NDR and when to use them?
Security is non-negotiable when you're running Ethereum validators at scale. This guide focuses on best practices specifically tailored for scaled Ethereum staking providers. The objective is to offer a comprehensive security framework that goes beyond typical measures used by solo stakers.
Maintaining a precise inventory of all active servers is critical. Each unidentified machine is a potential security risk.
- Keep an updated inventory list, including the server type, purpose, and responsible team.
- Use automation tools to detect and report any unauthorized machines.
Multi-Factor Authentication (MFA) adds an additional layer of security, reducing the risk of unauthorized access.
- Implement MFA for all administrative access.
- Use hardware-based authentication methods when possible.
SSH keys are more secure than passwords and should be used for secure shell access.
- Rotate keys regularly.
- Store keys securely in a key vault.
A Bastion or Jump Host serves as an intermediary between your local machine and critical infrastructure.
- This host should be highly secured, monitored, and only accessible via MFA.
Start with a 'deny all' default firewall rule and open only those ports necessary for operations.
- No direct SSH/RDP should be accessible from the internet.
- Access should be enabled through an MFA-enabled VPN.
IP-based DDoS attacks can incapacitate your network.
- Utilize DDoS protection services.
- Regularly monitor network traffic for anomalies.
Your Engine API is an attack surface that needs to be minimized.
- Filter access to the Engine API.
- Implement authentication mechanisms like API tokens.
Using VLANs can effectively segregate different types of traffic and reduce the attack surface.
- Group related servers and services into VLANs.
- Limit inter-VLAN routing to only necessary services.
Hardening the Operating System can reduce the number of vulnerabilities.
- Use hardening playbooks that automate many of these processes.
Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Network Detection and Response (NDR) are powerful tools for monitoring and responding to security events.
- EDR for endpoint level visibility.
- SIEM for comprehensive security event management and reporting.
- NDR for network level monitoring and response.
Security at scale is an ongoing commitment that involves continual assessment and evolution. By implementing these practices, scaled Ethereum staking providers can not only secure their own operations but also contribute to the overall security of the Ethereum network.