
This page, like many others, is always open to contribution.
If you would like a specific topic covered, or defined, please let us know and we'll see to it being added :)

Machine Security

The following is a dictionary of the approaches Storyfire takes to machine security.
Machine security at the Oasis project is of the highest priority: we live in an ever-evolving digital world, where uptime is money.

Dictionary

Each entry gives the service, what it affects, and what it does for us.

TCPShield
  Affects: MC (Minecraft)
  TCPShield fronts the Minecraft servers with DDoS mitigation, a cloud firewall and geo-routing, so player traffic is filtered before it reaches our game hosts.

CosmicGuard
  Affects: All services
  CosmicGuard provides DDoS protection and network-level mitigation for every service. Its advertised global backbone exceeds 5 Tbps, so a volumetric attack large enough to saturate it is very unlikely.

Warpgate
  Affects: SSH and HTTP
  Warpgate is the bastion in front of our internal SSH and HTTP services. Users authenticate to it with single sign-on (Google log-in or JetBrains Hub), so the services themselves never see an unauthenticated connection and nobody unauthorized gets to probe them directly. Warpgate also records every SSH session, so after the fact we can review exactly what was done during it.

Firewall
  Affects: All services
  We use ufw (the Uncomplicated Firewall) to restrict network access to specific ports, and in some cases to specific source addresses only. For example, an internal web app with no authentication of its own is reachable only from our security proxy, so every request to it has already passed the proxy's authentication.

SSH Keys
  Affects: SSH
  All remote sessions are logged in to with Ed25519 SSH keys; breaking an Ed25519 key is considered computationally infeasible. Private keys are protected with a passphrase of 8+ characters and stored in the OpenSSH key format with the key-derivation function set to 250+ rounds (the default is 16), which encrypts the key file with AES-256. The extra rounds slow down passphrase guessing if a key file is ever stolen; they do not change the strength of the key itself. Ed25519 is widely deployed and is the default key type generated by current OpenSSH.

JetBrains Hub
  Affects: HTTP
  JetBrains Hub reduces the attack surface of our HTTP apps because each person has a single account across all services. Assigning and revoking licences and access is quick, and outside SSH we do not have to watch many separate platforms for unauthorized logins: Hub is the one place to look.

HetrixTools, Grafana and InStatus
  Affects: Monitoring
  Together these three make up our monitoring. HetrixTools watches resource usage and downtime and brokers Discord, Telegram and SMS alerts to Jack, so any failure is noticed quickly. Grafana provides a dashboard of the status of every machine on our network. InStatus is our public status page, showing players when we are doing live maintenance and when we have unexpected downtime.

Ansible
  Affects: Deployment
  Machines are deployed with Ansible, so every machine ends up at the same pre-planned security standard defined in the deployment playbook.

GitHub cloud deployment
  Affects: Deployment
  All of our game hosts follow a cloud deployment model: the server files are fetched from GitHub at deploy time, so hosts are quick to spin up or down and rapid expansion is possible whenever hardware is available. Installing the operating system takes about 15 minutes (and should already be done on spare hardware); after that about 5 minutes are needed to download the server files and bring many game servers live for players to fall back on. If a machine develops a problem we can pull it off the shelf, rack a replacement and be back to the same capacity within 5 to 10 minutes at most.

Cloudflare DNS
  Affects: HTTP and all services
  Cloudflare's global network has 250+ internet connections in 50+ locations. It provides fast DNS and hosting, and we also host some of our internal documentation sites on Cloudflare Pages (pages.dev).

Cloudflare Zero Trust
  Affects: HTTP
  Cloudflare Zero Trust works with the Cloudflare-proxied DNS records to put an authentication wall in front of internal sites such as this one, reducing our attack surface. Access is granted through one account (JetBrains Hub or Google Workspace), so authentication security is concentrated in one place.
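The Firewall, SSH Keys and Ansible entries above describe a single standard that every machine is brought to at deploy time. The playbook below is an added example of how that standard can be expressed in Ansible; it is not the Oasis project's own playbook. The inventory group game_hosts, the gateway address 203.0.113.10, the internal app port 8080, the admin account ops, the key file files/admin_ed25519.pub, and a Debian/Ubuntu target (apt, service name ssh, OpenSSH 8.5 or later for PubkeyAcceptedAlgorithms) are all assumptions.

```yaml
# Added example, not the project's playbook: bring a host to the baseline
# described on this page (ufw default-deny, services reachable only from the
# security proxy, Ed25519-key-only SSH). Names and addresses are assumptions.
- name: Baseline machine security
  hosts: game_hosts            # assumed inventory group
  become: true
  vars:
    gateway_ip: 203.0.113.10   # assumed address of the Warpgate / proxy host
    internal_app_port: 8080    # assumed port of an internal web app with no auth of its own
    admin_user: ops            # assumed operator account
    admin_pubkey: "{{ lookup('file', 'files/admin_ed25519.pub') }}"  # assumed key file

  tasks:
    - name: Install ufw and the OpenSSH server
      ansible.builtin.apt:
        name: [ufw, openssh-server]
        state: present
        update_cache: true

    - name: Default policy - deny everything inbound, allow outbound
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    # Allow rules are applied BEFORE ufw is enabled so the run cannot lock
    # itself out. SSH and the internal app accept traffic only from the proxy.
    - name: Allow SSH only from the gateway
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "22"
        src: "{{ gateway_ip }}"

    - name: Allow the internal web app only from the gateway
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "{{ internal_app_port }}"
        src: "{{ gateway_ip }}"

    - name: Enable ufw with the rules above in place
      community.general.ufw:
        state: enabled

    - name: Install the operator's Ed25519 public key (and remove any others)
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"
        state: present
        exclusive: true

    # Keys for every remote session: no passwords, no root login, and only
    # Ed25519 public keys accepted by the server. validate makes sshd parse
    # the edited file first, so a typo cannot leave the host without SSH.
    - name: Harden sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
        - { key: PubkeyAcceptedAlgorithms, value: "ssh-ed25519,sk-ssh-ed25519@openssh.com" }
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run this from the gateway host itself, or add the Ansible controller's address as a second allowed source: once the default-deny policy is active, SSH from anywhere else is dropped. The order of the tasks is the important part; enabling ufw before the allow rules would cut the connection mid-run.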

Glossary

Attack Surface
  The set of points an attacker can reach and try to weaken in order to gain unauthorized access (an attack vector is one specific path in, such as a leaked credential). We limit authentication to two accounts: JetBrains Hub (for Oasis-only team members) and the Storyfire Google Workspace (for Storyfire). Holding just these two accounts to very strict security requirements means they are the main place we have to look to know we are secure; SSH keys, covered above, are the other credential we protect.

Playbook
  A pre-planned, specific set of instructions used to install software and security products on a virtual or bare-metal machine. Because every machine is set up from the same instructions, we can be sure they are all compliant with our security standard.

JetBrains Hub
  A single account for team members that gives them easy log-in to our services and to other JetBrains products such as our YouTrack instance (the product tracker).

DDoS Attack
  Distributed Denial of Service attack: a large botnet of compromised machines is used to send a flood of traffic or requests at a server to overload it and take it offline temporarily. To succeed against us, an attacker would need to exceed the 5 Tbps+ upstream capacity (and we have more resources available should we need them), which is extremely difficult. Raw bandwidth is only part of the picture: a much smaller application-layer flood has to be filtered by the mitigation layer rather than simply absorbed.