Cloud Security Monitoring Service FAQ
  • General

    Q: What is it and what can it do?
    A: Cloud SMS is a Software as a Service (SaaS) offering that manages the onboard iptables firewall on Linux instances in the cloud through a very easy-to-use UI. It allows you to track all firewall changes over time and provide a high quality detailed report directly to your auditor. It also lets you validate your firewall rules, and track bandwidth usage over time, so you can identify anomalies easily, and close down access on ports that are unused.

    Q: How much does it cost?
    A: Cloud SMS is a free offering for basic firewall management. StillSecure will offer fee-based premium services beyond the basic firewall management capabilities in the near future.

    Q: Does it work in any cloud?
    A: Yes, Cloud SMS is platform agnostic and can be used in any cloud, physical server, or hybrid environment that has a public-facing IP address.

    Q: Is Cloud SMS secure?
    A: Yes, the Cloud SMS agent uses two-way SSL authentication using only U.S. DoD-approved strong ciphers, as well as listening only for traffic from our cloud infrastructure and blocking all other inbound traffic to the agent. That means there are multiple layers of protection against remote compromise and that means peace of mind.

    Q: What operating systems are supported?
    A: 64-bit Linux distros including CentOS, Red Hat Enterprise, Ubuntu, ArchLinux, Fedora Core, and others.

    Q: Do you support Windows?
    A: Not at this time, though Windows support is coming: stay tuned!

    Q: Does Cloud SMS support IPv6?
    A: Yes, Cloud SMS supports IPv6 in all features and functions.

  • Getting started

    Q: What’s involved?
    A: There are three main steps:
    1. Sign up for a new account
    2. Install the secure Cloud SMS agent on your cloud instance
    3. Tell Cloud SMS about your cloud instance by logging into the Cloud SMS UI and adding your cloud instance IP.

    Q: How do I sign up?
    A: Go to https://cloud.stillsecure.com and click "sign up now".

    Q: How do I install it?
    A: Log in to the Cloud SMS UI at https://cloud.stillsecure.com/login.php, go to the Cloud Instances page, click "attach a cloud instance", and then enter a name and the IP address of your cloud instance.
    For detailed support information, please visit the Cloud SMS forums at: http://forums.cloudsms.stillsecure.com/discussion/2/cloud-security-monitoring-service-faq


    Q: How do I tell Cloud SMS about my cloud instance?
    A: Log in to the Cloud SMS UI at https://cloud.stillsecure.com/login.php, go to the Cloud Instances page, click “add a cloud instance”, and then enter a name and the IP address of your cloud instance.

    Q: After installing the Cloud SMS agent, I can no longer connect to my cloud instance. What happened?
    A: By default, all inbound traffic to your cloud instance is blocked. You will need to add an inbound rule for whatever ports you need to access (port 22 for ssh) on that cloud instance.

    Q: I've added my cloud instance to the UI, but I see agent status "no connection". What's going on?
    A: Cloud SMS connects to your instances via the public Internet. You need to ensure that you specify the public IP address of the cloud instance when you add it to the Cloud SMS UI.

    Q: How do I uninstall it?
    A1: From the UI: Go to the Cloud Instances page, and click the 'detach' link on the server you wish to remove. This will revert your firewall settings to the same configuration they had before you installed the agent.
    A2: From the server: Run the agent installer again with "sh ./SSCloudSecAgent uninstall" to uninstall it. This will revert your firewall settings to the same configuration they had before you installed the agent.

  • Security best practices

    Q: I've added an inbound firewall rule for ssh. Don't I need to add an outbound rule as well?
    A: No, Cloud SMS configures your iptables firewall to track connection states (a stateful firewall), so reply traffic for a connection initiated from outside your server is automatically allowed back out.

    Q: Why does Cloud SMS allow all outbound traffic by default?
    A: While not a security best practice, this is what most users will expect for outbound rules. It is best to allow only those outbound requests that are needed for the services running on your cloud instance to function properly.
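
The stateful behaviour and the tighter outbound policy from the two answers above, as an added sketch that is not Cloud SMS's own generated ruleset. The `gen_rules` function is hypothetical, and the port lists and the DNS rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset. Not Cloud SMS's own rules.
# gen_rules "<inbound tcp ports>" "<outbound tcp ports>"
# An empty outbound list gives the allow-all-outbound default described above.
gen_rules() {
    in_ports=$1
    out_ports=$2
    # Reject anything that is not a port number so no rule text can be injected.
    for p in $in_ports $out_ports; do
        case $p in *[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        { [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } || { echo "bad port: $p" >&2; return 1; }
    done

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    if [ -z "$out_ports" ]; then
        echo ':OUTPUT ACCEPT [0:0]'
    else
        echo ':OUTPUT DROP [0:0]'
    fi

    echo '-A INPUT -i lo -j ACCEPT'
    # State tracking: packets of connections already accepted pass in.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $in_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    if [ -n "$out_ports" ]; then
        echo '-A OUTPUT -o lo -j ACCEPT'
        # This rule lets replies to inbound ssh leave; no per-port outbound rule needed.
        echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'   # DNS lookups (assumed need)
        for p in $out_ports; do
            echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    echo 'COMMIT'
}
```

To check the syntax without loading anything, pipe the output of `gen_rules "22" "80 443"` to `iptables-restore --test` as root.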

  • Troubleshooting

    Q: After installing the Cloud SMS agent, I can no longer connect to my cloud instance. What happened?
    A: This is Cloud SMS doing its job and blocking inbound connections. Just go to "Cloud Instances", click the "manage" link for the server you just added, and add a new incoming firewall rule for the service you want to access (for example, port 22 ssh).

    Q: My Cloud Instance is on the Amazon EC2 service and the Cloud SMS interface says it cannot connect to my server after adding the Cloud SMS agent. How do I fix this?
    A: Port 4407 on the host running the Cloud SMS agent must be reachable from our server. To use the Cloud SMS service on your EC2-based system, please open all ports in the Amazon Security Group configuration as follows:
    1. Click the Amazon EC2 tab at the top of the screen
    2. Click "Security Groups" on the left side of the screen
    3. Select the security group of which the EC2 instance is a member (you can see this by clicking Instances on the left hand side of the screen, and looking at the "Security Groups" column for the instance in question).
    4. Click the "Inbound" tab in the lower left pane
    5. Allow all ports inbound (1-65535) for source 0.0.0.0/0 on TCP, UDP
    6. Allow all ICMP inbound

    Q: I am on Debian version 6 and the Cloud SMS agent does not seem to be working. How can I fix this?
    A: You need to install the latest libnss tools to run the Cloud SMS agent. To do so:
    1. Log into your Debian cloud instance.
    2. Perform the command:
    sudo apt-get install libnss3-tools

    Once you have installed this package successfully, install the Cloud SMS agent again.
This discussion has been closed.