Version: Next

Security

Security should be considered early in your ASI deployment planning.
This section outlines best practices and configuration options that help you secure your ASI environment at both the infrastructure and application levels.

Network & Infrastructure Security

Firewall and Port Control

Restrict network communication to only the ports required for ASI components.
See Networking for the full list of required ports.

Only expose port 52000 (or your configured HTTPS listener) externally.
Restrict inter-node and database traffic to internal networks.
If using a load balancer, ensure it terminates TLS or passes it through securely.
Use security groups, firewall-cmd, or nftables to enforce segmentation.

OS Hardening

All ASI nodes should run with a hardened baseline:

Ensure only required system packages are installed.
Apply latest OS updates and kernel patches.
Restrict sudo privileges to trusted administrators.

Application Security

Trusted Proxies (asi-core)

The asi-core module uses an internal proxy service to route traffic between ASI components.
To handle request origin tracking, ASI uses the X-Forwarded-For header.

By default, the configuration allows all proxies:

spring.cloud.gateway.trusted-proxies = .*

Recommendation: Restrict this to only the IPs or hostnames of known reverse proxies, load balancers, or ingress controllers.
The value accepts a regular expression and should match your trusted network range.

Example:

spring.cloud.gateway.trusted-proxies = 10\\.0\\..*|192\\.168\\..*

This ensures only legitimate upstream proxies are trusted when forwarding client IPs or headers.

TLS Configuration

All ASI communication — including web, API, and inter-node traffic — should use TLS encryption.

See TLS Security for certificate setup instructions.
Use CA-signed certificates for production, or a consistent self-signed CA across nodes.
Regularly rotate certificates and ensure private keys are protected (0600 permissions).
For clusters, ensure load balancers and ASI nodes share a trusted CA chain.

Secrets and Credentials

ASI components use credentials for database connections, vault access, and integrations.

Best practices:

Never store plaintext passwords in configuration files.
Use a management service to manage sensitive values.
Limit credentials to least privilege (e.g., asiadmin user for app DB access).
Rotate credentials periodically and after personnel changes.

Authentication & Authorization

Identity and Access

ASI integrates with internal or external identity systems.

Use role-based access control (RBAC) within ASI to manage user privileges.
Integrate with SSO/LDAP where available.
Regularly audit user accounts and remove unused credentials.

Session Security

Set appropriate session timeouts and cookie scopes.
Enable session affinity (sticky sessions) on your load balancer for stability.
Enforce HTTPS for all session cookies.

Auditing and Monitoring

Enable system-level auditing (e.g., auditd) on ASI hosts.
Monitor:
- Login attempts
- Configuration changes
- Certificate expiry
- Node health via /status endpoints
Regularly review cluster and OS-level logs for anomalies.

For further guidance or security validation, contact support@interlinksoftware.com.

Network & Infrastructure Security​

Firewall and Port Control​

OS Hardening​

Application Security​

Trusted Proxies (asi-core)​

TLS Configuration​

Secrets and Credentials​

Authentication & Authorization​

Identity and Access​

Session Security​

Auditing and Monitoring​