Platform Security and Hardening
This article outlines the policies and procedures followed by Equinix to protect your equipment and data.
The following teams and programs review, evaluate and enhance Equinix security practices:
- Audits and Compliance – We formally comply with various industry standards, such as ISO 27001, SSAE16, and PCI DSS. Audit attestations and certificates are provided by qualified third-party auditors. These auditors coordinate activities with various business and technology teams like Business Assurance Services, Internal Audit, and Operations.
- Information Security Team – Working closely with the legal organization, this team is charged to follow global and business unit guidelines to help ensure compliance with local and federal laws and regulations.
- Information Security Policies – The Information Security team administers and enforces a comprehensive set of confidential internal information that is reviewed and endorsed by senior management. This team ensures that the internal policies are global in scope, with a special focus on country-specific and region-specific laws, regulations, and business requirements.
Areas covered by these internal security policies include:
- Acceptable use of technology
- Anti-virus and malware
- Data backup and retention
- Data classification, labeling, and handling
- Logical access
- Passwords
- Patch management
- Mobile devices
- Personal computers
- Remote access and VPN
- Social Media
Note: These internal policies are rigorously enforced. They are reviewed annually to establish their continued relevance and accuracy. New policies are introduced as needed.
Traffic Separation
Fabric uses proven technology to ensure separation of traffic between customers: MPLS L3VPNs (VRFs) and EVPN L2 instances are provisioned per customer or per customer connection. All of this is provisioned through automated configuration, and without a configuration change no data is reachable outside the customer’s Fabric connections. All configuration changes (automated as well as manual changes made during fault diagnostics) are logged and monitored for anomalies. The active configuration of every network device is continuously compared with the configuration on record, and any discrepancy is reported and corrected.
Traffic Ownership & Encryption
All data carried across the Fabric platform is owned by the customer. Because Equinix has no way of knowing what data is carried or which regulatory frameworks that data is subject to, Equinix does not provide advice on how to encrypt it. It is the customer’s responsibility to treat data in transit in compliance with their regulatory requirements. Equinix has no mechanisms deployed to monitor or intervene in traffic carried over Fabric connections.
Management Interfaces
All management interfaces of the network devices that are part of the Fabric platform are connected to our internal management infrastructure and no management interface is exposed on or connected to Internet.
- Internet firewalls – Equinix deploys next-generation firewalls that provide anti-virus, intrusion detection and prevention, URL filtering and application control. Events detected by the firewalls are fed into a global Security Incident and Event Management (SIEM) system.
- Email – An anti-virus and anti-spam gateway defends against threats originating through email.
- Hardening – Equinix desktops and laptops are hardened. Equinix hardening guidelines and standards are documented and carried out during system builds.
- Anti-Virus and Malware – Windows and Mac desktops and laptops are required to run anti-virus and anti-malware software featuring real-time scanning protection for files and applications. Infected files are quarantined.
- Remote Control – Secure remote control technology is used to assist staff with technical problems.
- Remote Access VPN – Staff members that remotely access Equinix corporate networks or systems are required to use company-supplied remote access and VPN solutions using two-factor authentication. Client systems connecting to remote desktop servers must be assigned and controlled by corporate IT.
- WiFi – WiFi networks are segregated from Equinix enterprise networks. A user connected to WiFi can access the enterprise network through a remote access VPN.
- Hardening – Equinix hardening guidelines and standards are documented and carried out during system builds.
- Anti-Virus and Malware – Windows servers are required to run anti-virus and anti-malware software featuring real-time scanning protection for files and applications. Infected files are quarantined.
- Scans – Vulnerability scans are performed internally on a weekly and on-demand basis. Applications must pass comprehensive vulnerability and application security scans before being released to the public.
- Logging – Successful and unsuccessful access to systems is logged for analysis. The industry-standard SUDO utility is used on UNIX systems. Logs are fed into a SIEM and retained for at least 90 days.
The physical security of every IBX data center is a high operational priority. Each data center uses an array of security equipment, techniques and procedures to monitor the facility and to control and record access.
- Access – The access control subsystem allows authorized users inside the building and within the facility. Biometric hand geometry or fingerprint readers, proximity cards and other technologies permit users to identify themselves to the system and, upon authentication, obtain access to specific areas inside the facility premises.
- Alarm Monitoring and Intrusion Detection – The alarm monitoring and intrusion detection subsystem monitors the status of various devices associated with the security system. These include alarm contacts, glass break detectors, motion detectors, and tamper switches. If the status of any of these devices changes from their secure state, an alarm is activated, the event is recorded, and appropriate action is taken.
- CCTV – The closed-circuit television subsystem provides the display, control, recording and playback of live video from cameras throughout the facility, as well as outside the facility where legally permitted. This system is integrated with the alarm monitoring and intrusion detection subsystem, so in the event of an alarm, cameras can be activated to record the event.
Note: CCTV operates 24 hours a day, every day.
- Audio Intercom and Two-way Radio Subsystem – The audio intercom subsystem provides two-way communications between facility visitors and the security officer. The two-way radio subsystem also provides communications between the front lobby guard and the patrol guard.
- Intrusion Testing – Intrusion testing is performed on a periodic basis with no advance warning to site staff.
- Security Personnel — Hiring and Training – Equinix leverages industry-leading vendors and partners to help manage the physical infrastructure in each IBX data center. Security personnel undergo background and criminal checks, and are required to take security training when hired and periodically thereafter.
- Customer and Visitor Emergency Protocols – In an emergency, the IBX data center staff members provide direction. Customers and other visitors on the premises are required to follow any instructions given.
- Video Recording and Photography – To safeguard the facility and preserve the anonymity of all IBX data center customers, no photography or videography is allowed within the IBX data center. Customers in licensed cages can request photographs of their cages and their equipment when they schedule a visit.
Note: Any photography requires the presence of an Equinix technician.
- Asset Tracking – Customers and their vendors, contractors and subcontractors often deliver and remove equipment from an IBX data center through the lobby. The following rules apply for asset tracking:
  - Hand-carried bags and items are subject to search as permitted by law.
  - Equipment removed from an IBX data center that was not brought in that day must be listed on the service ticket as equipment that can be removed. The description of the items should be clear enough for accurate identification of the equipment.
  - Equipment shipped to and from the facility is handled by the shipping and receiving department, which is separate from the co-location area. Customers must open a shipment service request ticket to receive equipment.
- Cage Signage – Equinix policy is to not divulge the physical location of any customer cage. However, customers can post cage signage upon approval by Equinix.
Note: Cage signs are limited to private cages only and can't be used in shared cages or reseller spaces.
IBX Data Center Security Governance Team
The Cloud Exchange Security Governance team is responsible for promoting awareness of, and compliance with, internal security policies, procedures and standards that are applicable to Equinix Fabric deployments such as Network Edge.
Controlled Maintenance
Routine, emergency and configuration changes to Equinix service network infrastructure are authorized, logged, tested, approved and documented.
Change Requests
Change requests are formal, archived documents that describe modifications to any customer impacting aspect of Equinix Fabric or Network Edge.
Change Review Board
The change review board convenes a weekly review for change request documents. The board comprises appropriate stakeholders including experts from technical, release and project management teams. The board prioritizes change requests and assigns specific time windows for changes.
Change Rollback
Change requests are required to include rollback plans, in case of the change having a negative impact on the production environment.
Problem Management
Problems are formally managed and tracked from detection through resolution with the aid of a ticketing system.
Escalations
Published operational policies and processes are in place for customer-facing escalation procedures.
Equinix Fabric and Network Edge Service Network Security
Network Edge uses the Equinix Fabric network and platform for its interconnection. Unless stated below, the same rules apply to both product lines.
Bastion
Administrative access to the Equinix Fabric service network is only available through a bastion host.
Authentication, Authorization And Accounting (AAA)
Devices on the Equinix Fabric service network use TACACS+ for AAA services. Staff members involved in administering the Equinix Fabric service network are granted access based on the “least privilege” model, with their access rights commensurate to their job function. Successful and unsuccessful attempts to access network devices are logged for analysis and alarming purposes.
This same model is followed for the Network Edge infrastructure, including compute and hypervisor resources. TACACS+ and LDAP access is restricted down to the command level on all infrastructure and virtual devices on which administrative orchestration access is necessary.
Management Tools
Service management tools are subject to AAA controls. Configurations they govern are revision controlled, time stamped and logged.
Only sessions that originate from the virtual device are allowed to reach external tools, and only return traffic belonging to the same session is allowed back in. For internal orchestration and management tools, only sessions originating from Equinix OSS are allowed to access the virtual device. The Equinix service management network uses private RFC 1918 address space only.
To validate licenses, the virtual device might need to call outside the private network. Only stateful, device-originated egress sessions to specific addresses sanctioned by the vendor of that device are allowed.
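As an added illustration (not Equinix's code), the following Python simulation applies the rules above to constructed flows: sessions the virtual device originates to vendor-sanctioned license hosts and the matching return traffic pass, sessions originating from the Equinix OSS management range reach the device, and everything else is dropped. The device address, the OSS range and the sanctioned hosts are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the virtual device's management address, the
# RFC 1918 range assumed for Equinix OSS/orchestration tools, and the license
# hosts sanctioned by the (hypothetical) device vendor.
DEVICE_IP = ipaddress.ip_address("10.200.1.5")
OSS_MGMT_NET = ipaddress.ip_network("10.10.0.0/16")
VENDOR_LICENSE_HOSTS = {ipaddress.ip_address("203.0.113.10"),
                        ipaddress.ip_address("203.0.113.11")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class EgressOnlyFilter:
    """Stateful filter: device-originated sessions to sanctioned hosts and their
    replies pass; OSS-originated sessions reach the device; all else is dropped."""

    def __init__(self):
        self.sessions = set()  # 5-tuples of tracked device-originated sessions

    def decide(self, flow: Flow) -> str:
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        forward = (src, dst, flow.sport, flow.dport, flow.proto)
        reverse = (dst, src, flow.dport, flow.sport, flow.proto)
        if src == DEVICE_IP:                      # egress originated by the device
            if dst in VENDOR_LICENSE_HOSTS:
                self.sessions.add(forward)        # remember it so the reply can return
                return "allow-egress"
            return "drop-unsanctioned-destination"
        if dst == DEVICE_IP and reverse in self.sessions:
            return "allow-return"                 # reply to a tracked session only
        if dst == DEVICE_IP and src in OSS_MGMT_NET:
            return "allow-oss-management"         # orchestration from Equinix OSS
        return "drop-unsolicited-inbound"


def run_demo():
    f = EgressOnlyFilter()
    flows = [
        Flow("10.200.1.5", "203.0.113.10", 40001, 443),  # license check leaving the device
        Flow("203.0.113.10", "10.200.1.5", 443, 40001),  # matching reply
        Flow("203.0.113.10", "10.200.1.5", 443, 40002),  # reply to no known session
        Flow("10.200.1.5", "198.51.100.5", 40003, 443),  # egress to an unsanctioned host
        Flow("10.10.3.4", "10.200.1.5", 51000, 22),      # session from the OSS range
        Flow("198.51.100.9", "10.200.1.5", 51001, 22),   # unsolicited inbound from elsewhere
    ]
    return [f.decide(fl) for fl in flows]
```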
Network Device Management Plane
Management plane controls include the use of AAA services. Remote administration sessions are encrypted (i.e., using SSH) and timed out after an appropriate period of inactivity. Administrator access and configuration changes are logged. Access Control Lists (ACLs) limit traffic to/from only required source and destination IP addresses. Vendors’ default configurations are modified according to manufacturer security recommendations.
Root access is not allowed.
Network Edge Virtual Device Accessibility
User or customer access to the devices is done through SSH or vendor-authenticated software (such as a SaaS portal for SD-WAN), and is managed down to the command level for all devices. Access to the device and the credentials are at the sole discretion of the user/owner of that device. SSH credentials are managed by the user from the portal or API. At no time do Equinix personnel have the authority or ability to add, remove or change the credentials established by the owner of the virtual device.
Access to the device through SSH must be done through the Equinix-provided public internet interface or the customer-provided network interface. Users must allow list any IP address and subnet that will require access, or the Network Edge platform will refuse the connection request.
The number of SSH sessions is limited to 5 and an idle timeout of 5 minutes applies.
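The admission rules just described (source allow list, at most 5 concurrent SSH sessions, 5-minute idle timeout), as an added Python model that is not Equinix's or any vendor's code; the allow-listed ranges and client addresses are constructed.

```python
import ipaddress

MAX_SSH_SESSIONS = 5         # concurrent session limit stated on the page
IDLE_TIMEOUT_SECONDS = 300   # 5-minute idle timeout stated on the page


class SshAdmissionControl:
    """Decides whether a new SSH connection to a virtual device is accepted."""

    def __init__(self, allow_list):
        self.allow_list = [ipaddress.ip_network(n) for n in allow_list]
        self.sessions = {}   # session id -> (client ip, last activity time)
        self._next_id = 0

    def _expire_idle(self, now):
        # Sessions idle for longer than the timeout are torn down first,
        # so a stale session never blocks a legitimate new one.
        for sid, (_, last) in list(self.sessions.items()):
            if now - last > IDLE_TIMEOUT_SECONDS:
                del self.sessions[sid]

    def connect(self, client_ip, now):
        """Returns (session id, 'accepted') or (None, refusal reason)."""
        self._expire_idle(now)
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.allow_list):
            return None, "refused: source not on allow list"
        if len(self.sessions) >= MAX_SSH_SESSIONS:
            return None, "refused: session limit reached"
        self._next_id += 1
        self.sessions[self._next_id] = (ip, now)
        return self._next_id, "accepted"

    def activity(self, sid, now):
        """Records traffic on a session, resetting its idle clock."""
        if sid in self.sessions:
            self.sessions[sid] = (self.sessions[sid][0], now)


def run_demo():
    # Constructed allow list: one customer office range and one jump host.
    ac = SshAdmissionControl(["198.51.100.0/24", "203.0.113.7/32"])
    results = [ac.connect("192.0.2.1", now=0)[1]]           # not allow-listed
    for t in range(5):
        results.append(ac.connect("198.51.100.10", now=t)[1])  # fills all 5 slots
    results.append(ac.connect("203.0.113.7", now=10)[1])    # sixth session refused
    ac.activity(1, now=200)                                 # only session 1 stays active
    results.append(ac.connect("203.0.113.7", now=320)[1])   # idle sessions 2-5 expired
    return results, len(ac.sessions)
```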
Network Device Control Plane
Control plane controls include rate limiting on traffic destined to the device itself (ICMP, ARP, BGP, SSH, SNMP) and core application protocols like DNS in order to defend against denial of service attacks. Traffic to and from unauthorized and invalid networks is blocked. MD5 authentication is used for protocol message exchanges and updates (IGP/LDP/BGP).
Network Device Forwarding Plane
Customer forwarding planes are isolated to their own virtual routing and forwarding (VRF) tables and Layer 2 and/or Layer 3 VPNs. BGP maximum prefix limits as well as limits on the maximum number of physical (MAC) addresses are used to protect resources and defend against denial of service attacks.
Equinix does not perform any compression or de-duplication of data packets. Equinix does not employ FEC on the Equinix Fabric and uses only flow load balancing, so that there is never any packet re-ordering that would require packet inspection.
Network Edge Infrastructure
All services relating to the Network Edge service have limited open ports, and the hypervisor and orchestration are container-based.
Network Edge Internet Access
All internet-facing traffic passes through the Internet gateway and infrastructure of the Equinix Connect service. This service includes advanced DDoS protection and remote trigger black hole protections.
Only the virtual device can originate a session to the outside world through the provided internet interface, including VPN tunnels between the virtual device and any other location.
Identity and Access Management
Equinix provides customers with identity management capabilities limited to the scope of the ECP and Cloud Exchange Portal. As part of the provisioning process, Equinix creates one primary administrator account for the customer. The primary administrator can then create, modify, disable and delete customer user accounts as needed, including other primary administrators. Primary administrators assign roles and privileges to customer user accounts according to customer needs. Although cloud service providers might provide their own identity and access management systems, they are separate from those offered by ECP.
Application Programming Interfaces (APIs)
Equinix offers a Network Edge API whose functionality includes retrieving information about, and performing operations on, Equinix Fabric ports and virtual connections. Authentication and authorization are accomplished using the OAuth 2.0 standard. Although cloud service providers might provide their own APIs, they are separate from those offered by Equinix.
Access To Customer Data
Equinix does not and shall not access any Network Edge or Equinix Fabric customer transit data either in motion or at rest. As described throughout this document, both physical and logical controls are in place to prevent, monitor and detect any unauthorized party accessing or attempting to access customer transit data.
Equinix Fabric and Network Edge provide direct network connectivity between cloud customers and cloud service providers without accessing, inspecting, manipulating or copying the data. Customers are responsible for securing all aspects of data transiting Equinix Fabric in accordance with their security needs, policies and any applicable regulatory or legal requirements.
Network Edge Configuration Data
Equinix maintains a current build and historical record of the entire configuration of each virtual device launched into service. This includes the device OS and settings, the interface addressing, and other details.
Network Edge Event Data
Equinix maintains an ongoing record of all change management and administrative events that are logged with each device. This includes login and logout successes and failures to the device, portal, and APIs, changes to the configuration made by users or administratively by Equinix orchestration, changes in the status of interfaces and other common events. Users can access this directly from the device or request it from Equinix personnel. At no time is this data associated with user access privilege data (such as a full user name and password).