Link FWaaS to congress for firewall policy validation
FWaaS is a repository for storing and applying security rules that permit or deny network access. Those rules should be validated and then accepted or rejected according to security policy. Since Congress is the engine for policy validation, this blueprint proposes linking FWaaS and Congress. Ideally, Congress would perform two actions:
- Remove any firewall rules that do not comply with the policy.
- Produce some kind of notification that such an action was taken.
Use case:
Large-scale routed networks often have something called the ROD, the "Route of Death". It is the network equivalent of sending something to /dev/null, and it is used to control traffic from bad actors, such as IP addresses that are mounting brute-force password guessing attacks against the Kerberos infrastructure.
To implement something along the same lines, Congress would have a "ROD" policy stating that any firewall rule with an "allow" whose source includes an IP address in <array of malfeasant IP addresses> is forbidden. When Congress detects such a rule, it would remove the rule and create a notification that this action occurred.
I'm not sure how best to specify the "array of malfeasant IP addresses" mentioned above. The best way would be if Congress could pull a specific FWaaS firewall group.
This would need to include some kind of CIDR computation logic. Firewall rules are often expressed in terms of CIDR blocks, like "192.168.0.0/22", which covers the IP addresses 192.168.0.0 through 192.168.3.255. Say there is a firewall rule "allow tcp/22 from 192.168.0.0/22", and the IP address 192.168.1.38 is in the ROD. Congress would need to be able to recognise that 192.168.1.38 is inside the CIDR block 192.168.0.0/22, and therefore that the rule violates the ROD policy.
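The following is an added illustration of the two pieces the blueprint asks for, the CIDR membership builtin and the ROD policy check that removes non-compliant "allow" rules and emits a notification. It is not Congress or FWaaS code: the FirewallRule shape, the function names and the sample rules and ROD addresses are all assumptions constructed for the example. It uses the standard library ipaddress module for the CIDR computation and also handles a mixed IPv4/IPv6 comparison, which is simply treated as "not contained".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    """Simplified FWaaS rule (hypothetical shape): action, service, source CIDR."""
    name: str
    action: str      # "allow" or "deny"
    service: str     # e.g. "tcp/22"
    source: str      # CIDR block, e.g. "192.168.0.0/22"


def cidr_contains(cidr: str, address: str) -> bool:
    """CIDR membership builtin: True when address lies inside cidr.

    strict=False accepts blocks written with host bits set (e.g. 192.168.1.0/22).
    An address of the other IP version (v6 address vs v4 block) is never contained.
    """
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def rod_matches(rule: FirewallRule, rod: List[str]) -> List[str]:
    """ROD addresses that an 'allow' rule would admit; deny rules never violate."""
    if rule.action.lower() != "allow":
        return []
    return [ip for ip in rod if cidr_contains(rule.source, ip)]


def enforce_rod(rules: List[FirewallRule],
                rod: List[str]) -> Tuple[List[FirewallRule], List[str]]:
    """Apply the ROD policy: drop non-compliant allow rules, one notification per removal."""
    kept: List[FirewallRule] = []
    notifications: List[str] = []
    for rule in rules:
        hits = rod_matches(rule, rod)
        if hits:
            notifications.append(
                f"removed rule '{rule.name}' ({rule.action} {rule.service} "
                f"from {rule.source}): admits ROD address(es) {', '.join(hits)}"
            )
        else:
            kept.append(rule)
    return kept, notifications


# Constructed sample data: the blueprint's own example plus two rules that comply.
ROD = ["192.168.1.38", "203.0.113.77"]
RULES = [
    FirewallRule("ssh-from-campus", "allow", "tcp/22", "192.168.0.0/22"),
    FirewallRule("https-from-internal", "allow", "tcp/443", "10.0.0.0/8"),
    FirewallRule("block-campus-ssh", "deny", "tcp/22", "192.168.0.0/22"),
]

if __name__ == "__main__":
    remaining, notes = enforce_rod(RULES, ROD)
    for note in notes:
        print(note)
    print("kept:", [r.name for r in remaining])
```

Running the block removes only "ssh-from-campus", because 192.168.1.38 falls inside 192.168.0.0/22; the deny rule over the same block is left alone since it does not admit anything. A real Congress datasource would feed the ROD list from a FWaaS firewall group rather than a hard-coded list.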
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Nate Johnston
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by:
Whiteboard
Need CIDR logic builtins, which should be easy to add.
Need datasource for FWaaS.