#328 - Firewall Holes Procedural Automation - Final Report

Evaluate and implement a very simple mechanism to automate the annual audit and renewal of user requested firewall holes. Currently there is procedural documentation to follow, but it would be better to at least drive some of this automatically. This could be as simple as just setting reminders on the RT tickets associated with the holes that inform the necessary users that a positive step is required to perpetuate the firewall holes. There may be other things we can do cheaply to automate some of the manual procedure.

The main details of the project can be found on the project page.

What has been implemented

  • An 'iptables' queue has been set up in RT
  • An additional resource - reviewDate - has been added to the ipfilter component (thanks to George)
  • A script, run daily, which extracts ipfilter information to a comma-separated file, including ReviewDate on a Unit basis.
    • The US unit list includes every machine with a firewall hole excluding machines allocated to RAT, Services, Inf and MPU, i.e. it includes US-managed, unallocated and all self-managed machines.
  • A script which subsequently runs for the US machines to create an RT ticket in the ipfilters queue. It includes links to any RT numbers referenced in the machine's profile.
  • A script which can email Units any changes made - run daily.
    • This is being done for Services Unit
  • Nick and Anila now review the ipfilter queue for Support and contact users to confirm that the holes are still required and/or whether they can be restricted in any way, e.g. within @ed.
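As an added illustration (not part of the original report, and not the scripts it describes), the following Python sketches one daily pass of the procedure above: parse the per-unit CSV export, flag machines whose reviewDate is due, pull RT ticket numbers out of the profile comment so the new ticket can link to them, and bucket each machine's holes into the categories used in the breakdown table later on this page. The CSV columns, the `proto/port[/source]` hole notation, the `RT#NNNN` reference format, the rule that http/https takes precedence over ssh when both are present, and the sample rows are all constructed assumptions; the real scripts' formats are not given on the page.

```python
"""Model of the daily firewall-hole audit pass (added example, not the
project's own code).  Column names, hole notation and sample rows are
hypothetical."""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export: one row per machine.  Holes are a
# semicolon-separated list of "proto/port[/source]" (hypothetical format);
# an empty holes field models "ipfilter.h included but no holes defined".
SAMPLE_CSV = """hostname,unit,review_date,holes,profile_comment
alpha,Support,2020-06-01,tcp/80;tcp/443,web server see RT#12345
beta,Support,2021-01-15,tcp/22/129.215.0.0/16,ssh for admins RT#23456 and RT#23457
gamma,Services,2020-05-20,tcp/22;udp/161,monitoring host
delta,Support,2020-07-10,,ipfilter.h included but no holes
"""

RT_REF = re.compile(r"RT#(\d+)")          # hypothetical reference syntax in profiles
HTTP_PORTS = {"tcp/80", "tcp/443"}
SSH_PORT = "tcp/22"


def load_holes(text):
    """Parse the CSV export into dicts with parsed holes, review date and RT refs."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["holes"] = [h for h in row["holes"].split(";") if h]
        row["review_date"] = date.fromisoformat(row["review_date"])
        row["rt_refs"] = RT_REF.findall(row["profile_comment"])
        rows.append(row)
    return rows


def classify(holes):
    """Bucket a machine's holes into the categories used in the report table.

    Assumed rule: any http/https hole puts the machine in an http bucket,
    otherwise any ssh hole puts it in an ssh bucket, otherwise 'others'."""
    if not holes:
        return "none"
    svc = {"/".join(h.split("/")[:2]) for h in holes}   # drop the source part
    others = svc - HTTP_PORTS - {SSH_PORT}
    if svc & HTTP_PORTS:
        return "http/https only" if svc <= HTTP_PORTS else "http/https + others"
    if SSH_PORT in svc:
        return "ssh only" if not others else "ssh + others"
    return "others"


def due_for_review(rows, today, window_days=30):
    """Machines with at least one hole whose review date is within the window."""
    cutoff = today + timedelta(days=window_days)
    return [r for r in rows if r["holes"] and r["review_date"] <= cutoff]


def ticket_text(row):
    """Body of the RT ticket raised for a machine whose holes are up for renewal."""
    lines = [
        f"Annual firewall hole review for {row['hostname']} ({row['unit']})",
        f"Review date: {row['review_date'].isoformat()}",
        "Holes: " + ", ".join(row["holes"]),
    ]
    for ref in row["rt_refs"]:
        lines.append(f"Related: RT#{ref}")   # cross-link tickets named in the profile
    lines.append("Please confirm these holes are still required, "
                 "or whether they can be restricted (e.g. to @ed).")
    return "\n".join(lines)


def breakdown(rows):
    """Per-unit counts by category; the 'none' bucket is the '+ N' figure in the report."""
    out = {}
    for r in rows:
        unit = out.setdefault(r["unit"], {})
        cat = classify(r["holes"])
        unit[cat] = unit.get(cat, 0) + 1
    return out


if __name__ == "__main__":
    rows = load_holes(SAMPLE_CSV)
    for r in due_for_review(rows, date(2020, 5, 18)):
        print(ticket_text(r), end="\n\n")
    print(breakdown(rows))
```

Running the block as a script prints a ticket body for each machine due within 30 days of 18 May 2020 and then the per-unit category counts; in a real deployment the ticket body would be handed to RT rather than printed.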

Firewall position June 2020

  • The breakdown of machines with firewall holes:
    • Support - 57 (+6 where ipfilter.h included but no holes defined)
    • Services - 70 (+5 where ipfilter.h included but no holes defined)
    • RAT - 46 (+4 where ipfilter.h included but no holes defined)
    • Inf - 39
    • MPU - 18 (+1 where ipfilter.h included but no holes defined)
    • Total - 230

This is only a small decrease since the project started.

The breakdown of firewall holes is as follows:

| Unit           | http/https only | http/https + others | ssh only | ssh + others | others | total |
| User Support   | 11              | 25                  | 7        | 6            | 8      | 57    |
| Services       | 36              | 12                  | 2        | 0            | 20     | 70    |
| RAT            | 8               | 3                   | 0        | 1            | 18     | 46    |
| Infrastructure | 3               | 9                   | 0        | 18           | 9      | 39    |
| MPU            | 8               | 3                   | 0        | 3            | 4      | 18    |

Total effort for the project = 35.5 days

-- AlisonDownie - 18 May 2020

Topic revision: r2 - 11 Jun 2020 - 14:33:23 - AlisonDownie
