Link FWaaS to Congress for firewall policy validation

Registered by Nate Johnston on 2016-09-28

FWaaS is a repository for storing and applying firewall rules that permit or deny network access. Each rule should be validated against security policy and accepted or rejected accordingly. Since Congress is the engine for policy validation, this blueprint proposes linking FWaaS and Congress. Ideally, Congress would perform two actions:

- Remove any firewall rules that do not comply with the policy.
- Produce some kind of notification that such an action was taken.

Use case:

Large-scale routed networks often have something called the ROD, the "Route of Death". It is the network equivalent of sending something to /dev/null, and it is used to control traffic from bad actors, such as IP addresses that are mounting brute-force password-guessing attacks against the Kerberos infrastructure.

To implement something along the same lines, Congress would have a "ROD" policy stating that any firewall rule whose "allow" covers an IP address in <array of malfeasant IP addresses> is forbidden. When Congress detects such a rule, it would remove the rule and create a notification that this action occurred.

I'm not sure how best to specify the "array of malfeasant IP addresses" mentioned above. The best way would be if Congress could pull a specific FWaaS firewall group.

This would need to include some kind of CIDR computation logic. Firewall rules are often expressed in terms of CIDR blocks, such as "192.168.0.0/22", which covers IP addresses 192.168.0.0 through 192.168.3.255. Suppose there is a firewall rule saying "allow tcp/22 from 192.168.0.0/22", and the IP address 192.168.1.38 is in the ROD. Congress would need to be able to recognise that 192.168.1.38 is inside the CIDR block 192.168.0.0/22, so a plain equality match on addresses is not enough.
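The check described above, worked through as an added example (this is not Congress or FWaaS code, and the FirewallRule shape, the function names and the sample rules and ROD entries are all constructed assumptions). It covers both the "ROD" policy from the use case (remove offending allow rules, emit a notification) and the CIDR containment logic: ROD entries may be single addresses or whole blocks, so the test is overlap rather than membership, mixed IPv4/IPv6 never matches, deny rules are never flagged, and an "allow from 0.0.0.0/0" rule is correctly reported because it admits the blocklisted addresses too.

```python
"""Check FWaaS-style allow rules against a "Route of Death" (ROD) blocklist.

Added example, not Congress or FWaaS code. The rule shape, function names
and sample data below are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class FirewallRule:
    """Minimal stand-in for an FWaaS firewall rule (hypothetical shape)."""
    id: str
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    source_cidr: str       # e.g. "192.168.0.0/22"
    dest_port: Optional[int] = None


def to_network(text: str) -> IPNetwork:
    """Parse "192.168.1.38" or "192.168.0.0/22" into a network object.

    A bare address becomes a /32 (or /128). strict=False tolerates host bits
    set below the mask, e.g. "192.168.1.38/22", which real rule data contains.
    """
    return ipaddress.ip_network(text, strict=False)


def cidr_contains(cidr: str, address: str) -> bool:
    """True when address lies inside cidr: the builtin Congress would need."""
    net = to_network(cidr)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net


def cidr_overlaps(a: str, b: str) -> bool:
    """True when two CIDR blocks share at least one address.

    A ROD entry may itself be a block, so membership of one address is not
    enough; an IPv4 block never overlaps an IPv6 block.
    """
    na, nb = to_network(a), to_network(b)
    return na.version == nb.version and na.overlaps(nb)


def find_violations(rules, rod) -> List[Tuple[FirewallRule, str]]:
    """Return (rule, rod_entry) pairs where an allow rule admits a ROD entry.

    Deny rules are never violations, even when they name a ROD address.
    """
    hits = []
    for rule in rules:
        if rule.action.lower() != "allow":
            continue
        for entry in rod:
            if cidr_overlaps(rule.source_cidr, entry):
                hits.append((rule, entry))
                break  # one matching entry is enough to flag the rule
    return hits


def enforce_rod_policy(rules, rod):
    """Drop violating rules and produce one notification line per removal."""
    violations = find_violations(rules, rod)
    removed_ids = {rule.id for rule, _ in violations}
    kept = [r for r in rules if r.id not in removed_ids]
    notes = [
        f"ROD policy: removed rule {rule.id} "
        f"(allow {rule.protocol}/{rule.dest_port} from {rule.source_cidr}) "
        f"because it admits blocklisted {entry}"
        for rule, entry in violations
    ]
    return kept, notes


# Constructed sample data, not taken from any real deployment.
SAMPLE_ROD = ["192.168.1.38", "203.0.113.0/24", "2001:db8:1::5"]
SAMPLE_RULES = [
    FirewallRule("r1", "allow", "tcp", "192.168.0.0/22", 22),  # contains 192.168.1.38
    FirewallRule("r2", "deny", "any", "192.168.1.38/32"),      # deny rule: fine
    FirewallRule("r3", "allow", "tcp", "10.0.0.0/8", 443),     # no ROD address inside
    FirewallRule("r4", "allow", "tcp", "0.0.0.0/0", 22),       # allow-all admits ROD too
    FirewallRule("r5", "allow", "tcp", "2001:db8::/32", 22),   # v6 block around the v6 entry
]

if __name__ == "__main__":
    kept_rules, notifications = enforce_rod_policy(SAMPLE_RULES, SAMPLE_ROD)
    for line in notifications:
        print(line)
    print("kept:", [r.id for r in kept_rules])
```

Running the sample removes r1, r4 and r5 and keeps r2 and r3. The overlap test, rather than a per-address membership test, is what lets a ROD entry like "203.0.113.0/24" catch a narrower allow such as "203.0.113.128/25".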

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Nate Johnston
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Need CIDR logic builtins, which should be easy to add.
Need datasource for FWaaS.

(?)

Work Items
