Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorize and implement WAF in GovCloud for cloud.gov control plane #1311

Closed
8 tasks
spgreenberg opened this issue Mar 4, 2020 · 12 comments
Closed
8 tasks
Assignees
Labels
compliance Compliance, security, and accessibility issues SCR Significant Change Request (SCR) involving comms with the FedRAMP JAB TRs - external dependency

Comments

@spgreenberg
Copy link
Contributor

spgreenberg commented Mar 4, 2020

See: Malicious Traffic Protection doc for details.

Originally named: "Create and authorize WAF in GovCloud for API and customer apps" - renaming to: Authorize and implement WAF in GovCloud for cloud.gov control plane

We are not implementing customer WAF at the ALB level, as we can't pick rules that would free from impacting them.

Desired outcomes:

  • We can filter unsophisticated malicious actors and DOS traffic from the control plane
    • We recognize that sophisticated or state-sponsored actors may be using novel attacks and using IPs that are domestic and not necessarily recognized by AWS having a poor reputation
  • We can block particular traffic that should be internal-only, e.g. related to sandbox sign-up.

Implementation sketch

  • Make a plan
  • Remove app.cloud.gov from cf domains
  • Disaggregate *.fr.cloud.gov and *.app.cloud.gov traffic
  • Submit SCR to JAB
  • Add WAF rules to app ALB in COUNT mode, monitor
  • Switch to BLOCK mode
@spgreenberg spgreenberg self-assigned this Mar 4, 2020
@pburkholder pburkholder self-assigned this Apr 27, 2020
@pburkholder
Copy link
Contributor

I'm starting the SCR work for this since we have some rules already in place we need to document.

@pburkholder pburkholder changed the title Create and implement control plane WAF Create and authorize WAF in GovCloud for API and customer apps Apr 27, 2020
@pburkholder pburkholder added compliance Compliance, security, and accessibility issues contractor-1-security SCR Significant Change Request (SCR) involving comms with the FedRAMP JAB TRs - external dependency labels Apr 27, 2020
@pburkholder
Copy link
Contributor

The rules are going to take a lot of hashing out as customer impact will be hard to gauge, and I don't know if one can get any insight into what the details are of the AWS-managed rulesets.

@pburkholder
Copy link
Contributor

@spgreenberg Could you review the SCR at https://docs.google.com/document/d/1roNkZwfMZhxWwY9J9GYXatHm0YyBP-e4SP3i6mpg8oE/edit# or is there another engineer more appropriate for that? I'm happy to jump on a call discuss.

@eddietejeda are you OK with signing the above SCR? If we can get it over to FedRAMP this afternoon it removes the potential for another week's wait.

@spgreenberg
Copy link
Contributor Author

@pburkholder Everything looks good except for one clarification. DDOS protection is provided by AWS Shield. Unfortunately, I don't see Shield on the Fedramp list but I believe GSA is using Shield elsewhere.

@pburkholder
Copy link
Contributor

I added DDOS as even a naive WAF will blunt some of the impact of a DDOS, which we saw ourselves with the me6 incident. But removing it from the SCR reduces the # of updates to make, leaves us a better case for shield down the line, and we still have the benefit.

@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps Create and authorize WAF in GovCloud for API and customer apps (5/7) Apr 30, 2020
@spgreenberg
Copy link
Contributor Author

I have pinged Marcus as managed rulesets don't show up in GovCloud yet despite the interface being updated to v2. I will report back as soon as I hear from him.

@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps (5/7) Create and authorize WAF in GovCloud for API and customer apps (5/11) May 7, 2020
@pburkholder
Copy link
Contributor

I have feedback from JAB that I need to respond to. Unblocking while I do so.

@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps (5/11) Create and authorize WAF in GovCloud for API and customer apps May 12, 2020
@pburkholder pburkholder changed the title Create and authorize WAF in GovCloud for API and customer apps Create and authorize WAF in GovCloud for API and customer apps (5/29) May 28, 2020
@pburkholder
Copy link
Contributor

Moving to blocked today to lower WIP while I complete work before 3PAO starts secrets assessment.

@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps (5/29) Create and authorize WAF in GovCloud for API and customer apps (6/3) Jun 1, 2020
@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps (6/3) Create and authorize WAF in GovCloud for API and customer apps (6/11) Jun 4, 2020
@karareinsel karareinsel changed the title Create and authorize WAF in GovCloud for API and customer apps (6/11) Create and authorize WAF in GovCloud for API and customer apps Jun 16, 2020
@pburkholder pburkholder changed the title Create and authorize WAF in GovCloud for API and customer apps Authorize and implement WAF in GovCloud for cloud.gov control plane Jun 18, 2020
@pburkholder
Copy link
Contributor

I started a new SCR but I'm stuck until we determine how we'll disentangle our customer and control plane traffic, particularly WRT to the CloudFront routing. The https://github.com/cloud-gov/private/issues/171 work needs to move forward first.

@mheadd mheadd changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane Authorize and implement WAF in GovCloud for cloud.gov control plane (6/22) Jun 18, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (6/22) Authorize and implement WAF in GovCloud for cloud.gov control plane (6/29) Jun 22, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (6/29) Authorize and implement WAF in GovCloud for cloud.gov control plane (7/6) Jun 29, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (7/6) Authorize and implement WAF in GovCloud for cloud.gov control plane (7/13) Jun 29, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (7/13) Authorize and implement WAF in GovCloud for cloud.gov control plane (7/20) Jul 13, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (7/20) Authorize and implement WAF in GovCloud for cloud.gov control plane (8/7) Jul 27, 2020
@spgreenberg
Copy link
Contributor Author

We can start with the AWS Managed Core Rule Set described as: "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications."

Additionally, it appears Terraform has added support for WAF v2 managed rulesets: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. We should be able to manage this in cg-provision. I am looking at this in detail now.

@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (8/7) Authorize and implement WAF in GovCloud for cloud.gov control plane Dec 15, 2020
@pburkholder
Copy link
Contributor

pburkholder commented Dec 15, 2020 via email

@spgreenberg
Copy link
Contributor Author

The terraform provider requires TF v 0.13 or greater. We are currently on v0.11 and therefore are pausing on this so we can discuss options as a team.

@spgreenberg spgreenberg changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/6) Dec 30, 2020
@karareinsel karareinsel changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/6) Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/20) Jan 6, 2021
@mheadd mheadd changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/20) Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/25) Jan 20, 2021
@mheadd mheadd changed the title Authorize and implement WAF in GovCloud for cloud.gov control plane (BLOCKED 1/25) Authorize and implement WAF in GovCloud for cloud.gov control plane Jan 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
compliance Compliance, security, and accessibility issues SCR Significant Change Request (SCR) involving comms with the FedRAMP JAB TRs - external dependency
Projects
None yet
Development

No branches or pull requests

3 participants