-
Notifications
You must be signed in to change notification settings - Fork 87
Firewall Change Requests
For all apps, there is usually an ingress and an egress. See each repo for what ingress systems may be in place, but all apps should use the https://github.com/GSA/cg-egress-proxy for egress...
Refer to our firewall rules request form for an overview. Knowing the existing Data.gov subnets can be useful.
- Go to https://servicedesk.gsa.gov
- Go to
Order Something - Select
Firewall Change Request(FCR) - For System POC, choose Hyon
- For Service/Staff Office, choose "Federal Acquisition Services"
- For Fisma System, choose "FAS Cloud Service (FCS)". ISSO and ISSM should auto populate.
- Fill out the details and click "Add"
The FCR has approval workflows built in, which include a supervisor as well as ISSO contact that will need to approve the ticket.
In the "additional comments" section, add a note that these are Trend Micro rules which requires some special handling on the SecOps side.
As for APP --> APP and WEB --> APP, that's terminology used to represent the tiers. Usually (there are rare exceptions) that there are 3 tiers, which are WEB, APP, and DB. They flow of access is usually (again there are rare exceptions) from WEB --> APP --> DB as well as laterally from WEB --> WEB, APP--> APP, and DB --> DB. So, essentially, WEB can make a connection to WEB or APP, APP can make a connection to APP or DB, and DB can only make a connection to DB. WEB typically doesn't talk directly to DB (has to go to APP first) and traffic can't flow backward (i.e. APP cannot make a connection to WEB nor can DB make a connection to APP or WEB).
tcp/8983 is not part of the WEB -> APP rules, the FCR would look like:
SOURCE: 10.xxx.x.xxx, 10.xxx.x.xxx, 10.xxx.x.xx
DESTINATION: 10.xxx.x.xxx
SERVICE: tcp/8983