Alef-Burzmali
commented
6 months ago Thank you for your suggestions. I certainly need to improve the readme.
For dataflows, you used to be able to use the native Service object as source or destination (via a Object Alias), but I found it to be too limiting. A service represents a listening TCP, UDP or SCTP port. You can't represent other protocols (IPSEC? ICMP?), and you can't represent a source because it is (most often) not listening. E.g.: if you want to represent an application connecting to its database, the database listener can be easily represented by a service, but not the application, unless you misrepresent it somehow (I previously used TCP port 1 when I tried to do it with services).
Regarding object aliases, they are due to technical limitations of being a plugin (I'm not allowed to modify the native NetBox models, for good reasons) and the need to have ManyToMany relationships with GenericForeignKey (to be able to support IP Addresses, Prefixes and Ranges), which are simply not supported by Django as far as I know (hence the underlying hidden ObjectAliasTarget model). It's not possible to select directly a Device or Virtual Machine as these can have several interfaces and IP addresses, with different purposes, so you need to select to the corresponding IP (it could work with services too I suppose).
If there is a strong demand for them, I may add Service back as a possible type for object aliases, but then I would need to address what it means to have a service as a source, or how to handle a dataflow with a protocol or port different than the service.
To give you a better idea of how I use my plugin, here are three examples:
- Connection from a PAM jumphost to different other devices. I have an Application corresponding to the technology (e.g.: CyberArk, Wallix, whatever), a Object Alias "PAM servers" containing the IPs of the jumphosts), several Object Aliases containing the IPs of the managed servers (e.g.: Windows servers, Linux servers, Network devices, etc.), and dataflows corresponding to each management protocols, e.g.: "PAM SSH to Linux servers", with source "PAM servers", destination "Linux servers", TCP/22. Several Dataflow Groups regroup them by environments.
- Monitoring of everything by some monitoring servers. An Application corresponding to the technology (e.g. Nagios/Zabbix/your pick), Object Alias "Monitoring servers" containing the IPs of the scanners, and several object aliases containing the IP prefixes or ranges of the different environments. Some dataflows from "Monitoring servers" to the different "ranges" for the generic monitoring and discovery (e.g.: one for ICMP Echo Request, one for TCP/22, one for TCP/3389, etc.), and several specific dataflows for the ports used for specific devices identified by their IP (e.g.: SNMP only for network devices, TCP/443 for some web applications).
- Access to internet by a web proxy appliance. Again, a specific application, a dataflow for TCP/80, TCP/443 and what you want to allow. The source is an Object Alias containing the IP of the proxy device, but for the destination I use an empty Object Alias named "Internet".
In the examples above, Services could be used as destination instead of IP Addresses for TCP, UDP or SCTP dataflows, but when it is ICMP or IPSEC, or when the destination is generic ranges/prefixes, then that does not work.
alehaa
Came across your plugin in the netbox slack today. This has promise but I'd like to make some suggestions:
When you spend time on a plugin, there is obviously a desire to solve a problem. I look forward to seeing more details here.