The automateD nETwork pERimeter thREat pRevention System (DETERRERS) is a tool for decentralized network administration. It automates workflows at the network perimeter, e.g., automatic scanning for vulnerabilities and automatic configuration of perimeter firewall policies.
From time to time it seems to happen that users activate profiles in DETERRERS which are never committed to the actual firewall. This is a critical problem since users are misled about what the firewall is set to. They cannot identify that the firewall rules are incorrect.
The only way to identify the incorrectly set firewall is to run into actual errors in production and then investigate by checking if ports are blocked from outside the network but not from inside. This is tedious work for technicians and causes issues for end users.
DETERRERS should either use transactions, only setting a profile when it is guaranteed that it has been set correctly in the firewall.
If this is hard, an alternative would be to go for eventual consistency: mark the profile change as pending and update this state once the firewall has been updated. This process should be repeated, and the actual firewall state checked, on a regular basis to avoid the state in DETERRERS and the firewall diverging.
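The two options described above, as an added example that is not DETERRERS' own code: a transactional activation that records a profile only after a read-back from the firewall confirms it, and an eventual-consistency variant with a pending state and a periodic reconciler. The `FakeFirewall`, `ProfileStore` and `SyncState` names are constructed for this example and are not the project's API; the firewall stand-in lets one host reject every apply so the failure path is exercised.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SyncState(str, Enum):
    PENDING = "pending"      # activated in the UI, firewall not yet confirmed
    COMMITTED = "committed"  # firewall verified to hold the desired profile
    DIVERGED = "diverged"    # firewall was found holding something else


@dataclass
class HostProfile:
    host: str
    desired_profile: str
    state: SyncState = SyncState.PENDING
    attempts: int = 0       # how often the reconciler tried to push this profile
    drift_events: int = 0   # how often a committed profile was found changed


class FakeFirewall:
    """Constructed stand-in for the perimeter firewall; hosts in fail_hosts reject every apply()."""

    def __init__(self, fail_hosts=()):
        self._rules: Dict[str, str] = {}
        self._fail_hosts = set(fail_hosts)

    def apply(self, host: str, profile: str) -> bool:
        if host in self._fail_hosts:
            return False
        self._rules[host] = profile
        return True

    def current_profile(self, host: str) -> Optional[str]:
        return self._rules.get(host)

    def change_out_of_band(self, host: str, profile: str) -> None:
        """Simulate a change made directly on the firewall, bypassing the tool."""
        self._rules[host] = profile


class ProfileStore:
    """Hypothetical replacement for the tool's profile state; not DETERRERS code."""

    def __init__(self, firewall: FakeFirewall):
        self.fw = firewall
        self.entries: Dict[str, HostProfile] = {}

    # --- variant 1: transactional activation ---
    def activate_transactional(self, host: str, profile: str) -> HostProfile:
        """Record the profile only after the firewall applied it and a read-back confirms it."""
        if not (self.fw.apply(host, profile) and self.fw.current_profile(host) == profile):
            raise RuntimeError(f"firewall did not accept profile {profile!r} for {host}")
        entry = HostProfile(host, profile, state=SyncState.COMMITTED)
        self.entries[host] = entry
        return entry

    # --- variant 2: eventual consistency ---
    def activate_pending(self, host: str, profile: str) -> HostProfile:
        """Record the wish as PENDING; only reconcile() may promote it to COMMITTED."""
        self.entries[host] = HostProfile(host, profile)
        return self.entries[host]

    def reconcile(self) -> Dict[str, SyncState]:
        """One periodic pass: push pending profiles and re-verify committed ones."""
        for e in self.entries.values():
            if self.fw.current_profile(e.host) == e.desired_profile:
                e.state = SyncState.COMMITTED
                continue
            if e.state == SyncState.COMMITTED:
                e.state = SyncState.DIVERGED  # drift since the last successful check
                e.drift_events += 1
            e.attempts += 1
            pushed = self.fw.apply(e.host, e.desired_profile)
            if pushed and self.fw.current_profile(e.host) == e.desired_profile:
                e.state = SyncState.COMMITTED
        return {h: e.state for h, e in self.entries.items()}

    def unconfirmed(self) -> Dict[str, SyncState]:
        """What the UI should flag instead of silently showing the profile as active."""
        return {h: e.state for h, e in self.entries.items() if e.state != SyncState.COMMITTED}
```

The key property of both variants is that `COMMITTED` is only ever set from a read-back of the firewall, never from the act of submitting the change, so a profile that was never applied stays visibly `PENDING` and an out-of-band change is surfaced on the next reconciliation pass.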