Authorize and implement WAF in GovCloud for cloud.gov control plane

[spgreenberg]

See: Malicious Traffic Protection doc for details.

Originally named: "Create and authorize WAF in GovCloud for API and customer apps" - renaming to: Authorize and implement WAF in GovCloud for cloud.gov control plane

We are not implementing customer WAF at the ALB level, as we can't pick rules that would free from impacting them.

Desired outcomes:

• [ ] We can filter unsophisticated malicious actors and DOS traffic from the control plane
  • We recognize that sophisticated or state-sponsored actors may be using novel attacks and using IPs that are domestic and not necessarily recognized by AWS having a poor reputation
• [ ] We can block particular traffic that should be internal-only, e.g. related to sandbox sign-up.

Implementation sketch

• [ ] Make a plan
• [ ] Remove app.cloud.gov from cf domains
• [ ] Disaggregate .fr.cloud.gov and .app.cloud.gov traffic
• [ ] Submit SCR to JAB
• [ ] Add WAF rules to app ALB in COUNT mode, monitor
• [ ] Switch to BLOCK mode

[pburkholder]

I'm starting the SCR work for this since we have some rules already in place we need to document.

[pburkholder]

• I've asked AWS account reps for wafv2 FedRAMP status, so waiting on that. The fact that wafv2 api enables management of existing WAF makes me think it's all pretty unified and should be good, but would like to get that confirmation.
• I've drafted the SCR at https://docs.google.com/document/d/1roNkZwfMZhxWwY9J9GYXatHm0YyBP-e4SP3i6mpg8oE/edit# -- I need some help on finishing this, could be an opportunity to pair.
• The wafv2 support in Terraform is still not on master: https://github.com/terraform-providers/terraform-provider-aws/pull/12677 so not sure how we'll manage this.

The rules are going to take a lot of hashing out as customer impact will be hard to gauge, and I don't know if one can get any insight into what the details are of the AWS-managed rulesets.

[pburkholder]

@spgreenberg Could you review the SCR at https://docs.google.com/document/d/1roNkZwfMZhxWwY9J9GYXatHm0YyBP-e4SP3i6mpg8oE/edit# or is there another engineer more appropriate for that? I'm happy to jump on a call discuss.

@eddietejeda are you OK with signing the above SCR? If we can get it over to FedRAMP this afternoon it removes the potential for another week's wait.

[spgreenberg]

@pburkholder Everything looks good except for one clarification. DDOS protection is provided by AWS Shield. Unfortunately, I don't see Shield on the Fedramp list but I believe GSA is using Shield elsewhere.

[pburkholder]

I added DDOS as even a naive WAF will blunt some of the impact of a DDOS, which we saw ourselves with the me6 incident. But removing it from the SCR reduces the # of updates to make, leaves us a better case for shield down the line, and we still have the benefit.

[spgreenberg]

I have pinged Marcus as managed rulesets don't show up in GovCloud yet despite the interface being updated to v2. I will report back as soon as I hear from him.

[pburkholder]

I have feedback from JAB that I need to respond to. Unblocking while I do so.

[pburkholder]

Moving to blocked today to lower WIP while I complete work before 3PAO starts secrets assessment.

[pburkholder]

I started a new SCR but I'm stuck until we determine how we'll disentangle our customer and control plane traffic, particularly WRT to the CloudFront routing. The https://github.com/cloud-gov/private/issues/171 work needs to move forward first.

[spgreenberg]

We can start with the AWS Managed Core Rule Set described as: "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications."

Additionally, it appears Terraform has added support for WAF v2 managed rulesets: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. We should be able to manage this in cg-provision. I am looking at this in detail now.

[pburkholder]

Ooooh -- terraform support opens the door to brokered support 😍

On Mon, Dec 14, 2020 at 6:24 PM Steve Greenberg notifications@github.com wrote:

We can start with the AWS Managed Core Rule Set described as: "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications."

Additionally, it appears Terraform has added support for WAF v2 managed rulesets: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. We should be able to manage this in cg-provision. I am looking at this in detail now.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/cloud-gov/product/issues/1311#issuecomment-744792690, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJHWCW7A6L635NOSR3YJRLSU2NCTANCNFSM4LBOTBJQ .

--

*Peter Burkholder | *cloud.gov https://cloud.gov compliance & security please use cloud-gov-compliance@gsa.gov for cloud.gov matters

202-709-2028 <(202)%20209-2028> | peter.burkholder@gsa.gov peter.burkholder@gsa.gov

| pronouns he-him https://www.mypronouns.org/he-him Free/Busy Calendar https://calendar.google.com/calendar/embed?src=peter.burkholder@gsa.gov

[spgreenberg]

The terraform provider requires TF v 0.13 or greater. We are currently on v0.11 and therefore are pausing on this so we can discuss options as a team.