oasis-tcs / openc2-apsc-stateless-packet-filter

OASIS OpenC2 TC: A GitHub repository is to provide configuration management and to aid in the development of the first generation OpenC2 firewall profile
https://github.com/oasis-tcs/openc2-apsc-stateless-packet-filter

Support for Google Cloud Platform #139

Open alevere opened 3 years ago

alevere commented 3 years ago

Google Cloud Platform provides a stateful packet filter that operates as if at the network or interface(s) of a virtual machine. To support rules more fully, we would need to both support tags and service accounts (and maybe implicit all) for both source and destination. It would be better supported if network was also supported.

Fields needed:
- tag: string
- service account: string
- all instances: boolean
- network: string
- priority: int 0-65535

Example 1: Deny 1.1.1.1
action: deny, ipv4_net: 1.1.1.1
gcp command(s):
    gcloud compute firewall-rules create testfw --action deny --rules all --direction ingress --source-ranges 1.1.1.1
    gcloud compute firewall-rules create testfw1 --action deny --rules all --direction egress --destination-ranges 1.1.1.1
Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 2: Allow 2.2.2.2 ingress
gcp command(s):
    gcloud compute firewall-rules create testfw2 --action allow --rules all --direction ingress --source-ranges 2.2.2.2
Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 3: Allow dst port 33 for TCP
gcp command(s):
    gcloud compute firewall-rules create testfw3 --action allow --rules tcp:33 --direction ingress
    gcloud compute firewall-rules create testfw4 --action allow --rules tcp:33 --direction egress
Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 4: Deny src=4.4.4.4, dst=5.5.5.5, dport=443, dir:egress
gcp command(s): n/a
Works? No, you cannot specify ipv4 addresses as both source AND destination in GCP.
error: Should not specify destination range for ingress direction.

What does GCP support for specifying if not ipv4 addresses?
- All instances on the network
- Tags
- Service Accounts

Vasileios-Mavroeidis commented 3 years ago

Good job.

Let me summarize GCP properties:

- direction: ingress and egress (default is ingress)
- priority: 0 to 65535
- action: allow or deny
- enforcement status: enabled or disabled (default is enabled)
- target: all instances, network tags, service accounts
- protocol
- port
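The mapping sketched in the four examples above, together with the property summary in this comment, can be checked mechanically before anything is sent to gcloud. The following is an added example (not code from this issue, the OpenC2 TC or the SLPF profile): it turns an OpenC2-style command dict (action, target `ipv4_net` or `ipv4_connection`, `args.direction`) into `gcloud compute firewall-rules create` arguments and rejects the combinations GCP does not accept, in particular a source range on an egress rule or a destination range on an ingress rule, which is what Example 4 runs into. The priority range, the target kinds (network tags, service accounts) and the `--network` flag come from the comments above; the rule-name suffixes, the `"both"` direction shorthand, and the assumption that a rule uses either tags or service accounts but not both are mine.

```python
# Added example (not project code): OpenC2 SLPF-style command -> gcloud argv,
# enforcing the GCP constraints recorded in this issue.
import shlex

VALID_ACTIONS = {"allow", "deny"}
VALID_DIRECTIONS = {"ingress", "egress"}
PRIORITY_MIN, PRIORITY_MAX = 0, 65535  # range given in the issue


def build_gcloud_rule(name, action, direction="ingress", src_net=None, dst_net=None,
                      protocol=None, dst_port=None, priority=1000, network="default",
                      target_tags=None, target_service_accounts=None):
    """Return the argv list for one firewall rule, or raise ValueError."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be allow or deny, got {action!r}")
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be ingress or egress, got {direction!r}")
    if not (PRIORITY_MIN <= int(priority) <= PRIORITY_MAX):
        raise ValueError(f"priority must be in {PRIORITY_MIN}-{PRIORITY_MAX}")
    # GCP ties the address range to the direction: ingress rules match on
    # --source-ranges only, egress rules on --destination-ranges only. A rule
    # carrying both (Example 4) is rejected here instead of by gcloud.
    if direction == "ingress" and dst_net is not None:
        raise ValueError("Should not specify destination range for ingress direction.")
    if direction == "egress" and src_net is not None:
        raise ValueError("egress rules take --destination-ranges, not a source range")
    if target_tags and target_service_accounts:
        # Assumption: one targeting mechanism per rule.
        raise ValueError("use either target tags or target service accounts, not both")

    if protocol and dst_port is not None:
        rules = f"{protocol}:{dst_port}"   # e.g. tcp:33 as in Example 3
    elif protocol:
        rules = protocol
    else:
        rules = "all"                      # no protocol/port: match everything

    argv = ["gcloud", "compute", "firewall-rules", "create", name,
            "--action", action, "--rules", rules, "--direction", direction,
            "--priority", str(priority), "--network", network]
    if src_net:
        argv += ["--source-ranges", src_net]
    if dst_net:
        argv += ["--destination-ranges", dst_net]
    if target_tags:
        argv += ["--target-tags", ",".join(target_tags)]
    if target_service_accounts:
        argv += ["--target-service-accounts", ",".join(target_service_accounts)]
    return argv


def translate(cmd, name, **gcp_opts):
    """Map one OpenC2 command dict to a list of gcloud argv lists.

    Targets: ipv4_net (address/CIDR) or ipv4_connection (src_addr, dst_addr,
    dst_port, protocol). args.direction is ingress, egress or both; "both"
    emits one rule per direction with a -ingress/-egress name suffix (my choice).
    """
    action, target = cmd["action"], cmd["target"]
    direction = cmd.get("args", {}).get("direction", "ingress")
    directions = ["ingress", "egress"] if direction == "both" else [direction]
    out = []
    for d in directions:
        rule_name = f"{name}-{d}" if direction == "both" else name
        if "ipv4_net" in target:
            net = target["ipv4_net"]
            out.append(build_gcloud_rule(
                rule_name, action, d,
                src_net=net if d == "ingress" else None,
                dst_net=net if d == "egress" else None, **gcp_opts))
        elif "ipv4_connection" in target:
            c = target["ipv4_connection"]
            out.append(build_gcloud_rule(
                rule_name, action, d, src_net=c.get("src_addr"),
                dst_net=c.get("dst_addr"), protocol=c.get("protocol"),
                dst_port=c.get("dst_port"), **gcp_opts))
        else:
            raise ValueError(f"unsupported target: {sorted(target)}")
    return out


def render(argv):
    """Shell-quote an argv list for display or an audit log."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Example 1, scoped to a network tag so it no longer hits every VM in the VPC.
    for argv in translate({"action": "deny", "target": {"ipv4_net": "1.1.1.1"},
                           "args": {"direction": "both"}}, "testfw", target_tags=["web"]):
        print(render(argv))
    # Example 4: src and dst on one egress rule is refused before gcloud runs.
    try:
        translate({"action": "deny", "args": {"direction": "egress"},
                   "target": {"ipv4_connection": {"src_addr": "4.4.4.4", "dst_addr": "5.5.5.5",
                                                  "dst_port": 443, "protocol": "tcp"}}}, "testfw5")
    except ValueError as e:
        print("rejected:", e)
```

Running it prints the two gcloud invocations for Example 1 (ingress with `--source-ranges`, egress with `--destination-ranges`, both limited by `--target-tags web`) and then the rejection for Example 4; an OpenC2 actuator built this way can report the failure back in its response instead of letting gcloud fail mid-sequence.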