brooklyn-dev mailing list archives

From Geoff Macartney <geoff.macart...@cloudsoftcorp.com>
Subject Re: [PROPOSAL] Disable Automatic Open Ports
Date Tue, 05 Jan 2016 10:18:06 GMT
Hi Graeme,

+1 to that. My 2 cents: I strongly agree with your point about doing security configuration
explicitly.  Behaviours like leaving open default ports or accounts are a common cause of
breaches, and this Brooklyn feature seems to pose similar risks.

Geoff

————————————————————
Gnu PGP key - http://is.gd/TTTTuI


> On 5 Jan 2016, at 10:07, Graeme Miller <graeme.miller@cloudsoftcorp.com> wrote:
> 
> Hello,
> 
> Just before the new year, I discovered an interesting feature of Brooklyn.
> If an Entity has config with a name ending in "port" that can be coerced to
> a PortRange then Brooklyn will automatically open that port range in the
> firewall.
> 
> So, for example, if you have the following in YAML for an app deployed to
> AWS:
> 
> brooklyn.config:
>  kibana.elasticsearch.port: 9200
>  kibana.port: 5601
> 
> Then Brooklyn will open both 9200 and 5601 by adding them to a security
> group and authorising all traffic to use those ports.
> 
> I would like to propose that we disable this feature. The primary reason
> for this is that when developing a secure system, any security
> configuration should be explicit, rather than automatic. This is to ensure
> that there are no accidental security mis-configurations (number 5
> <https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration> on
> the OWASP top 10 security problems)
> 
> It is too easy to be unaware of Brooklyn's automatic port opening and
> accidentally expose a port you would have otherwise kept secret. The above
> YAML example is from a piece of code where this has happened. This YAML was
> for a Kibana deployment. The developer wanted to open kibana.port to listen
> on, and also to have a configurable elasticsearch.port it can send traffic
> to. However, because of the automatic port opening, the elasticsearch.port
> was also opened on the Kibana instance.
> 
> The upside to removing this is that there will no longer be ports that are
> accidentally opened. The downside is that YAML config files will be more
> verbose, requiring the developer to explicitly open the ports (i.e. by
> adding the required.ports config).
> 
> What are your thoughts?
> 
> Regards,
> Graeme
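
An added example, not part of the original thread and not Brooklyn's own code: a small audit that lists which `brooklyn.config` keys the behaviour described in the quoted message would open, minus the ones a reviewer has marked as intended. The matching rule (case-insensitive name suffix "port"; value is a single port, `low-high` or `low+`), the function names and the sample blueprint are assumptions.

```python
import re

# Assumption: a value "coerces to a PortRange" if it is a single port,
# "low-high" or "low+". Brooklyn's real coercion rules may differ.
_PORT_VALUE = re.compile(r"^\d{1,5}(-\d{1,5}|\+)?$")

# Constructed blueprint: the two keys from the email plus one non-port key.
SAMPLE = """\
services:
- type: example.KibanaNode
  brooklyn.config:
    kibana.elasticsearch.port: 9200
    kibana.port: 5601
    install.version: 4.1.1
"""

def parse_brooklyn_config(yaml_text):
    """Collect flat `key: value` pairs nested under `brooklyn.config:`.
    Minimal line parser for this audit, not a general YAML parser."""
    config, block_indent = {}, None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "brooklyn.config:":
            block_indent = indent
        elif block_indent is not None and indent > block_indent and ":" in stripped:
            key, _, value = stripped.partition(":")
            config[key.strip()] = value.strip().strip("'\"")
        else:
            block_indent = None  # dedent: the config block has ended
    return config

def auto_opened_ports(config):
    """Keys the described rule would open: name ends in 'port', value is port-like."""
    return {k: v for k, v in config.items()
            if k.lower().endswith("port") and _PORT_VALUE.match(v)}

def audit(yaml_text, intended):
    """Auto-opened keys that are NOT in the reviewer's set of intended inbound ports."""
    opened = auto_opened_ports(parse_brooklyn_config(yaml_text))
    return {k: v for k, v in opened.items() if k not in intended}

if __name__ == "__main__":
    for key, value in audit(SAMPLE, intended={"kibana.port"}).items():
        print(f"unintended inbound rule: {key} = {value}")
```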

