brooklyn-dev mailing list archives

From Geoff Macartney <>
Subject Re: [PROPOSAL] Disable Automatic Open Ports
Date Tue, 05 Jan 2016 10:18:06 GMT
hi Graeme,

+1 to that.  My 2 cents: I strongly agree with your point about doing security configuration
explicitly.  Behaviours like leaving open default ports or accounts are a common cause of
breaches, and this Brooklyn feature seems to pose similar risks.


Gnu PGP key -

> On 5 Jan 2016, at 10:07, Graeme Miller <> wrote:
> Hello,
> Just before the new year, I discovered an interesting feature of Brooklyn.
> If an Entity has config with a name ending in "port" that can be coerced to
> a PortRange then Brooklyn will automatically open that port range in the
> firewall.
> So, for example, if you have the following in YAML for an app deployed to
> AWS:
> brooklyn.config:
>  kibana.elasticsearch.port: 9200
>  kibana.port: 5601
> Then Brooklyn will open both 9200 and 5601 by adding them to a security
> group and authorising all traffic to use those ports.
> I would like to propose that we disable this feature. The primary reason
> for this is that when developing a secure system, any security
> configuration should be explicit, rather than automatic. This is to ensure
> that there are no accidental security mis-configurations (number 5
> <> on
> the OWASP top 10 security problems)
> It is too easy to be unaware of Brooklyn's automatic port opening and
> accidentally expose a port you would have otherwise kept secret. The above
> YAML example is from a piece of code where this has happened. This YAML was
> for a Kibana deployment. The developer wanted to open kibana.port to listen
> on, and also to have a configurable elasticsearch.port it can send traffic
> to. However, because of the automatic port opening, the elasticsearch.port
> was also opened on the Kibana instance.
> The upside to removing this is that there will no longer be ports that are
> accidentally opened. The downside is that YAML config files will be more
> verbose, requiring the developer to explicitly open the ports (i.e. by
> adding the required.ports config).
> What are your thoughts?
> Regards,
> Graeme
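
The rule Graeme describes (any brooklyn.config key whose name ends in "port" and whose value coerces to a PortRange gets opened in the security group) is easy to check for before a blueprint is deployed. The script below is an added example written for this thread, not Brooklyn code: it pulls the flat brooklyn.config block out of a blueprint, lists the keys the implicit rule would act on, and reports those not also declared in required.ports. Assumptions, all labelled in the code: the PortRange grammar is approximated as "N", "N-M" and "N+"; the "port" suffix match is taken as case-insensitive; required.ports is read as a comma-separated list, since the thread does not show its exact syntax; and the config extractor handles only the simple key: value shape quoted above, not general YAML. The two blueprints are constructed, modelled on the Kibana case.

```python
"""
Audit a Brooklyn YAML blueprint for ports that the implicit rule
(config key ending in "port" whose value coerces to a PortRange) would open,
and flag any that are not also declared explicitly via required.ports.
Example code for this discussion; not part of Brooklyn.
"""
import re
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]

# ASSUMPTION: approximation of Brooklyn's PortRange string coercion:
# "9200", "9200-9210", "9200+" (open-ended, capped here at 65535).
_RANGE_RE = re.compile(r"^\s*(\d{1,5})\s*(?:-\s*(\d{1,5})|(\+))?\s*$")


def coerce_port_range(value) -> Optional[PortRange]:
    """Return (lo, hi) if value looks like a port or port range, else None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return (value, value) if 0 < value <= 65535 else None
    if not isinstance(value, str):
        return None
    m = _RANGE_RE.match(value)
    if not m:
        return None
    lo = int(m.group(1))
    if m.group(3):            # "N+"
        hi = 65535
    elif m.group(2):          # "N-M"
        hi = int(m.group(2))
    else:                     # "N"
        hi = lo
    return (lo, hi) if 0 < lo <= hi <= 65535 else None


def parse_brooklyn_config(yaml_text: str) -> Dict[str, str]:
    """Minimal extractor for a flat `brooklyn.config:` block of key: value lines.
    ASSUMPTION: not a YAML parser; enough for the blueprint shape in the thread."""
    config: Dict[str, str] = {}
    block_indent = None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if line.strip() == "brooklyn.config:":
                block_indent = indent
            continue
        if indent <= block_indent:
            break             # left the brooklyn.config block
        key, sep, val = line.strip().partition(":")
        if sep:
            config[key.strip()] = val.strip().strip("\"'")
    return config


def implicitly_opened(config: Dict[str, str]) -> Dict[str, PortRange]:
    """Keys the implicit rule acts on: name ends in 'port' (ASSUMPTION: case-
    insensitive) and the value coerces to a PortRange."""
    opened: Dict[str, PortRange] = {}
    for key, val in config.items():
        if key.lower().endswith("port"):
            rng = coerce_port_range(val)
            if rng is not None:
                opened[key] = rng
    return opened


def declared_ports(config: Dict[str, str]) -> List[PortRange]:
    """Ports opened explicitly via required.ports.
    ASSUMPTION: read as a comma-separated list of ports/ranges."""
    raw = config.get("required.ports", "")
    ranges = []
    for part in raw.strip("[]").split(","):
        rng = coerce_port_range(part)
        if rng is not None:
            ranges.append(rng)
    return ranges


def undeclared_exposures(yaml_text: str) -> Dict[str, PortRange]:
    """Ports opened only by the implicit rule: the accidental-exposure candidates."""
    config = parse_brooklyn_config(yaml_text)
    declared = declared_ports(config)
    return {
        key: rng for key, rng in implicitly_opened(config).items()
        if not any(lo <= rng[0] and rng[1] <= hi for lo, hi in declared)
    }


# Constructed blueprints modelled on the Kibana case from the thread.
IMPLICIT_ONLY_BLUEPRINT = """\
name: kibana
location: aws-ec2:us-east-1
services:
- type: kibana
  brooklyn.config:
    kibana.elasticsearch.port: 9200
    kibana.port: 5601
"""

EXPLICIT_BLUEPRINT = IMPLICIT_ONLY_BLUEPRINT + "    required.ports: 5601\n"

if __name__ == "__main__":
    for name, text in (("implicit-only", IMPLICIT_ONLY_BLUEPRINT),
                       ("explicit", EXPLICIT_BLUEPRINT)):
        print(name, "-> undeclared:", undeclared_exposures(text))
```

Run against the first blueprint both 9200 and 5601 are reported, which is exactly the Kibana case: the Elasticsearch port is meant as a destination, yet it is opened on the Kibana instance. Adding required.ports: 5601 leaves only kibana.elasticsearch.port flagged, which is the review signal you want regardless of whether the implicit rule is eventually removed.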
