cve-dashboard/docs/operations/card-prod-archer-firewall-request.md
# Firewall Exception Request — CARD Production API Access
## Request Summary
| Field | Value |
|-------|-------|
| **Requesting Team** | NTS-AEO-STEAM |
| **Application** | STEAM Security Dashboard (CVE vulnerability management) |
| **Source Hosts** | `dashboard-dev` (`71.85.90.9`, dev/test), `dashboard-prod` (`71.85.90.6`, production) |
| **Destination Host** | `card.charter.com` (`47.43.51.7`; CNAME: `card.g.charter.com`) |
| **Destination Port** | `443/TCP` (HTTPS) |
| **Protocol** | HTTPS (TLS 1.2+), REST API (JSON) |
| **Direction** | Outbound from `71.85.90.9` to `47.43.51.7:443` |
| **Service Account** | `svc-jira-cn-projects` (already onboarded with CARD team) |
| **Traffic Log** | `card-prod-firewall-traffic-log.log` (attached) |
---
## Business Justification
The STEAM Security Dashboard manages vulnerability findings for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. The dashboard integrates with the CARD (Charter Asset Registry & Discovery) API to:
1. **Look up asset ownership** — determine which team owns a given IP/device
2. **Confirm/Decline/Redirect assets** — manage asset ownership disposition directly from the vulnerability queue
3. **Search team assets** — find Granite equipment IDs for assets that need to be re-onboarded after BU reassignment

The CARD UAT instance (`card.caas.stage.charterlab.com`) is already accessible from both servers and the integration is fully tested. Production access is required to operate against live asset data. Both the production server (`71.85.90.6`) and dev/test server (`71.85.90.9`) need access.
---
## Traffic Profile
### Endpoints Accessed
| Method | Path | Purpose | Frequency |
|--------|------|---------|-----------|
| `POST` | `/api/v1/auth/get_token` | OAuth token acquisition (Basic Auth) | ~1/hour (cached) |
| `GET` | `/api/v1/teams` | List CARD teams for dropdown menus | ~1/session (cached) |
| `GET` | `/api/v1/team/{name}/assets` | Search assets by team and disposition | On-demand (user action) |
| `GET` | `/api/v1/owner/{assetId}` | Look up asset owner record + update_token | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/confirm` | Confirm asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/decline` | Decline asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/{team}/redirect` | Redirect asset between teams | On-demand (user action) |
### Traffic Characteristics
- **Volume:** Low — estimated 50 to 200 API calls per day during active use
- **Pattern:** Interactive, user-driven. No batch jobs or scheduled syncs
- **Payload:** JSON request/response bodies, typically < 10KB per call
- **Authentication:** OAuth Bearer tokens acquired via Basic Auth (service account credentials)
- **TLS:** Standard HTTPS, TLS 1.2 or higher
- **No inbound traffic required** — all connections are outbound from the dashboard server
### Existing Approved Connections (same source servers)
| Destination | IP | Port | Status | From |
|-------------|-----|------|--------|------|
| `jira-uat.charter.com` | `142.136.123.17` | `443/TCP` | ✅ Active | Both |
| `card.caas.stage.charterlab.com` | `65.185.232.89` | `443/TCP` | ✅ Active | Both |
| `atlas-infosec.caas.charterlab.com` | (internal) | `443/TCP` | ✅ Active | Both |
| `platform4.risksense.com` | (external) | `443/TCP` | ✅ Active | Both |
---
## Firewall Rules Requested
### Rule 1 — Production Server
| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.6` (dashboard-prod) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |
### Rule 2 — Dev/Test Server
| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.9` (dashboard-dev) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |
---
## Traffic Log Reference
Five connection attempts were generated on **2026-04-30** from `71.85.90.9` to `card.charter.com:443` to create firewall deny log entries for verification. These should appear as dropped/rejected TCP SYN packets in the firewall logs.
| # | Timestamp (UTC) | Source | Destination | Port | Endpoint | Result |
|---|-----------------|--------|-------------|------|----------|--------|
| 1 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v1/auth/get_token` | TIMEOUT |
| 2 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/teams` | TIMEOUT |
| 3 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/owner/{assetId}` | TIMEOUT |
| 4 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/team/{name}/assets` | TIMEOUT |
| 5 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v2/owner/{assetId}/confirm` | TIMEOUT |
**Control test:** Same server successfully connected to `card.caas.stage.charterlab.com:443` (65.185.232.89) — HTTP 405, connect time 0.065s.
Full verbose curl output for each attempt is in the attached `card-prod-firewall-traffic-log.log`.
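The verification probe described above, as an added example that is not part of the request or of the dashboard's own code: one TCP handshake per listed endpoint against the production IP plus the UAT control host, classified so that a silently dropped SYN (the expected pre-approval result) is distinguished from an explicit reject or a successful connect. The 5 s timeout, the `connector` injection hook and the source-IP label are assumptions; the hosts, port and endpoint paths are taken from the request.

```python
import socket
import time
from datetime import datetime, timezone

# Constructed from the request: production destination, UAT control host and the five
# endpoints probed for the traffic log. The 5 s timeout is an assumption.
CARD_PROD = ("47.43.51.7", 443)       # card.charter.com
CARD_UAT = ("65.185.232.89", 443)     # card.caas.stage.charterlab.com (control)
CONNECT_TIMEOUT = 5.0
ENDPOINTS = [("POST", "/api/v1/auth/get_token"), ("GET", "/api/v1/teams"),
             ("GET", "/api/v1/owner/{assetId}"), ("GET", "/api/v1/team/{name}/assets"),
             ("POST", "/api/v2/owner/{assetId}/confirm")]

def classify_connect(host, port, timeout=CONNECT_TIMEOUT, connector=socket.create_connection):
    """One TCP handshake, classified: a silently dropped SYN (firewall DROP) is TIMEOUT,
    an RST (firewall REJECT) is REFUSED, success is CONNECTED. `connector` is an
    injection hook (assumption) so the probe can be exercised offline."""
    start = time.monotonic()
    try:
        connector((host, port), timeout=timeout).close()
        result = "CONNECTED"
    except (socket.timeout, TimeoutError):
        result = "TIMEOUT"
    except ConnectionRefusedError:
        result = "REFUSED"
    except OSError as exc:  # no route, DNS failure, etc.
        result = "ERROR:" + type(exc).__name__
    return result, round(time.monotonic() - start, 3)

def probe_endpoints(endpoints, host, port, source_ip="71.85.90.9", **kw):
    """One probe per endpoint so each yields its own deny-log line. The path is only a
    label: with the rule missing the handshake never completes, so no HTTP is sent."""
    rows = []
    for method, path in endpoints:
        result, elapsed = classify_connect(host, port, **kw)
        rows.append({"timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M"),
                     "source": source_ip, "destination": host, "port": port,
                     "endpoint": f"{method} {path}", "result": result, "elapsed": elapsed})
    return rows

def pre_approval_expected(prod_rows, control_result):
    """Before the rule exists every production attempt must TIMEOUT and the UAT control
    must CONNECT; any other combination does not prove a firewall drop."""
    return (bool(prod_rows) and all(r["result"] == "TIMEOUT" for r in prod_rows)
            and control_result == "CONNECTED")

if __name__ == "__main__":
    prod = probe_endpoints(ENDPOINTS, *CARD_PROD)
    control, secs = classify_connect(*CARD_UAT)
    print(f"prod={[r['result'] for r in prod]} control={control} ({secs}s) ok={pre_approval_expected(prod, control)}")
```

Run it from the dashboard host before the rule exists to reproduce the five TIMEOUT rows, and again after approval, when every production row should flip to CONNECTED.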
---
## Contact
| Role | Name | Details |
|------|------|---------|
| Requesting Engineer | Jordan Ramos | NTS-AEO-STEAM |
| CARD API Onboarding | (CARD team contact) | Service account `svc-jira-cn-projects` already approved |