# Firewall Exception Request — CARD Production API Access

## Request Summary

| Field | Value |
|-------|-------|
| **Requesting Team** | NTS-AEO-STEAM |
| **Application** | STEAM Security Dashboard (CVE vulnerability management) |
| **Source Hosts** | `dashboard-dev` — `71.85.90.9` (dev/test), `dashboard-prod` — `71.85.90.6` (production) |
| **Destination Host** | `card.charter.com` — `47.43.51.7` (CNAME: `card.g.charter.com`) |
| **Destination Port** | `443/TCP` (HTTPS) |
| **Protocol** | HTTPS (TLS 1.2+), REST API (JSON) |
| **Direction** | Outbound from `71.85.90.9` → `47.43.51.7:443` |
| **Service Account** | `svc-jira-cn-projects` (already onboarded with CARD team) |
| **Traffic Log** | `card-prod-firewall-traffic-log.log` (attached) |

---

## Business Justification

The STEAM Security Dashboard manages vulnerability findings for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. The dashboard integrates with the CARD (Charter Asset Registry & Discovery) API to:

1. **Look up asset ownership** — determine which team owns a given IP/device
2. **Confirm/Decline/Redirect assets** — manage asset ownership disposition directly from the vulnerability queue
3. **Search team assets** — find Granite equipment IDs for assets that need to be re-onboarded after BU reassignment

The CARD UAT instance (`card.caas.stage.charterlab.com`) is already accessible from both servers and the integration is fully tested. Production access is required to operate against live asset data. Both the production server (`71.85.90.6`) and the dev/test server (`71.85.90.9`) need access.

---

## Traffic Profile

### Endpoints Accessed

| Method | Path | Purpose | Frequency |
|--------|------|---------|-----------|
| `POST` | `/api/v1/auth/get_token` | OAuth token acquisition (Basic Auth) | ~1/hour (cached) |
| `GET` | `/api/v1/teams` | List CARD teams for dropdown menus | ~1/session (cached) |
| `GET` | `/api/v1/team/{name}/assets` | Search assets by team and disposition | On-demand (user action) |
| `GET` | `/api/v1/owner/{assetId}` | Look up asset owner record + update_token | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/confirm` | Confirm asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/decline` | Decline asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/{team}/redirect` | Redirect asset between teams | On-demand (user action) |

### Traffic Characteristics

- **Volume:** Low — estimated 50–200 API calls per day during active use
- **Pattern:** Interactive, user-driven. No batch jobs or scheduled syncs
- **Payload:** JSON request/response bodies, typically < 10KB per call
- **Authentication:** OAuth Bearer tokens acquired via Basic Auth (service account credentials)
- **TLS:** Standard HTTPS, TLS 1.2 or higher
- **No inbound traffic required** — all connections are outbound from the dashboard server

### Existing Approved Connections (same source servers)

| Destination | IP | Port | Status | From |
|-------------|-----|------|--------|------|
| `jira-uat.charter.com` | `142.136.123.17` | `443/TCP` | ✅ Active | Both |
| `card.caas.stage.charterlab.com` | `65.185.232.89` | `443/TCP` | ✅ Active | Both |
| `atlas-infosec.caas.charterlab.com` | (internal) | `443/TCP` | ✅ Active | Both |
| `platform4.risksense.com` | (external) | `443/TCP` | ✅ Active | Both |

---

## Firewall Rules Requested

### Rule 1 — Production Server

| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.6` (dashboard-prod) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |

### Rule 2 — Dev/Test Server

| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.9` (dashboard-dev) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |

---

## Traffic Log Reference

Five connection attempts were generated on **2026-04-30** from `71.85.90.9` to `card.charter.com:443` to create firewall deny log entries for verification. These should appear as dropped/rejected TCP SYN packets in the firewall logs.

| # | Timestamp (UTC) | Source | Destination | Port | Endpoint | Result |
|---|-----------------|--------|-------------|------|----------|--------|
| 1 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v1/auth/get_token` | TIMEOUT |
| 2 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/teams` | TIMEOUT |
| 3 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/owner/{assetId}` | TIMEOUT |
| 4 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/team/{name}/assets` | TIMEOUT |
| 5 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v2/owner/{assetId}/confirm` | TIMEOUT |

**Control test:** The same server successfully connected to `card.caas.stage.charterlab.com:443` (65.185.232.89) — HTTP 405, connect time 0.065s.

Full verbose curl output for each attempt is in the attached `card-prod-firewall-traffic-log.log`.

---

## Contact

| Role | Name | Details |
|------|------|---------|
| Requesting Engineer | Jordan Ramos | NTS-AEO-STEAM |
| CARD API Onboarding | (CARD team contact) | Service account `svc-jira-cn-projects` already approved |
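The Traffic Log Reference section lists the connection attempts that should show up as deny entries. A firewall reviewer normally checks two things before approving: that every deny entry from the requesting hosts in the test window is explained by one of the requested rules (so the rules are scoped no wider than the observed traffic), and that every requested rule actually has deny evidence behind it. The script below is an added example, not part of this request or of the STEAM or CARD tooling; it parses constructed deny-log lines in an assumed `<ts> DENY <proto> <src>:<sport> -> <dst>:<dport>` layout (the real vendor format will differ) and reconciles them against Rule 1 and Rule 2 as stated above. With this request's values it reports that Rule 1 (the production host `71.85.90.6`) has no supporting deny entries, since the attempts were generated from the dev host only, and it separates out a constructed stray entry to an unrelated destination.

```python
"""Reconcile firewall deny-log entries with the rules requested in a
firewall exception, so the rule set approved is no wider than the
traffic actually observed. Added example; the log layout is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    """One requested outbound ALLOW rule (any ephemeral source port)."""
    name: str
    src: str
    dst: str
    port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class DenyEvent:
    """One parsed deny-log entry."""
    ts: datetime
    proto: str
    src: str
    dst: str
    port: int


# The two rules from this request (Rule 1 = prod, Rule 2 = dev/test).
REQUESTED_RULES = [
    Rule("Rule 1 (dashboard-prod)", "71.85.90.6", "47.43.51.7", 443),
    Rule("Rule 2 (dashboard-dev)", "71.85.90.9", "47.43.51.7", 443),
]

# Constructed sample deny-log lines (NOT the attached log). Five lines mirror
# the five curl attempts from 71.85.90.9; the last line is a constructed
# stray connection to an unrelated destination to show what "unexplained"
# traffic looks like.
SAMPLE_DENY_LOG = """\
2026-04-30T16:35:12Z DENY TCP 71.85.90.9:51422 -> 47.43.51.7:443
2026-04-30T16:35:14Z DENY TCP 71.85.90.9:51423 -> 47.43.51.7:443
2026-04-30T16:35:16Z DENY TCP 71.85.90.9:51424 -> 47.43.51.7:443
2026-04-30T16:36:02Z DENY TCP 71.85.90.9:51425 -> 47.43.51.7:443
2026-04-30T16:36:05Z DENY TCP 71.85.90.9:51426 -> 47.43.51.7:443
2026-04-30T16:36:40Z DENY TCP 71.85.90.9:51427 -> 198.51.100.23:8443
"""

# Assumed line layout; adapt this regex to the firewall vendor's real format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_deny_log(text: str) -> list:
    """Parse deny lines; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append(DenyEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            proto=m["proto"], src=m["src"], dst=m["dst"], port=int(m["port"]),
        ))
    return events


def rule_matches(rule: Rule, ev: DenyEvent) -> bool:
    """True when the deny entry is exactly the 3-tuple + protocol the rule would allow."""
    return (ev.src == rule.src and ev.dst == rule.dst
            and ev.port == rule.port and ev.proto == rule.proto)


def reconcile(events, rules, window=None) -> dict:
    """Split deny events into those a requested rule explains, those from the
    requesting hosts that no rule explains (scope question for the reviewer),
    and list rules that have no deny evidence at all. `window` is an optional
    (start, end) datetime pair limiting the events considered."""
    sources = {r.src for r in rules}
    if window is not None:
        start, end = window
        events = [e for e in events if start <= e.ts <= end]
    covered, unexplained = [], []
    evidence = {r.name: 0 for r in rules}
    for ev in events:
        hit = next((r for r in rules if rule_matches(r, ev)), None)
        if hit is not None:
            covered.append(ev)
            evidence[hit.name] += 1
        elif ev.src in sources:
            unexplained.append(ev)
    without = [r for r in rules if evidence[r.name] == 0]
    return {"covered": covered, "unexplained": unexplained,
            "rules_without_evidence": without}


if __name__ == "__main__":
    result = reconcile(parse_deny_log(SAMPLE_DENY_LOG), REQUESTED_RULES)
    print(f"covered by a requested rule: {len(result['covered'])}")
    for ev in result["unexplained"]:
        print(f"UNEXPLAINED: {ev.src} -> {ev.dst}:{ev.port} at {ev.ts:%H:%M:%S}Z")
    for r in result["rules_without_evidence"]:
        print(f"NO EVIDENCE: {r.name} ({r.src} -> {r.dst}:{r.port})")
```

Run against the real export of `card-prod-firewall-traffic-log.log` correlated with the firewall's own deny log, an empty `unexplained` list and an empty `rules_without_evidence` list is the state a reviewer wants before approving both rules; a populated `rules_without_evidence` entry for the production host is the expected outcome here until equivalent attempts are generated from `71.85.90.6`.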