Firewall Exception Request — CARD Production API Access
Request Summary
| Field | Value |
| --- | --- |
| Requesting Team | NTS-AEO-STEAM |
| Application | STEAM Security Dashboard (CVE vulnerability management) |
| Source Hosts | dashboard-dev — 71.85.90.9 (dev/test), dashboard-prod — 71.85.90.6 (production) |
| Destination Host | card.charter.com — 47.43.51.7 (CNAME: card.g.charter.com) |
| Destination Port | 443/TCP (HTTPS) |
| Protocol | HTTPS (TLS 1.2+), REST API (JSON) |
| Direction | Outbound from 71.85.90.9 → 47.43.51.7:443 |
| Service Account | svc-jira-cn-projects (already onboarded with CARD team) |
| Traffic Log | card-prod-firewall-traffic-log.log (attached) |
Business Justification
The STEAM Security Dashboard manages vulnerability findings for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. The dashboard integrates with the CARD (Charter Asset Registry & Discovery) API to:
- Look up asset ownership — determine which team owns a given IP/device
- Confirm/Decline/Redirect assets — manage asset ownership disposition directly from the vulnerability queue
- Search team assets — find Granite equipment IDs for assets that need to be re-onboarded after BU reassignment
The CARD UAT instance (card.caas.stage.charterlab.com) is already accessible from both servers and the integration is fully tested. Production access is required to operate against live asset data. Both the production server (71.85.90.6) and dev/test server (71.85.90.9) need access.
Traffic Profile
Endpoints Accessed
| Method | Path | Purpose | Frequency |
| --- | --- | --- | --- |
| POST | /api/v1/auth/get_token | OAuth token acquisition (Basic Auth) | ~1/hour (cached) |
| GET | /api/v1/teams | List CARD teams for dropdown menus | ~1/session (cached) |
| GET | /api/v1/team/{name}/assets | Search assets by team and disposition | On-demand (user action) |
| GET | /api/v1/owner/{assetId} | Look up asset owner record + update_token | On-demand (user action) |
| POST | /api/v2/owner/{assetId}/confirm | Confirm asset ownership | On-demand (user action) |
| POST | /api/v2/owner/{assetId}/decline | Decline asset ownership | On-demand (user action) |
| POST | /api/v2/owner/{assetId}/{team}/redirect | Redirect asset between teams | On-demand (user action) |
Traffic Characteristics
- Volume: Low — estimated 50–200 API calls per day during active use
- Pattern: Interactive, user-driven. No batch jobs or scheduled syncs
- Payload: JSON request/response bodies, typically < 10KB per call
- Authentication: OAuth Bearer tokens acquired via Basic Auth (service account credentials)
- TLS: Standard HTTPS, TLS 1.2 or higher
- No inbound traffic required — all connections are outbound from the dashboard server
Existing Approved Connections (same source servers)
| Destination | IP | Port | Status | From |
| --- | --- | --- | --- | --- |
| jira-uat.charter.com | 142.136.123.17 | 443/TCP | ✅ Active | Both |
| card.caas.stage.charterlab.com | 65.185.232.89 | 443/TCP | ✅ Active | Both |
| atlas-infosec.caas.charterlab.com | (internal) | 443/TCP | ✅ Active | Both |
| platform4.risksense.com | (external) | 443/TCP | ✅ Active | Both |
Firewall Rules Requested
Rule 1 — Production Server
| Parameter | Value |
| --- | --- |
| Action | ALLOW |
| Source IP | 71.85.90.6 (dashboard-prod) |
| Source Port | Ephemeral (any) |
| Destination IP | 47.43.51.7 |
| Destination Port | 443 |
| Protocol | TCP |
| Direction | Outbound |
Rule 2 — Dev/Test Server
| Parameter | Value |
| --- | --- |
| Action | ALLOW |
| Source IP | 71.85.90.9 (dashboard-dev) |
| Source Port | Ephemeral (any) |
| Destination IP | 47.43.51.7 |
| Destination Port | 443 |
| Protocol | TCP |
| Direction | Outbound |
Traffic Log Reference
Five connection attempts were generated on 2026-04-30 from 71.85.90.9 to card.charter.com:443 to create firewall deny log entries for verification. These should appear as dropped/rejected TCP SYN packets in the firewall logs.
| # | Timestamp (UTC) | Source | Destination | Port | Endpoint | Result |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | POST /api/v1/auth/get_token | TIMEOUT |
| 2 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | GET /api/v1/teams | TIMEOUT |
| 3 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | GET /api/v1/owner/{assetId} | TIMEOUT |
| 4 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | GET /api/v1/team/{name}/assets | TIMEOUT |
| 5 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | POST /api/v2/owner/{assetId}/confirm | TIMEOUT |
Control test: Same server successfully connected to card.caas.stage.charterlab.com:443 (65.185.232.89) — HTTP 405, connect time 0.065s.
Full verbose curl output for each attempt is in the attached card-prod-firewall-traffic-log.log.
Contact
| Role | Name | Details |
| --- | --- | --- |
| Requesting Engineer | Jordan Ramos | NTS-AEO-STEAM |
| CARD API Onboarding | (CARD team contact) | Service account svc-jira-cn-projects already approved |