jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b9fa1281a9fca5f4086986735551cd2803c3e37d
cve-dashboard/docs/operations/card-prod-archer-firewall-request.md

117 lines
5.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Firewall Exception Request — CARD Production API Access
## Request Summary
| Field | Value |
|-------|-------|
| **Requesting Team** | NTS-AEO-STEAM |
| **Application** | STEAM Security Dashboard (CVE vulnerability management) |
| **Source Hosts** | `dashboard-dev``71.85.90.9` (dev/test), `dashboard-prod``71.85.90.6` (production) |
| **Destination Host** | `card.charter.com``47.43.51.7` (CNAME: `card.g.charter.com`) |
| **Destination Port** | `443/TCP` (HTTPS) |
| **Protocol** | HTTPS (TLS 1.2+), REST API (JSON) |
| **Direction** | Outbound from `71.85.90.9``47.43.51.7:443` |
| **Service Account** | `svc-jira-cn-projects` (already onboarded with CARD team) |
| **Traffic Log** | `card-prod-firewall-traffic-log.log` (attached) |
---
## Business Justification
The STEAM Security Dashboard manages vulnerability findings for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. The dashboard integrates with the CARD (Charter Asset Registry & Discovery) API to:
1. **Look up asset ownership** — determine which team owns a given IP/device
2. **Confirm/Decline/Redirect assets** — manage asset ownership disposition directly from the vulnerability queue
3. **Search team assets** — find Granite equipment IDs for assets that need to be re-onboarded after BU reassignment
The CARD UAT instance (`card.caas.stage.charterlab.com`) is already accessible from both servers and the integration is fully tested. Production access is required to operate against live asset data. Both the production server (`71.85.90.6`) and dev/test server (`71.85.90.9`) need access.
---
## Traffic Profile
### Endpoints Accessed
| Method | Path | Purpose | Frequency |
|--------|------|---------|-----------|
| `POST` | `/api/v1/auth/get_token` | OAuth token acquisition (Basic Auth) | ~1/hour (cached) |
| `GET` | `/api/v1/teams` | List CARD teams for dropdown menus | ~1/session (cached) |
| `GET` | `/api/v1/team/{name}/assets` | Search assets by team and disposition | On-demand (user action) |
| `GET` | `/api/v1/owner/{assetId}` | Look up asset owner record + update_token | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/confirm` | Confirm asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/decline` | Decline asset ownership | On-demand (user action) |
| `POST` | `/api/v2/owner/{assetId}/{team}/redirect` | Redirect asset between teams | On-demand (user action) |
### Traffic Characteristics
- **Volume:** Low — estimated 50200 API calls per day during active use
- **Pattern:** Interactive, user-driven. No batch jobs or scheduled syncs
- **Payload:** JSON request/response bodies, typically < 10KB per call
- **Authentication:** OAuth Bearer tokens acquired via Basic Auth (service account credentials)
- **TLS:** Standard HTTPS, TLS 1.2 or higher
- **No inbound traffic required** — all connections are outbound from the dashboard server
### Existing Approved Connections (same source servers)
| Destination | IP | Port | Status | From |
|-------------|-----|------|--------|------|
| `jira-uat.charter.com` | `142.136.123.17` | `443/TCP` | ✅ Active | Both |
| `card.caas.stage.charterlab.com` | `65.185.232.89` | `443/TCP` | ✅ Active | Both |
| `atlas-infosec.caas.charterlab.com` | (internal) | `443/TCP` | ✅ Active | Both |
| `platform4.risksense.com` | (external) | `443/TCP` | ✅ Active | Both |
---
## Firewall Rules Requested
### Rule 1 — Production Server
| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.6` (dashboard-prod) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |
### Rule 2 — Dev/Test Server
| Parameter | Value |
|-----------|-------|
| **Action** | ALLOW |
| **Source IP** | `71.85.90.9` (dashboard-dev) |
| **Source Port** | Ephemeral (any) |
| **Destination IP** | `47.43.51.7` |
| **Destination Port** | `443` |
| **Protocol** | `TCP` |
| **Direction** | Outbound |
---
## Traffic Log Reference
Five connection attempts were generated on **2026-04-30** from `71.85.90.9` to `card.charter.com:443` to create firewall deny log entries for verification. These should appear as dropped/rejected TCP SYN packets in the firewall logs.
| # | Timestamp (UTC) | Source | Destination | Port | Endpoint | Result |
|---|-----------------|--------|-------------|------|----------|--------|
| 1 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v1/auth/get_token` | TIMEOUT |
| 2 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/teams` | TIMEOUT |
| 3 | 2026-04-30 ~16:35 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/owner/{assetId}` | TIMEOUT |
| 4 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `GET /api/v1/team/{name}/assets` | TIMEOUT |
| 5 | 2026-04-30 ~16:36 | 71.85.90.9 | 47.43.51.7 | 443 | `POST /api/v2/owner/{assetId}/confirm` | TIMEOUT |
**Control test:** Same server successfully connected to `card.caas.stage.charterlab.com:443` (65.185.232.89) — HTTP 405, connect time 0.065s.
Full verbose curl output for each attempt is in the attached `card-prod-firewall-traffic-log.log`.
---
## Contact
| Role | Name | Details |
|------|------|---------|
| Requesting Engineer | Jordan Ramos | NTS-AEO-STEAM |
| CARD API Onboarding | (CARD team contact) | Service account `svc-jira-cn-projects` already approved |
Reference in New Issue View Git Blame Copy Permalink