A software solution, whether hosted on-premise or in the cloud, cannot go live without negotiating the front-line firewalls. Raising port opening requests to the customer-side infrastructure security (infosec) team is a routine task on every on-premise or cloud project, and it can become a hard one: unless the purpose and the direction of each port are justified, the application may never get the gate pass it needs to reach a server and receive a response. Unless the solution design complies with the basic security requirements of the infrastructure, approaching the infosec team is a bad idea. This write-up presents a scenario that appeared as a blocker for project execution.
Scenario:
Project deployment was in progress and, in parallel, the team was waiting for approval of its port opening requests. Two of the requests, among several others, were denied for the following reasons:
1. The request was raised for the media proxy's transport layer ports, i.e. for UDP/TCP ports, without stating the application layer protocol.
2. The request was for an outbound connection from the Application Zone (enterprise network) to the DMZ.
Reason for Denial of Request #1:
The perimeter was protected by an application-aware firewall (the team referred to it as a web application firewall, WAF; strictly speaking a WAF inspects only HTTP(S), and a device that recognises SMTP, SIP and other protocols is doing the application identification of a next-generation firewall). Every packet that passes through it is deep-inspected and allowed only if its application layer protocol can be determined, e.g. HTTP, SMTP or SIP. When a request states only the transport layer protocol (UDP/TCP) without the application layer protocol, the firewall cannot be configured with the protocol signature it should look for in the packet exchange. Hence the request was denied by the infosec team.
Reason for Denial of Request #2:
Outbound connections from the Application Zone to the DMZ are assessed strictly because the Application Zone is where the database resides, and it is the zone that costs the most if the infrastructure and business data are compromised. There is always a risk that an application hosted in the Application Zone successfully opens an outbound connection to a remote host somewhere on the internet and uses it as a tunnel for data theft; an egress exception towards the DMZ is one step along that path, so it has to be justified per host, port and protocol.
Resolution:
- STUN was declared as the application layer protocol for the requested ports, so the firewall could be configured with a protocol signature instead of an open transport layer port.
- A packet trace (tcpdump) of the outbound request was produced as evidence of exactly which host, port and protocol the exception had to cover, and the firewall exception was configured from it.
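To make denial #1 and the STUN resolution concrete, here is an added example (not part of the original write-up, and not the firewall vendor's code) of what an application-aware firewall actually checks before it can attach a STUN signature to an otherwise opaque UDP port: the fixed 20-byte header, the magic cookie and a message length consistent with the datagram, as defined in RFC 5389. It builds a Binding Request and a Binding Success Response, classifies a constructed RTP datagram as "unknown" (so media on the same port range is not mistaken for STUN), and decodes the XOR-MAPPED-ADDRESS that a media proxy learns its public address from. The sample packets and addresses (203.0.113.x) are constructed for the example; the firewall configuration syntax itself is vendor specific and not shown.

```python
"""Identify STUN (RFC 5389) on a plain UDP port, as an application-aware
firewall must before it can allow a 'STUN' exception rather than 'UDP/3478'.
Added example; the media proxy is assumed to speak standard STUN."""
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Binding Request with no attributes: type, attr length 0, cookie, 12-byte txid."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("STUN transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def build_binding_success(transaction_id, mapped_ip, mapped_port):
    """Binding Success Response carrying an IPv4 XOR-MAPPED-ADDRESS attribute."""
    cookie = struct.pack("!I", STUN_MAGIC_COOKIE)
    xaddr = bytes(a ^ c for a, c in zip(socket.inet_aton(mapped_ip), cookie))
    xport = mapped_port ^ (STUN_MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBH", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport) + xaddr
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + transaction_id + attr


def classify_udp_payload(payload):
    """Return 'stun' only for a well-formed STUN message, otherwise 'unknown'."""
    if len(payload) < STUN_HEADER_LEN:
        return "unknown"
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:                 # top two bits of the type are always zero
        return "unknown"
    if cookie != STUN_MAGIC_COOKIE:       # fixed value that separates STUN from RTP/RTCP
        return "unknown"
    if msg_len % 4 or len(payload) != STUN_HEADER_LEN + msg_len:
        return "unknown"                  # attributes are 4-byte padded and must fill the datagram
    return "stun"


def stun_message_class(payload):
    """Request / indication / success-response / error-response, from bits 4 and 8 of the type."""
    if classify_udp_payload(payload) != "stun":
        return None
    msg_type = struct.unpack("!H", payload[:2])[0]
    cls = ((msg_type >> 7) & 0x2) | ((msg_type >> 4) & 0x1)
    return ("request", "indication", "success-response", "error-response")[cls]


def decode_xor_mapped_address(payload):
    """Walk the attributes and un-XOR the first IPv4 XOR-MAPPED-ADDRESS; None if absent."""
    if classify_udp_payload(payload) != "stun":
        return None
    body = payload[STUN_HEADER_LEN:]
    cookie = struct.pack("!I", STUN_MAGIC_COOKIE)
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(bytes(a ^ c for a, c in zip(value[4:8], cookie)))
            return ip, port
        off += 4 + ((alen + 3) & ~3)      # skip value plus padding to a 4-byte boundary
    return None


# Constructed RTP datagram (version 2, PCMA, seq 1): same port range as the media
# proxy, but the first two bits are 0b10, so it must not be classified as STUN.
SAMPLE_RTP = bytes.fromhex("80080001000003e8deadbeef") + bytes(20)


def triage(packets):
    """packets: list of (label, udp_payload). Returns {label: (classification, stun class)}."""
    return {label: (classify_udp_payload(p), stun_message_class(p)) for label, p in packets}


if __name__ == "__main__":
    txid = os.urandom(12)
    req = build_binding_request(txid)
    resp = build_binding_success(txid, "203.0.113.7", 49152)
    for label, verdict in triage([("request", req), ("response", resp), ("rtp", SAMPLE_RTP),
                                  ("truncated", resp[:-4])]).items():
        print(f"{label:10s} {verdict}")
    print("mapped address:", decode_xor_mapped_address(resp))
```

The "truncated" case is the one that matters for the firewall: a datagram whose header claims more attribute bytes than arrived is rejected rather than passed through as STUN, which is the difference between a protocol signature and a bare port opening.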