[Platformone] [EXT] Re: IATT Way Ahead

Lastrilla, Jet jlastrilla at mitre.org
Wed Dec 18 21:32:05 UTC 2019


All:

Great job to the collective team on getting this done together!

Here are the actions, in order, that need to be completed:
1. Complete AAM build in UP Prod.  Blocker being worked by RH and Gu
2. Colleen scans UP Prod VPC in conjunction with Taylor scanning the VPC
3. Identify delta between testing provided earlier this week and new environment scans
4. Update external interface diagram per Nic's request (no dependencies on others on this list)
5. Send updated IATT package to Nic/Lauren.

Let me know if you have any questions.

R/Jet
619-508-5888

-----Original Message-----
From: Miller, Timothy J. <tmiller at mitre.org> 
Sent: Wednesday, December 18, 2019 2:41 PM
To: DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <roger.dirocco.4 at us.af.mil>; Lastrilla, Jet <jlastrilla at mitre.org>; Kevin O'Donnell <kodonnel at redhat.com>; platformONE at redhat.com
Cc: Tim Gast <tg at braingu.com>; Bubb, Mike <mbubb at mitre.org>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <elijah.tramble.1 at us.af.mil>; tj.zimmerman at braingu.com; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <richard.lopezdeuralde at us.af.mil>; Blade, Eric D [US] (MS) <Eric.Blade at ngc.com>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <jose.ramirez.50.ctr at us.af.mil>; Leonard, Michael C. <leonardm at mitre.org>; Feiglstok, Colleen M [US] (MS) <Colleen.Feiglstok at ngc.com>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <melissa.reinhardt.2 at us.af.mil>
Subject: Re: [Platformone] [EXT] Re: IATT Way Ahead

> • Is Twistlock in runtime in Prod-B (and what about current Prod)?  If 
> not, then it needs to be.  (recommend for RH P1 Team)

Twistlock is deployed in up-prod w/ runtime defense enabled.  There's no custom content and it's still in learning mode, but running containers are being scanned and runtime events are being generated.  The compliance report is so-so but the vulnerability reports are fugly.

I'm waiting on access to up-prod-b to verify, but I expect it's the same.
> • DCAR S3 Bucket — Validate Proxy in place and no direct external 
> access (recommend for Taylor’s DSOP Team)

Cybersec needs to be part of this.  The DSOP S3 bucket may be ACL'd but it is reachable by anything in the peered VPCs--production-vpc, staging-up-vpc, dev-up-vpc, and up-prod-vpc.

> • Need Encryption on open Ports (recommend for RH P1 Team to look 
> into)

There's nothing answering on 80 AFAICT, but having 80 open is useful for TLS redirect.  If I can get cert-manager off the ground (still working w/ AF PKI SPO on this), 80 is required for the ACME HTTP01 challenge.

> • Need better diagram showing both internal and external 
> ports/protocols right on the diagram (no IPs or become Classified 
> Document) with encryption, and what’s internal/external to AWS 
> account, VPC, inside/outside cluster, what’s public facing and what’s 
> not, application; for IATT focus on what’s outside the cluster—what 
> goes in/out of cluster boundary and identify/define what goes in/out 
> (which team will take
> lead?)

I might be able to do much of this w/ cloudmapper, but the result is (a) a freakin' eyechart (I need to work on the filtering feature), and (b) intended to be interactive.  I might be able to generate a standalone version I can just host from S3.

However, there's no way to do this without IP addresses.  AWS internal addresses are encoded into the internal DNS name, which has to be reported or nothing makes sense.

> • Action Item: Taylor send DSOP scans of apps to Nic, focus on the 
> delta (the findings not covered by UBI)

Twistlock can report CVEs by layer, but IDK about compliance.  That might be a useful source.

-- T
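The S3 point above (the bucket "may be ACL'd but it is reachable by anything in the peered VPCs") is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the thread or from any of the teams on it: a small offline checker that reads an S3 bucket policy document and reports Allow statements that let any principal read objects without an `aws:sourceVpc`/`aws:sourceVpce` pin, while recognising the usual "Deny unless the request came through the named VPC endpoint" guard. It assumes the bucket's access restriction is expressed in a bucket policy (not only the bucket ACL); the two policy documents, the bucket name and the `vpce-PLACEHOLDER` endpoint id are constructed for the example.

```python
"""Flag S3 bucket-policy statements that grant object reads without a VPC / VPC-endpoint pin.

Added example (not from the mailing-list thread). Assumes the restriction lives in the
bucket policy and uses the IAM condition keys aws:sourceVpc / aws:sourceVpce.
"""
import json

# Actions that grant object reads (IAM action names are case-insensitive).
READ_ACTIONS = ("s3:getobject", "s3:get*", "s3:*", "*")
# Condition keys that pin a request to a VPC or VPC endpoint.
VPC_KEYS = ("aws:sourcevpc", "aws:sourcevpce")

# Constructed sample: a bucket readable by anyone, from anywhere.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: reads allowed only via one VPC endpoint, with a matching Deny guard.
PINNED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadViaEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}},
        },
        {
            "Sid": "DenyOffEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_read(stmt):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(a in READ_ACTIONS for a in actions)


def _principal_is_anyone(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _vpc_condition(stmt, operators):
    """True if the statement has a VPC/VPCE condition key under one of `operators`."""
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() in operators and any(k.lower() in VPC_KEYS for k in keys):
            return True
    return False


def unpinned_read_statements(policy_json):
    """Sids of Allow statements letting any principal read objects with no VPC pin."""
    doc = json.loads(policy_json)
    risky = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _covers_read(stmt):
            continue
        if not _principal_is_anyone(stmt) or _vpc_condition(stmt, ("stringequals",)):
            continue
        risky.append(stmt.get("Sid", "<no Sid>"))
    return risky


def has_vpce_deny_guard(policy_json):
    """True if a Deny statement blocks reads unless aws:sourceVpc/Vpce matches."""
    doc = json.loads(policy_json)
    return any(
        stmt.get("Effect") == "Deny" and _covers_read(stmt)
        and _principal_is_anyone(stmt) and _vpc_condition(stmt, ("stringnotequals",))
        for stmt in _as_list(doc.get("Statement", []))
    )


def assess(policy_json):
    """'ok' when reads are pinned (explicit Deny wins in IAM), else the risky Sids."""
    risky = unpinned_read_statements(policy_json)
    if not risky or has_vpce_deny_guard(policy_json):
        return "ok"
    return "open-read: " + ", ".join(risky)


if __name__ == "__main__":
    for name, policy in (("OPEN_POLICY", OPEN_POLICY), ("PINNED_POLICY", PINNED_POLICY)):
        print(f"{name}: {assess(policy)}")
```

A VPC-endpoint pin only says which endpoint a request must arrive through; it says nothing about which VPCs can route to that endpoint. So a clean result from this check still leaves the network-side question in the message above (which of the peered VPCs should be able to reach the bucket at all) to be answered separately, on the VPC/endpoint side.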