Open Bug 1990271 Opened 3 months ago Updated 2 months ago

SwissSign: recommendation on firewall review

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: sandy.balzer, Assigned: sandy.balzer)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)

Preliminary Incident Report

Summary

  • Incident description: The audit report contains a recommendation regarding the further improvement of SwissSign’s firewall review.

  • Relevant policies: ETSI EN 319 401, REQ-7.8-21X

  • Source of incident disclosure: Audit

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000049
  • Incident description: The audit report contains a recommendation regarding the further improvement of SwissSign’s firewall review.
  • Timeline summary:
    • Non-compliance start date: N/A (audit recommendation and not non-compliance)
    • Non-compliance identified date: N/A (audit recommendation and not non-compliance)
    • Non-compliance end date: N/A (audit recommendation and not non-compliance)
  • Relevant policies: ETSI EN 319 401, REQ-7.8-21X
  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
  • Analysis: N/A
  • Additional considerations: SwissSign's networking infrastructure is completely built by "Infrastructure as code". This includes definitions of network zones and communication channels. From this, firewall rules are built automatically and pushed to the firewalls via automation. There is no manual FW-rule management. This leads to potentially enabled FW-rules that are never used. Since some FW-rules see very little traffic / are rarely used, finding unused rules is non trivial.

Timeline

  • 12.09.2025 Audit report containing this recommendation published

Related Incidents

none found

Root Cause Analysis

Contributing Factor #1:

  • Description: Auditors recommend improving the search for unused FW-rules. We need to investigate if the FW allow automatic retrieval of usage of all FW-rules to detect unused rules. This will include investigation if counters are reset when FW-rules are uploaded via our automation (it's always a full upload) since that would lead to false positives. Also, jobs / tasks that are done rarely (e.g. yearly test of some emergency process) must be taken into consideration.
  • Timeline: N/A
  • Detection: Audit
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Investigate possibility to automatically extract usage of all FW-rules to detect unused rules Mitigate Root Cause # 1 Investigation concluded 2026-04-30 In progress

Appendix

N/A

We're monitoring this Bugzilla for Community feedback.

We're monitoring this Bugzilla for Community feedback.

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30
You need to log in before you can comment on or make changes to this bug.