Closed
Bug 788232
Opened 13 years ago
Closed 12 years ago
Request for review of change to browserid network ACLs
Categories
(mozilla.org :: Security Assurance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gene, Assigned: jstevensen)
Details
https://intranet.mozilla.org/Services/Ops/BrowserID/NetworkACLs
We've (services operations) created a new service called "zbroker". This is a web service which accepts requests from servers such as "drain all zeus load balancer connections to me" or "add me back into my zeus load balancer pool". The zbroker will only allow a client to add or remove itself from a load balance pool (not other IPs).
We would like to run this service on port 80 on our "adm" servers. These servers currently are the puppetmasters for our servers. As such, our servers currently initiate connections to these "adm" hosts over the puppet port 8140.
We thought this would be a good place to run it because the hosts already initiate connections to it, and because it has the network access to make subsequent calls to our zeus load balancers.
We'd like an opsec review of this planned change. The change would manifest in a firewall opening from all of our current puppet clients in production (and staging and dev), to their adm puppetmasters over the new port 80, in addition to the existing port 8140.
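An added example, not part of the original report and not zbroker's actual code: one way a broker can enforce the "a client may only change itself" rule described above is to take the caller's identity from the TCP peer address only. The function name, pool name, addresses and status strings are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: pool membership and the networks the clients live in.
POOLS = {"webheads": {"10.0.1.11": "active", "10.0.1.12": "active"}}
CLIENT_NETS = [ipaddress.ip_network("10.0.1.0/24")]
ACTIONS = {"drain": "draining", "enable": "active"}


def handle_request(peer_ip, action, pool, requested_node=None, headers=None):
    """Return (status_code, message) for a hypothetical zbroker-style request.

    peer_ip is the address of the TCP connection as seen by the server.
    requested_node and headers are client-controlled and never used as identity.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return 400, "bad peer address"
    if not any(peer in net for net in CLIENT_NETS):
        return 403, "peer outside client networks"
    if action not in ACTIONS:
        return 400, "unknown action"
    members = POOLS.get(pool)
    if members is None or str(peer) not in members:
        return 404, "peer is not a member of this pool"
    # A request that names any node other than the caller is refused outright
    # rather than silently rewritten, so attempts show up in the logs.
    if requested_node is not None and requested_node != str(peer):
        return 403, "clients may only change their own pool state"
    # X-Forwarded-For and similar headers are ignored on purpose: they are
    # client-supplied and would let one host speak for another.
    members[str(peer)] = ACTIONS[action]
    return 200, f"{peer} is now {ACTIONS[action]} in {pool}"
```

Because the decision rests on the source address, it is only as strong as the network path: the firewall rule and anti-spoofing controls between clients and the adm hosts are part of the same control.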
Comment 1 (Assignee) • 13 years ago
We will review this change request this week.
Comment 2 (Reporter) • 13 years ago
Just talked to Joe on the phone. His team will review this ticket this afternoon and will send out an update at the end of the day with either results, or a new date/time that they can have the review completed, in the case that they have questions.
Updated • 13 years ago
Assignee: nobody → jstevensen
Comment 3 (Assignee) • 13 years ago
Eugene,
This doesn't look like a serious concern, but we have a couple of questions. I'll schedule a quick vidyo meeting for 9am PDT or at another convenient time.
Comment 4 (Assignee) • 13 years ago
Discussed with Gene today.
Permitting the webheads to initiate connections to adm hosts running zbroker is approved.
Updated (Assignee) • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED