Is your feature request related to a problem? Please describe.
Conventional means of firewall management allow ingress to a system by IP address range and port. This is fine if you know in advance where your calls into the system will be coming from. With orchestration (and particularly functions as a service), the potential subnet can be vast and insecure. For example, Azure Functions require you to open your port to an entire Azure data center. Any bad actor who wants to attack your system can do so using an Azure function in the same region as yours.
Describe the solution you'd like
Sunspot is a system that listens on a single HTTPS endpoint for requests that include an originating IP address, a port, a time span, and a previously distributed secret. When it receives a valid request, it creates a firewall exception for that port and a scheduled job to remove that exception once the time span expires.
Describe alternatives you've considered
The most obvious alternative is to open up to a wider subnet and require the clients to pass a secret with each call. This works all right with programmed RESTful endpoints, but is inelegant for opening ports to databases, etc.
Additional context
This is something I'd like to build and open source myself, but probably won't get to in the foreseeable future.
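As an added illustration of the request flow sketched in the issue (example code written for this page, not part of the issue or of any Sunspot implementation), the following Python models both halves: a client that tags an open-port request with HMAC-SHA256 under the pre-shared secret, and a server that checks the tag before parsing any field, rejects stale or replayed requests, caps the time span, records the exception, and emits the firewall commands the scheduled removal job would run. The nftables table and set names, the policy limits, the time-stamp window and the test secret are assumptions; firewall commands are returned as strings rather than executed so the module runs offline.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Assumed policy values (not from the proposal): cap on how long an
# exception may live, and how stale a request timestamp may be.
MAX_TTL_SECONDS = 3600
MAX_SKEW_SECONDS = 60

# Assumed nftables objects: a table "inet sunspot" holding a set "allow"
# of type "ipv4_addr . inet_service" that an input-chain accept rule references.
NFT_SET = "inet sunspot allow"


def _canonical(ip, port, ttl, issued_at, nonce):
    """Fixed-order byte string covered by the MAC."""
    return f"{ip}|{port}|{ttl}|{issued_at}|{nonce}".encode()


def make_request(secret, ip, port, ttl, issued_at=None, nonce=None):
    """Client side: tag the request fields with HMAC-SHA256 under the
    pre-shared secret. Only the tag travels; the secret never does."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    nonce = secrets.token_hex(8) if nonce is None else nonce
    tag = hmac.new(secret, _canonical(ip, port, ttl, issued_at, nonce),
                   hashlib.sha256).hexdigest()
    return {"ip": ip, "port": port, "ttl": ttl, "issued_at": issued_at,
            "nonce": nonce, "tag": tag}


class SunspotServer:
    """Server side: authenticate requests, open time-limited exceptions,
    and produce the commands the scheduled removal job runs on expiry."""

    def __init__(self, secret, max_ttl=MAX_TTL_SECONDS, skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_ttl = max_ttl
        self.skew = skew
        self.seen_nonces = {}         # nonce -> issued_at of accepted requests (replay guard)
        self.exceptions = {}          # (ip, port) -> expiry time (epoch seconds)

    def validate(self, req, now):
        """Return (ok, reason). The MAC is verified in constant time before
        any field is interpreted, so unauthenticated input never reaches the parsers."""
        try:
            fields = [req[k] for k in ("ip", "port", "ttl", "issued_at", "nonce")]
            expected = hmac.new(self.secret, _canonical(*fields),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, str(req["tag"])):
                return False, "bad tag"
        except (KeyError, TypeError):
            return False, "malformed"

        ip, port, ttl, issued_at, nonce = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return False, "bad ip"
        if not (isinstance(port, int) and 1 <= port <= 65535):
            return False, "bad port"
        if not (isinstance(ttl, int) and 1 <= ttl <= self.max_ttl):
            return False, "ttl out of range"
        if not isinstance(issued_at, int) or abs(now - issued_at) > self.skew:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        return True, "ok"

    def open_port(self, req, now):
        """Handle one request. Returns (ok, reason, commands_to_run)."""
        ok, reason = self.validate(req, now)
        if not ok:
            return False, reason, []
        self.seen_nonces[req["nonce"]] = req["issued_at"]
        self.exceptions[(req["ip"], req["port"])] = now + req["ttl"]
        return True, reason, [f"nft add element {NFT_SET} {{ {req['ip']} . {req['port']} }}"]

    def expire(self, now):
        """The scheduled removal job: drop every exception whose time span has
        elapsed and return the commands that close those ports. Also forgets
        nonces too old to pass the freshness check, so the replay set stays bounded."""
        cmds = []
        for key, expiry in list(self.exceptions.items()):
            if expiry <= now:
                del self.exceptions[key]
                cmds.append(f"nft delete element {NFT_SET} {{ {key[0]} . {key[1]} }}")
        for nonce, issued_at in list(self.seen_nonces.items()):
            if now - issued_at > self.skew:
                del self.seen_nonces[nonce]
        return cmds
```

Because the IP address in the request is chosen by the client, whoever holds the secret decides which address gets in, exactly as in the proposal; the MAC only guarantees that the request was not forged or altered in transit, while the nonce and time-stamp window stop a captured request from being replayed after its exception has been closed.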