[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T101912

Network segmentation for WMF servers
Open, LowPublic
Actions

Description

Over a hangout today, @MoritzMuehlenhoff, @Joe, @faidon discussed different ways we could segment the cluster network to make extracting sensitive data harder for an attacker. In the short term, there are other projects with more security benefit. But documenting this here so we can revisit in the future.

Currently, setting up a vlan is labor intensive, so it isn't practical to put each new service in its own vlan We could probably setup an untrusted or trusted vlan within each datacenter.

  • Trusted: We would move sensitive data services to access that data to an isolate network. Currently, that would likely be Password hashes, CheckUser data, and maybe logs.
  • Untrusted: We would move services like Citoid, Mathoid, which don't need access to the rest of the cluster to work, into their own network so a compromise there limits the attacker to those services.

A prerequisite for setting up another vlan in the cluster is moving network configuration to an orchestration / code review system.

Related Objects

Event Timeline

csteipp created this task.Jun 9 2015, 11:45 PM
csteipp raised the priority of this task from to Low.
csteipp updated the task description. (Show Details)
csteipp added a project: Security-Other.
csteipp added subscribers: csteipp, MoritzMuehlenhoff, faidon, Joe.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 9 2015, 11:45 PM
GWicke subscribed.Jun 19 2015, 3:01 PM
Krenair subscribed.Oct 27 2015, 2:22 PM
GWicke mentioned this in T170111: Implement a pod networking policy approach.Jul 11 2017, 7:46 PM
ayounsi subscribed.Jul 12 2017, 10:03 AM
Aklapper added projects: Kubernetes, SRE.Jun 29 2018, 2:28 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:16 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:08 PM
Aklapper removed a project: Security-Other.Nov 27 2019, 1:38 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
LSobanski added a project: Infrastructure-Foundations.Jan 6 2023, 12:04 PM
LSobanski merged a task: T121240: Network isolation for production and semi-production services.Jan 6 2023, 12:14 PM
LSobanski added subscribers: dpatrick, Tfinc, EBernhardson and 7 others.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits