[FORSETI] Firewall Rules scanner functionality #266

Closed
hshin-g opened this issue Feb 18, 2020 · 2 comments
hshin-g (Contributor) commented Feb 18, 2020

Related to Forseti Security Issue #3624

Scanner

Firewall Rules Scanner

Description: Network firewall rules protect your network & organization by only allowing desired traffic into and out of your network. The firewall rules scanner can ensure that all your network’s firewalls are properly configured.

Python Violations Summary

There are four types (modes) of violations that can be generated:

  1. Matches - Find the Firewall rules that don't match the required policy found under the “match_policies” field in firewall_rules.yaml file.

    • If a rule in the “match_policies” field in firewall_rules.yaml does NOT exist in the Firewall rules, generate a violation and a recommended action to INSERT the missing rule into the Firewall rules (in order to match the “match_policies” that have been defined). This is referential as it has to look at ALL the Firewall rules to see whether the rule in "match_policies" exists, i.e. is a match. Only when it sees that the rule in "match_policies" does NOT exist in the Firewall rules does it generate a violation.

    • If a Firewall rule does NOT exist in the rules found under the “match_policies” field in the firewall_rules.yaml file, generate a violation and a recommended action to DELETE the Firewall rule (in order to match the “match_policies” that have been defined). This seems to be a whitelist function, as it just needs to check whether a Firewall rule exists in a user-defined list of "match_policies". If it does NOT exist, generate a violation.

  2. Required - Find the missing rules that are required from the “match_policies” field in firewall_rules.yaml file.

    • If a rule in the “match_policies” field in firewall_rules.yaml does NOT exist in the Firewall rules, generate a violation and a recommended action to INSERT the missing match_rule into the Firewall rules (in order to match the “match_policies” that have been defined). This is referential as it is required that ALL the Firewall rules be evaluated to see whether the required rule in "match_policies" is included.

  3. Whitelist - Find Firewall rules that do NOT match the whitelisted rules in firewall_rules.yaml file.

  4. Blacklist - Find the blacklisted policies and return violations if there are any Firewall rules that are blacklisted in firewall_rules.yaml file.

1:1 Rego | Python Parity Status

The Firewall Rego rule generates violations by listing rules to match - i.e. if a firewall rule matches the parameters of the Rego rules, it will generate violations. It does not look like WHITELIST, REQUIRED, or MATCHES modes are covered. BLACKLIST seems to be covered here.

Rego work to do

From the analysis above, looks like "whitelist" mode should be what is targeted, as the other modes (required and matches) are either 1) referential (required, INSERT missing "match_policies") or 2) already covered with "whitelist" (DELETE Firewall rule that is missing from "match_policies").

Create or edit existing Rego rule to do the following:

  1. Allow for "whitelist" mode to be used --> currently only does blacklist.
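The four modes described in this comment, as an added example that is not code from Forseti or from this issue: a small Python scanner that applies each mode to a constructed set of firewall rules and a constructed policy. Assumptions not stated in the issue: rules and policy entries are plain dicts with GCP-style fields, and a rule "matches" a policy entry when every field the entry specifies is equal on the rule (fields the entry leaves out act as wildcards; list-valued fields are compared order-insensitively). The example also makes the referential point concrete: required, and the INSERT half of matches, can only decide after looking at the whole rule set, while whitelist and blacklist decide one rule at a time.

```python
"""Four-mode firewall-rule scanner (added example, not Forseti's scanner).

Assumption: a rule matches a policy entry when every field the entry
specifies (other than its "name" label) is equal on the rule.
"""
from dataclasses import dataclass


def _freeze(value):
    """Make lists/dicts hashable and order-insensitive for comparison."""
    if isinstance(value, dict):
        return tuple(sorted((k, _freeze(v)) for k, v in value.items()))
    if isinstance(value, list):
        return tuple(sorted(_freeze(v) for v in value))
    return value


def matches(rule, entry):
    """True if the rule agrees with every field the policy entry pins down."""
    return all(_freeze(rule.get(field)) == _freeze(expected)
               for field, expected in entry.items() if field != "name")


@dataclass(frozen=True)
class Violation:
    mode: str
    resource: str   # firewall rule name, or policy entry name for INSERTs
    action: str     # recommended action: INSERT or DELETE
    reason: str


def scan_required(rules, required):
    """REQUIRED: referential; an entry is missing only if NO rule matches it."""
    return [Violation("required", e["name"], "INSERT",
                      "no firewall rule matches required policy entry")
            for e in required if not any(matches(r, e) for r in rules)]


def scan_whitelist(rules, allowed):
    """WHITELIST: per rule; flag any rule not covered by some allowed entry."""
    return [Violation("whitelist", r["name"], "DELETE",
                      "rule not covered by any whitelist entry")
            for r in rules if not any(matches(r, e) for e in allowed)]


def scan_blacklist(rules, forbidden):
    """BLACKLIST: per rule; flag any rule that matches a forbidden entry."""
    return [Violation("blacklist", r["name"], "DELETE",
                      f"rule matches blacklist entry {e['name']}")
            for r in rules for e in forbidden if matches(r, e)]


def scan_matches(rules, expected):
    """MATCHES: both directions, i.e. REQUIRED plus WHITELIST over one list."""
    found = scan_required(rules, expected) + scan_whitelist(rules, expected)
    return [Violation("matches", v.resource, v.action, v.reason) for v in found]


# Constructed sample data (hypothetical rule and policy names).
FIREWALL_RULES = [
    {"name": "allow-internal", "direction": "INGRESS", "action": "allow",
     "source_ranges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "action": "allow",
     "source_ranges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
POLICY = {
    "match_policies": [
        {"name": "internal", "direction": "INGRESS", "action": "allow",
         "source_ranges": ["10.0.0.0/8"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
        {"name": "health-checks", "direction": "INGRESS", "action": "allow",
         "source_ranges": ["35.191.0.0/16", "130.211.0.0/22"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    ],
    "whitelist": [{"name": "rfc1918-only", "direction": "INGRESS",
                   "source_ranges": ["10.0.0.0/8"]}],
    "blacklist": [{"name": "public-ssh", "source_ranges": ["0.0.0.0/0"],
                   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}],
}


def scan_all(rules=FIREWALL_RULES, policy=POLICY):
    """Run every mode and return violations keyed by mode."""
    return {
        "matches": scan_matches(rules, policy["match_policies"]),
        "required": scan_required(rules, policy["match_policies"]),
        "whitelist": scan_whitelist(rules, policy["whitelist"]),
        "blacklist": scan_blacklist(rules, policy["blacklist"]),
    }


if __name__ == "__main__":
    for mode, violations in scan_all().items():
        for v in violations:
            print(f"{mode:9} {v.action:6} {v.resource}: {v.reason}")
```

On the sample data, required reports one INSERT (health-checks has no matching rule), whitelist and blacklist each report one DELETE (allow-ssh-anywhere), and matches reports both the INSERT and the DELETE, which is why the issue treats matches as a mix of required and whitelist.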
morgante (Contributor) commented:

This PR might help: #211

hshin-g (Contributor, Author) commented Feb 21, 2020

@morgante Required is difficult to implement (referential).
Matches is technically a mix of whitelist/required --> which means that this is also referential and difficult to implement.

Minimum thing to work on is to add whitelist.
