Layer7 API Management

  • 1.  Policy Manager access from untrusted network

    Posted Jun 18, 2020 09:08 AM
    Hi everybody,

    We have a gateway cluster of 2 nodes, balanced by a LB and exposed to the internet for service requests.
    I've noticed that the GW nodes can be accessed via Policy Manager even from outside the company LAN or VPN. If I connect with Policy Manager pointing at the public IP of the LB on the secure port 443, I can get access from anywhere.

    This is a security leak and I would like to know if the only way to avoid it is to define a dedicated secure port, not mapped by the LB, to be used only for Policy Manager access. Are there any other solutions to overcome the issue?

    Thanks,

    ------------------------------
    Enzo
    ------------------------------


  • 2.  RE: Policy Manager access from untrusted network

    Broadcom Employee
    Posted Jun 18, 2020 10:21 AM
    By default, the policy manager will connect to Gateway by using 8443 or 9443 ports. Did you enable 443 for the policy manager connection to Gateway?

    You can use a non-default port and set firewall rules to allow incoming connections to this port only from the internal network.


  • 3.  RE: Policy Manager access from untrusted network

    Posted Jun 18, 2020 10:31 AM
    Hi Saravanan,

    thank you for your answer. I did not enable port 443 on Policy Manager, but my load balancer maps port 443, exposed on the internet, to port 8443 of the Policy Manager.
    Are you suggesting setting firewall rules on the gateway nodes to allow only internal traffic on a specific port? This is the solution (define a dedicated secure port) that I described in the problem statement. I'd like to know if there is a way to leave the situation as default, with ports 8443 and 9443 for PM access, and configure the system to deny Policy Manager access on those ports from outside the internal network.


  • 4.  RE: Policy Manager access from untrusted network
    Best Answer

    Broadcom Employee
    Posted Jun 18, 2020 11:01 AM
    You can disable policy manager access on 8443 in the listen port configuration to avoid external access through the frontend LB, and instead connect via port 9443 or define another listen port for internal PM access.

    When connecting with PM, connect directly to one of your cluster nodes, not through the LB, as <gateway_node_name>:9443.

    Once connected to PM on port 9443, you can simply disable Policy Manager access in the properties of the 8443 listen port.
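The reasoning in this thread, as an added example that is not part of the original posts or of the Gateway product: a small audit that flags listen ports on which Policy Manager access is reachable through the load balancer, and applies the accepted remediation (turn the feature off on LB-fronted ports, keep a non-fronted port such as 9443 for direct admin connections). The `ListenPort` fields, the `LB_MAPPINGS` shape and the sample data are constructed assumptions, not the Gateway's configuration schema.

```python
"""Audit which Gateway listen ports expose Policy Manager through the LB.

Constructed sample data models the thread: the LB maps public 443 to node
port 8443, and both 8443 and 9443 allow Policy Manager access by default.
Field names are assumptions, not the Gateway's own configuration schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ListenPort:
    port: int
    policy_manager_access: bool  # "Policy Manager access" enabled on the port
    published_services: bool     # port also serves ordinary API traffic


# Assumed shape: public LB port -> backend node port (constructed).
LB_MAPPINGS = {443: 8443}

DEFAULT_PORTS = [
    ListenPort(8443, policy_manager_access=True, published_services=True),
    ListenPort(9443, policy_manager_access=True, published_services=True),
]


def exposed_pm_ports(ports, lb_mappings):
    """Return (public_port, node_port) pairs where PM is reachable via the LB."""
    by_port = {p.port: p for p in ports}
    findings = []
    for public_port, node_port in lb_mappings.items():
        lp = by_port.get(node_port)
        if lp is not None and lp.policy_manager_access:
            findings.append((public_port, node_port))
    return findings


def remediate(ports, lb_mappings):
    """Disable PM access on every LB-fronted port; fail if no admin port remains.

    Mirrors the accepted answer: connect directly to a node on 9443 first,
    then switch the flag off on 8443. Refuses to lock the administrator out.
    """
    fronted = set(lb_mappings.values())
    fixed = [
        ListenPort(p.port, p.policy_manager_access and p.port not in fronted,
                   p.published_services)
        for p in ports
    ]
    admin_ports = [p.port for p in fixed if p.policy_manager_access]
    if not admin_ports:
        raise ValueError("no listen port left for Policy Manager; "
                         "add an internal-only listen port first")
    return fixed, admin_ports
```

If the LB also fronts 9443, `remediate` refuses to proceed, which is the cue to add a dedicated internal-only listen port before disabling anything.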