What would you like to be added:
In addition to IP address-based network filtering, we would like to see domain-based and SNI-based filtering. For example:

```
# Ubuntu Repositories
archive.ubuntu.com
security.ubuntu.com
esm.ubuntu.com
.canonical.com
api.snapcraft.io
.cdn.snapcraftcontent.com

# Certificate Validation
cacerts.digicert.com
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
ocsp.pki.goog
crl.pki.goog
crls.pki.goog
.amazontrust.com
```
Why is this needed:
To comply with US NIST 800-53 R5 SC-7 (8) SYSTEM AND COMMUNICATIONS PROTECTION; BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS, we need to ensure that we have the ability to configure an explicit permit list of known-good or approved domains from our workloads. We are working with our various development teams to incorporate this capability natively into their applications, but without this feature we will end up implementing cloud-native solutions such as AWS Firewall or Google Cloud Secure Web Proxy, which increases cost and maintenance across our service offerings.
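One way a permit list in the format above could be evaluated against a hostname taken from a TLS SNI value, as an added example that is not code from the project or the issue author. It assumes a leading dot covers the domain and all of its subdomains while a bare name is an exact match (the issue does not define this), and the function names are hypothetical.

```python
import re

# Subset of the issue's list, embedded so the example runs offline.
ALLOWLIST_TEXT = """\
# Ubuntu Repositories
archive.ubuntu.com
.canonical.com
# Certificate Validation
ocsp.digicert.com
.amazontrust.com
"""

_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def parse_allowlist(text):
    """Split one-entry-per-line text with # comments into exact names and suffixes."""
    exact, suffixes = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        # Assumption: ".example.com" means example.com plus every subdomain.
        (suffixes if entry.startswith(".") else exact).add(entry)
    return exact, suffixes


def normalize(host):
    """Lower-case, drop one trailing root dot; None if not a plain DNS name."""
    if not isinstance(host, str):
        return None
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host


def is_permitted(host, exact, suffixes):
    """Default deny: permit only exact entries or names under a dotted suffix."""
    name = normalize(host)
    if name is None:
        return False
    if name in exact:
        return True
    # The suffix keeps its leading dot, so matching happens on a label
    # boundary: "evilcanonical.com" does not match ".canonical.com".
    return any(name == s[1:] or name.endswith(s) for s in suffixes)
```

SNI is a client-supplied value, so a filter built this way constrains where well-behaved workloads connect; it does not by itself prove which server was reached.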