Pivotal Knowledge Base


How to delete a running Application Security Group (ASG) from deployment

Environment

 Product                  Version
 Pivotal Cloud Foundry    1.10

Overview

This article describes the steps to take if an open running Application Security Group (ASG) has been inadvertently added to your deployment.

Background

A running ASG bound at the deployment (platform) level applies to every application in every space, in addition to any ASGs bound to a particular space. ASG rules are additive: an application receives the union of the rules from all ASGs that apply to it, so a restrictive space-bound ASG cannot narrow what a platform-wide running ASG has already allowed. This is a security concern because, even if you have configured specific ASGs for a space, an open running ASG opens up the network far more than you intended. If an all_open ASG has been added to your deployment as a running ASG, you are exposed to CVE-2016-0896.

The configuration for an all_open security group looks like this:

[
  {
    "destination": "0.0.0.0-255.255.255.255",
    "protocol": "all"
  }
]

For more information about ASGs, refer to this document.

Instructions

If you are using the default_security_group but no other custom ASGs 

NOTE: Following these instructions will cause application downtime while apps are restarted. Further downtime will occur if the ASGs are not set up correctly. Schedule the work during a period of light load or minimal traffic.

  1. Check Apps Manager (or run cf running-security-groups) to see which running ASGs apply to a given space. Because ASG rules are additive, the running ASGs' rules apply on top of any bound ASGs, however restrictive the bound ASGs are.
  2. Review any existing security groups for misconfiguration, since the open running security group may be masking misconfigurations that will surface once it is removed.
  3. Delete the running ASG: unbind it from the running set, then delete it.
  4. Restart all applications in the foundation so the new ASG settings are applied. ASG changes take effect only when an application's containers are recreated, so running applications keep the old rules until they are restarted.
  5. Ensure that all applications are running and are correctly connecting to any services they use.

If you are using custom ASGs

If you have custom ASGs and an open running ASG, complete the following manual steps to close down the open ASG without removing the access your applications and service brokers need.

NOTE: Following these steps will cause application downtime while apps are restarted. Further downtime will occur if the ASGs are not set up correctly. Schedule the work during a period of light load or minimal traffic.

  1. Check Apps Manager (or run cf running-security-groups) to see which running ASGs apply to a given space. Because ASG rules are additive, the running ASGs' rules apply on top of any bound ASGs, however restrictive the bound ASGs are.
  2. Create and bind an ASG for the space in which each service broker runs. Brokers that need outbound communication require this; where the broker's backend addresses are known, scope the rules to those addresses rather than binding a fully open ASG.
  3. Create an ASG that allows applications to reach the services bound in the space. This may require checking which services are available in the space (cf services) and creating a customized ASG for that space. Repeat this process for all spaces. Note: you can bind multiple ASGs to a space, and a single ASG can be bound to multiple orgs and spaces.
  4. Review any existing security groups for misconfiguration, since the open running security group may be masking misconfigurations that will surface once it is removed.
  5. Delete the running ASG: unbind it from the running set, then delete it.
  6. Restart all applications in the foundation so the new ASG settings are applied. ASG changes take effect only when an application's containers are recreated, so running applications keep the old rules until they are restarted.
  7. Ensure that all applications are running and are correctly connecting to any services they use.
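Both procedures above, scripted with the cf CLI, as an added example that is not from the Pivotal article or the Cloud Foundry project. It assumes the cf CLI v6 commands create-security-group, update-security-group, bind-security-group, unbind-running-security-group, delete-security-group, target, apps and restart, the "cf apps" output layout described in the comments, and the ASG rules JSON format shown above. The org, space, ASG names and service addresses (myorg, dev, dev-services, 10.0.16.0/24:3306) are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the Pivotal KB article or the Cloud Foundry project.
# Audits an all-open ASG rules file and replaces an open running ASG with
# space-scoped ASGs via the cf CLI (assumed cf CLI v6 command syntax).
set -eu

CF="${CF:-cf}"   # set CF="echo cf" to print the cf commands instead of running them

# all_open_rule RULES_FILE
# Exit 0 if the rules file contains a rule whose destination covers the whole IPv4
# space and whose protocol is "all" (the all_open shape from the article), in either
# key order. Used to confirm which running ASG is the one to remove.
all_open_rule() {
  local compact any
  compact=$(tr -d ' \n\t\r' < "$1")
  any='(0\.0\.0\.0-255\.255\.255\.255|0\.0\.0\.0/0)'
  printf '%s' "$compact" | grep -Eq \
    "\{[^{}]*\"destination\":\"$any\"[^{}]*\"protocol\":\"all\"[^{}]*\}|\{[^{}]*\"protocol\":\"all\"[^{}]*\"destination\":\"$any\"[^{}]*\}"
}

# write_scoped_rules RULES_FILE DEST:PORTS ...
# Write a tcp-only rules file that allows only the listed service endpoints, e.g.
#   write_scoped_rules dev-services.json 10.0.16.0/24:3306 10.0.17.5:5432
# (addresses are placeholders; use the addresses of the services bound in the space).
write_scoped_rules() {
  local out=$1 spec first=1
  shift
  {
    printf '[\n'
    for spec in "$@"; do
      case $spec in
        *:*) ;;
        *) echo "bad endpoint spec (want DEST:PORTS): $spec" >&2; return 1 ;;
      esac
      if [ "$first" = 1 ]; then first=0; else printf ',\n'; fi
      printf '  {"protocol": "tcp", "destination": "%s", "ports": "%s"}' \
        "${spec%%:*}" "${spec#*:}"
    done
    printf '\n]\n'
  } > "$out"
}

# bind_scoped_asg ASG_NAME ORG SPACE RULES_FILE
# Create (or update, on a rerun) the scoped ASG and bind it to one space. Do this
# for every space BEFORE removing the open running ASG, so apps keep service access.
bind_scoped_asg() {
  $CF create-security-group "$1" "$4" || $CF update-security-group "$1" "$4"
  $CF bind-security-group "$1" "$2" "$3"
}

# drop_running_asg ASG_NAME
# Unbind the ASG from the platform-wide running set, then delete it.
drop_running_asg() {
  $CF unbind-running-security-group "$1"
  $CF delete-security-group "$1" -f
}

# restart_space_apps ORG SPACE
# Restart every app in the space so the new ASG set takes effect (ASG changes are
# applied only when an app's containers are recreated). Assumes cf CLI v6 "cf apps"
# output: four header lines, then one row per app with the name in the first
# column; app names containing spaces are not handled.
restart_space_apps() {
  local app
  $CF target -o "$1" -s "$2" >/dev/null
  for app in $($CF apps | awk 'NR>4 && NF { print $1 }'); do
    $CF restart "$app"
  done
}
```

Typical order: for every space, write_scoped_rules and bind_scoped_asg (for a broker space, list the broker's backend addresses the same way); then drop_running_asg for the open ASG once; then restart_space_apps for each org and space (loop over cf orgs and cf spaces) and verify the apps reconnect to their services. Run the whole sequence with CF="echo cf" first to review the commands before they touch the foundation.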
