Hello. I am a security expert with a CISSP and CCP. I have also built the internals of several commercial firewalls, and I worked on the Lucent FIRMATO project for graphical management of multi-vendor firewall constellations in perimeter networks. I will be delighted to help you.
What brand(s) of firewalls do you already have in place?
We do not have any firewalls in place at this moment.
What we are trying to achieve is restrict our web developers to upload our company's code outside of their development environment, where they login through a VNC.
Can you help with that?
I certainly can. However, if you want me to (a) select a firewall for you, (b) tell you how to set it up, (c) set up all the Apache rules, it's rather beyond the scope of this small question.
What precise operating system and version are you using?
We are using Ubuntu Server 14.04 LTS.
I am not asking you to set up the firewall for me; I am just looking for a way to restrict our developers from uploading the code anywhere other than our Git server.
Just looking for some information regarding that. I tried doing it with iptables, but I am getting "Connection timed out" responses, so I am missing something.
IPTABLES isn't the way to go. Apache modules can actually do most of what you want, plus Apache configuration; you don't need a firewall necessarily, though it's more robust. Please let me know what you prefer.
But this is regarding outbound requests. On their dev environment they have a GNOME interface, so they can access a browser and go to any site and upload the code if they want to (let's say Dropbox, for example). Apache would be great, but how could we do that with Apache? Isn't Apache used only for inbound requests?
Not entirely sure what you intend by "inbound request." A RESPONSE to an inbound request is your concern here. An OUTBOUND REQUEST -- what are you referring to? Your developers could attach a Web page to an e-mail message and just send it out.
However, that can be prevented readily. But I can't solve your every problem within the small scope of this question. I offered you premium service, and you declined it.
A very straightforward trick that will take minutes to implement can segregate development from outbound communication. Your developers would be able to develop Web content, but they would not be able to e-mail anything they developed to the outside. The only exception would be developers who have root access.
Would you be interested in this solution?
I don't see how limiting the size of uploads or downloads is relevant.
I understand, but until I accept your premium service, I need my question answered, and that means how this is going to be done, because from what you said I'm not sure yet that you have a solution for me.
INBOUND REQUEST -> Request coming in from a user to our server
OUTBOUND REQUEST -> Request going out from our server to any outside website/api
Our developers log in to their virtual development machine through a VNC connection. From their virtual development machine they can open up a browser and upload sensitive stuff (like company code) to an external service like Dropbox. We need to not allow them to do that. Is there a way to prevent that from happening? I am trying to be as clear as possible about our problem; I hope I sent all the necessary info. Apache definitely cannot achieve that, so I am looking for another solution.
That would not be enough, because as I said in the original question, we still need the server to be able to do outbound communications; we just need it to be authorized to do that only for specific domains/subdomains. So either that, or restrict the size of file uploads.
Restricting file uploads would work because we have thousands of files and if they have to upload them one by one, they won't do it.
I made it clear that I can provide a VERY SIMPLE solution (one that wouldn't occur to you, I promise) to STRICTLY SEGREGATE development from external communication.
Apache can be configured to curtail the sizes of requests coming and files going--as well as to do some simple-minded restriction of the IP addresses of prospective communicants.
I served on the NSA Trusted UNIX Working Group and the DoD/DOE Labeling Working Group and was the chief architect of Trusted RUBIX B2 RDBMS and of the Norman Firewall and the only person ever to reverse-engineer the internals of the CheckPoint from its terminal characteristics.
I'm not going to discuss qualifications endlessly. I have a solution.
"Restricting file uploads would work because we have thousands of files and if they have to upload them one by one, they won't do it."
You don't seem to have much faith in your developers. I could write a five-line shell script that could automatically upload every file within a given directory subtree, one by one, by e-mail, without requiring more than sixty seconds' total effort by me.
It's not a problem of current developers; it's regarding new developers who need to build trust first. And they are remote too, so harder to manage.
You could do that, yes, but what if you're limiting the upload size to 1 KB and most files are bigger than that? You'd have to split them, etc., so more work to do.
Regarding Apache being able to curtail the sizes of outgoing files, can you explain to me how that is possible? I have worked for many years with Apache, and I don't understand how it can access the server's outgoing requests and be able to manipulate them.
I thought you wanted to prevent your developers from mailing files outside your worksite. Limiting file sizes won't solve the problem.
Yes, but not just mailing; also uploading to GitHub, Google Drive, Dropbox... anything.
So restricting external traffic would be a better solution. But we still need the server to be able to access external APIs like googleapis.com and eu11.salesforce.com which are constantly changing IPs... Do you have a solution for that?
Um, if your external developers are hacking in the code, they can steal things WHETHER OR NOT they go through the Web server. You really have to think this through much more carefully. I offered you a comprehensive analysis, but you weren't interested. I really don't know what to tell you. You can't protect your PRICELESS infrastructure for essentially NO investment.
I can solve any problem you can pose, quickly and efficiently. But I can't solve your every last problem within what you have committed to this analysis. You have to call customer service at (###) ###-#### and accept the premium offer, and I will solve ALL your problems, QUICKLY and CLEVERLY.
So paying $45 just for getting an "I can do it" answer is NO investment? I don't think so. For that I would have hoped I'd get a clear explanation of what would be done before going on to pay the other $66 for the solution. You don't have to tell me the steps; I won't steal the solution, but make me understand how you're going to handle it, because I am not confident enough yet.
I won't go on and on about my qualifications. If you don't want expert help, that's fine. Feel free to hack away at your Apache modules, and your solution will be defeated with thirty seconds' effort.
I have already shot down your EVERY "solution" and STILL you question my ability to help you?
And it is certainly NO investment because, one presumes, you are protecting potentially hundreds of thousands, or millions, of dollars' worth of intellectual property.
All of your problems could have been solved already.
I can trivially segregate development from outside communication via a simple stunt using group IDs.
Apache modules and logging can take care of your every other concern.