I have a situation where I need to open the FW to specific FQDN domains such as:
*.insight.rapid7.com
*.endpoint.ingress.rapid7.com
This is because the vendor cannot provide all possible IPs (either do not know), or they can come from any number of the cloud providers network and we're not opening things up to the entirety of Azure or AWS.
My understanding is I can use domain objects on the CP application policy, but I'm seeing a couple of limitations that are preventing me from using this method.
FQDN domain objects:
- Does not support wildcards. Must enter the exact FQDN for any possible host.subdomain.domain.
- If I understand correctly, the CP will do a forward DNS lookup and cache the IP.
- What happens if the IP changes and/or the cloud provider provides different IPs as part of load balancing and/or geo-DNS?
- How often is the lookup refreshed? Is it based on TTL or is there a specific refresh interval set?
In short I see a potential caching problem with this method.
Non-FQDN domain objects:
- Does support wildcard domains.
- The CP performs reverse DNS lookup of the IP. If the resulting PTR record contains the domain specified in the rule, it will match.
- The problem here is many SaaS services in the cloud seem to not have proper PTR records setup and their IPs simply back-resolve back to the domain of the Cloud provider itself, e.g. *.compute.amazonaws.com.
So with this method, there will be a conflict in the domain name not matching the PTR record so I don't see this as a valid option.
Now, one option is to potentially use the application filtering policy and create a custom URL/application and specify the URLs (with wildcards), but even this is problematic as it only works for a static set of web-based ports/protocols, e.g. HTTP/HTTPS. This won't work for any non-standard ports in use, or non-Web based traffic.
Any thoughts as to how best approach this?
