add general_network_separation manual rule

sig-bsi-grundschutz · May 31, 2024 · 7d98762 · 7d98762
1 parent f7d31c8
commit 7d98762
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+
+title: 'Create Network Boundaries between Functional Different Nodes'
+
+description: |-
+   Use different Networks for Control Plane, Worker and Individual Application Services.
+
+rationale: |-
+   Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
+
+references:
+    bsi: APP.4.4.A7
+
+severity: medium
+
+ocil_clause: 'Network separation needs review'
+
+ocil: |-
+    Create separate Ingress Controllers for the API and your Applications. Also setup your environment in a way, that Control Plane Nodes are in another network than your worker nodes. If you implement multiple Nodes for different purposes evaluate if these should be in different network segments (i.e. Infra-Nodes, Storage-Nodes, ...).
diff --git a/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml b/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: MANUAL
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -192,6 +192,7 @@ controls:
     status: partial
     rules:
       # Section 1
+      - general_network_separation
       # Section 2
       - configure_network_policies
       - configure_network_policies_namespaces