Creating a custom policy

Policies can be thought of as advanced, identity and application-aware firewall rules. Policies define who has access to your services (Sockets).

Each time a user tries to access a Socket, our platform will evaluate all policies that are attached to the Socket. The verdict is the cumulative result of all policies. If no policies match or no policies are attached to a Socket, no access will be granted.


Organization wide policies and regular policies

A policy can, optionally, be marked as an Organization wide policy. This means it will automatically be applied to all Sockets in your organization.
A regular policy needs to be explicitly linked to a Socket.

JSON format

The JSON below shows an example policy. As you can see, it has two high-level sections:

  1. Actions, i.e., what action is allowed
  2. Conditions, i.e., under what conditions it is allowed

In the example below, the actions include

  • database
  • ssh
  • HTTP

meaning access to SSH, database and HTTP Sockets is allowed.
In the condition section, we have three categories:

  1. Who
  2. Where
  3. When

{
    "version": "v1",
    "action": [
        "database",
        "ssh",
        "http"
    ],
    "condition": {
        "who": {
            "email": [
                "[email protected]"
            ],
            "domain": [
                "example.com"
            ]
        },
        "where": {
            "allowed_ip": ["0.0.0.0/0", "::/0"],
            "country": [
                "NL",
                "CA",
                "US",
                "BR",
                "FR"
            ],
            "country_not": [
                "BE"
            ]
        },
        "when": {
            "after": "2022-10-13",
            "before": null,
            "time_of_day_after": "00:00:00 UTC",
            "time_of_day_before": "23:59:59 UTC"
        }
    }
}

In summary, the policy above allows access to SSH, database and HTTP services under the following conditions:

  • The user identity needs to have authenticated either with an email in the example.com domain or as [email protected]
    AND
  • The IP address the user is visiting from should be in the range 0.0.0.0/0 (any IPv4 address) or ::/0 (any IPv6 address).
    AND
  • The user should come from one of these countries: NL, US, CA, BR, FR (and not from BE)
    AND
  • The time of day should be any time between 00:00:00 UTC and 23:59:59 UTC (any time)
    AND
  • This policy is valid after 2021-12-31; there is no end date.

Visual Policy editor

Next up we need to attach this Policy to one or more Sockets. This can be done from the Policy Tab in the Policy view.


Attach a Policy to one or more Sockets.

Database specific Actions

Border0 allows you to specify what kinds of database commands or queries are allowed. For example, you can define a Border0 policy for databases that implements read-only database access, in which case a user can only execute "use", "show", "describe" and "select" queries.

Heads-up:

Make sure to use the JSON editor to define database-specific actions.

To do so, define the following action settings:

    "action": [
        "database:use",
        "database:show",
        "database:describe",
        "database:select",
        "database:other"
    ],

A complete example:

{
    "action": [
        "database:use",
        "database:show",
        "database:describe",
        "database:select",
        "database:other"
    ],
    "condition": {
        "when": {
            "after": "2022-02-02T22:22:22Z",
            "before": null,
            "time_of_day_after": "00:00 UTC",
            "time_of_day_before": "23:59 UTC"
        },
        "where": {
            "allowed_ip": [
                "0.0.0.0/0",
                "::/0"
            ],
            "country": null,
            "country_not": null
        },
        "who": {
            "domain": null,
            "email": [
                "[email protected]"
            ]
        }
    },
    "version": "v1"
}

To allow for any database query use:

    "action": [
        "database:*"
    ],
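As an added illustration (not Border0's own code) of how a policy in the JSON format shown above is evaluated, including the "database:*" wildcard, the following Python evaluator applies the who/where/when conditions to a single access request. It assumes the semantics stated on this page: the three condition categories are ANDed, email and domain are alternatives within "who", and with several attached policies the cumulative verdict is a grant if any one of them matches; the policy and request values are constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone
# Constructed policy (not from the page): read-only database access for example.com
# users, from any IP and any country except BE, valid from 2022-10-13 onward.
POLICY = {
    "version": "v1",
    "action": ["database:use", "database:show", "database:describe", "database:select"],
    "condition": {
        "who": {"email": ["alice@example.com"], "domain": ["example.com"]},
        "where": {"allowed_ip": ["0.0.0.0/0", "::/0"], "country": None, "country_not": ["BE"]},
        "when": {"after": "2022-10-13", "before": None,
                 "time_of_day_after": "00:00:00 UTC", "time_of_day_before": "23:59:59 UTC"},
    },
}

def _action_allowed(actions, requested):
    # "database:*" is the page's wildcard; a bare "database" is treated the same way here.
    service = requested.split(":")[0]
    return any(a in (requested, service, f"{service}:*") for a in actions)

def _who_matches(who, email):
    # Either the exact email or the email's domain may match; a null list matches nothing.
    domain = email.rsplit("@", 1)[-1]
    return email in (who.get("email") or []) or domain in (who.get("domain") or [])

def _where_matches(where, ip, country):
    addr = ipaddress.ip_address(ip)
    in_range = any(addr in ipaddress.ip_network(c) for c in where.get("allowed_ip") or [])
    allowed, denied = where.get("country"), where.get("country_not") or []
    return in_range and (not allowed or country in allowed) and country not in denied

def _parse_ts(s):  # accepts both "2022-10-13" and "2022-02-02T22:22:22Z"
    d = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)
def _parse_tod(s):  # "00:00:00 UTC" or "00:00 UTC" -> seconds since midnight
    h, m, *sec = s.split()[0].split(":")
    return int(h) * 3600 + int(m) * 60 + (int(sec[0]) if sec else 0)

def _when_matches(when, now):
    now = now.astimezone(timezone.utc)
    tod = now.hour * 3600 + now.minute * 60 + now.second
    return ((not when.get("after") or now >= _parse_ts(when["after"]))
            and (not when.get("before") or now < _parse_ts(when["before"]))
            and _parse_tod(when["time_of_day_after"]) <= tod <= _parse_tod(when["time_of_day_before"]))

def evaluate(policies, action, email, ip, country, now):
    # Grant if any policy matches on action AND who AND where AND when; otherwise no access.
    return any(_action_allowed(p["action"], action) and _who_matches(p["condition"]["who"], email)
               and _where_matches(p["condition"]["where"], ip, country)
               and _when_matches(p["condition"]["when"], now) for p in policies)
```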

These are all the policy action keywords you can use to control database access.

Database-read:
  • "database:use"
  • "database:show"
  • "database:describe"
  • "database:select"
  • "database:other"

Database-manipulate:
  • "database:insert"
  • "database:delete"
  • "database:update"
  • "database:lock"

Database-ddl (Data Definition Language, i.e., CREATE, ALTER, DROP, etc.):
  • "database:ddl"
  • "database:dcl"
  • "database:grant"