Thursday, May 10, 2018

Configuring Linux Firewall to Allow Upload Only

I have something of an interesting use case. I want Splunk clients to be able to upload data for processing to my Splunk server over port 8089 (the Splunk REST API port) with SSL. It needs to be lightweight on client endpoints, so using a universal forwarder is not viable.

This can be accomplished by using the Splunk REST API, but it creates a security issue. Splunk authentication/permissions do not allow for uploading that data without also allowing downloading of data on that server using the same credentials. For security purposes, that is unacceptable.

Given the limitations in Splunk, I'm attempting a workaround using a Linux firewall on the Splunk server. My thought was I could use iptables to drop all output except that which is explicitly necessary to negotiate the SSL connection and acknowledge receipt of uploaded data. But I don't have the expertise to know how to do that most effectively.

Setting up a DROP policy on OUTPUT is easy enough. But the only progress I have made on filtering the communication is to set up a rule that limits the length of OUTPUT packets that are allowed out. This feels clunky and brittle though.

Does anyone have any insight into how to do that most effectively or if there is some other solution I'm overlooking that would make more sense? Thanks.
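The OUTPUT-chain approach described above, written out as an added example (this is not the author's ruleset and not anything shipped by Splunk or netfilter). It prints the iptables commands so they can be reviewed before they are applied, and offers two ways of deciding which ESTABLISHED replies on the REST port may leave: the packet-length match the post mentions, and a per-connection byte cap via the connbytes match. The script name, the client network 10.0.0.0/24, the 64 KiB reply cap and the 1500-byte packet limit are all assumptions; only TCP 8089 comes from the post.

```shell
#!/bin/sh
# Added example (hypothetical script name: splunk-egress.sh), not from the
# original post. Generates an iptables OUTPUT policy for a Splunk server that
# should only ever answer inbound REST connections on TCP 8089 and never
# originate traffic of its own.
#
# Assumptions (all hypothetical): clients live in 10.0.0.0/24, the REST API
# listens on TCP 8089, and more than 64 KiB sent back on one connection is
# treated as a download rather than an upload acknowledgement.
SPLUNK_PORT="${SPLUNK_PORT:-8089}"
CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}"
MAX_REPLY_BYTES="${MAX_REPLY_BYTES:-65536}"   # connbytes mode: cap on server->client bytes per connection
MAX_PKT_LEN="${MAX_PKT_LEN:-1500}"            # length mode: the post's per-packet limit (layer-3 length)

# Emit the rules instead of running them. Mode is "connbytes" (default) or
# "length"; the two differ only in how a permitted reply packet is recognised.
gen_rules() {
    mode="${1:-connbytes}"
    case "$mode" in
        # Counts bytes in the reply direction (server -> client) of this
        # connection; once the cap is passed the rule stops matching and the
        # DROP policy takes over, so the TLS handshake and short JSON
        # acknowledgements pass while a bulk search result is cut off.
        connbytes) reply_match="-m connbytes --connbytes 0:${MAX_REPLY_BYTES} --connbytes-dir reply --connbytes-mode bytes" ;;
        # Per-packet length, as in the post. 1500 admits every full-MTU
        # segment; anything much lower breaks the handshake, because the
        # server's Certificate message alone is usually larger than one packet.
        length)    reply_match="-m length --length 0:${MAX_PKT_LEN}" ;;
        *) echo "unknown mode: $mode (use connbytes or length)" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# Only answer connections the clients opened to the REST port; never originate any.
iptables -A OUTPUT -p tcp --sport ${SPLUNK_PORT} -d ${CLIENT_NET} -m conntrack --ctstate ESTABLISHED ${reply_match} -j ACCEPT
# Let the server reset a connection it is no longer allowed to feed, so clients do not hang until the conntrack timeout.
iptables -A OUTPUT -p tcp --sport ${SPLUNK_PORT} -d ${CLIENT_NET} --tcp-flags RST RST -j ACCEPT
# Rate-limited log of what the DROP policy eats, so a client hitting the cap is visible.
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "splunk-egress-drop: "
EOF
}

# Apply the generated rules; requires root and an iptables binary.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    gen_rules "$1" | sh -e
}

case "${1:-show}" in
    show)  gen_rules "${2:-connbytes}" ;;
    apply) apply_rules "${2:-connbytes}" ;;
    *)     echo "usage: $0 [show|apply] [connbytes|length]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner would want before relying on either mode. First, the packet-length variant is defeated by the client, not just brittle: the segment size the server uses is whatever MSS the client advertised in its SYN, so a client that advertises a small MSS forces every server packet under any limit you pick. Second, neither match can see inside TLS, so the firewall cannot tell a search response from an upload acknowledgement; the connbytes cap only bounds how much leaves per connection, and a client holding valid credentials can still pull a search out in small pieces over many connections. The DROP policy also blocks DNS, NTP, updates and anything else the host initiates, and the INPUT side still needs its own restriction of NEW connections to port 8089.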


