Ways to identify internet facing CI records

Griffith Goas · ‎05-31-2024

Hello SN Community,

My company's security team has given us a requirement to identify which CIs are internet facing, and also identify which of those CIs are protected by a Web Application Firewall (WAF).

Our CMDB team is struggling to identify out-of-box sources and destinations for these types of attributes.

Have any other community members achieved this with Discovery, Service Graph Connectors, or other non-custom integrations? - if so, what did you use?

-or-

Has anyone achieved this through customization? -if so, what data sources did you use?

Thanks in advance

Narsing1 · ‎06-01-2024

If you have CSDM framework installed, you can achieve this via Data Classification field (public)

Example: A Server can have multiple applications installed in it. If any application Data classification is public, then you may consider that as a internet facing.

So if a CI relationship contains these kind of business applications, then that CI can be considered as Internet facing.

You may also consider to use business app field audience type (but before doing anything, all these applications should be configured correctly. Need to contact the application owners to take that information)

If you don't have CSDM framework, you can see the Service(cmdb_ci_service) table.

Thanks,

Narsing

View solution in original post

Narsing1 · ‎06-01-2024

If you have CSDM framework installed, you can achieve this via Data Classification field (public)

Example: A Server can have multiple applications installed in it. If any application Data classification is public, then you may consider that as a internet facing.

So if a CI relationship contains these kind of business applications, then that CI can be considered as Internet facing.

You may also consider to use business app field audience type (but before doing anything, all these applications should be configured correctly. Need to contact the application owners to take that information)

If you don't have CSDM framework, you can see the Service(cmdb_ci_service) table.

Thanks,

Narsing

Griffith Goas · ‎06-12-2024

Thanks Narsing,

If this is the preferred method, then it ends up being a manual effort to collect this context from an app owner, rather than an automated effort using a discovery source.

What is your recommendation for displaying this context on the individual CI record? (Server/firewall/load balancer/DNS record)? And how should we guide our security data-customers to trace the relationships between the information object - business app - app service - server CI(s)?

Narsing1 · ‎06-12-2024

Hi,

Yes. This requires manual effort to collect the information from all the app owners. Probably you may go with the below steps.

Take all the Applications list (including its sys_id) into an Excel sheet.
Get into a call with all application owners (This is normally done by Data Quality people)
Update the Excel sheet with all the Internet facing applications
Create a Data source and a Transform map for the same. Since you already have the sys id in the excel sheet, use this as a coalesce in the Field mappings

In CSDM framework, the hierarchy is as below

Business Application => Application Services with the Environment (PROD, DEV, TEST)
Business Service ==> Business Service Offerings with the Environment
Technical Service ==> Technical Service Offerings with the Environment

All the Infrastructure CI's i.e. Server, Load Balancer, Firewall etc., will have relations to the above Childs i.e. Application Services/Technical Service Offerings / Business Service Offerings

Sample on how a typical relation can be observed here

Thanks,

Narsing