Pulse/docs/security/SENSOR_PROXY_NETWORK.md
courtmanr@gmail.com fd39196166 refactor: finalize documentation overhaul
- Refactor specialized docs for conciseness and clarity
- Rename files to UPPER_CASE.md convention
- Verify accuracy against codebase
- Fix broken links
2025-11-25 00:45:20 +00:00


🌐 Sensor Proxy Network Segmentation

Isolate the proxy to prevent lateral movement.

🚧 Zones

  • Pulse App: Connects to Proxy via Unix socket (local).
  • Sensor Proxy: Outbound SSH to Proxmox nodes only.
  • Proxmox Nodes: Accept SSH from Proxy.
  • Logging: Accepts RELP/TLS from Proxy.

🛡️ Firewall Rules

| Source    | Dest     | Port | Purpose       | Action             |
|-----------|----------|------|---------------|--------------------|
| Pulse App | Proxy    | unix | RPC requests  | Allow (local)      |
| Proxy     | Nodes    | 22   | SSH (sensors) | Allow              |
| Proxy     | Logs     | 6514 | Audit logs    | Allow              |
| Any       | Proxy    | 22   | SSH access    | Deny (use bastion) |
| Proxy     | Internet | any  | Outbound      | Deny               |

🔧 Implementation (iptables)

```bash
# Keep loopback and replies to already-accepted connections (e.g. the bastion's
# SSH session) working once the default policy becomes DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH to the Proxmox nodes (sensor collection)
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET> --dport 22 -j ACCEPT

# Allow log forwarding (RELP/TLS) to the log host
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -j ACCEPT

# Drop all other outbound traffic (default policy, applied after the rules above)
iptables -P OUTPUT DROP
```
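A check worth running after the rules are loaded, added here as an example and not part of the Pulse project's own code: it parses `iptables -S OUTPUT` output and reports any ACCEPT rule or default policy that does not match the egress table above. The subnet and log-host addresses and the sample dump are constructed placeholders standing in for `<PROXMOX_SUBNET>` and `<LOG_HOST>`.

```python
import ipaddress
import shlex
# Hypothetical stand-ins for <PROXMOX_SUBNET> and <LOG_HOST> (constructed values).
ALLOWED_EGRESS = {
    ipaddress.ip_network("10.0.10.0/24"): {22},    # Proxmox nodes: SSH sensors
    ipaddress.ip_network("10.0.20.5/32"): {6514},  # log host: RELP/TLS audit logs
}

def _options(tokens):
    """Map `-flag value` pairs to a dict; flags without a value map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def audit_output_chain(dump):
    """Return one finding per line of an `iptables -S OUTPUT` dump that weakens egress."""
    findings, policy = [], None
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-P", "OUTPUT"]:
            policy = tokens[2]
            continue
        if tokens[:2] != ["-A", "OUTPUT"]:
            continue  # blank lines, other chains
        if "!" in tokens:
            findings.append(f"negated match, review manually: {line}")
            continue
        o = _options(tokens[2:])
        if o.get("-j") != "ACCEPT":
            continue  # DROP/REJECT/LOG rules cannot widen egress
        if o.get("-o") == "lo" or "ESTABLISHED" in str(o.get("--ctstate", "")):
            continue  # loopback and reply traffic are part of the baseline
        dest, port = o.get("-d"), o.get("--dport")
        if o.get("-p") != "tcp" or dest is None or not str(port).isdigit():
            findings.append(f"ACCEPT not pinned to tcp dest + single port: {line}")
            continue
        net = ipaddress.ip_network(dest, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) and int(port) in p
                   for a, p in ALLOWED_EGRESS.items()):
            findings.append(f"ACCEPT outside policy: {line}")
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, expected DROP")
    return findings

# Constructed sample of `iptables -S OUTPUT` with one rule that breaks the policy.
SAMPLE_DUMP = """-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.0.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT"""
```

Feed it `subprocess.check_output(["iptables", "-S", "OUTPUT"], text=True)` on the proxy host; a non-empty result is a drift alert.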

🚨 Monitoring

  • Alert on outbound connections to non-whitelisted IPs.
  • Monitor pulse_proxy_limiter_rejects_total for abuse.