Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are established in accordance with identified security requirements and business justifications.
Effective network traffic policies help minimize the risk of network-based attacks, including denial of service attacks and malicious data exfiltration. By requiring that ingress and egress rules be mapped to security requirements and business justifications, we can limit the number of unnecessarily open ports and protect customer, GitLab team-member, and partner data.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
The control should be designed to ensure we don't default to "allow all" traffic and instead put in place reasonable barriers to access to our production network.
Infrastructure manages the configuration for GCP, including firewall rules, using Chef and Terraform. Configurations are version controlled and require approval prior to changing. The Infrastructure team engages with Security Operations to review new firewall rules that fall outside of the baseline. Security manages the monitoring for the service and can validate that the correct rules are still intact.
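The following Terraform fragment is an added illustration of the deny-by-default pattern described above; it is not GitLab's actual firewall configuration. The network name, tags, rule names, and the security-requirement identifier in the description are assumptions (the identifier is a placeholder). It shows the "allow all" rule the control is meant to prevent next to a baseline that denies ingress and egress by default and adds one documented exception, so a reviewer can see the justification for every open port in the rule itself.

```hcl
# WEAK (what the control prohibits): every port, every protocol, from anywhere.
# Shown only so the contrast with the baseline below is explicit.
resource "google_compute_firewall" "allow_all_ingress" {
  name          = "allow-all-ingress"           # assumed name
  network       = google_compute_network.prod.name  # assumed network resource
  direction     = "INGRESS"
  allow {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
}

# BASELINE: explicit deny-all ingress at the lowest user-settable priority.
# GCP's implied rules already deny ingress at 65535, but an explicit rule is
# visible in review and alerts if it is ever removed.
resource "google_compute_firewall" "deny_all_ingress" {
  name          = "deny-all-ingress"
  network       = google_compute_network.prod.name
  direction     = "INGRESS"
  priority      = 65534
  deny {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
}

# BASELINE: GCP's implied egress rule is "allow all"; this overrides it so
# hosts cannot reach arbitrary destinations (limits exfiltration paths).
resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = google_compute_network.prod.name
  direction          = "EGRESS"
  priority           = 65534
  deny {
    protocol = "all"
  }
  destination_ranges = ["0.0.0.0/0"]
}

# JUSTIFIED EXCEPTION: one port, one protocol, one target group.
# The description carries the security requirement and business
# justification the control requires, so the review is self-documenting.
resource "google_compute_firewall" "allow_https_web_tier" {
  name        = "allow-https-web-tier"
  description = "SEC-REQ-PLACEHOLDER: public HTTPS to web tier; justification: serves customer traffic"
  network     = google_compute_network.prod.name
  direction   = "INGRESS"
  priority    = 1000        # evaluated before the 65534 deny rules
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["web-tier"]   # assumed instance tag; rule applies only to tagged hosts
}
```

Because the deny rules sit at priority 65534 and every allow rule must carry a lower number, any new rule that is missing a description or that targets no specific tag stands out in a merge request diff, which is where the Infrastructure and Security Operations review happens.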
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Network Policy Enforcement Points control issue.