Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are configured to prevent unauthorized access.
Effective network traffic policies help minimize the risk of network-based attacks, including denial of service attacks and malicious data exfiltration. By enforcing ingress and egress rules, we can limit the number of unnecessary open ports to protect customer, GitLab team-member, and partner data and prevent unauthorized access.
This control applies to all systems within the production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
The control should be designed to ensure we don't default to "allow all" traffic and instead put in place reasonable barriers for access to our production network.
Infrastructure manages the configuration for GCP using Chef and Terraform, which includes the firewall rules. Configurations are version-controlled and require approval prior to changing. The Infrastructure team engages with Security Operations to review new firewall rules that fall outside of the baseline. Security manages the monitoring for the service and can validate that the correct rules are still intact.
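A check of the kind Security could run to validate that the rules are still intact, added here as an illustration and not GitLab's own tooling: it assumes rules exported with `gcloud compute firewall-rules list --format=json` and uses a constructed sample set to flag "allow all" ingress, world-open allows, and a missing default deny.

```python
"""Audit GCP VPC firewall rules for "allow all" ingress and a default deny-all rule."""
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`;
# field names follow the GCP Compute API, the rule names and ranges are made up.
SAMPLE_RULES = [
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-https-from-lb", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]


def is_active_ingress(rule):
    """Only enabled INGRESS rules matter for the checks below."""
    return rule.get("direction", "INGRESS") == "INGRESS" and not rule.get("disabled", False)


def is_world_open(rule):
    """True if any source range is a /0, i.e. the whole IPv4 or IPv6 internet."""
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))


def covers_all_protocols(entries):
    """True for an allowed/denied list that matches every protocol and port."""
    return any(e.get("IPProtocol") == "all" for e in entries)


def audit(rules):
    """Return allow-all rules, world-open allow rules, and whether a default deny exists."""
    ingress = [r for r in rules if is_active_ingress(r)]
    allows = [r for r in ingress if r.get("allowed")]
    allow_all = sorted(r["name"] for r in allows
                       if is_world_open(r) and covers_all_protocols(r["allowed"]))
    world_open = sorted(r["name"] for r in allows
                        if is_world_open(r) and r["name"] not in allow_all)
    # A default deny only does its job if it sorts after every allow
    # (in GCP a higher priority number means lower precedence).
    lowest_allow = max((r.get("priority", 1000) for r in allows), default=-1)
    default_deny = any(is_world_open(r) and covers_all_protocols(r.get("denied", []))
                       and r.get("priority", 1000) > lowest_allow for r in ingress)
    return {"allow_all": allow_all, "world_open": world_open, "default_deny": default_deny}


if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```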
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Network Policy Enforcement Points control issue.