By default, teams cannot access systems inside CONS3RT from an external source other than through the CONS3RT portal.
This is by design and part of the security accreditation. However, for organizations with short-term test and evaluation needs, there is an Interim Authority to Test (IATT)-like process for granting temporary inbound access from specific sources.
Users can request specific, event-based exceptions to temporarily allow inbound traffic into their CONS3RT cloudspace for the purposes of a preplanned, coordinated test event. Requests shall be made by support ticket. Not all requests will be granted.
The guidelines for requesting an opening are:
- Limited, defined durations
- Specific origination IP addresses for incoming traffic
- Automated Nessus scan (with credentials) of the environment with no unmitigated critical or high findings
- Test deployed systems with the testssl.sh tool and resolve or mitigate any significant findings
- Systems built via the CONS3RT application using assets, not built by hand or from existing VMs (to be reviewed by CONS3RT Site Admins)
- Limited to DoD PPS “green” ports
- Approval from the user’s Government PM for the event
- Inbound to only one project-connected cloudspace
How to Set Up an IATT
After receiving an IATT, you will want to connect to your system. The recommended approach is described below:
- Notify CONS3RT support that you would like to begin the connection process. The notification provides awareness to CONS3RT support so that they can ensure the process is executed smoothly.
- Provide source and destination IPs to CONS3RT support.
- Build your system(s)/scenario(s)/deployment(s) using the designs approved in your IATT.
- Use the built-in Nessus ETT to perform a credentialed scan of the system and provide a link to the results to the CONS3RT support team. (If you need help creating or running a Nessus ETT, see this KB.)
- Launch your system(s) and access from approved source(s).
- Download the testssl.sh script from https://testssl.sh and run the test against your launched system. Provide a link or send a file with the results to the CONS3RT support team.
- Some organizations cannot ensure repeatable assignment of source IPs. If that is the case, users can register their approved external system(s) with a dynamic DNS service. Most dynamic DNS services offer either a client that runs on your local system or a web portal registration (for the case where local policy does not allow installation of a client agent). This requires an asset on the server-side system(s) inside CONS3RT that uses the dynamic DNS service to manage its access list. The dynamic domain name and the IP pool it can draw from still need to be provided to the CONS3RT support team.
Coming Soon: Example Asset. CONS3RT support is developing an example asset that takes a list of approved DNS names, performs a lookup on each, and then populates the host's access control mechanisms. When using this asset there may be a lag when first connecting from a new location, but it is typically minutes and is automated.
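The testssl.sh step above asks you to resolve or mitigate significant findings before results go to CONS3RT support. The following is an added example (not CONS3RT's or testssl.sh's own code) of how to triage a run: it assumes testssl.sh was invoked with `--jsonfile`, which writes a flat JSON array of objects with `id`, `ip`, `port`, `severity` and `finding` keys (plus `cve`/`cwe` on some entries), and it treats HIGH and CRITICAL as "significant", the same bar the Nessus criterion above applies. The sample results, hostname and IP are constructed for the example.

```python
"""Triage a testssl.sh --jsonfile run and decide whether it passes the IATT gate.

Added example; not part of CONS3RT or testssl.sh. The JSON shape below is the
flat --jsonfile format as the author understands it (id/ip/port/severity/finding).
"""
import json
import subprocess
from typing import Dict, List

# Severity labels testssl.sh emits, ordered from least to most serious.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "OK": 2, "WARN": 3,
                 "LOW": 4, "MEDIUM": 5, "HIGH": 6, "CRITICAL": 7}
SIGNIFICANT = {"HIGH", "CRITICAL"}   # what must be resolved or mitigated

# Constructed sample output (hypothetical host web01.example.test / 10.0.0.5).
SAMPLE_JSON = """[
 {"id": "service",   "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "INFO",     "finding": "HTTP"},
 {"id": "TLS1",      "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "LOW",      "finding": "offered (deprecated)"},
 {"id": "SSLv3",     "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "HIGH",     "finding": "offered"},
 {"id": "ROBOT",     "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "OK",       "finding": "not vulnerable, no RSA key transport cipher"},
 {"id": "cipherlist_3DES_IDEA", "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "MEDIUM", "finding": "offered"},
 {"id": "heartbleed", "ip": "web01.example.test/10.0.0.5", "port": "443", "severity": "CRITICAL", "finding": "VULNERABLE (NOT ok)", "cve": "CVE-2014-0160", "cwe": "CWE-119"}
]"""


def run_testssl(target: str, out_file: str, testssl_path: str = "./testssl.sh") -> None:
    """Run testssl.sh against the launched system and write JSON results.

    Uses only the documented --jsonfile flag; the exit status is not relied on,
    the JSON is the record you hand to CONS3RT support.
    """
    subprocess.run([testssl_path, "--jsonfile", out_file, target], check=False)


def load_findings(json_text: str) -> List[Dict]:
    """Parse --jsonfile output into a list of finding dicts."""
    findings = json.loads(json_text)
    if not isinstance(findings, list):
        raise ValueError("expected a flat JSON array from testssl.sh --jsonfile")
    return findings


def significant_findings(findings: List[Dict]) -> List[Dict]:
    """Return HIGH/CRITICAL entries, most serious first, for the mitigation list."""
    hits = [f for f in findings if f.get("severity") in SIGNIFICANT]
    return sorted(hits, key=lambda f: SEVERITY_RANK.get(f["severity"], -1), reverse=True)


def severity_tally(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity label (useful as the one-line summary in the ticket)."""
    tally: Dict[str, int] = {}
    for f in findings:
        tally[f.get("severity", "UNKNOWN")] = tally.get(f.get("severity", "UNKNOWN"), 0) + 1
    return tally


def passes_gate(findings: List[Dict]) -> bool:
    """True only when nothing HIGH or CRITICAL remains."""
    return not significant_findings(findings)


if __name__ == "__main__":
    results = load_findings(SAMPLE_JSON)
    print("tally:", severity_tally(results))
    for f in significant_findings(results):
        print(f"{f['severity']:8} {f['id']:24} {f.get('cve', '')} {f['finding']}")
    print("gate passed:", passes_gate(results))
```

Re-run testssl.sh after each fix and re-triage the new JSON; only a run with an empty significant list is what you want to attach to the ticket. MEDIUM and LOW entries (3DES, TLS 1.0 above) are not blockers under the guideline but are worth listing as accepted risk in the same ticket.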
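While the CONS3RT example asset is still being developed, the approach it describes (resolve approved DNS names, then populate the host's access control) can be sketched as follows. This is an added example, not CONS3RT's asset, and it makes assumptions not on this page: the host runs nftables with an existing table `inet filter` whose input chain has a default-drop policy and jumps to a dedicated chain `iatt_inbound`; the DDNS names, the IP pool reported to support, and the approved port are all hypothetical placeholders. It goes one step beyond the description: every resolved address is checked against the IP pool you reported to CONS3RT support, so a stale or hijacked DDNS record cannot open the cloudspace to an address the IATT never covered.

```python
"""Resolve approved dynamic-DNS names and rebuild an nftables allow chain.

Added example, not the CONS3RT asset. Assumes nftables with table `inet filter`,
a default-drop input chain that jumps to chain `iatt_inbound`, and root to apply.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Iterable, List, Set

# Hypothetical values taken from the approved IATT request.
APPROVED_NAMES = ["tester-a.example-ddns.net", "tester-b.example-ddns.net"]
REPORTED_IP_POOL = ["203.0.113.0/24", "198.51.100.0/24"]   # pool given to support
APPROVED_TCP_PORTS = [443]                                 # PPS "green" port(s) approved

NFT_TABLE = "inet filter"    # assumed to exist
NFT_CHAIN = "iatt_inbound"   # assumed chain the input chain jumps to


def resolve_ipv4(name: str) -> Set[str]:
    """Live DNS lookup; an unresolvable name yields an empty set (no rule, not an error)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def resolve_allowlist(names: Iterable[str],
                      pool: Iterable[str],
                      resolver: Callable[[str], Set[str]] = resolve_ipv4) -> List[str]:
    """Resolve each approved name and keep only addresses inside the reported pool.

    The pool check is the safeguard the plain "look up and allow" description
    lacks: DDNS records are controlled by the tester's account, not by CONS3RT.
    """
    nets = [ipaddress.ip_network(p) for p in pool]
    keep: Set[str] = set()
    for name in names:
        for addr in resolver(name):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in nets):
                keep.add(str(ip))
    return sorted(keep, key=ipaddress.ip_address)


def build_nft_script(addrs: Iterable[str], tcp_ports: Iterable[int],
                     table: str = NFT_TABLE, chain: str = NFT_CHAIN) -> str:
    """Emit an nft script: flush the chain, then one accept rule per address.

    Feeding the whole script to `nft -f` applies it as one transaction, so the
    chain is never left empty between the flush and the re-add. Anything not
    accepted here falls through to the input chain's drop policy.
    """
    ports = ", ".join(str(p) for p in tcp_ports)
    lines = [f"flush chain {table} {chain}"]
    for addr in addrs:
        lines.append(f"add rule {table} {chain} ip saddr {addr} tcp dport {{ {ports} }} accept")
    return "\n".join(lines) + "\n"


def apply_nft_script(script: str) -> None:
    """Apply the script via nft's stdin (requires root)."""
    subprocess.run(["nft", "-f", "-"], input=script, text=True, check=True)


if __name__ == "__main__":
    # Dry run: print the script. Schedule with apply_nft_script() from cron
    # every minute or so; that polling interval is the "lag" mentioned above.
    current = resolve_allowlist(APPROVED_NAMES, REPORTED_IP_POOL)
    print(build_nft_script(current, APPROVED_TCP_PORTS), end="")
```

Run it from cron at the cadence you are willing to wait when connecting from a new location; the rules are rebuilt on each pass, so a tester whose address leaves the pool loses access on the next run without any manual cleanup. Keep `nft list chain inet filter iatt_inbound` output with the test records so support can see exactly which sources were open and when.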