IATT-like Connectivity
By default, teams cannot access systems inside of Arcus from an external source other than through the Arcus portal.
This is by design and part of the security accreditation. However, for organizations with short-term test and evaluation needs, there is an Interim Authority to Test (IATT)-like process for granting temporary inbound access from specific sources.
Users can request specific, event-based exceptions to temporarily allow inbound traffic into their Arcus cloudspace for the purposes of a preplanned, coordinated test event. Requests shall be made by support ticket. Not all requests will be granted.
IATT Requirements
The guidelines for requesting an opening are:
- Limited, defined durations
- Specific origination IP addresses for incoming traffic
- Automated Nessus scan (with credentials) of the environment with no unmitigated critical or high findings
- Test deployed systems with the testssl.sh tool and resolve or mitigate any significant findings
- Systems built via the Arcus application using assets, not by hand or from existing VMs (to be reviewed by Arcus Site Admins)
- Limited to DoD PPS “green” ports
- Approval from the user’s Government PM for the event
- Inbound to only one project-connected cloudspace
How to Set Up an IATT
After receiving an IATT, you will want to connect to your system. The recommended approach is described below:
- Notify Arcus support that you would like to begin the connection process. The notification provides awareness to Arcus support so that they can ensure the process is executed smoothly.
- Provide source and destination IPs to Arcus support.
- Build your system(s)/scenario(s)/deployment(s) using the designs approved in your IATT.
- Use the built-in Nessus ETT to perform a credentialed scan of the system and provide a link to the results to the Arcus support team. (If you need help creating or running a Nessus ETT, see this [KB](https://arcus-cloud.io/kb/nessus-scans/).)
- Launch your system(s) and access from approved source(s).
- Download the testssl.sh script from https://testssl.sh and run the test on your launched system. Provide a link or send a file with the results to the Arcus support team.
Optional Step
- Some organizations cannot ensure repeatable assignment of source IPs. If that is the case, users can register their approved external system(s) with a dynamic DNS service. Most dynamic DNS services can use a client on your local system or offer a web portal registration (in the event local policy on the system does not allow installation of a client agent). This will require an asset on the server-side system(s) inside of Arcus that leverages the dynamic DNS service to manage its access list. The dynamic domain name and IP pool still need to be provided to the Arcus support team.
Coming Soon…Example Asset: Arcus support is developing an example asset that takes a list of approved DNS names, performs a lookup and then populates access control mechanisms. When using this asset, there may be a lag when first connecting from a new location, but it is typically minutes and is automated.
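As an added illustration of the asset described above (not Arcus support's code, which is still in development), this shows the checks a resolver-driven allowlist refresh needs: resolve each approved name, admit only public unicast answers, keep the last known address when a lookup fails rather than widening or dropping access, and emit host-scoped rules for the approved ports only. The DNS names, addresses and rule syntax are constructed placeholders, and the live resolver is swappable for an offline stand-in.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

def system_resolver(name: str) -> Set[str]:
    """Resolve A/AAAA records with the OS resolver (raises socket.gaierror)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

# Constructed answers standing in for a dynamic-DNS lookup, so this runs offline.
EXAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "tester-a.ddns.example": {"150.10.20.30"},
    "tester-b.ddns.example": {"10.0.0.5", "150.10.20.31"},  # private answer is dropped
    "tester-c.ddns.example": set(),                         # lookup returned nothing
}

def example_resolver(name: str) -> Set[str]:
    if name not in EXAMPLE_ANSWERS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return EXAMPLE_ANSWERS[name]

def public_unicast(addr: str) -> bool:
    """Only globally routable unicast hosts may enter an inbound allowlist."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast

def refresh_allowlist(names: Iterable[str], previous: Dict[str, Set[str]],
                      resolve: Callable[[str], Set[str]] = system_resolver) -> Dict[str, Set[str]]:
    """Return {name: addresses}; a failed or empty lookup keeps the last known
    addresses instead of widening the list or silently cutting the tester off."""
    current: Dict[str, Set[str]] = {}
    for name in names:
        try:
            addrs = {a for a in resolve(name) if public_unicast(a)}
        except OSError:  # socket.gaierror is an OSError subclass
            addrs = set()
        current[name] = addrs if addrs else previous.get(name, set())
    return current

def render_rules(allowlist: Dict[str, Set[str]], ports: List[int]) -> List[str]:
    """One host-scoped (/32 or /128) allow rule per address and approved port."""
    rules = []
    for name, addrs in allowlist.items():
        for addr in addrs:
            host = ipaddress.ip_network(addr)  # a single host, never a wider prefix
            rules.extend(f"allow tcp from {host} to port {p}  # {name}" for p in ports)
    return sorted(rules)
```

Running `refresh_allowlist` on a schedule and applying only the difference between the previous and current rule lists is what produces the few-minute lag the note above mentions.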