Deployment

BSFG Network Policy

Firewall rules and transport security

Audience: Network engineers, security architects

Use: Define firewall, routing, and endpoint exposure policy for cross-zone BSFG traffic

Transport Security Principle

All BSFG boundary communication uses mutual TLS (mTLS) over Connect RPC. This provides:

  • Cryptographic authentication (certificate-based peer identity)
  • Encrypted transport (no plaintext facts)
  • Audit trail (certificates bound to zones)

There is no fallback to unencrypted or weakly authenticated communication. All inter-zone RPC calls require a valid mTLS handshake.

RPC Operations and Ports

BSFG exposes four RPC operations. All operate over a single Connect RPC endpoint:

  • AppendFact
  • FetchFacts
  • ConfirmReceipt
  • PutObject

These RPC calls are HTTP/2 POST requests to the BSFG node's endpoint. Typical port: 9443 (customizable).

Firewall Rules Template

For a three-zone deployment (Enterprise, IDMZ, Plant A), firewall rules should allow:

Source Zone | Source BSFG Node | Dest Zone  | Dest BSFG Node | Protocol  | Port | Direction | Purpose
------------|------------------|------------|----------------|-----------|------|-----------|--------------------------------------------------
Enterprise  | 10.0.1.10        | IDMZ       | 10.1.1.10      | TCP/HTTP2 | 9443 |           | AppendFact, FetchFacts, ConfirmReceipt, PutObject
IDMZ        | 10.1.1.10        | Enterprise | 10.0.1.10      | TCP/HTTP2 | 9443 |           | AppendFact, FetchFacts, ConfirmReceipt, PutObject
IDMZ        | 10.1.1.10        | Plant A    | 10.2.1.10      | TCP/HTTP2 | 9443 |           | AppendFact, FetchFacts, ConfirmReceipt, PutObject
Plant A     | 10.2.1.10        | IDMZ       | 10.1.1.10      | TCP/HTTP2 | 9443 |           | AppendFact, FetchFacts, ConfirmReceipt, PutObject

Firewall Rules (pf syntax)

The template above expressed as pf rules. pf keeps state for TCP by default, so reply packets of an accepted connection need no separate rule, and the last matching rule wins, so the default deny is listed first. The same four rules translate one-for-one to iptables FORWARD rules under a DROP policy, with one additional conntrack rule accepting ESTABLISHED,RELATED traffic.

# Deny all others at boundary
block all

# Enterprise → IDMZ
pass proto tcp from 10.0.1.10 to 10.1.1.10 port 9443

# IDMZ → Enterprise
pass proto tcp from 10.1.1.10 to 10.0.1.10 port 9443

# IDMZ → Plant A
pass proto tcp from 10.1.1.10 to 10.2.1.10 port 9443

# Plant A → IDMZ
pass proto tcp from 10.2.1.10 to 10.1.1.10 port 9443


Certificate Requirements

Each BSFG node requires a TLS certificate with:

  • Subject CN (Common Name): zone identity (e.g., enterprise-bsfg, plant-a-bsfg)
  • SANs (Subject Alternative Names): FQDN or IP of the node (e.g., bsfg-ent.example.com, 10.0.1.10)
  • Extended Key Usage (EKU): TLS Web Server Authentication and TLS Web Client Authentication (both, because every node acts as both server and client)
  • Issuer: Private CA (internal to organization, not public CA)
  • Validity: 1–2 years (plan for renewal before expiry)

Certificate Validation

On each connection, the peer certificate is verified as follows:

  1. Validate certificate signature against the CA root
  2. Check not expired
  3. Extract zone identity from Subject CN
  4. Verify zone is authorized for the operation (policy-dependent)

Example validation logic:

peer_cert = extract_peer_certificate()
zone_id = peer_cert.Subject.CN

if (zone_id == "enterprise-bsfg") {
  // Enterprise zone — allow AppendFact to IDMZ and Plant
  // Allow FetchFacts from IDMZ and Plant
}

if (zone_id == "idmz-bsfg") {
  // IDMZ zone — allow AppendFact to Enterprise and Plant
  // Allow FetchFacts from Enterprise and Plant
}
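As an added worked example (not code from this page or from the BSFG project, whose implementation language the page does not state), the following Go program creates a private CA and node certificates that satisfy the requirements above, then implements the four validation steps and returns the extracted zone identity. The zonePolicy table, the CA names, the vendor-bsfg zone, the .example.com FQDN suffix and every function name are assumptions; the page only says the authorization step is policy-dependent. The scenario at the end exercises an allowed call, an expired certificate, a certificate from a different CA and an unknown zone, and applies the 30-day expiry threshold from the monitoring section.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Sentinel errors name the validation step (from the list above) that failed.
var (
	ErrChain   = errors.New("signature/CA mismatch (step 1)")
	ErrExpired = errors.New("certificate outside its validity window (step 2)")
	ErrPolicy  = errors.New("zone not authorized for operation (steps 3-4)")
)

// zonePolicy is an ASSUMED table for an IDMZ node: which peer zone (Subject CN) may call which RPC.
var zonePolicy = map[string]map[string]bool{
	"enterprise-bsfg": {"AppendFact": true, "FetchFacts": true, "ConfirmReceipt": true, "PutObject": true},
	"plant-a-bsfg":    {"AppendFact": true, "FetchFacts": true, "ConfirmReceipt": true, "PutObject": true},
}

// certTemplate builds the private CA (isCA) or a node certificate that meets the requirements above:
// CN = zone identity, SAN = FQDN, EKU = server and client auth, one year of validity (ten for the CA).
func certTemplate(serial int64, cn string, isCA bool, notBefore time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.NotAfter = notBefore.Add(10 * 365 * 24 * time.Hour)
		return t
	}
	t.DNSNames = []string{cn + ".example.com"} // sample FQDN; an IP SAN would go in t.IPAddresses
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return t
}

// must panics on error; acceptable here because it only guards construction of demo certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustSign generates a P-256 key for tmpl and has parent sign it; a nil parentKey means self-signed (the CA).
func mustSign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// authorizePeer runs the four validation steps for one RPC from a peer and returns the extracted zone.
func authorizePeer(peer *x509.Certificate, roots *x509.CertPool, now time.Time, op string) (string, error) {
	// Step 2 is checked first so an expired cert is reported as such rather than as a chain failure.
	if now.Before(peer.NotBefore) || now.After(peer.NotAfter) {
		return "", ErrExpired
	}
	// Step 1: signature chain to the private CA root; the peer is acting as a TLS client here.
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", ErrChain
	}
	// Steps 3 and 4: the zone identity is the Subject CN; an empty or unknown CN has no policy entry.
	zone := peer.Subject.CommonName
	if !zonePolicy[zone][op] {
		return zone, ErrPolicy
	}
	return zone, nil
}

// runScenario exercises each outcome with constructed certs (nil = allowed) and flags the 30-day renewal window.
func runScenario() (map[string]error, bool) {
	now, day := time.Now(), 24*time.Hour
	ca, caKey := mustSign(certTemplate(1, "example-private-bsfg-ca", true, now.Add(-day)), nil, nil)
	otherCA, otherKey := mustSign(certTemplate(1, "some-other-org-ca", true, now.Add(-day)), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ent, _ := mustSign(certTemplate(2, "enterprise-bsfg", false, now.Add(-345*day)), ca, caKey) // 20 days left
	expired, _ := mustSign(certTemplate(3, "plant-a-bsfg", false, now.Add(-730*day)), ca, caKey)
	wrongCA, _ := mustSign(certTemplate(4, "plant-a-bsfg", false, now.Add(-day)), otherCA, otherKey)
	unknown, _ := mustSign(certTemplate(5, "vendor-bsfg", false, now.Add(-day)), ca, caKey)
	v := map[string]error{}
	zone, err := authorizePeer(ent, roots, now, "AppendFact")
	v["AppendFact from "+zone] = err
	_, v["expired cert"] = authorizePeer(expired, roots, now, "FetchFacts")
	_, v["wrong CA"] = authorizePeer(wrongCA, roots, now, "FetchFacts")
	_, v["unknown zone"] = authorizePeer(unknown, roots, now, "PutObject")
	return v, now.Add(30*day).After(ent.NotAfter)
}
```

In a real node, authorizePeer would run inside the TLS configuration's VerifyPeerCertificate or VerifyConnection callback, with roots loaded from the installed CA file rather than generated; the step ordering above makes an expiry failure and a CA mismatch distinguishable, which matters because the monitoring section alerts on each separately.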

No Durable Middleware at Boundary

Forbidden at the boundary network:

  • Message brokers (Kafka, NATS, RabbitMQ)
  • Databases (PostgreSQL, MongoDB)
  • File servers or NAS
  • Load balancers with state
  • Cache servers

Allowed at the boundary:

  • Firewalls (stateless or connection-tracking)
  • Routers
  • Layer-4 load balancers (pass-through, no state)
  • TLS terminators (if necessary, but each terminator is a separate trust domain)
  • VPN gateways

Monitoring and Alerting

Monitor network paths between BSFG nodes:

  • TLS Handshake Failures: Alert if certificate validation fails (expired certs, wrong identity, CA mismatch)
  • Connection Timeouts: Alert if RPC calls take > 5 seconds (indicates network partition or overload)
  • Firewall Drops: Log denied packets to debug connectivity issues
  • Certificate Expiry: Alert 30 days before expiry; trigger renewal workflow

VPN and Encryption

If the network path crosses public internet or untrusted networks (e.g., enterprise VPN to cloud plant), consider adding an additional layer:

  • IPsec VPN: Encrypts all traffic end-to-end at the network layer. Useful if you don't trust the intermediate network.
  • WireGuard: Lightweight VPN alternative; simpler configuration than IPsec.

Note: mTLS is sufficient for encryption. VPN adds a second layer for defense-in-depth.

Deployment Checklist

  • ☐ Create private CA for your organization
  • ☐ Generate certificates for each BSFG node (zone identity)
  • ☐ Install certificates and CA root on each BSFG node
  • ☐ Configure BSFG nodes to validate peer certificates and extract zone identity
  • ☐ Configure firewall rules to allow mTLS RPC between zones
  • ☐ Test TLS handshake between zones (certificate validation)
  • ☐ Verify RPC calls succeed with valid certificates
  • ☐ Set up certificate renewal workflow (before expiry)
  • ☐ Monitor TLS errors and certificate expiry