Whitelisting Fabric & Crashlytics IP - firewall

Question - we would like to allow access to Fabric & Crashlytics from our server, which means that we need to allow it through our firewall.
Can anyone share the domains or IPs that we should allow through?
Secondly, we would also like the Fabric plugin for Android Studio and Xcode to work; would the above domains and IPs also apply?

Mike from Fabric and Firebase here. We don't support IP whitelisting as our IP addresses can and do change quite frequently. You should whitelist the following domains:
*.crashlytics.com
*.fabric.io
Update as of July 2020:
From the recent contact with the Firebase team, we got the following details:
You can whitelist the following domains on ports 80 and 443:
For Firebase Crashlytics (SDK versions 4.x and up):
*.crashlytics.com
crashlyticsreports-pa.googleapis.com
For Fabric Crashlytics (SDK versions 3.x):
*.crashlytics.com
*.fabric.io
For Firebase Crashlytics, there's one more domain which needs to be whitelisted, even though the Firebase team has not officially communicated it:
firebasecrashlyticssymbols.googleapis.com

From what I understand, a firewall usually blocks incoming connections; Fabric just requires outgoing ones, so there is no need for whitelisting.
If you have a strict situation, just inspect the firewall logs with your sysadmin and make the whitelist entries. They can be different over time and you should be able to update them, so this way you know how to obtain them.
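The log inspection suggested in the last answer can be scripted. The following is an added example, not code from either answer: it checks denied outbound flows against the domain list given above. The log format, the sample lines and the choice that `*.fabric.io` matches subdomains only (not the apex, and not look-alikes such as `notfabric.io`) are assumptions; check how your own firewall interprets wildcards.

```python
import re

# Allowlist taken from the answer above (ports 80 and 443 only).
ALLOWED = [
    "*.crashlytics.com", "*.fabric.io",
    "crashlyticsreports-pa.googleapis.com",
    "firebasecrashlyticssymbols.googleapis.com",
]
ALLOWED_PORTS = {80, 443}

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2020-07-14T09:12:01Z DENY OUT src=10.0.4.21 dst_host=api.crashlytics.com dport=443
2020-07-14T09:12:02Z ALLOW OUT src=10.0.4.21 dst_host=api.fabric.io dport=443
2020-07-14T09:12:05Z DENY OUT src=10.0.4.21 dst_host=firebasecrashlyticssymbols.googleapis.com dport=443
2020-07-14T09:12:09Z DENY OUT src=10.0.4.21 dst_host=crashlytics.com.example.net dport=443
2020-07-14T09:12:11Z DENY OUT src=10.0.4.21 dst_host=notfabric.io dport=443
2020-07-14T09:12:15Z DENY OUT src=10.0.4.21 dst_host=api.crashlytics.com dport=8443
""".splitlines()

LINE = re.compile(
    r"(?P<action>ALLOW|DENY) OUT .*?dst_host=(?P<host>\S+) dport=(?P<port>\d+)")

def host_allowed(host, patterns=ALLOWED):
    """Match on DNS label boundaries, never on a bare string suffix."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):
            suffix = p[1:]  # ".fabric.io": the leading dot forces a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == p:
            return True
    return False

def audit(lines):
    """Split denied flows into (rules still missing, correctly blocked)."""
    missing, leave = set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m or m["action"] != "DENY":
            continue
        flow = (m["host"], int(m["port"]))
        ok = host_allowed(flow[0]) and flow[1] in ALLOWED_PORTS
        (missing if ok else leave).add(flow)
    return sorted(missing), sorted(leave)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The first list is what still needs a firewall rule; the second is traffic the allowlist does not justify opening.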

Related

Snowflake DNS whitelisting

We are using Snowflake Enterprise edition.
One of the client systems wants to access our Snowflake account to consume the data.
We have created a user and password and shared them with the client to connect to Snowflake.
Now we want to add extra security to this user by whitelisting the DNS name, so that the username created for this client will not be misused.
Is there any way that we can whitelist DNS in Enterprise edition?
I read that the VPC version has this feature, by setting up a firewall behind Snowflake.
We can achieve this using IP mapping in Enterprise, but the client uses a dynamic IP which keeps changing.
Regards,
Srinivas.
The network policy feature is IP address or range only so you won't be able to do name resolution with this currently (i.e., would be a feature request). I don't think there's one perfect solution to your request.
If the changing IPs are all part of a CIDR range, you could use that, or a proxy solution would have a stable IP. VPN could be another alternative and include the VPN-issued IP addresses in the Snowflake Network Policy.
I'm sure there are other methods too, and it's worth a discussion with your security team for more ideas. I welcome others to comment with their ideas as well.
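To judge whether the CIDR option in the answer above is workable, the following added example (not part of the original answer) takes client addresses observed over time, computes the smallest single range covering them, and falls back to exact entries when that range would expose too many addresses. The sample IPs are constructed from documentation ranges and the `max_exposed` threshold is an assumption to set with your security team.

```python
import ipaddress

def covering_cidr(ips):
    """Smallest single IPv4 network that contains every observed address."""
    addrs = [int(ipaddress.IPv4Address(i)) for i in ips]
    lo, hi = min(addrs), max(addrs)
    # Bits on which the lowest and highest address differ must be host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))

def plan_allowlist(observed_ips, max_exposed=256):
    """Return (cidrs, stable).

    stable=True: one covering range is small enough to put in a network policy.
    stable=False: the range would be too broad, so only the exact addresses
    seen so far are returned; that list goes stale as the client's IP changes,
    which is the case where a proxy or VPN with a fixed egress IP fits better.
    """
    net = covering_cidr(observed_ips)
    if net.num_addresses <= max_exposed:
        return [str(net)], True
    exact = ipaddress.collapse_addresses(
        ipaddress.ip_network(i) for i in observed_ips)
    return [str(n) for n in exact], False

if __name__ == "__main__":
    # Constructed observations: one client that stays inside a /24 ...
    print(plan_allowlist(["203.0.113.17", "203.0.113.44", "203.0.113.201"]))
    # ... and one whose addresses are scattered across providers.
    print(plan_allowlist(["198.51.100.7", "203.0.113.9", "198.51.100.6"]))
```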

Disable Microservice initial exposed port after configuring it in a gateway

Hello, I've been searching everywhere and did not find a solution to my problem, which is: how can I access my API through the gateway-configured endpoint only? Currently I can access my API using localhost:9000, and localhost:8000, which is the Kong gateway port that I secured and configured, but what's the point of using this gateway if the initial port is still accessible?
Thus I am wondering whether there is a way to disable port 9000 and only access my API through Kong.
Firewalls / security groups (in cloud), private (virtual) networks and multiple network adapters are usually used to differentiate public vs private network access. Cloud vendors (AWS, Azure, etc) and hosting infrastructures usually have such mechanisms built in, e.g. Kubernetes, Cloud Foundry etc.
In a production environment, Kong's external endpoint would run with public network access and all the service endpoints in a private network.
You are currently running everything locally on a single machine/network, so your best option is probably to use a firewall to restrict access by ports.
Additionally, it is possible to configure separate roles for multiple Kong nodes - one (or more) can be "control plane" nodes that only you can access, and that are used to set and review Kong's configuration, access metrics, etc.
One (or more) other Kong nodes can be "data plane" nodes that accept and route API proxy traffic, but that don't accept any Kong Admin API commands. See https://konghq.com/blog/separating-data-control-planes/ for more details.
Thanks for the answers, they give different perspectives, but since I have a Scala/Play microservice, I added a special Play Framework built-in HTTP filter in my application.conf, allowing only the Kong gateway. Now when trying to access my application at localhost:9000 I get denied, and that's exactly what I was looking for.
I hope this answer will be helpful for future readers in the same situation.

What's the endpoint of Fabric.io Android Plugin for login and uploading APK?

I'm trying to figure out what's the endpoint of Fabric.io Android Plugin for login and uploading APK?
I'll use this information to whitelist the domain, so we can use the plugin when we are connected to the company's network.
I checked the Android Studio log file and it's https://api.crashlytics.com
To support a blocked traffic device, just whitelist the following domains on ports 80 and 443: *.fabric.io *.crashlytics.com
It's important to note that we don't support IP whitelisting because we use AWS and our IPs change very often. If you're using domains as a way of obtaining IP addresses, please be aware that the IP addresses will change very frequently - potentially every 24 hours.

Heroku - Firewall necessary?

I'm currently considering Heroku as a new hosting platform. So far I've been working with various services on Amazon AWS so I'm still trying to figure out some pieces, especially when it comes to security.
I'm used to setting up a firewall & restricting access. E.g. only the application, as well as certain IP ranges, should have access to the database. In Heroku there is no such setup possible; I can't configure a firewall.
With Heroku Private Spaces, I can whitelist IP addresses for my apps but that's not really satisfying.
Is it not necessary with a PaaS to configure a firewall to make sure the DB is not externally accessible for example? Additionally, my test and staging environment shouldn't be publicly accessible either (for security reasons).
I would appreciate your thoughts on this.

Dynamic Hostname resolving for DNS based on availability

I have two servers that provide a service to clients.
The client devices access the server through a DNS name, example.com.
Now we generally use server 1 (primary), but if server 1 becomes inaccessible, I want the DNS to change its resolving name to server 2 (secondary server).
How can I go about doing this? Is there a service that DynDNS provides?
The only way I know to do it is to log into the DNS server and manually change the addresses that the DNS resolves to.
It sounds like you're looking to create an automated failover in the event of an outage. While this is a service that Dyn provides as an added service in the DynECT Managed DNS service (hit up sales#dyn.com for more info on that), you can also use the Dyn Updater API to push an IP update up to your Standard DNS account as well. It would be a matter of using a 3rd party monitoring solution to trigger the update in your code using their API, then using the Dyn Updater API to switch the IP.
http://dyn.com/support/developers/api/
Whether you want to spend the money on upgrading to DynECT Managed DNS or keep using your Standard DNS account, we can help you either way.
Good luck, and if you have any other questions, please do not hesitate to ask.
CL
