Slack webhook - Which IPs should I open? - webhooks

We want to use Slack Webhook (Outgoing Webhook) with an internal web service.
Our company is behind a firewall, so outside connections must be whitelisted.
It appears that Slack has multiple addresses it will send the API request from, and they don't seem to be documented.
Which IPs/ports should we open in the firewall (whitelist) in order to allow Slack's outgoing webhooks to connect to our internal web service?

I know this is an old question, but I was looking for something like this myself. I think the one answer that's there doesn't really understand the question as such.
ngrok could sort of solve an issue here, but it's not quite what was asked.
Mapping ports from external to internal on a firewall that would be at a company is trivial. What I think the originator was asking was "what IP addresses do Slack use when calling our service" so that you can firewall the service off to only allow access from those IPs (hence the whole whitelisting thing).
Simple answer, as far as I can see, is that they are basically using Lambda and various sources within AWS, which makes that rather hard.

An alternative could be using a VPN tunnel service to expose your internal web server to the Internet, e.g. with ngrok. I can confirm it works with Slack (I use it every day for Slack development) and it's also recommended as a solution for a local development environment in the Slack tutorials.

Related

Webhook listener/receiver security

We are looking at using webhooks from various vendors outside our network. They would publish the event to us. We would be the webhook listener/receiver, not pushing the events. We have done a proof of concept of creating an Azure Function to receive the event. From the research we have done, most have the security of passing a sha1/sha256/sha512 hash for us to verify they are who we want to receive the events from. This all worked as expected with the POC Azure Function.
From an enterprise network security standpoint, is there anything else available? The process above puts the security in the function. I'm sure our Network Security group would not want us to have 10 functions, one for each vendor, to worry about the security of. I've read about whitelisting of IPs that would be sending the events, but most of our vendors are cloud based, so I'm not sure how readily that would be available. Maybe one function to validate all events that come in, then let them pass through? Would that be an acceptable solution? Is Azure API Gateway or API Management able to address this somehow? Any other network type of product that handles webhook security specifically?
Any insight or link to information most appreciated.
Thanks.
Wow, that's a really, really open conversation.
You can use Azure Front Door with the Web Application Firewall attached to it. So any SQL injection, DDoS or similar attacks can be prevented by AFD and WAF.
However, I would say the most secure way is to put IP restriction in place as well. So you need to force your vendor to give you their IP addresses. That can be multiple, maybe hundreds. But that doesn't matter. You can use CIDR IP address format so you can cover the whole network. And you can easily set these IP address restrictions during the CI/CD pipeline with an Azure PowerShell script.
You can also use API Management in front of Azure Functions and create access restriction policies. You can restrict either IP based or JWT based. APIM might be a little bit pricey though.
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
You can also create advanced policies with APIM:
https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies
Apart from that, the AFD & WAF and IP restriction are on the network layer. But you can also implement token-based authentication on your code side:
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
You can use either Azure Active Directory, IdentityServer or JWT for this.
Good luck!
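The question above asks for "one function to validate all events that come in", and the answer adds IP restriction by CIDR and token checks on top. The block below is an added example of such a single validating front door; it is not code from the question, the answer, or Azure. It assumes a constructed signing scheme (HMAC-SHA256 over "<timestamp>.<body>", carried in constructed headers X-Vendor-Id, X-Timestamp and X-Signature), constructed per-vendor secrets, and constructed source ranges (documentation prefixes). Real vendors each define their own header names and signing scheme, so those parts must come from each vendor's documentation.

```python
"""Single validating front door for inbound vendor webhooks (added example)."""
import hashlib
import hmac
import ipaddress
import time

# Constructed: one shared secret per vendor; load these from a secret store in practice.
VENDOR_SECRETS = {
    "vendor-a": b"constructed-secret-a",
    "vendor-b": b"constructed-secret-b",
}

# Constructed: published source ranges per vendor. A vendor with no published
# range (None) is checked by signature and timestamp only.
VENDOR_SOURCE_RANGES = {
    "vendor-a": [ipaddress.ip_network("203.0.113.0/24")],
    "vendor-b": None,
}

MAX_CLOCK_SKEW = 300  # seconds; a validly signed body older than this is treated as a replay


def compute_signature(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<body>', hex encoded (constructed scheme)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def source_allowed(remote_ip, networks):
    """True when no range is configured, or remote_ip falls inside one of them."""
    if networks is None:
        return True
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed address header: fail closed
    return any(addr in net for net in networks)


def verify_webhook(headers, body, remote_ip, now=None):
    """Return (ok, reason). Every check fails closed, and the signature compare
    is constant-time so a wrong guess does not leak how close it was."""
    now = time.time() if now is None else now
    vendor = headers.get("X-Vendor-Id")
    secret = VENDOR_SECRETS.get(vendor)
    if secret is None:
        return False, "unknown vendor"
    if not source_allowed(remote_ip, VENDOR_SOURCE_RANGES.get(vendor)):
        return False, "source address not in vendor range"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, ts, body)
    provided = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False, "bad signature"
    return True, "ok"


def sign_for_vendor(vendor, body, timestamp):
    """Build the headers a compliant vendor would send (used to exercise the gateway)."""
    return {
        "X-Vendor-Id": vendor,
        "X-Timestamp": str(timestamp),
        "X-Signature": compute_signature(VENDOR_SECRETS[vendor], timestamp, body),
    }


if __name__ == "__main__":
    # Constructed sample event and a request from inside / outside the vendor's range.
    body = b'{"event":"invoice.paid","id":"constructed-1"}'
    hdrs = sign_for_vendor("vendor-a", body, int(time.time()))
    print(verify_webhook(hdrs, body, "203.0.113.10"))
    print(verify_webhook(hdrs, body, "198.51.100.10"))
```

The design point is that the per-vendor differences (secret, source range) are data, so one gateway can front every vendor and the functions behind it never see an unverified event. The timestamp window matters because a signature alone does not stop a captured request from being posted again later.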

Connect Gitlab (behind firewall) and Trello via Zapier

I have a self-hosted instance of Gitlab running in a local data center behind a firewall, and we use Trello for all simple task/issue management. I'd like to connect Gitlab and Trello via Zapier for an automated Trello card creation process for each new issue and/or merge request. A recent attempt to connect the two did not work due to the firewall.
Are there any settings in Zapier I may be missing, potential workarounds, or another service besides Zapier that may solve the problem?
We are stuck with the instance of Gitlab.
Requests from Zapier come from AWS. If your firewall is blocking all connections from non-whitelisted IP addresses, you've got two options if you want to use Zapier with your Gitlab instance:
1) Whitelist all AWS IP addresses (probably not what you want to do)
2) Come up with a whitelisted server that will forward requests from Zapier to Gitlab. That way you only have to whitelist a server you own.
There's more info here: https://zapier.com/help/troubleshoot/behavior/cant-access-or-use-zapier-with-other-apps
Sorry I don't have better news here!

Securely allow Google App Engine to internal company network/servers for Google Apps Scripts

It is well documented that Google Apps Script runs on Google App Engine servers that would not have access to a company's internal network/server:
https://developers.google.com/apps-script/reference/url-fetch/url-fetch-app
https://cloud.google.com/appengine/kb/#static-ip
https://developers.google.com/apps-script/guides/jdbc#using_jdbcgetconnectionurl
Per the documentation, if you want a Google Apps Script project to have access to an internal network/server then you will have to white-list Google's IPs. But we all know that isn't the safest option. In fact, the documentation even says so:
Note that using static IP address filtering is not considered a safe and effective means of protection. For example, an attacker could set up a malicious App Engine app which could share the same IP address range as your application. Instead, we suggest that you take a defense in depth approach using OAuth and Certs.
The issue is I cannot find any documentation, reference material, or articles on how best an organization should do what it suggests.
So my question is, how can an organization using G-Suite Enterprise securely allow Google Apps Script projects to access the company's internal network?
The documentation made it quite clear that, since Apps Script is run on shared App Engine instances, it is impossible to restrict by IP, and that also implies the networking capability would be very limited (i.e. no VPC peering or alike). Therefore, as in the highlighted block, they suggest implementing authentication over just IP restriction.
Apart from authentication, Apps Script also supports encrypting and authenticating the server with SSL (sample code). This should protect the connection from being eavesdropped on when sent over the Internet.
Furthermore, you can implement a "semi IP restriction" mechanism, technically called Port Knocking, which briefly works as follows:
First create a special endpoint that requires authentication and accepts an IP address as input. When requested, you open up your firewall to accept connections from that IP to your internal network for a limited time (e.g. 5 min).
In your Apps Script, use URL Fetch to request that endpoint, so that your script's instance is temporarily allowed to access your network.
Of course that will not be perfect, since one App Engine instance runs many scripts concurrently and the whitelist is opened for a set time, but still this is considerably better than persistently opening the port to all Google (App Engine) IPs.
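The time-limited allowlist behind the "semi IP restriction" endpoint described in this answer, as an added example that is not code from the answer or from Google. It assumes the endpoint is protected by a bearer token (constructed below), that the caller supplies a single host address rather than a range, and that actually opening or closing the firewall is delegated to a callback the operator wires to their own firewall tooling; the default callback only records the actions so the logic runs offline. The clock is injectable so the expiry behaviour can be checked without waiting.

```python
"""Authenticated, time-limited IP allowlist for a knock endpoint (added example)."""
import hmac
import ipaddress
import time

API_TOKEN = b"constructed-knock-token"  # constructed; load from a secret store in practice


class TemporaryAllowlist:
    def __init__(self, ttl_seconds=300, on_change=None):
        self.ttl = ttl_seconds
        self._expiry = {}   # ip -> unix time at which access lapses
        self.actions = []   # audit trail of (action, ip, at) when no callback is wired
        self._on_change = on_change or (
            lambda action, ip, at: self.actions.append((action, ip, at)))

    def knock(self, token, ip_text, now=None):
        """The authenticated endpoint. Returns the expiry time, or None when refused."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(token.encode(), API_TOKEN):
            return None                                   # unauthenticated: no change at all
        try:
            addr = ipaddress.ip_address(ip_text.strip())  # rejects junk and CIDR ranges
        except ValueError:
            return None
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return None                                   # never punch holes for these
        self.purge(now)
        ip = str(addr)
        if ip not in self._expiry:
            self._on_change("allow", ip, now)             # operator hook: add a /32 rule
        self._expiry[ip] = now + self.ttl                 # a repeat knock extends, never widens
        return self._expiry[ip]

    def is_allowed(self, ip_text, now=None):
        """What the firewall side asks before accepting a connection."""
        now = time.time() if now is None else now
        self.purge(now)
        return str(ipaddress.ip_address(ip_text)) in self._expiry

    def purge(self, now):
        """Close the hole for every entry whose time has run out."""
        for ip, exp in list(self._expiry.items()):
            if exp <= now:
                del self._expiry[ip]
                self._on_change("revoke", ip, now)        # operator hook: remove the rule


if __name__ == "__main__":
    al = TemporaryAllowlist(ttl_seconds=300)
    print(al.knock("constructed-knock-token", "203.0.113.7", now=1000))  # constructed address
    print(al.is_allowed("203.0.113.7", now=1299), al.is_allowed("203.0.113.7", now=1300))
    print(al.actions)
```

Two choices carry the security weight: a failed token check returns before anything else happens, so an unauthenticated caller cannot even trigger a purge, and the address is parsed as a single host, so the endpoint cannot be talked into allowing a whole range. The answer's own caveat still applies: during the window, anything else sharing that source address is allowed too.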
Apps Script is a great tool for simplifying tasks when you are using G Suite services; unfortunately, what you are trying to achieve is not available. Also, keep in mind Apps Script is not built on App Engine; it's a completely different product.
Therefore, if what is shown in the documentation can't fulfill the requirements you have, please check other Google alternatives like App Engine or Google Cloud Platform instead of G Suite.

Transactional Email Service on Azure

Does Azure not have a native transactional email service which we can make use of? Currently all aspects of my platform are hosted within Azure. It just feels silly going off to a third party for such a simple task.
The problem with email software in the cloud is that there can be situations when the Azure security perimeter blocks the traffic or marks it as spam, among many other situations. Especially when you do not have a dedicated IP address (in Azure, btw, you can).
I know about three options - I tested the first two, and they work:
1) SendGrid partner offering has 25,000 free emails/month. Tutorial. Simplest way.
2) Less simple is to use an external SMTP provider and something like System.Net.Mail. It works, but again, should be tested. It is not guaranteed that your server will not be blocked.
3) Set up the mail server and set up the reverse DNS.
I heard that some folks set up the IIS SMTP service. Did not do it myself, but I expect that it will involve some extra infrastructure effort.
I would highly recommend not placing an SMTP server inside the cloud, but instead using an external one. But it can be set up and should work.

Mobile Application Reverse Gateway recommendation

I have a mobile application that communicates with a REST-based web service. The web service lives behind the firewall and talks to other systems. Currently this web service requires a firewall port to be opened and an SSL cert generated for each installation. The mobile app sends login credentials so the web service can log in to custom back-end systems.
Recently a customer approached us asking how we could deploy this to 50 offices. As we don't want to, say, modify every firewall in every office, we're looking for options. This is a list of possible solutions and my thoughts on each one:
Open firewall port and expose HTTPS web service - This is our current solution, but we don't want to have to contact 50 network admins and explain why we need to do this.
VPN - Too heavyweight, complex and expensive; we only need access to one server. Does not solve the problem as the firewall needs to be modified.
Microsoft Azure Hybrid Connection Manager - This provides a managed service where the Azure cloud will expose an endpoint. Azure will also expect connections from an easy-to-install application that lives behind the firewall. When a REST call is made to the cloud endpoint, the request is forwarded down the socket that was initiated by the software behind the firewall. This does what we want, but as it's a Microsoft solution it might impose other requirements that our customers might not want. Currently the simple Hybrid Connection Manager is free. But for how long?
Jscape MFT Gateway - Similar to Azure, but you can host their server anywhere. Not that expensive, but it is not open source.
Netty - An async Java library/toolkit where this type of application could easily be built. Client and server apps would need to be built and deployed. Don't know what we don't know about Netty.
MDM, AirWatch, BlackBerry BES - An MDM-based solution would work except that MDMs are centrally managed and are not often in every office where the backend services are located. AirWatch has an AppTunnel but I'm not sure about the specifics.
At this point the Microsoft and Jscape systems are possible solutions.
But most likely these solutions will require us to modify the mobile software to work around issues such as:
How does the user know which server to log in to? A locator service needs to be built such that an email address is used to look up their office, or they need to select their office location from a list.
While the connection is SSL, many companies might want some additional protection since network login information will be sent down the pipe.
How is load balancing and fail-over managed?
So, at this point I'm looking for more options. The best option would be a commercial product that offers some level of customization. Second, I would like a well-used open-source product that could be installed in AWS and customized.
Thanks
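The Hybrid Connection option above (an agent behind the firewall dials out, and the cloud endpoint forwards each request down that agent-initiated socket) is a reverse tunnel. The block below is an added example of that pattern in plain sockets; it is not code from the question, from Microsoft, Jscape or any product. Everything in it is constructed for the demo: a Relay with one listener for the inside agent and one for mobile clients, an agent that connects outward so the office firewall needs no inbound rule, length-prefixed framing with one in-flight request per agent socket, and a toy handler standing in for the internal REST service. A production version adds TLS on both legs and authenticates the agent (mTLS or a pre-shared key) so that only your own agent can claim to be an office.

```python
"""Outbound-initiated reverse tunnel: relay, inside agent, client (added example)."""
import socket
import struct
import threading


def send_frame(sock, data):
    sock.sendall(struct.pack("!I", len(data)) + data)   # 4-byte big-endian length prefix


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


class Relay:
    """Internet-facing endpoint. Waits for one agent, then proxies client requests to it."""

    def __init__(self):
        self._agent_listener = self._listen()
        self._client_listener = self._listen()
        self.agent_addr = self._agent_listener.getsockname()
        self.client_addr = self._client_listener.getsockname()
        self._agent = None
        self._agent_ready = threading.Event()
        self._lock = threading.Lock()   # one request at a time over the single agent socket

    @staticmethod
    def _listen():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))        # loopback + ephemeral port, constructed for the demo
        s.listen(5)
        return s

    def start(self):
        threading.Thread(target=self._accept_agent, daemon=True).start()
        threading.Thread(target=self._serve_clients, daemon=True).start()

    def _accept_agent(self):
        self._agent, _ = self._agent_listener.accept()   # the office dialled us; remember it
        self._agent_ready.set()

    def _serve_clients(self):
        while True:
            conn, _ = self._client_listener.accept()
            threading.Thread(target=self._handle_client, args=(conn,), daemon=True).start()

    def _handle_client(self, conn):
        with conn:
            request = recv_frame(conn)
            self._agent_ready.wait()         # no agent yet: hold the request, never dial in
            with self._lock:
                send_frame(self._agent, request)   # forward down the agent-initiated socket
                response = recv_frame(self._agent)
            send_frame(conn, response)


def start_agent(relay_agent_addr, handler):
    """Inside-the-firewall side: connects OUT, then answers relayed requests."""
    sock = socket.create_connection(relay_agent_addr)

    def loop():
        with sock:
            while True:
                try:
                    request = recv_frame(sock)
                except ConnectionError:
                    break                    # relay went away; a real agent would reconnect
                send_frame(sock, handler(request))

    threading.Thread(target=loop, daemon=True).start()


def internal_service(request):
    """Toy stand-in for the on-prem REST service (constructed)."""
    return b"200 OK office=42 echo=" + request


def tunnel_request(relay_client_addr, payload):
    """What the mobile app does: it only ever talks to the public relay endpoint."""
    with socket.create_connection(relay_client_addr) as s:
        send_frame(s, payload)
        return recv_frame(s)


def demo():
    relay = Relay()
    relay.start()
    start_agent(relay.agent_addr, internal_service)
    return tunnel_request(relay.client_addr, b"GET /status")


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is the direction of every connection: the agent and the mobile app both connect to the relay, and nothing ever connects to the office. That is what removes the per-office firewall change, and it is also why the relay must verify who the agent is before forwarding anything, since a rogue agent could otherwise register as an office and receive the login credentials the question mentions.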
The best approach we found was to use the PuTTY API and set up a reverse proxy.