As a tool used heavily by information security practitioners, SimpleRisk is often deployed by customers who want to lock down their instance following a least-privilege approach. Unfortunately, applying a DEFAULT DENY policy to your SimpleRisk instance can have several unintended consequences. Thus, what follows is a list of the services we recommend you ALLOW for your SimpleRisk instance to operate properly.
Inbound Services
- HTTP (80): In most cases, this port is optional, but highly recommended, as it is used to redirect browsers over to port 443. If you are not running your SimpleRisk instance over HTTPS, then this port would be required.
- HTTPS (443): As SimpleRisk is a web-based application, it should be running via HTTPS. While you technically could run it only over HTTP, it is not recommended from a security perspective.
- SSH (22): The secure shell service is not required for SimpleRisk to operate, but you will require access via SSH to upgrade the underlying operating system. We highly recommend locking SSH access down to a bastion host or VPN and not allowing connectivity via SSH from the Internet.
Outbound Services
Your SimpleRisk instance requires connectivity to the following domains over HTTPS (port 443) for all of the features to work properly:
- services.simplerisk.com (As AWS ELB IP addresses can change, please use a URL firewall rule): Used for license checks to SimpleRisk Extras.
- updates.simplerisk.com (As AWS ELB IP addresses can change, please use a URL firewall rule): Used to retrieve the latest versions of SimpleRisk software.
- scf.simplerisk.com (As AWS ELB IP addresses can change, please use a URL firewall rule): Used with the Secure Controls Framework (SCF) Extra to deliver the latest version of the framework and related controls.
- ping.simplerisk.com (As AWS ELB IP addresses can change, please use a URL firewall rule): Used to retrieve the latest versions of SimpleRisk software.
- simplerisk-downloads.s3.amazonaws.com (As AWS ELB IP addresses can change, please use a URL firewall rule)
- raw.githubusercontent.com (140.82.112.4): Used to retrieve the latest versions of SimpleRisk software.
- olbat.github.io (185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153): Used to do CVE lookups in the External Reference ID field.