# Validate zone-to-zone connectivity using Invariant

Use Invariant Access Policy rules, combining `critical-flow` and `deny` or `deny-others`, to validate and enforce required connectivity between security zones while controlling other traffic. Zones can be defined by IP subnets or by network locations (interfaces).
## Scenario 1: IP Subnet to IP Subnet Segmentation

Ensure a specific Management Server (`MGMT_SERVER`) in the Corporate VLAN (`CORP_VLAN`) can SSH into the Cardholder Data Environment (`CDE_ZONE`), but no other TCP/UDP traffic is allowed from `CORP_VLAN` into `CDE_ZONE`.

**Network Definitions:** Define zones and hosts in `def/networks.yaml`.
```yaml
networks:
  CDE_ZONE:
    values:
      - address: 10.20.1.0/24 # Example CDE subnet
  CORP_VLAN:
    values:
      - address: 192.168.50.0/24 # Example Corporate subnet
  MGMT_SERVER:
    values:
      - address: 192.168.50.10/32 # Specific server allowed access
```
**Invariant Policy:** Define rules in `invariant/policies/cde_segmentation.yaml`.
```yaml
access-policy:
  - name: cde-zone-segmentation-corp
    comment: Enforce strict segmentation for CDE Zone from CORP_VLAN
    owner: security-compliance@example.com
    ingress-network: CDE_ZONE # Policy targets traffic *entering* the CDE_ZONE
    rules:
      - type: ingress-critical-flow
        comment: Allow SSH from MGMT_SERVER to CDE_ZONE
        source-address: MGMT_SERVER
        destination-port: SSH
        protocol: tcp
      - type: ingress-deny-others
        comment: Deny all other TCP/UDP from CORP_VLAN to CDE_ZONE
        within: # Scope the denial
          - protocol: tcp udp
            source-address: CORP_VLAN
        deny-all-except:
          flows: # Only exempt the specific SSH flow
            - source-address: MGMT_SERVER
              destination-port: SSH
              protocol: tcp
```
## Scenario 2: Location (VPN Ingress) to IP Subnet Segmentation

Ensure a specific application server in AWS (`AWS_APP_SERVER`, traffic entering via TGW VPN tunnels) can reach a database server in the CDE (`CDE_DB_SERVER`) over SQL ports, but no other traffic from the VPN ingress point can reach the CDE zone.

**Location Definition:** Define the VPN ingress point in `invariant/locations/locations.yaml`. This uses the Tunnel interfaces on `border-1` from the tutorial example.
```yaml
locations:
  AWS_TGW_VPN_INGRESS:
    - devices: border-1
      interfaces: Tunnel1 Tunnel2 # Interfaces receiving traffic from AWS TGW
```
**Network Definitions:** Define the relevant servers in `def/networks.yaml`.
```yaml
networks:
  CDE_ZONE:
    values:
      - address: 10.20.1.0/24
  AWS_APP_SERVER:
    values:
      - address: 10.30.1.166/32 # Example AWS server IP
  CDE_DB_SERVER:
    values:
      - address: 10.20.1.207/32 # Example CDE server IP
```
**Invariant Policy:** Add rules to `invariant/policies/cde_segmentation.yaml`.
```yaml
access-policy:
  # ... (policy from Scenario 1) ...
  - name: cde-zone-segmentation-aws
    comment: Enforce strict segmentation for CDE Zone from AWS VPN
    owner: security-compliance@example.com
    ingress-network: CDE_ZONE # Policy targets traffic *entering* the CDE_ZONE
    rules:
      # Rule 1: Ensure required SQL flow is possible from AWS App Server
      - type: ingress-critical-flow
        comment: Allow SQL from AWS_APP_SERVER to CDE_DB_SERVER via VPN
        enter-interface: AWS_TGW_VPN_INGRESS # Traffic must enter here
        source-address: AWS_APP_SERVER
        destination-address: CDE_DB_SERVER
        destination-port: SQL # Assuming SQL service defined (e.g., TCP/1433, TCP/5432)
        protocol: tcp
      # Rule 2: Deny all other TCP/UDP traffic entering CDE *from this location*
      - type: ingress-deny-others
        comment: Deny all other TCP/UDP from AWS VPN ingress to CDE_ZONE
        within: # Scope the denial
          - protocol: tcp udp
            enter-interface: AWS_TGW_VPN_INGRESS # Only check traffic entering via VPN
        deny-all-except:
          flows: # Only exempt the specific SQL flow
            - source-address: AWS_APP_SERVER
              destination-address: CDE_DB_SERVER
              destination-port: SQL
              protocol: tcp
```
**Run Analysis:** Execute Invariant on your snapshot directory.

```shell
invariant run --target /path/to/your/snapshot/ --condensed
```
**Check Results:** Verify all rules pass across the relevant reports (`critical_flows_ok`, `policy_ok`). Violations indicate incorrect segmentation or unexpected reachability between zones/locations.

```shell
# Check for critical flow violations (expect 0 rows for these rules)
invariant show critical_flows_violations --json
# Check for policy violations (expect 0 rows for these rules)
invariant show policy_violations --json
```
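To make the two rule types concrete, here is an added example (not Invariant's own code) that models the Scenario 1 policy as Python dicts and evaluates it over a constructed list of flows the network permits: a `critical-flow` rule fails when no permitted flow matches it, and a `deny-others` rule fails for every in-scope (`within`) flow that is not listed under `deny-all-except`. Invariant computes reachability from device configs; the flow list, the `SERVICES` port mapping and the violation tuples here are assumptions for illustration.

```python
import ipaddress

# Constructed inputs mirroring Scenario 1 (def/networks.yaml and cde_segmentation.yaml).
NETWORKS = {
    "CDE_ZONE": ["10.20.1.0/24"],
    "CORP_VLAN": ["192.168.50.0/24"],
    "MGMT_SERVER": ["192.168.50.10/32"],
}
SERVICES = {"SSH": 22}  # assumed service-name to port mapping
POLICY = {
    "ingress-network": "CDE_ZONE",
    "rules": [
        {"type": "ingress-critical-flow", "source-address": "MGMT_SERVER",
         "destination-port": "SSH", "protocol": "tcp"},
        {"type": "ingress-deny-others",
         "within": [{"protocol": "tcp udp", "source-address": "CORP_VLAN"}],
         "deny-all-except": {"flows": [{"source-address": "MGMT_SERVER",
                                        "destination-port": "SSH", "protocol": "tcp"}]}},
    ],
}

def in_net(ip, name):
    """True if ip falls inside any prefix of the named network."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in NETWORKS[name])

def matches(flow, spec):
    """Match a (src, dst, proto, dport) flow against a rule's fields; absent fields match anything."""
    src, dst, proto, dport = flow
    return ((spec.get("source-address") is None or in_net(src, spec["source-address"]))
            and (spec.get("destination-address") is None or in_net(dst, spec["destination-address"]))
            and (spec.get("protocol") is None or proto in spec["protocol"].split())
            and (spec.get("destination-port") is None
                 or dport == SERVICES[spec["destination-port"]]))

def check_policy(policy, permitted_flows):
    """Evaluate the policy over flows the network permits and return the violations.
    Only flows whose destination lies in the policy's ingress-network are considered."""
    violations = []
    ingress = [f for f in permitted_flows if in_net(f[1], policy["ingress-network"])]
    for rule in policy["rules"]:
        if rule["type"] == "ingress-critical-flow":
            if not any(matches(f, rule) for f in ingress):  # required flow must exist
                violations.append(("critical_flow_missing", rule["source-address"]))
        elif rule["type"] == "ingress-deny-others":
            for f in ingress:  # in-scope flow that is not exempted => violation
                if any(matches(f, w) for w in rule["within"]) and not any(
                        matches(f, e) for e in rule["deny-all-except"]["flows"]):
                    violations.append(("policy_violation", f))
    return violations
```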
Using named networks for IP-based zones and named locations for interface-based boundaries allows precise validation of inter-zone connectivity policies. See Access Policy for more details.