Firewall Management Standard
| Field | Value |
|---|---|
| Document ID | STD-010 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
We use cloud-native firewall controls instead of traditional hardware firewalls: Cloudflare at the edge, AWS WAF, GCP network controls, API gateway plugins, and a VPN for all internal access.
Scope
- Cloudflare (DDoS, bot protection, TLS)
- AWS WAF on CloudFront (insurance)
- GCP Load Balancer and VPC rules
- Kong Gateway (external API gateway)
- WealthyGateway / StarkNet (custom API gateway)
- Pritunl VPN
- Office network
Firewall Layers
Cloudflare (Edge)
All public traffic is proxied through Cloudflare, so origin IPs do not appear in DNS. Cloudflare handles DDoS protection, bot management, TLS enforcement, and HSTS. Hiding the origin IP only helps if the origin does not also answer direct connections, so origins must accept traffic only from the upstream edge (see Rule Management).
AWS WAF (Insurance — CloudFront)
| Rule | Purpose |
|---|---|
| Country blocking | Block traffic from high-risk regions |
| BlockCommonScannerPaths | Block /.env, /.git, /wp-admin, etc. |
| AWSManagedRulesBotControlRuleSet | Bot detection and blocking |
GCP
| Component | Configuration |
|---|---|
| Load Balancer | External HTTPS (L7), TLS 1.2/1.3, Google-managed certs |
| VPC | Backend services in private VPC — no direct internet access |
| Cloud SQL | Private subnets only — no public IPs |
Kong Gateway (External API Gateway)
Kong is our primary external API gateway, handling traffic for api.buildwealth.in, mapi.wealthy.in, graph.wealthy.in, and other external endpoints.
| Feature | Purpose |
|---|---|
| Chirp Auth Plugin | Custom authentication plugin — validates tokens and enforces auth |
| Rate Limiting | Request rate limits per consumer/IP |
| Request Routing | Routes REST and GraphQL traffic to internal services |
| ACL | Access control lists for consumer-level permissions |
Kong routes and plugins are managed dynamically via the Kong Admin API. The Admin API has no authentication of its own, so it must never be exposed to the internet and falls under the internal-access rule below (VPN only): anyone who can reach it can rewrite routes or detach the auth plugin.
WealthyGateway / StarkNet (Custom API Gateway)
Our custom Go-based gateway, currently fronting aiapis.wealthy.in. It provides the following security plugins:
| Plugin | Purpose |
|---|---|
| IPAccessControlPlugin | IP whitelisting/blacklisting (CIDR) |
| RateLimitPlugin | Rate limiting by IP, User ID, or Header |
| GeoAccessControlPlugin | Country-based filtering |
| CircuitBreakerPlugin | Prevents cascade failures |
| CORSPlugin | Strict origin allowlist |
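To show how the two most-configured plugins behave, here is an added Go example; it is not the WealthyGateway source. It sketches a deny-by-default CIDR access control, a fixed-window rate limiter, and the client-address resolution both depend on when the gateway sits behind Cloudflare (CF-Connecting-IP is Cloudflare's real client-address header; the type names IPACL, RateLimiter, ClientIP, the trusted-proxy list and the sample ranges are assumptions for the example).

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// IPACL is a deny-by-default CIDR list: a client is admitted only if it sits
// inside an allow range and outside every deny range (deny wins).
type IPACL struct{ allow, deny []*net.IPNet }

func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func NewIPACL(allow, deny []string) (*IPACL, error) {
	a, err := parseCIDRs(allow)
	if err != nil {
		return nil, err
	}
	d, err := parseCIDRs(deny)
	if err != nil {
		return nil, err
	}
	return &IPACL{allow: a, deny: d}, nil
}

func anyContains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Permit fails closed: an unparseable (nil) address is rejected.
func (a *IPACL) Permit(ip net.IP) bool {
	return ip != nil && !anyContains(a.deny, ip) && anyContains(a.allow, ip)
}

// ClientIP picks the address the rules are evaluated against. Cloudflare's
// CF-Connecting-IP header is honoured only when the TCP peer is a trusted proxy;
// a direct client could otherwise forge it and dodge the ACL or the limiter.
func ClientIP(remoteAddr, cfHeader string, trustedProxies []*net.IPNet) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if anyContains(trustedProxies, peer) {
		if ip := net.ParseIP(cfHeader); ip != nil {
			return ip
		}
	}
	return peer
}

// RateLimiter is a fixed-window counter keyed by the caller's choice: the
// ClientIP address or a user ID from a verified token, never a raw client header.
type RateLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	count   map[string]int
	started map[string]time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, count: map[string]int{}, started: map[string]time.Time{}}
}

// Allow records one request for key at time now; the window restarts once elapsed.
func (rl *RateLimiter) Allow(key string, now time.Time) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	if s, ok := rl.started[key]; !ok || now.Sub(s) >= rl.window {
		rl.started[key], rl.count[key] = now, 0
	}
	rl.count[key]++
	return rl.count[key] <= rl.limit
}

func main() {
	// Constructed example: a partner range with one host carved out of it.
	acl, err := NewIPACL([]string{"203.0.113.0/24"}, []string{"203.0.113.7/32"})
	if err != nil {
		panic(err)
	}
	fmt.Println(acl.Permit(net.ParseIP("203.0.113.10")), acl.Permit(net.ParseIP("203.0.113.7")))
}
```

The ordering matters in a real handler chain: run the ACL before the limiter so a denied source never consumes limiter state, and derive the limiter key from ClientIP rather than from any header the client can set. A fixed window lets a client send up to twice the limit across a window boundary; swap in a sliding window or token bucket if that burst is unacceptable for the endpoint.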
Pritunl VPN
All internal access (Grafana, the Kubernetes dashboard, Airflow, servers) requires the VPN; users authenticate to it via Google OAuth. There is no direct server access from the public internet.
Office Network
Wi-Fi is MAC address restricted: only pre-configured devices can connect. MAC filtering is an inventory control, not an authentication control, because a MAC address is trivially spoofed; it supplements the Wi-Fi authentication and does not replace it.
Rule Management
- Deny by default — all traffic blocked unless explicitly allowed
- Production, staging, and dev environments fully isolated
- Cloud SQL accepts connections only from the application layer
- AWS origin servers accept only CloudFront traffic
Changes
- Submit change request with justification
- DevOps reviews for security impact
- CTO approval needed for: opening ports to internet, whitelisting new IPs, disabling protections
- Implement and document
Emergency: DevOps can apply temporary blocks immediately during incidents and must document them within 24 hours.
Review & Audit
Quarterly: Review whitelisted IPs, WAF triggers, geo-blocking rules, rate limits, TLS configs — owned by DevOps.
Annually: Full audit of all firewall layers, evaluate new controls, update this standard.
Logging & Monitoring
| Layer | What’s Logged |
|---|---|
| Cloudflare | Requests, bot scores, DDoS events, WAF triggers |
| AWS WAF | Rule matches, blocked requests |
| GCP | VPC flow logs, LB logs |
| Kong Gateway | Auth failures, rate limit violations, request logs |
| WealthyGateway | Rate limit hits, blocked IPs, circuit breaker events |
| Pritunl | Connection logs, auth attempts |
Alerts
| Condition | Threshold |
|---|---|
| Rate limit hits | >1000/min |
| Auth failures per IP | >100/min |
| WAF rule triggers | >50/min |
| Circuit breaker opens | Any |
Alerts go to Slack/Telegram via Grafana.
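To make the thresholds concrete, the following added Go example (not the project's alerting, which runs in Grafana) applies the same four rules to constructed gateway log lines, bucketed by minute. The JSON field names (`time`, `kind`, `ip`), the event kind strings, and the sample addresses are assumptions for the example and must be mapped to the real Kong and WealthyGateway log schemas.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Event is the subset of a gateway log line the rules look at. The field names
// are assumed for this example and must be mapped to the real log schema.
type Event struct {
	Time time.Time `json:"time"`
	Kind string    `json:"kind"` // auth_failure | rate_limit | waf_block | circuit_open
	IP   string    `json:"ip"`
}

// Rule fires when events of Kind per minute (per source IP if PerIP) exceed Threshold; 0 fires on any event.
type Rule struct {
	Name      string
	Kind      string
	PerIP     bool
	Threshold int
}

var Rules = []Rule{
	{"rate limit hits", "rate_limit", false, 1000},
	{"auth failures per IP", "auth_failure", true, 100},
	{"WAF rule triggers", "waf_block", false, 50},
	{"circuit breaker opens", "circuit_open", false, 0},
}

// Alert.Key is the source IP for per-IP rules and empty for global ones.
type Alert struct{ Rule, Key string; Minute time.Time; Count int }

// SampleLog builds constructed log lines (not real traffic): one IP fails
// authentication 120 times within a single minute, a second IP 40 times, plus
// three WAF blocks and one circuit-breaker open.
func SampleLog() []string {
	base := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
	var lines []string
	emit := func(n int, step time.Duration, kind, ip string) {
		for i := 0; i < n; i++ {
			b, _ := json.Marshal(Event{Time: base.Add(time.Duration(i) * step), Kind: kind, IP: ip})
			lines = append(lines, string(b))
		}
	}
	emit(120, 400*time.Millisecond, "auth_failure", "198.51.100.23")
	emit(40, time.Second, "auth_failure", "203.0.113.9")
	emit(3, time.Second, "waf_block", "192.0.2.50")
	emit(1, 0, "circuit_open", "")
	return lines
}

// ParseEvents decodes one JSON object per line and fails loudly on a malformed line rather than dropping evidence.
func ParseEvents(lines []string) ([]Event, error) {
	var events []Event
	for n, l := range lines {
		var e Event
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// Evaluate buckets events into one-minute windows and returns one Alert per
// (rule, key, minute) bucket whose count exceeds the rule's threshold.
func Evaluate(events []Event, rules []Rule) []Alert {
	type bucket struct{ rule int; key string; minute time.Time }
	counts := map[bucket]int{}
	var order []bucket // first-seen order keeps the output deterministic
	for _, e := range events {
		for i, r := range rules {
			if e.Kind != r.Kind {
				continue
			}
			b := bucket{rule: i, minute: e.Time.Truncate(time.Minute)}
			if r.PerIP {
				b.key = e.IP
			}
			if _, seen := counts[b]; !seen {
				order = append(order, b)
			}
			counts[b]++
		}
	}
	var alerts []Alert
	for _, b := range order {
		if counts[b] > rules[b.rule].Threshold {
			alerts = append(alerts, Alert{rules[b.rule].Name, b.key, b.minute, counts[b]})
		}
	}
	return alerts
}

func main() {
	events, err := ParseEvents(SampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Evaluate(events, Rules))
}
```

Two caveats carry over to the live rules: fixed one-minute buckets let a burst that straddles a minute boundary split below threshold, so Grafana should evaluate a rolling window; and the per-IP key must be the client address resolved behind Cloudflare, otherwise every request is attributed to the edge proxy and the per-IP rule fires on legitimate aggregate traffic.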
Responsibilities
| Role | What |
|---|---|
| DevOps | Configure/maintain rules, respond to alerts, quarterly reviews |
| CTO | Approve major rule changes, annual review |
| IT Team | Office network and MAC management |