Audience: Network engineers, security architects. Use: Define firewall, routing, and endpoint exposure policy for cross-zone BSFG traffic.
Transport Security Principle
All BSFG boundary communication uses mutual TLS (mTLS) over Connect RPC. This provides:
- Cryptographic authentication (certificate-based peer identity)
- Encrypted transport (no plaintext facts)
- Audit trail (certificates bound to zones)
There is no fallback to unencrypted or weakly authenticated communication. Every inter-zone RPC call requires a completed mTLS handshake in which both peers present certificates that chain to the organization's private CA; a peer that cannot is refused before any RPC body is read.
RPC Operations and Ports
BSFG exposes four RPC operations. All operate over a single Connect RPC endpoint:
- AppendFact
- FetchFacts
- ConfirmReceipt
- PutObject
Each call is an HTTP/2 POST to the node's single Connect RPC endpoint. Typical port: 9443 (customizable). Because all four operations share one port, a firewall cannot tell them apart; per-operation restrictions are enforced by the node's authorization policy (see Certificate Validation), not at layer 4.
Firewall Rules Template
For a three-zone deployment (Enterprise, IDMZ, Plant A), firewall rules should allow the following. Every node both initiates and accepts connections, so each adjacent pair of zones needs a rule in each direction; reply packets ride on connection tracking rather than on separate rules. There is no direct Enterprise ↔ Plant A path: all traffic between them passes through the IDMZ node.
| Source Zone | Source BSFG Node | Dest Zone | Dest BSFG Node | Protocol | Port | Direction | Purpose |
|---|---|---|---|---|---|---|---|
| Enterprise | 10.0.1.10 | IDMZ | 10.1.1.10 | TCP/HTTP2 | 9443 | → | AppendFact, FetchFacts, ConfirmReceipt, PutObject |
| IDMZ | 10.1.1.10 | Enterprise | 10.0.1.10 | TCP/HTTP2 | 9443 | → | AppendFact, FetchFacts, ConfirmReceipt, PutObject |
| IDMZ | 10.1.1.10 | Plant A | 10.2.1.10 | TCP/HTTP2 | 9443 | → | AppendFact, FetchFacts, ConfirmReceipt, PutObject |
| Plant A | 10.2.1.10 | IDMZ | 10.1.1.10 | TCP/HTTP2 | 9443 | → | AppendFact, FetchFacts, ConfirmReceipt, PutObject |
Firewall Rules (pf syntax; the same four rules translate directly to iptables or nftables)
# Default deny at the boundary; only the node-to-node rules below pass.
# pf keeps state by default, so reply packets need no separate rule.
block all
# Enterprise → IDMZ
pass proto tcp from 10.0.1.10 to 10.1.1.10 port 9443
# IDMZ → Enterprise
pass proto tcp from 10.1.1.10 to 10.0.1.10 port 9443
# IDMZ → Plant A
pass proto tcp from 10.1.1.10 to 10.2.1.10 port 9443
# Plant A → IDMZ
pass proto tcp from 10.2.1.10 to 10.1.1.10 port 9443
Certificate Requirements
Each BSFG node requires a TLS certificate with:
- Subject CN (Common Name): zone identity (e.g., enterprise-bsfg, plant-a-bsfg)
- SANs (Subject Alternative Names): FQDN or IP of the node (e.g., bsfg-ent.example.com, 10.0.1.10)
- Key Usage: digitalSignature
- Extended Key Usage: TLS Web Server Authentication and TLS Web Client Authentication (both, because every node acts as server and as client)
- Issuer: Private CA (internal to the organization, not a public CA; a public root in the trust store would let any publicly issued certificate pass the chain check)
- Validity: 1–2 years (plan for renewal before expiry)
Certificate Validation
On connection, each node verifies the peer's certificate. The server checks the client certificate and the client checks the server certificate; both apply, because every node plays both roles:
- Validate the certificate chain against the private CA root only (no public roots in the trust store)
- Check the validity period (not expired, not yet valid)
- Check the Extended Key Usage matches the peer's role (clientAuth for an incoming connection, serverAuth for an outgoing one)
- Check that a SAN matches the address or FQDN the connection is actually with, so a valid zone certificate copied to another host is rejected
- Extract zone identity from Subject CN
- Verify the zone is authorized for the requested operation (policy-dependent); a chained, unexpired certificate whose zone is not in the policy gets no operations
Example validation logic (pseudocode, shown for the IDMZ node, whose only lawful peers per the firewall table are Enterprise and Plant A):
peer_cert = extract_peer_certificate()
verify_chain(peer_cert, private_ca_root)   // signature, validity period, EKU
verify_san(peer_cert, remote_address)      // certificate is bound to the host it came from
zone_id = peer_cert.Subject.CN
switch (zone_id) {
  case "enterprise-bsfg":
    // Enterprise → IDMZ: allow AppendFact, FetchFacts, ConfirmReceipt, PutObject
  case "plant-a-bsfg":
    // Plant A → IDMZ: allow AppendFact, FetchFacts, ConfirmReceipt, PutObject
  default:
    // unknown zone, or a zone with no path to this node: reject the call
    reject()
}
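The certificate requirements and the validation steps above, worked through as an added Go example (Go because Connect RPC's primary implementation is connect-go; this is not BSFG's own code). It builds a private CA and a node certificate in memory with exactly the fields listed under Certificate Requirements, then runs the checks a node performs on a peer: chain to the private root, validity period, clientAuth EKU, SAN match against the connecting address, zone from CN, and a deny-by-default operation policy. Assumptions not stated on the page: ECDSA P-256 keys, all function names, the SAN-to-address check, and that the policy mirrors the three-zone firewall table (Enterprise and Plant A reach each other only through the IDMZ).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The four operations exposed on the single Connect RPC endpoint.
var allOps = []string{"AppendFact", "FetchFacts", "ConfirmReceipt", "PutObject"}
// policy[localZone][peerZone] = operations that peer may invoke on the local node. Assumed to
// mirror the firewall table: Enterprise <-> IDMZ and IDMZ <-> Plant A, no direct Enterprise <-> Plant.
var policy = map[string]map[string][]string{
	"enterprise-bsfg": {"idmz-bsfg": allOps},
	"idmz-bsfg":       {"enterprise-bsfg": allOps, "plant-a-bsfg": allOps},
	"plant-a-bsfg":    {"idmz-bsfg": allOps},
}

// sign generates a P-256 key (an assumption of this example) for tmpl and has parent sign it;
// with parent == nil the certificate is self-signed, which is how the private CA root is made.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds the organization's private CA root (long-lived, kept offline in practice).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// issueNodeCert issues a node certificate with the page's required fields: CN = zone identity,
// SANs = FQDN and IP, EKU = serverAuth and clientAuth (every node is both server and client).
func issueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, zone, fqdn string, ip net.IP, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: zone},
		DNSNames:     []string{fqdn},
		IPAddresses:  []net.IP{ip},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// authorizePeer runs the page's validation steps on an incoming connection: chain to the CA root,
// not expired, EKU permits client use, SAN matches the address the peer connected from (so a zone
// certificate cannot be replayed from another host), then CN -> zone -> policy. Default is deny.
func authorizePeer(roots *x509.CertPool, peer *x509.Certificate, peerAddr, localZone, op string, now time.Time) (string, error) {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		DNSName:     peerAddr, // Go matches an IP literal against the certificate's IP SANs
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("handshake: peer certificate rejected: %w", err)
	}
	zone := peer.Subject.CommonName
	for _, allowed := range policy[localZone][zone] {
		if allowed == op {
			return zone, nil
		}
	}
	return zone, fmt.Errorf("policy: zone %q may not call %s on %s", zone, op, localZone)
}

// expiresWithin backs the monitoring section's 30-day renewal alert.
func expiresWithin(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Before(now.Add(window))
}
```

In a real node the chain, expiry, EKU and SAN checks belong in the TLS layer (in Go, a tls.Config with ClientAuth set to RequireAndVerifyClientCert plus a VerifyPeerCertificate or VerifyConnection hook), so a bad certificate fails the handshake before any RPC body is read; the per-operation lookup runs afterwards in a Connect interceptor, because the operation name is only known once the request arrives. The policy map is the one thing the firewall cannot express: all four operations share port 9443, so "Plant A may FetchFacts but not PutObject" can only be enforced here.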
No Durable Middleware at Boundary
Forbidden at the boundary network:
- Message brokers (Kafka, NATS, RabbitMQ)
- Databases (PostgreSQL, MongoDB)
- File servers or NAS
- Load balancers with state
- Cache servers
Allowed at the boundary:
- Firewalls (stateless or connection-tracking)
- Routers
- Layer-4 load balancers (pass-through, no state): TLS passes through untouched, so the nodes still authenticate each other end to end
- TLS terminators only if unavoidable: a terminator ends the mTLS session, so the node behind it sees the terminator's certificate rather than the remote zone's and can no longer authenticate the original peer itself. Treat each terminator as a separate trust domain with its own zone-bound certificate, and re-originate mTLS from it to the node
- VPN gateways
Monitoring and Alerting
Monitor network paths between BSFG nodes:
- TLS Handshake Failures: Alert if certificate validation fails (expired certs, wrong identity, CA mismatch)
- Connection Timeouts: Alert if RPC calls take > 5 seconds (indicates network partition or overload)
- Firewall Drops: Log denied packets to debug connectivity issues
- Certificate Expiry: Alert 30 days before expiry; trigger renewal workflow
VPN and Encryption
If the network path crosses the public internet or other untrusted networks (e.g., enterprise VPN to a cloud-hosted plant), consider adding a second layer:
- IPsec VPN: Encrypts all traffic between the two VPN gateways at the network layer (tunnel mode). The hop between each gateway and its BSFG node is protected by mTLS alone, so the gateways must sit inside the zones they serve.
- WireGuard: Lightweight VPN alternative; simpler configuration than IPsec, with the same gateway-to-gateway scope.
Note: mTLS already encrypts and authenticates the RPC traffic on its own. The VPN is defense-in-depth: it hides port 9443 and the TLS handshake metadata from the untrusted network and limits who can reach the endpoint at all to the tunnel peer.
Deployment Checklist
- ☐ Create private CA for your organization
- ☐ Generate certificates for each BSFG node (zone identity)
- ☐ Install certificates and CA root on each BSFG node
- ☐ Configure BSFG nodes to validate peer certificates and extract zone identity
- ☐ Configure firewall rules to allow mTLS RPC between zones
- ☐ Test TLS handshake between zones (certificate validation), including negative cases that must fail: certificate from an untrusted CA, expired certificate, valid certificate presented from a host not in its SANs
- ☐ Verify RPC calls succeed with valid certificates and are rejected for zones not authorized for the operation
- ☐ Set up certificate renewal workflow (before expiry)
- ☐ Monitor TLS errors and certificate expiry