Curiefense v1.4 releases: new application security platform
Curiefense is a new application security platform, which protects sites, services, and APIs. It extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross-site scripting (XSS), account takeovers (ATOs), application-layer DDoS, remote file inclusion (RFI), API abuse, and more.
Curiefense is fully controllable programmatically. All configuration data (security rulesets, policies, etc.) can be maintained as a single configuration or as separate branches for different environments, as you choose. All changes are versioned and can be reverted at any time.
Curiefense also has a UI console, discussed in this Manual beginning in the Settings section.
Architecture and Components
Curiefense provides traffic filtering that can be configured differently for multiple environments (e.g. dev/qa/prod), all of which can be administered from one central cluster if desired. Here is an overview of its components.
In the diagram above, the Server represents a resource protected by Curiefense (a site, app, service, or API). The User is a traffic source attempting to access that resource.
Incoming traffic passes through Envoy, which uses Curiefense as an HTTP filter. Hostile requests are blocked.
The other components in the diagram represent the Curiefense platform, as follows:
- Curiefense proxy (represented by the Curiefense logo): plugs into Envoy and performs traffic filtering.
- Logs DB: stores traffic data (headers, payloads, etc.) from all requests.
- Metrics: a Prometheus store of traffic metrics.
- Dashboard: Grafana dashboard(s) with visual displays of traffic metrics.
- Web UI: Curiefense’s web console for configuring the platform.
- Config Server: a service which:
  - Receives configuration edits from the Web UI
  - Receives configuration edits from API calls (not shown in the diagram)
  - Creates a new configuration version in response to edits
  - Stores the new version in one or more Cloud Storage buckets
- Cloud Storage: stores versioned configurations. Each Curiefense proxy periodically checks Cloud Storage; when a new version is found there, the proxy downloads it and updates its security posture.
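The publish-and-poll flow described above, written out as an added illustration; this is not Curiefense's own code or API. An in-memory, content-addressed version store stands in for the Cloud Storage bucket and a small poller stands in for the proxy; the names `ConfigBucket`, `publish_version`, `revert_to` and `ProxyPoller` are assumptions of this example. It also shows two properties a consumer of pulled configuration wants: a version is only swapped in after the downloaded object re-hashes to its version id, and reverting moves a pointer rather than deleting anything, so any earlier version can be re-activated.

```python
import hashlib
import json
from typing import Dict, Optional


def canonical(config: dict) -> bytes:
    """Serialize a configuration deterministically so equal configs hash equal."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def version_id(blob: bytes) -> str:
    """Content-addressed version identifier: SHA-256 of the canonical blob."""
    return hashlib.sha256(blob).hexdigest()


class ConfigBucket:
    """Hypothetical stand-in for a Cloud Storage bucket.

    Keeps every published version as an immutable object plus a 'latest'
    pointer, which is all the poller needs to detect a new version."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}
        self.latest: Optional[str] = None

    def publish_version(self, config: dict) -> str:
        """What a config server does on an edit: store a new version and
        move the 'latest' pointer to it. Returns the version id."""
        blob = canonical(config)
        vid = version_id(blob)
        self.objects[vid] = blob
        self.latest = vid
        return vid

    def revert_to(self, vid: str) -> None:
        """A revert only moves the pointer back; old versions are never removed."""
        if vid not in self.objects:
            raise KeyError(f"unknown version {vid}")
        self.latest = vid


class ProxyPoller:
    """Hypothetical stand-in for a proxy that periodically pulls its configuration."""

    def __init__(self) -> None:
        self.active_version: Optional[str] = None
        self.active_config: dict = {}

    def poll(self, bucket: ConfigBucket) -> bool:
        """One polling cycle. Returns True if the active configuration changed.

        The fetched object is re-hashed and compared with its version id before
        it replaces the active configuration, so a missing, truncated or altered
        object is ignored and the current posture is kept."""
        vid = bucket.latest
        if vid is None or vid == self.active_version:
            return False
        blob = bucket.objects.get(vid)
        if blob is None or version_id(blob) != vid:
            return False
        new_config = json.loads(blob)
        # Swap the whole configuration in one step; never apply a partial update.
        self.active_config, self.active_version = new_config, vid
        return True


if __name__ == "__main__":
    # Constructed sample configurations, not real Curiefense rulesets.
    bucket, proxy = ConfigBucket(), ProxyPoller()
    v1 = bucket.publish_version({"waf": {"sqli": True}, "ratelimit": {"per_ip": 100}})
    print("first poll updated:", proxy.poll(bucket))
    v2 = bucket.publish_version({"waf": {"sqli": True}, "ratelimit": {"per_ip": 50}})
    print("second poll updated:", proxy.poll(bucket), "active:", proxy.active_version[:12])
    bucket.revert_to(v1)
    print("after revert updated:", proxy.poll(bucket), "active:", proxy.active_version[:12])
```

Because versions are addressed by the hash of their canonical content, publishing the same configuration twice yields the same id, and a proxy that is already on that version does nothing on its next poll.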
Changelog
- [e2e] Add back test_ipv4 which passes
- [e2e] Add support for fork repositories in github workflows
- [helm] Add curiefense to Istio-helm charts
- [docker] Add missing packages to curielogger (to run contrib scripts)
- [ui] Add options to configure links to Kibana & Grafana
- [curielogger] Add docker-compose e2e tests
- [e2e] Add tests to last missing components, fix referral bug in URL maps editor, change coverage thresholds, remove unused code
- [ui] Add autocomplete support to WAF Policies editor and resolve a bug in URL Maps editor
- [ui] Add a requirement of at least one tag for Tag Rule tags list in Tag Rules json schema
- [e2e] Add test of flow control editor in case of multiple limit option keys
- [helm] Add v2 deployment tests
- [e2e] Add test on fluentd
- [helm] Add filebeat to the helm deployment
- [curielogger] Add logrotate container
- [e2e] Add a testcase for pairwith limits
- [e2e] Add Rust formatting tests to Makefile
- Add configs and templates for Elasticsearch 6.x
- Add an nginx-ingress container
- Add map to define request_map
- Add knob to disable Kibana initialization (es6 init script)
- [ui] Update dependencies with found security vulnerabilities.
- [ui] Update version to 1.3.0 to match the achieved milestone and overall system version
- [docker] Update Envoy configuration version to v3
- [e2e] Update log patterns
- [docker] Update Istio image to use Envoy binary for 1.9.2
- [helm] Update curiefense EnvoyFilters to v3
- [docker] Update Envoy binary for Istio
- [ci] Update minikube to fix CI
- [e2e] Update Rust unit tests to include urldecode
- [curieproxy] Update iptools.so in curieproxy with new url decode function
- Update iptools.so for lua
- Update iptools.so with fixed urldecode
- Update with new urldecode algorithm
- [e2e] Improve general coverage of UI unit tests in DocumentEditor.vue and Publish.vue for a total coverage of 89%+
- [e2e] Improve general coverage of UI unit tests, add types to unit tests, fix small issues throughout the UI
- [helm] Remove helm install
- [e2e] Remove test for feature that does not exist anymore
- [helm] Remove references & variables for postgres & curielogserver
- [deploy] Remove remaining postgres configuration values
- Remove the ROADMAP.md file in favor of RELEASES.md
- Remove ILM for ES 6.x as it was added in 7.x
- Remove logstash from e2e-ci.yml
- [ci] Use more recent shellcheck version, fix remaining errors
- [e2e] Fix ratelimit countby tests
- [e2e] Fix WAF Rules tests
- [e2e] Fix arguments passed to deploy.sh. Fixes e2e tests.
- [e2e] Fix elasticsearch port for tests on minikube
- [ci] Fix deployment & tests following Istio update
- [e2e] Fix latency tests (deploy-gke.sh)
- [ci] Fix environment for rust & lua tests
- [docker-compose] Fix curieproxy metrics scrape
- [ui] Fix referral bug in url maps editor
- [curielogger] Fix test_logs Elasticsearch query
- [docker-compose] Fix CI
- [curielogger] Fix tag rules logging
- [curieproxy] Fix geo-related ratelimit counters
- [curieproxy] Fix geo-related ratelimit scope checks
- Fix challenge in flow control
- Fix start_curiefense script
- Fix flow checks tags
- Fix default return codes
- Fix nginx failure with unknown remote ip
- Fix curiefense/images/uiserver/Dockerfile to reduce vulnerabilities
© Curiefense Contributors 2020-2021