- IP reputation rule groups to block anonymous IP traffic (Tor) and also IPs from AWS’s managed IP reputation lists
- IP Green List: Only Glean's outbound IPs are trusted for control plane communication protocols
- DOS Protection: Rate limiting on selected endpoints.
- DDOS Protection: AWS Shield Standard, included by default with AWS
- AWS managed Core Rule Set
- AWS managed Known Bad Inputs rule set
- AWS managed SQL Injection rule set
- AWS managed Linux and Unix rule set
- Request Country Red Listing: Option to block requests originating from specified countries.
- Request Country Green Listing: Option to only permit requests from the list of countries specified (Note: US must be allowed)
- Request IP Red Listing: Option to block requests originating from specified IP ranges.
- Request IP Green Listing: Allowing access only from designated IP ranges.
- Request user agent red listing: Option to block requests with certain header values.
- Known URIs only: Option to permit only known URIs and block unknown URIs by default
- Sensitive support endpoints: Option to block all sensitive support endpoints
WAF logs are written to the aws-waf-logs-glean CloudWatch Log Group. Customers can write custom automation to ship the CloudWatch logs over to their own internal tooling.
Optional features that customers can enable:
- You may enable AWS Shield Advanced for the Glean load balancers, however, please be aware of AWS’s costs for this feature.
3rd Party WAF
At this time, Glean does not support customers deploying their own WAFs or third-party WAFs. Customers should work with Glean to configure AWS WAF to their needs for the deployment. The primary reason for this is that the Glean-supported WAF rules have been thoroughly tested to not break Glean's functionality.
Restrict Glean to a specific set of IPs
We have the ability to restrict non-webhook traffic to a specific set of IP addresses (e.g. VPN IPs). To do this, the customer would need to provide Glean with a list of properly formatted VPN CIDRs to restrict access to. Glean will then enable IP green listing and also enable the block-by-default configuration described above for the WAF. This requires that the customer configure their VPN to always send traffic destined to the *-be.glean.com ALB out via their VPN. In all cases, the customer must provide Glean with the proper list of VPN CIDRs and also inform Glean whenever new CIDRs are added.
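As an added example (not Glean's own tooling), the following script shows the two customer-side checks this page implies: validating that a VPN CIDR list is properly formatted before handing it over, and reading AWS WAF log records from the aws-waf-logs-glean log group to count blocks per rule and flag requests that were blocked even though their client IP sits inside the VPN CIDRs (a hint the green list is out of date). The log records and the rule ID "ip-green-list-default-block" are constructed for the example; the field names follow the AWS WAF log schema.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample WAF log records (AWS WAF schema, made-up values).
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "action": "BLOCK",
                "terminatingRuleId": "ip-green-list-default-block",  # constructed ID
                "httpRequest": {"clientIp": "203.0.113.10", "country": "US",
                                "uri": "/api/v1/search", "httpMethod": "POST"}}),
    json.dumps({"timestamp": 1700000001000, "action": "BLOCK",
                "terminatingRuleId": "AWSManagedRulesSQLiRuleSet",
                "httpRequest": {"clientIp": "198.51.100.7", "country": "DE",
                                "uri": "/api/v1/search", "httpMethod": "POST"}}),
    json.dumps({"timestamp": 1700000002000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"clientIp": "192.0.2.25", "country": "US",
                                "uri": "/api/v1/search", "httpMethod": "GET"}}),
]


def parse_vpn_cidrs(cidrs):
    """Validate a customer-supplied VPN CIDR list before it is sent to Glean.
    strict=True rejects entries with host bits set (e.g. 10.0.0.1/24)."""
    networks = []
    for cidr in cidrs:
        try:
            networks.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"malformed VPN CIDR {cidr!r}: {exc}") from exc
    return networks


def summarize_blocks(log_lines, vpn_cidrs):
    """Count BLOCK records per terminating rule and list blocked requests whose
    client IP is inside the VPN CIDRs (a green list that may be stale)."""
    networks = parse_vpn_cidrs(vpn_cidrs)
    by_rule = Counter()
    blocked_from_vpn = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("action") != "BLOCK":
            continue
        by_rule[rec["terminatingRuleId"]] += 1
        ip = ipaddress.ip_address(rec["httpRequest"]["clientIp"])
        if any(ip in net for net in networks):
            blocked_from_vpn.append((str(ip), rec["terminatingRuleId"]))
    return by_rule, blocked_from_vpn


if __name__ == "__main__":
    print(summarize_blocks(SAMPLE_LOG_LINES, ["203.0.113.0/24"]))
```

In practice the log lines would come from a CloudWatch Logs subscription or export rather than the inline sample.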