Profile Applicability:
Level 1
Description:
Access to Git repositories must be restricted to authorized IP addresses or IP ranges. By implementing IP address filtering, organizations can control and limit which networks or hosts are permitted to connect to Git services, reducing exposure to unauthorized access attempts.
Rationale:
Limiting Git access by IP address reduces the attack surface by preventing connections from untrusted or unknown sources. This control helps protect source code from unauthorized access, data exfiltration, and potential tampering. It also aligns with network security best practices and compliance requirements.
Impact:
Pros:
Enhances security by restricting access to trusted networks.
Prevents unauthorized or malicious connections to Git repositories.
Supports compliance with organizational security policies.
Cons:
Requires maintenance of IP allowlists and updates as network changes occur.
May restrict legitimate access if IP lists are not properly managed.
Default value:
By default, Git servers or hosting platforms may allow access from any IP address.
Audit:
Review firewall, VPN, or Git hosting configurations to verify IP-based access restrictions. Check access logs for connections outside authorized IP ranges.
Remediation:
Configure IP filtering on Git servers or hosting platforms. Maintain and regularly update allowlists. Communicate access policies to users and monitor compliance.
References:
https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/about -ip-allow-lists-for-your-organization
https://docs.gitlab.com/ee/security/ip_restriction.html
https://www.cisecurity.org/controls/limitation-and-control-of-network-ports-protocols-and-services/