
Overview

Pointing IPs and CNAMEs outside LBL space (in the cloud) can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.

Requirement

All externally facing CNAMEs and other IP records must be approved and must have TTLs of no more than 30 minutes (1800 seconds), so that a record can be redirected quickly in the event of a security issue.

Category 1:
Approved by LBLnet

  1. Points to any LBL domain name (nersc.gov, es.net, etc)
  2. Points to any UC campus (berkeley.edu, ucdavis.edu, etc)
  3. Points to another national laboratory (e.g. anl.gov, etc)
  4. Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Cloudflare, Sectigo, etc)
  5. Points to the LBL controlled hosting environments at ghs.googlehosted.com [1], cdn.cloudflare.net, or wpengine.com

    Note: The LBL controlled hosting environments at wpengine.com contain these subdomains as of August 2020: als, ameriflux, berkeleylab, biosciences, biosciences2, climatemulti, csarea2, eesa2, ehsd, esd, etalbl, intranet4lbnl, jbei, jgi, lbldedicated, lblcs, lblabf, lbldir, lbldir2, lblensci, lblfluxnet, lblfoundry, lblinternal, lbleta, lbleta2, lblmain, lblopenid, lblops, lblops2, lblops3, lblops4, lblsci, lblsci2, lblstatic, lblvhosts, lblwww2, msdiv, physci, physci2, tough, uho, wwwdev

[1] The googleusercontent.com domain is different from ghs.googlehosted.com and is considered Category 2.


Category 2:
Approved by Cyber Security

Anything that does not fall into Category 1.
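The two rules above (TTL ceiling of 1800 seconds, and Category 1 versus Category 2 by target) can be checked mechanically before a record is requested. The script below is an added example, not an LBLnet or Cyber Security tool. It assumes a suffix allowlist built only from the domains named on this page (lbl.gov, nersc.gov, es.net, berkeley.edu, ucdavis.edu, anl.gov, and the three hosting environments), which is not the complete list, and it uses 192.0.2.0/24 as a stand-in for LBL address space; the zone records it parses are constructed.

```python
"""
Audit externally facing DNS records against the rules on this page:
a TTL of at most 1800 seconds, and approval category decided by target.

Added example, not an LBLnet or Cyber Security tool.  Assumptions: the
suffix allowlist comes only from the examples on this page and is not
exhaustive; 192.0.2.0/24 (TEST-NET-1) stands in for LBL address space.
"""
import ipaddress
import re
from dataclasses import dataclass

MAX_TTL = 1800  # 30 minutes, the ceiling stated under Requirement

# Category 1 targets, from the examples on this page (assumption: the real
# list is longer; every item on the page ends with "etc").
CATEGORY_1_SUFFIXES = (
    "lbl.gov", "nersc.gov", "es.net",                              # LBL domains
    "berkeley.edu", "ucdavis.edu",                                 # UC campuses
    "anl.gov",                                                     # other national labs
    "ghs.googlehosted.com", "cdn.cloudflare.net", "wpengine.com",  # LBL-controlled hosting
)
# googleusercontent.com is explicitly Category 2 on this page, so it is
# deliberately absent from the list above.

# Assumption: address blocks counted as "LBL space" (stand-in value).
INTERNAL_NETWORKS = (ipaddress.ip_network("192.0.2.0/24"),)

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


@dataclass
class Finding:
    name: str
    rtype: str
    target: str
    ttl: int
    category: int   # 1 = LBLnet approves, 2 = Cyber Security approves
    ttl_ok: bool    # True when ttl <= MAX_TTL


def _matches_suffix(host, suffixes):
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _is_internal_ip(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_zone(text):
    """Parse simple BIND-style lines: NAME TTL IN TYPE TARGET (';' starts a comment)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unsupported record line: {raw!r}")
        name, ttl, rtype, target = m.groups()
        records.append((name, int(ttl), rtype, target))
    return records


def audit(zone_text):
    """One Finding per CNAME, and per A/AAAA record whose address is outside LBL space."""
    findings = []
    for name, ttl, rtype, target in parse_zone(zone_text):
        if rtype in ("A", "AAAA"):
            if _is_internal_ip(target):
                continue  # inside LBL space: not covered by this requirement
            category = 2  # the Category 1 rules name domains, not addresses
        else:
            category = 1 if _matches_suffix(target, CATEGORY_1_SUFFIXES) else 2
        findings.append(Finding(name, rtype, target, ttl, category, ttl <= MAX_TTL))
    return findings


def ttl_violations(findings):
    return [f for f in findings if not f.ttl_ok]


# Constructed sample zone; these names and targets are not real LBL records.
SAMPLE_ZONE = """
; constructed example records
www.project.lbl.gov.       1800  IN CNAME  project-site.wpengine.com.
files.project.lbl.gov.     86400 IN CNAME  storage.googleusercontent.com.
portal.project.lbl.gov.    300   IN CNAME  login.berkeley.edu.
app.project.lbl.gov.       3600  IN A      203.0.113.10
intranet.project.lbl.gov.  86400 IN A      192.0.2.5
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE):
        status = "ok" if f.ttl_ok else f"TTL {f.ttl} > {MAX_TTL}"
        print(f"{f.name:27} {f.rtype:5} -> {f.target:31} Category {f.category}  {status}")
```

Run against the sample, the wpengine.com and berkeley.edu CNAMEs come back as Category 1 with acceptable TTLs, the googleusercontent.com CNAME and the external A record come back as Category 2 with TTLs above the ceiling, and the A record inside the stand-in LBL range is not reported at all. A real zone would be fed in from a zone transfer or export rather than the embedded string.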

Cloudflare is required for Category 2 web servers. Cyber Security will work with the requester to determine the appropriate risk and additional. 

If you are the requester, please fill out our "Cloud Hosting Request Form" based on Cloud Services - Cyber Controls.
