Network Policy Advisor

Overview

Snowflake network policies are a powerful security control, but they can be hard to design correctly, particularly when no policy currently exists or when traffic patterns are complex.

The Network Policy Advisor is a step-wise procedure that guides a security administrator (a user with the SECURITYADMIN role) through creating a recommended candidate for an ingress network policy based on historical ingress-access data. You, as the administrator, then evaluate the recommended policy with a what-if simulation before activating it. You can recommend and evaluate a candidate network policy for a single user or for all users in an account. The advisor procedure involves calling two non-disruptive system stored procedures. These procedures generate human-readable SQL and evaluation results that you can review, refine, and then apply manually.

Note

The Snowflake Network Policy Advisor doesn’t automatically activate or modify existing network policies. It makes no determination about whether an IP address is correct or safe for your network environment. The advisor provides recommendations and simulations only. Any final network policy decisions — that is, any changes to existing network rules and policies — remain the responsibility of the customer.

Key benefits

The Network Policy Advisor provides the following key benefits:

  • Lets you design your first network policy safely.
  • Provides visibility into which traffic would be blocked before enforcement.
  • Reduces trial and error when tightening security controls.
  • Supports an iterative refine-and-validate workflow.

Access control requirements

Users must have the SECURITYADMIN role to run these stored procedures.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Generate and evaluate a candidate network policy

To generate and evaluate a candidate network policy for an account, log in to Snowsight, open a worksheet, and follow these steps:

  1. Generate the SQL syntax for a candidate policy by calling the RECOMMEND_NETWORK_POLICY procedure.

    USE ROLE SECURITYADMIN;
    
    CALL SNOWFLAKE.NETWORK_SECURITY.RECOMMEND_NETWORK_POLICY(
      LOOKBACK_DAYS => 30
    );
  2. Review the SQL syntax generated in the previous step.

  3. Based on your review, create a candidate network rule and policy by running commands similar to the following examples.

    USE ROLE SECURITYADMIN;
    
    -- Create a network rule
    CREATE OR REPLACE NETWORK RULE my_ingress_rule
      MODE = INGRESS
      TYPE = IPV4
      VALUE_LIST = ('203.0.113.0/24', ...);
    
    -- Create a network policy
    CREATE OR REPLACE NETWORK POLICY my_ingress_policy
      ALLOWED_NETWORK_RULE_LIST = ('my_ingress_rule');

    Note

    If your account receives IPv6 ingress traffic (AWS only), create an additional network rule with TYPE = IPV6 and add it to the network policy. For more information, see Network rules.

  4. Run the EVALUATE_CANDIDATE_NETWORK_POLICY procedure on the candidate policy to simulate which IP addresses it would allow or block.

    USE ROLE SECURITYADMIN;
    
    CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
      POLICY_NAME => 'my_ingress_policy'
      );
  5. Analyze the output to confirm which IP addresses the recommended candidate policy will allow or block.

  6. Refine the candidate policy based on the evaluation results.

     For example, you can add rules to allow legitimate IP addresses that would be blocked, and remove rules that allow IP addresses that are not authorized.

  7. If necessary, re-evaluate the candidate policy by re-running the EVALUATE_CANDIDATE_NETWORK_POLICY procedure and refining the candidate network policy until it returns an acceptable result.

  8. (Optional) After you determine that the candidate policy performs as intended, activate it:

    ALTER ACCOUNT SET NETWORK_POLICY = 'my_ingress_policy';
  9. (Optional) Run a query like the following to view the history of ingress traffic on your network:

    USE ROLE ACCOUNTADMIN;
    
    SELECT *
      FROM SNOWFLAKE.ACCOUNT_USAGE.INGRESS_NETWORK_ACCESS_HISTORY
      LIMIT 100;
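The following is an added example of one refine-and-re-evaluate pass through the steps above; it is not part of the Snowflake documentation. The rule names, policy name, user name and IP ranges are constructed placeholders, and the IPv6 rule applies only to AWS accounts.

```sql
USE ROLE SECURITYADMIN;

-- Candidate policy built from the recommended SQL, with the IPv4 and IPv6
-- traffic split into separate rules. All names and ranges are placeholders.
CREATE OR REPLACE NETWORK RULE office_ingress_v4
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.0/24');

CREATE OR REPLACE NETWORK RULE office_ingress_v6
  MODE = INGRESS
  TYPE = IPV6
  VALUE_LIST = ('2001:db8:1::/48');

CREATE OR REPLACE NETWORK POLICY office_ingress_policy
  ALLOWED_NETWORK_RULE_LIST = ('office_ingress_v4', 'office_ingress_v6')
  COMMENT = 'Candidate from RECOMMEND_NETWORK_POLICY, 30-day lookback; not activated';

-- First what-if pass. Nothing is enforced until the policy is set on the account or a user.
CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => 'office_ingress_policy'
);

-- Refinement after reviewing the evaluation output:
-- (a) a legitimate range (e.g. a corporate VPN egress) was reported as blocked,
--     so it is added to the allow rule;
ALTER NETWORK RULE office_ingress_v4
  SET VALUE_LIST = ('203.0.113.0/24', '198.51.100.8/29');

-- (b) one address inside the allowed range is not authorized, so it is denied
--     explicitly via a blocked rule, which Snowflake evaluates before the allowed rules.
CREATE OR REPLACE NETWORK RULE denied_ingress_v4
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.77');

ALTER NETWORK POLICY office_ingress_policy
  SET BLOCKED_NETWORK_RULE_LIST = ('denied_ingress_v4');

-- Second what-if pass; repeat steps (a)/(b) until the allowed/blocked result is acceptable.
CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => 'office_ingress_policy'
);

-- Activate for a single (placeholder) user first; promote to the account once confirmed.
ALTER USER etl_service_user SET NETWORK_POLICY = 'office_ingress_policy';
-- ALTER ACCOUNT SET NETWORK_POLICY = 'office_ingress_policy';
```

Activating for one user before the whole account limits the blast radius of a rule that still excludes a legitimate range.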