Cloud Native Access Point (CNAP), a service offered by Platform One (P1), allows secure access to Game Warden-hosted solutions at Impact Levels (ILs) 4 and 5 (or IL4 and IL5). CNAP whitelisting is a screening mechanism that allows environment access based on an allowable list of IP addresses within the Department of Defense (DoD) Non-classified Internet Protocol Router Network (NIPRNet) boundary. The CNAP whitelist contains most of the IP addresses within NIPRNet, and these NIPRNet IP addresses can be specific to users, data connections, and computers/browsers. These entities likely do not require CNAP whitelisting; however, consider making a whitelist request as a potential remedy if you encounter application access or data connectivity issues with Game Warden-hosted solutions at IL4 and IL5.
Applicable for Whitelist
You need CNAP whitelist access if your application requires data connections (ingress, egress, bidirectional) and is external to the Game Warden authorization boundary but internal relative to the NIPRNet boundary (accredited at IL4 or IL5). The DoD uses NIPRNet to manage unclassified information.
When establishing External Data Connections, it is imperative that you fully understand the direction of your data flow:
- Egress – Data leaves or exits the Game Warden boundary.
- Ingress – Data enters the Game Warden boundary.
- Bidirectional – Data leaves and enters the Game Warden boundary.
Not Applicable for Whitelist
You do not need CNAP whitelist access:
- If applications are deployed to IL2 Staging (STG) or Production (PRD), as these environments connect via the Internet and, therefore, do not require CNAP access. However, you must include these connections on your Authorization Boundary Diagram.
- If applications are deployed to IL6 STG/PRD, since these environments contain classified data and are segregated to prevent data spillage.
- If applications do not require external data connections and, as a result, there is no data transmission external to the Game Warden authorization boundary.
For additional information, read Authorization Boundary Diagram.
Verification of Need for Whitelist
CNAP provides steps to verify whether IP addresses require whitelisting.
Try loading https://code.il4.dso.mil, which is restricted to only AppGate clients or NIPR whitelisted ranges. If the page loads, your IP range is already whitelisted.
If the page times out, whitelisting must be pursued via P1.
Why don’t I already have CNAP Access?
The USAF's Zero Trust Architecture mandates positive confirmation of need for the IP space granted access through CNAP. While the goal is for all agencies with a validated need to have access to Platform One resources, the default is to deny access to unfamiliar IP spaces. Agencies can request their IP range proactively, or wait until an access issue arises and request CNAP allowance on a case-by-case basis. If your agency’s IP spaces are constantly changing, they will need to be kept current in CNAP.
Game Warden does not have access to the IPs currently allowed through the CNAP. The CNAP is not our firewall, and Platform One does not share this information for security reasons.
You must provide certain information specific to ports and protocols before you submit a CNAP whitelist request. If you cannot readily retrieve this information, consider contacting your government contract sponsor/mission owner for assistance.
The Game Warden team requires the information below for each external application connection:
- IP Addresses and Ports/Protocols
    - Example Format – IP: 192.168.1.1 Port: 443 TCP
- IP Address Range
    - Example Format – IP Range: 192.168.1.1-192.168.1.254 Port: 443 TCP
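A pre-submission check for connection entries written in the two example formats above, as an added example (not Game Warden or Platform One tooling). The function names and the TCP/UDP protocol set are assumptions; the sample lines are constructed from the page's own examples.

```python
import ipaddress
import re

# Line shapes taken from the two "Example Format" entries above.
ENTRY = re.compile(r"^IP(?P<range> Range)?:\s*(?P<addr>\S+)\s+"
                   r"Port:\s*(?P<port>\d+)\s+(?P<proto>\w+)$")
PROTOCOLS = {"TCP", "UDP"}  # assumption: the page itself only shows TCP


def parse_connection(line):
    """Parse one connection line; raise ValueError if it is malformed."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unrecognized format: {line!r}")
    port, proto = int(m["port"]), m["proto"].upper()
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto}")
    first, sep, last = m["addr"].partition("-")
    if bool(m["range"]) != bool(sep):
        raise ValueError("use 'IP:' for one address, 'IP Range:' for start-end")
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last) if sep else start
    if start.version != end.version or start > end:
        raise ValueError(f"invalid range: {m['addr']}")
    # Collapse the range into the CIDR blocks that cover it exactly.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    return {"start": str(start), "end": str(end), "cidrs": cidrs,
            "port": port, "protocol": proto}


def validate_request(lines):
    """Return (parsed entries, error strings) for a draft request."""
    parsed, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            parsed.append(parse_connection(line))
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return parsed, errors


# Constructed sample: lines 1-2 are the page's examples, line 3 is a reversed range.
SAMPLE = ["IP: 192.168.1.1 Port: 443 TCP",
          "IP Range: 192.168.1.1-192.168.1.254 Port: 443 TCP",
          "IP Range: 192.168.1.254-192.168.1.1 Port: 443 TCP"]

if __name__ == "__main__":
    print(validate_request(SAMPLE))
```

The `cidrs` field shows how many network blocks a start-end range actually spans, which helps confirm that a requested range is no wider than the connection needs.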
Whitelist Request Process
P1 requires government users to submit approval requests. Contractors who need to submit an approval request must do so via their government sponsors.
You may need to submit a separate request for each government installation.
If your end users are having trouble reaching your endpoint(s), read this article for troubleshooting steps.