Check for VPC Firewall Rules with Port Ranges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud VPC network firewall rules do not have ranges of ports configured to allow inbound traffic, in order to protect the associated virtual machine instances against Denial-of-Service (DoS) and brute-force attacks. To follow cloud security best practices, it is strongly recommended to open only the specific ports your application requires within your firewall rules.

Security

VPC network firewall rules are used to filter network traffic to and from virtual machine instances running inside a virtual network. A Virtual Private Cloud (VPC) firewall contains security rules that allow or deny inbound network traffic to your VM instances. For each firewall rule, you can specify source, destination, port, and network protocol. Opening ranges of ports within your VPC network firewall rules is not a good practice because it exposes every service listening in that range, allowing attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.


Audit

To determine if your VPC network firewall rules are using ranges of ports to allow inbound traffic, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall, click inside the Filter table box, set Type to Ingress, Action to Allow, and Disabled to False, to list all the inbound rules configured for the virtual machine instances within the selected project.

05 Check the filtered list for any inbound/ingress rules with the Protocols / ports attribute set to a range of ports (e.g. tcp:0-65535, tcp:80-8080, tcp:111-32800). If one or more rules match the filter criteria, there are VPC network firewall rules that are using ranges of ports to allow inbound traffic, therefore the access to the associated cloud resources is not secured.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-web-dev-project-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name of each VPC network created within the selected project:

gcloud compute networks list \
    --project cc-project5-stack-123123 \
    --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project:

NAME
cc-web-stack-network
cc-staging-vpc-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as the filter value and custom formatting to list all the firewall rules defined for the selected Virtual Private Cloud (VPC) network:

gcloud compute firewall-rules list \
    --project cc-project5-stack-123123 \
    --filter="network=cc-web-stack-network" \
    --sort-by priority \
    --format="table(name,disabled,direction,sourceRanges,allowed[].map().firewall_rule().list():label=ALLOW)"

06 The command output should return the requested information available for the existing VPC firewall rules:

NAME                 DISABLED  DIRECTION  SOURCE_RANGES  ALLOW
network-allow-http   False     INGRESS    ['0.0.0.0/0']  tcp:80
network-allow-https  False     INGRESS    ['0.0.0.0/0']  tcp:0-65535

Check the compute firewall-rules list command output for any enabled firewall rules (i.e. DISABLED attribute set to False) with the DIRECTION set to INGRESS and ALLOW set to a range of ports such as tcp:0-65535 or tcp:80-8080. If one or more rules match the search criteria, there are VPC network firewall rules that are using ranges of ports to allow inbound traffic, therefore the access to the associated cloud resources is not secured (restricted).

07 Repeat step no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
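The following Python check is an added example, not part of the Conformity page or of the gcloud tool: it applies the audit criteria above (enabled, INGRESS, allow, range of ports) to firewall rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json`. The sample rules are constructed, not real output, and the check goes slightly beyond the page's examples: an allowed entry with no ports at all (every port of that protocol) is reported as the full range, while icmp, disabled and egress rules are skipped.

```python
import re

# Constructed sample mirroring `gcloud compute firewall-rules list --format=json`
# output (assumed shape; only the fields this check reads are included).
SAMPLE_RULES = [
    {"name": "network-allow-http", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "network-allow-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "network-allow-all-udp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp"}]},
    {"name": "network-allow-icmp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "network-old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389-3390"]}]},
    {"name": "network-egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
]

PORT_PROTOCOLS = {"tcp", "udp", "sctp"}  # the only protocols that carry port numbers
PORT_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def port_spec_is_range(spec):
    """True for a 'lo-hi' spec spanning more than one port ('80-80' is a single port)."""
    m = PORT_RANGE_RE.match(spec)
    return bool(m) and int(m.group(1)) < int(m.group(2))


def find_port_range_rules(rules):
    """Return [(rule_name, 'proto:ports'), ...] for enabled INGRESS allow rules that
    open a port range. An 'allowed' entry with no 'ports' key allows every port of
    that protocol, so it is reported as the full 0-65535 range."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue  # disabled and egress rules are out of scope for this check
        for entry in rule.get("allowed", []):
            proto = entry.get("IPProtocol", "").lower()
            if proto not in PORT_PROTOCOLS:
                continue  # icmp, esp, ... carry no ports, hence no port range
            ports = entry.get("ports")
            if not ports:
                findings.append((rule["name"], f"{proto}:0-65535"))
                continue
            for spec in ports:
                if port_spec_is_range(spec):
                    findings.append((rule["name"], f"{proto}:{spec}"))
    return findings
```

Calling `find_port_range_rules(SAMPLE_RULES)` flags network-allow-https (tcp:0-65535) and network-allow-all-udp (udp:0-65535) only; feed it the parsed JSON of the real gcloud command to audit a project.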

Remediation / Resolution

To update your Google Cloud VPC network firewall rules configuration in order to restrict inbound access to specific ports only, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the list of VPC firewall rules created for the resources within the selected project.

05 Click on the name of the rule that is using a range of ports to allow inbound traffic (see Audit section part I to identify the right firewall rule), then click on the Edit button from the dashboard top menu to access the rule configuration settings.

06 On the selected firewall rule configuration page, perform the following actions:

  1. In the Protocols and ports section, make sure that the Specified protocols and ports option is selected, choose the network protocol type that you want to configure (e.g. tcp), and provide a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80 (HTTP) and 443 (HTTPS). This specifies on which port(s) inbound traffic will be allowed by the selected VPC firewall rule.
  2. Click SAVE to apply the configuration changes.

07 Repeat steps no. 5 and 6 to reconfigure other VPC firewall rules that use ranges of ports to allow inbound traffic.

08 Repeat steps no. 2 – 7 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) to reconfigure each VPC network firewall rule that uses a range of ports to allow inbound traffic (see Audit section part II to identify each rule), restricting inbound/ingress access to trusted ports only by setting the --allow parameter to the ports on which inbound traffic will be allowed by the selected firewall rule. Each value has the form PROTOCOL:PORT, so you can specify a single value such as --allow tcp:443, or a comma-separated list of values such as --allow tcp:80,tcp:443. The following command example reconfigures a VPC network firewall rule to allow inbound traffic only on TCP port 443 (HTTPS):

gcloud compute firewall-rules update network-allow-https \
    --allow tcp:443 \
    --description="Allows inbound/ingress traffic on secure port 443 (HTTPS)"

02 The command output should return the full resource URL of the reconfigured VPC firewall rule:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/firewalls/network-allow-https].

03 Repeat steps no. 1 and 2 to reconfigure other VPC network firewall rules that use ranges of ports to allow inbound traffic.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date May 10, 2021