Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Restrict Access to High Risk Ports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud VPC network firewall rules don't have high-risk ports configured to allow inbound traffic in order to protect the associated compute resources against Denial-of-Service (DoS) attacks or brute-force attacks. Many ports with elevated risk reside within the 1-1024 range, therefore ports <= 1024 are considered high-risk ports.

Security

A VPC firewall rule that allows ingress traffic from 0.0.0.0/0 on a port at or below 1024 exposes the associated compute resources to every host on the internet. Many commonly attacked services listen in the 1-1024 range, so such rules make those resources an easy target for Denial-of-Service (DoS) and brute-force attacks. To minimize this risk, apply the Principle of Least Privilege (POLP) to network access as well: allow inbound traffic on high-risk ports only from trusted, authorized IP addresses or IP ranges (specified in CIDR format), and remove the 0.0.0.0/0 source range from any rule that does not strictly require public access.


Audit

To determine if your VPC network firewall rules are using high-risk ports to allow unrestricted inbound access (i.e. 0.0.0.0/0), perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the VPC firewall rules defined for the selected GCP project.

05 In the VPC firewall rules section, click inside the Filter box and set Type to Ingress and Disabled to False to list all the active inbound firewall rules created for your cloud resources.

06 Check the filtered list for any inbound rules with the Protocols / ports attribute set to a port or range of ports between 1 and 1024 (inclusive), Action set to Allow, and Filters set to IP ranges: 0.0.0.0/0. If one or more rules match the filter criteria, there are VPC network firewall rules that allow unrestricted access (i.e. 0.0.0.0/0) on high-risk ports, and therefore access to the associated compute resources is not restricted.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-1637916379
cc-mobile-project-11263793

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name of each VPC network created within the selected project:

gcloud compute networks list \
  --project cc-project5-stack-1637916379 \
  --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project:

NAME
cc-app-stack-network
cc-main-stack-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as the identifier parameter and custom filtering to list all the firewall rules defined for the selected Virtual Private Cloud (VPC):

gcloud compute firewall-rules list \
  --filter network=cc-app-stack-network \
  --sort-by priority \
  --format="table(name,disabled,direction,sourceRanges,allowed[].map().firewall_rule().list())"

06 The command output should return the information available for the existing VPC firewall rules:

NAME: cc-web-allow-ssh
DISABLED: False
DIRECTION: INGRESS
SOURCE_RANGES: ['0.0.0.0/0']
ALLOW: tcp:22

...

NAME: cc-web-allow-rdp
DISABLED: False
DIRECTION: INGRESS
SOURCE_RANGES: ['0.0.0.0/0']
ALLOW: tcp:3389

...

NAME: cc-web-allow-ftp
DISABLED: False
DIRECTION: INGRESS
SOURCE_RANGES: ['0.0.0.0/0']
ALLOW: tcp:20-21

Check the compute firewall-rules list command output for any enabled firewall rules (i.e. DISABLED: False) with DIRECTION set to INGRESS, SOURCE_RANGES set to ['0.0.0.0/0'], and ALLOW set to a port or range of ports between 1 and 1024 (inclusive). If one or more rules match the search criteria, there are VPC network firewall rules that allow unrestricted access (i.e. 0.0.0.0/0) on high-risk ports, and therefore access to the associated compute resources is not restricted.

07 Repeat steps no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
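The audit criteria from steps 05 and 06 can be applied programmatically to the JSON that gcloud emits when the firewall-rules list command is run with --format=json instead of a table format. The following script is an added example, not Conformity's own check; it goes slightly beyond the manual steps by handling port ranges that overlap 1-1024 and allow entries that list no ports at all (which permit every port of a port-based protocol). The sample rules are constructed and mirror the shape of the Compute API firewall resource.

```python
import json

HIGH_RISK_MAX = 1024                      # the page's threshold: ports <= 1024
UNRESTRICTED = "0.0.0.0/0"
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "all"}   # "no ports" here means every port

def allow_entry_hits_high_risk(entry):
    """True if one 'allowed' entry covers any port in 1..1024. A port-based entry
    with no 'ports' key permits every port; icmp/esp/ah are not port-based."""
    proto = entry.get("IPProtocol", "").lower()
    ports = entry.get("ports")
    if ports is None:
        return proto in PORT_PROTOCOLS
    for spec in ports:                    # "22" or "20-21"
        low, _, high = spec.partition("-")
        if int(low) <= HIGH_RISK_MAX:     # any overlap with 1..1024 counts
            return True
    return False

def is_unrestricted_high_risk(rule):
    """Steps 05-06: enabled, INGRESS, source 0.0.0.0/0, allow on a high-risk port.
    Rules using only source tags/service accounts have no sourceRanges: not flagged."""
    if rule.get("disabled", False) or rule.get("direction") != "INGRESS":
        return False
    if UNRESTRICTED not in rule.get("sourceRanges", []):
        return False
    return any(allow_entry_hits_high_risk(a) for a in rule.get("allowed", []))

def find_noncompliant(rules_json):
    """Names of non-compliant rules from `gcloud compute firewall-rules list --format=json`."""
    return sorted(r["name"] for r in json.loads(rules_json) if is_unrestricted_high_risk(r))

# Constructed sample output (not real project data) shaped like the gcloud JSON.
SAMPLE_RULES = json.dumps([
    {"name": "cc-web-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "cc-web-allow-ftp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-21"]}]},
    {"name": "cc-web-allow-app", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["8080-8443"]}]},
    {"name": "cc-ssh-from-office", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.10.24.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "cc-allow-icmp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "cc-old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
])
```

Running find_noncompliant(SAMPLE_RULES) flags only cc-web-allow-ftp and cc-web-allow-ssh; the office-restricted SSH rule, the disabled RDP rule, the ICMP rule and the rule confined to ports above 1024 all pass.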

Remediation / Resolution

To update your VPC network firewall rules configuration in order to restrict inbound access on high-risk ports to trusted, authorized IP addresses or IP ranges only, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the VPC firewall rules defined for the selected GCP project.

05 In the VPC firewall rules section, click inside the Filter box and set Type to Ingress and Disabled to False to list all the active inbound firewall rules created for your cloud resources.

06 Click on the name (link) of the firewall rule that allows unrestricted inbound access on high-risk ports (i.e. ports <= 1024) and choose EDIT from the console top menu.

07 On the selected firewall rule configuration page, perform the following actions:

  1. Remove the non-compliant 0.0.0.0/0 IP address range from the Source IPv4 ranges configuration box to deny unrestricted (public) inbound access on the configured high-risk port/port range.
  2. Type the source IP address(es) or IP address range(s) into the Source IPv4 ranges box to define the source for the incoming traffic on the configured high-risk port/port range. The allowed IP address blocks must be specified in CIDR format (e.g. 10.10.24.0/24). The IP range(s) can include addresses inside your VPC network and outside your network. Source IP range(s) can be used to define sources both inside and outside Google Cloud Platform (GCP).
  3. Choose SAVE to apply the configuration changes.

08 If required, repeat steps no. 6 and 7 to configure other VPC network firewall rules that allow unrestricted inbound access on high-risk ports.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) to update the VPC firewall rule that allows unrestricted ingress access on the configured high-risk port/port range, by replacing the non-compliant 0.0.0.0/0 IP source range with a trusted, authorized IP address/IP range. The IP range(s) can include addresses available within your VPC network and outside your network. The allowed IP address blocks must be defined in CIDR format. You can specify a single value (e.g. 10.10.24.0/32) or a comma-separated list of multiple values (e.g. 10.10.24.0/32, 10.10.15.0/24):

gcloud compute firewall-rules update cc-web-allow-ssh \
  --allow tcp:22 \
  --source-ranges=10.10.24.0/24 \
  --description="Allows SSH access from an authorized network"

02 The command output should return the ID of the configured VPC firewall rule:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-1637916379/global/firewalls/cc-web-allow-ssh].

03 Repeat steps no. 1 and 2 to configure other VPC network firewall rules that allow unrestricted ingress access on high-risk ports.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date May 6, 2024