lacework-global-302
3.7 Ensure That RDP Access Is Restricted From the Internet (Automated)
Profile Applicability
• Level 2
Description
GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
Rationale
GCP Firewall Rules are defined within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet. To avoid exposing RDP on the default Port 3389 to the most general (0.0.0.0/0) source IP range from the Internet, generic access from the Internet to a specific IP Range should be restricted.
Impact
All Remote Desktop Protocol (RDP) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where remote desktop access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to the RDP port for the concerned VPC(s).
Audit
From the Console:
- Go to VPC network.
- Go to the Firewall Rules.
- Ensure Port is not equal to 3389 and Action is not Allow.
- Ensure IP Ranges is not equal to 0.0.0.0/0 under Source filters.
From Command Line:
gcloud compute firewall-rules list --format="table(name,direction,sourceRanges,allowed.ports)"
Ensure that there is no rule matching the below criteria:
- SOURCE_RANGES is 0.0.0.0/0
- AND DIRECTION is INGRESS
- AND IPProtocol is TCP or ALL
- AND PORTS is set to 3389, or a range containing 3389, or Null (not set)
Note:
- When ALL TCP ports are allowed in a rule, PORT does not have any value set (NULL).
- When ALL Protocols are allowed in a rule, PORT does not have any value set (NULL).
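The audit criteria above, including the NULL-port and port-range cases, as an added example that is not part of the Lacework/CIS text. It evaluates rules exported with `gcloud compute firewall-rules list --format=json`; the rule records below are constructed sample data, and the `disabled` check is an extra assumption beyond the page's criteria.

```python
# Added example, not part of the Lacework/CIS text: checks rules exported with
# `gcloud compute firewall-rules list --format=json` against the audit criteria above.
import json
RDP_PORT = 3389

def port_spec_covers(spec: str, port: int) -> bool:
    """True if a gcloud port spec ("3389" or "3000-4000") includes `port`."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port

def exposes_rdp_to_internet(rule: dict) -> bool:
    """Audit criteria: 0.0.0.0/0 source AND INGRESS AND IPProtocol tcp or all
    AND ports containing 3389 or unset (unset means every port of the protocol)."""
    if rule.get("disabled"):
        return False  # a disabled rule passes no traffic (assumption beyond the page's criteria)
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return False
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    # Only "allowed" entries matter; deny rules carry a "denied" key instead.
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_spec_covers(p, RDP_PORT) for p in ports):
            return True
    return False

def audit(rules_json: str) -> list:
    """Return the names of rules that violate the control."""
    return [r["name"] for r in json.loads(rules_json) if exposes_rdp_to_internet(r)]

# Constructed sample export, abbreviated to the fields the check reads.
SAMPLE_RULES = json.dumps([
    {"name": "rdp-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "range-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "all-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "rdp-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "udp-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["3389"]}]},
    {"name": "rdp-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
])
```

Running `audit(SAMPLE_RULES)` flags only the first three rules; the office-scoped, UDP-only and egress rules pass.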
Remediation
From the Console:
- Go to VPC Network.
- Go to the Firewall Rules.
- Click the Firewall Rule to be modified.
- Click Edit.
- Modify Source IP ranges to specific IP.
- Click Save.
From Command Line:
1. Update the RDP Firewall rule with a new SOURCE_RANGE using the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
References
https://cloud.google.com/vpc/docs/firewalls#blockedtraffic
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts
Additional Information
Currently, GCP VPC only supports IPv4; however, Google is already working on adding IPv6 support for VPC. In that case, along with the source IP range 0.0.0.0, the rule should be checked for the IPv6 equivalent ::0 as well.