Firewall rule exposes risky ports to the internet

PLATFORM:

SERVICE: gce

DATA BREACHES: known

LAST UPDATED:

EXPLOITABILITY: high

IMPACT: medium

Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood.

Impact measures how damaging a successful exploitation of this vulnerability is expected to be for your environment and organization.

About

Firewall rules that, accidentally or intentionally, allow access from the open internet give attackers a potential foothold and a pivot to other services. Such rules are often added for troubleshooting, never audited, and forgotten; they are eventually detected only as the result of an incident or a compliance audit.

Understanding Impact

Business Impact

Firewall rules control the traffic that can flow into Google Cloud services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of running no firewall at the perimeter of your data center. Depending on your business's compliance requirements, failing to monitor changes to these rules or to remediate them could be a violation.

Technical Impact

Firewall rules can be attached to workloads such as compute instances and load balancers. While it is common to allow application traffic from the internet (for example: HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Firewall rule modifications should be monitored and evaluated against a policy on exposure.

Identify affected resources

The gcloud CLI does not offer a trivial way to identify firewall rules that allow traffic from the internet; the Security Command Center does.

  1. Open the Google Cloud Security Command Center.
  2. Use the query state="ACTIVE" AND category="OPEN_FIREWALL" to identify open firewall rules.

Remediate vulnerable resources

Remove or adapt ingress rules that expose risky ports to the internet. You can also restrict them to specific public IPs. For remote management, it is recommended to use Google Cloud Identity-Aware Proxy (IAP) which allows you to authenticate using your existing identity, and does not require opening ingress ports.
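The two sections above (identifying open rules, then restricting them to a narrower source or to IAP) can be scripted against the JSON that `gcloud compute firewall-rules list --format=json` produces. The following is an added example, not code from the original page or from Datadog: it takes a constructed sample of that JSON, flags active ingress rules whose source range is the whole internet (0.0.0.0/0 or ::/0) and whose allowed protocols cover a management port, and prints the `gcloud compute firewall-rules update ... --source-ranges=` command that would narrow each rule to Google's documented IAP TCP forwarding range (35.235.240.0/20). The list of "risky" ports and the sample rule names are assumptions for the example; adjust them to your own exposure policy.

```python
import ipaddress
import json

# Management ports that should not be reachable from the internet
# (assumption for this example; extend to match your own exposure policy).
RISKY_TCP_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Google's documented source range for IAP TCP forwarding.
IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"

# Constructed sample shaped like the output of
#   gcloud compute firewall-rules list --format=json
# (rule names and ranges are made up for this example).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-https", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "debug-ssh-temp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "rdp-office", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-all-v6", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["::/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-range", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["1-1024"]}]},
  {"name": "egress-any", "direction": "EGRESS",
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""


def is_internet_range(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_risky_ports(allowed_entry):
    """Return the risky TCP ports covered by one 'allowed' entry.

    An entry without a 'ports' list allows every port of the protocol;
    an entry with IPProtocol 'all' covers TCP as well.
    """
    proto = allowed_entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return set()
    ports = allowed_entry.get("ports")
    if not ports:
        return set(RISKY_TCP_PORTS)
    hit = set()
    for spec in ports:  # "22" or "1000-2000"
        lo, _, hi = spec.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        hit.update(p for p in RISKY_TCP_PORTS if lo_i <= p <= hi_i)
    return hit


def find_open_risky_rules(rules_json):
    """Active ingress rules open to the internet on at least one risky port."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(is_internet_range(r) for r in rule.get("sourceRanges", [])):
            continue
        ports = set()
        for entry in rule.get("allowed", []):
            ports |= exposed_risky_ports(entry)
        if ports:
            findings.append({"name": rule["name"], "ports": sorted(ports)})
    return findings


def remediation_commands(findings):
    """One gcloud command per finding; --source-ranges replaces the whole list."""
    return [
        f"gcloud compute firewall-rules update {f['name']}"
        f" --source-ranges={IAP_TCP_FORWARDING_RANGE}"
        for f in findings
    ]


if __name__ == "__main__":
    for f in find_open_risky_rules(SAMPLE_RULES_JSON):
        names = ", ".join(f"{p}/{RISKY_TCP_PORTS[p]}" for p in f["ports"])
        print(f"{f['name']}: open to the internet on {names}")
    print("\n".join(remediation_commands(find_open_risky_rules(SAMPLE_RULES_JSON))))
```

Run it against real output by replacing `SAMPLE_RULES_JSON` with the contents of `gcloud compute firewall-rules list --format=json`. The update command only narrows the source; a rule that allows every protocol and port (like `allow-all-v6` in the sample) should usually be deleted rather than narrowed, and a rule that serves genuine application traffic (443 in the sample) is deliberately not flagged.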

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the following out-of-the-box rules:

References

Using IAP for TCP forwarding (GCP documentation)
