Azure Virtual Network

Azure VNet manages network traffic via network security groups (NSGs). A network security group contains inbound and outbound security rules that filter network traffic. For each rule, you specify the source and destination, port, and protocol. With a network security group, you can allow or deny network traffic to and from a single IP address, multiple IP addresses, or entire subnets.

To review network security groups in Azure, go to the portal and type security group in the search bar, as shown in Figure 4.30:

Figure 4.30 – Azure security group search

Review Inbound port rules, as shown in Figure 4.31:

Figure 4.31 – Azure NSG – Inbound port rules

In this example, we get a warning on rule 300. SSH, which runs on port 22, is a powerful network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. In this scenario, SSH is directly exposed to the internet. Because NSG rules are evaluated in priority order, lowest number first, a permissive rule such as this one takes effect unless a Deny rule with a lower priority number covers the same traffic. As IT auditors, we would flag this and recommend that the organization use a VPN or a private connection if there is a business need for SSH.
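The check an auditor would want to automate is exactly the one described above: which inbound rules, once priority order is taken into account, actually allow an admin port from the internet. The script below is an added example and not code from the book. It works on a list of rule dictionaries in the shape of the securityRules entries returned by `az network nsg rule list`; the sample rule set is constructed to reproduce the rule 300 finding and to show a Deny rule shadowing a later Allow.

```python
"""Find Azure NSG inbound rules that effectively expose admin ports to the internet.

Added example, not from the book. `rules` is a list of dicts in the shape of the
securityRules entries returned by `az network nsg rule list`; SAMPLE_NSG_RULES is
constructed to reproduce the kind of finding described above (rule 300, SSH)."""

# Ports an auditor would not expect to see open to Any/Internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anyone on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "0.0.0.0", "::/0"}

SAMPLE_NSG_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "AllowSSHFromVPN", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "22"},
    # The rule the text flags: SSH allowed from any source.
    {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    # A Deny at 310 shadows the Allow at 320, so RDP is not actually exposed.
    {"name": "DenyRDP", "priority": 310, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["3389", "5985-5986"]},
    {"name": "AllowRDP", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSSHOutbound", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    # Built-in default rule present in every NSG; it applies only after all custom rules.
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_match(spec, port):
    """spec is "*", a single port ("22") or a range ("5985-5986")."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _rule_values(rule, single, plural):
    """ARM rules carry either the singular property or the plural list; merge both."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def _matches_internet_tcp(rule, port):
    """True if the rule's conditions cover a TCP packet from an internet source to `port`."""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    sources = _rule_values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(src in INTERNET_SOURCES for src in sources):
        return False
    ports = _rule_values(rule, "destinationPortRange", "destinationPortRanges")
    return any(_port_match(p, port) for p in ports)


def effective_rule(rules, port):
    """First inbound rule, lowest priority number first, that matches TCP/`port`
    from the internet. That rule's access decides; later rules never apply."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches_internet_tcp(rule, port):
            return rule
    return None


def find_exposed_admin_ports(rules):
    """Report each admin port whose effective rule is an Allow from the internet."""
    findings = []
    for port, service in sorted(ADMIN_PORTS.items()):
        rule = effective_rule(rules, port)
        if rule is not None and rule["access"] == "Allow":
            findings.append({"port": port, "service": service,
                             "rule": rule["name"], "priority": rule["priority"]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_ports(SAMPLE_NSG_RULES):
        print(f"FINDING: rule {f['priority']} ({f['rule']}) exposes {f['service']} "
              f"on port {f['port']} to the internet")
```

Against a real NSG, feed the function the JSON from `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json`; the built-in rules such as DenyAllInBound are reported in the NSG's defaultSecurityRules property rather than with the custom rules, so include them if you want the fallback to be evaluated as well.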

In addition, review the Outbound port rules section to ensure secure configuration, as shown in Figure 4.32:

Figure 4.32 – Azure NSG – Outbound port rules

Now that we’ve looked at how to secure network controls for Azure VNet, let’s look at how to implement network security controls in a GCP VPC.

Google Cloud Platform Virtual Private Cloud

Network traffic in GCP is managed by VPC firewall rules and network firewall policies. Firewall rules are scoped to a single VPC network. Network traffic is evaluated against the rules in priority order, lowest number first, and the first matching rule makes the final determination; if no rule matches, the implied rules apply, which deny all ingress and allow all egress.

Every GCP project comes with a default VPC, and this default VPC is pre-populated with firewall rules that allow incoming connections to all instances. These default rules are over-permissive and insecure, so the IT auditor needs to examine them closely to ensure they match the organization’s risk posture.

Organizations are strongly recommended to create custom VPC networks and avoid using GCP default VPCs. GCP firewall rules are defined at the VPC network level and apply only to the network in which they are defined. Each rule either allows or denies traffic when its conditions are met. The IT auditor should review the ports, protocols, and the source or destination of the network traffic for each rule.

To review the VPC firewall, follow these steps:

1. Go to the Google Cloud Console and navigate to VPC network. Then, click on Firewall, as shown in Figure 4.33:

Figure 4.33 – Google Cloud Console

2. Next, navigate to Firewall resources, as shown in Figure 4.34:

Figure 4.34 – GCP VPC – Firewall resources

3. Navigate to VPC firewall rules to review the current rules, as shown in Figure 4.35:

Figure 4.35 – GCP – VPC firewall rules

4. Navigate to Network firewall policies to review the current policies, as shown in Figure 4.36:

Figure 4.36 – GCP VPC – Network firewall policies
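Once the rules have been exported from the console or CLI, the two things an auditor wants to verify are the priority-order evaluation described earlier (lowest number first, first match wins, implied deny on ingress) and the presence of the default network's pre-populated rules. The script below is an added example, not code from the book. Rule dictionaries follow the shape of `gcloud compute firewall-rules list --format=json` output, the sample rule set is constructed, and target tags and service accounts are ignored, so it assumes every rule applies to all instances in the network.

```python
"""Evaluate traffic against GCP VPC firewall rules in priority order and list
the default network's pre-populated rules.

Added example, not from the book. Rule dicts follow the shape of
`gcloud compute firewall-rules list --format=json` output; SAMPLE_RULES is a
constructed sample. Target tags and service accounts are ignored, i.e. the
example assumes every rule applies to all instances in the network."""

import ipaddress

# Constructed sample: the rules GCP pre-populates on the default network
# (priority 65534) plus two custom rules an auditor might find.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-icmp", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    # Custom rules: a higher-priority deny that neutralises default-allow-ssh.
    {"name": "deny-ssh-from-internet", "network": "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-https", "network": "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]


def _port_in(spec, port):
    """spec is a single port ("22") or a range ("0-65535")."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _protocol_match(entries, protocol, port):
    """True if any allowed/denied entry covers the protocol (and port, if given)."""
    for entry in entries:
        proto = entry["IPProtocol"].lower()
        if proto not in ("all", protocol):
            continue
        ports = entry.get("ports")
        if not ports or port is None or any(_port_in(p, port) for p in ports):
            return True
    return False


def evaluate(rules, peer_ip, protocol, port=None, direction="INGRESS"):
    """Return (action, rule_name) for one flow.

    peer_ip is the source for INGRESS and the destination for EGRESS. Rules are
    walked lowest priority number first; at equal priority a deny rule wins.
    If nothing matches, the implied rules apply: ingress denied, egress allowed.
    """
    addr = ipaddress.ip_address(peer_ip)
    protocol = protocol.lower()
    candidates = [r for r in rules
                  if r.get("direction", "INGRESS") == direction and not r.get("disabled", False)]
    candidates.sort(key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    range_key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    for rule in candidates:
        ranges = rule.get(range_key) or ["0.0.0.0/0", "::/0"]
        if not any(addr in ipaddress.ip_network(cidr) for cidr in ranges):
            continue
        if rule.get("denied") and _protocol_match(rule["denied"], protocol, port):
            return ("deny", rule["name"])
        if rule.get("allowed") and _protocol_match(rule["allowed"], protocol, port):
            return ("allow", rule["name"])
    if direction == "INGRESS":
        return ("deny", "implied-deny-ingress")
    return ("allow", "implied-allow-egress")


def default_network_findings(rules):
    """List the pre-populated default-allow-* rules on the default network and
    whether each one is open to the whole internet."""
    findings = []
    for rule in rules:
        network = rule.get("network", "").rsplit("/", 1)[-1]
        if network == "default" and rule["name"].startswith("default-allow-"):
            open_to_internet = any(c in ("0.0.0.0/0", "::/0")
                                   for c in rule.get("sourceRanges", []))
            findings.append((rule["name"], open_to_internet))
    return findings


if __name__ == "__main__":
    for name, is_open in default_network_findings(SAMPLE_RULES):
        print(f"{name}: {'OPEN TO INTERNET' if is_open else 'internal only'}")
    print("SSH from 203.0.113.5:", evaluate(SAMPLE_RULES, "203.0.113.5", "tcp", 22))
```

Running `evaluate` with and without the custom deny rule shows why priority matters in an audit: with only the default rules present, SSH from any internet address is allowed by default-allow-ssh, while the custom rule at priority 1000 turns the same flow into a deny, and because it uses 0.0.0.0/0 it also denies SSH from the internal 10.128.0.0/9 range, which may or may not be what the organization intended.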

In this section, we reviewed how to securely configure core network controls in AWS, Azure, and GCP. Next, we will look at how to implement industry-standard security benchmarks within security policies in AWS, Azure, and GCP.