Security policies

As we said earlier in this chapter, it is important to review industry-standard security benchmarks such as CIS Amazon Web Services, CIS Microsoft Azure Benchmarks, and CIS Google Cloud Platform Benchmarks to understand best practices around security policies when configuring virtual networks. At the time of writing, the benchmarks from the Center for Internet Security can be found at https://www.cisecurity.org/cis-benchmarks.

For each benchmark, we will look at the recommendations around the networking policies.

Amazon Virtual Private Cloud

The CIS Amazon Web Services Benchmark recommends the following networking-related security policies:

  • 5.1 Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • 5.3 Ensure the default security group of every VPC restricts all traffic
  • 5.4 Ensure routing tables for VPC peering are “least access”

For each control, the CIS benchmarks provide a detailed description of the recommended policy, as well as the rationale for it. For example, for 5.1 Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports, it is recommended that “no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.” The rationale given is “public access to remote server administration ports, such as 22 and 3389, increases the resource attack surface and unnecessarily raises the risk of resource compromise.”

Azure Virtual Network

Similarly, the CIS Microsoft Azure Benchmark recommends the following networking-related security policies:

  • 6.1 Ensure that RDP access is restricted from the internet
  • 6.2 Ensure that SSH access is restricted from the internet
  • 6.3 Ensure no SQL databases allow ingress 0.0.0.0/0 (ANY IP)
  • 6.4 Ensure that the Network Security Group Flow Log retention period is “greater than 90 days”
  • 6.5 Ensure that Network Watcher is “Enabled” (manual)
  • 6.6 Ensure that UDP services are restricted from the internet

For each control, the CIS benchmarks provide a detailed description of the recommended policy, as well as the rationale for it. For example, for 6.2 Ensure that SSH access is restricted from the internet, it is recommended that you “Disable SSH access on network security groups from the internet.” The rationale given is “attackers can use various brute-force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.”
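The two controls quoted above (CIS AWS 5.2 for security groups and CIS Azure 6.1/6.2 for network security groups) are easy to audit mechanically once the rule data is exported. The following Python script is an added example, not code from the CIS benchmarks or from either cloud provider. It assumes input records shaped like the JSON returned by `aws ec2 describe-security-groups` and `az network nsg list` (the field names follow those APIs), but the records embedded below are constructed by hand so the script runs offline. The Azure check goes slightly beyond the benchmark's audit text: rather than flagging every Allow rule, it walks the rules in priority order the way Azure evaluates them, so an Allow that is shadowed by a higher-priority Deny is not reported.

```python
"""Offline checks for CIS AWS 5.2 (security groups) and CIS Azure 6.1/6.2
(network security groups). Added example, not CIS or cloud-provider code: the
inputs follow the field names of AWS describe-security-groups and Azure
networkSecurityGroups JSON, but the records below are constructed by hand."""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the ports the benchmark text names


def is_unrestricted(prefix):
    """True for 'any source' forms: '*', the Internet service tag, or a /0 CIDR."""
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:  # other service tags (VirtualNetwork, ...) or bad input
        return False


def aws_sg_findings(security_groups):
    """CIS AWS 5.2: inbound rules that let 0.0.0.0/0 or ::/0 reach an admin port.
    Security groups are allow-only, so every such rule is a finding."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                       # all traffic: no port fields
                ports = "all"
            elif proto in ("tcp", "6") and any(
                    perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS):
                ports = f"{perm['FromPort']}-{perm['ToPort']}"
            else:                                   # udp/icmp or non-admin ports
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            findings += [(sg["GroupId"], ports, c) for c in cidrs if is_unrestricted(c)]
    return findings


def _azure_port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # "22" or "20-30"
    return int(lo) <= port <= int(hi or lo)


def _azure_rule_applies(rule, port):
    """Would this rule match a TCP packet from the Internet to `port`?"""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["protocol"] not in ("Tcp", "*"):
        return False
    sources = [p.get("sourceAddressPrefix")] + p.get("sourceAddressPrefixes", [])
    dports = [p.get("destinationPortRange")] + p.get("destinationPortRanges", [])
    return (any(is_unrestricted(s) for s in sources if s)
            and any(_azure_port_match(d, port) for d in dports if d))


def azure_nsg_findings(nsg):
    """CIS Azure 6.1/6.2: for each admin port, walk the rules in priority order
    (first match wins, as Azure evaluates them) and report the port when the
    winning rule is an Allow reachable from the Internet."""
    props = nsg["properties"]
    rules = sorted(props["securityRules"] + props.get("defaultSecurityRules", []),
                   key=lambda r: r["properties"]["priority"])
    findings = []
    for port in sorted(ADMIN_PORTS):
        for rule in rules:
            if _azure_rule_applies(rule, port):
                if rule["properties"]["access"] == "Allow":
                    findings.append((nsg["name"], port, rule["name"]))
                break  # a higher-priority Deny shadows later Allow rules
    return findings


# --- constructed sample data (hypothetical ids, not real accounts) -------------
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # finding
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # not an admin port
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                          # finding: all traffic
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},  # specific source
    ]},
]
SAMPLE_NSG = {"name": "nsg-web", "properties": {
    "securityRules": [
        {"name": "deny-rdp", "properties": {"priority": 100, "direction": "Inbound",
            "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
            "destinationPortRange": "3389"}},
        {"name": "allow-admin", "properties": {"priority": 200, "direction": "Inbound",
            "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet",
            "destinationPortRanges": ["22", "3389"]}}],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "properties": {"priority": 65500, "direction": "Inbound",
            "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}}]}}

if __name__ == "__main__":
    for f in aws_sg_findings(SAMPLE_SECURITY_GROUPS):
        print("CIS AWS 5.2 finding:", f)
    for f in azure_nsg_findings(SAMPLE_NSG):
        print("CIS Azure 6.1/6.2 finding:", f)
```

Run against the sample data, the AWS check reports the group that opens port 22 to 0.0.0.0/0 and the group with an "all traffic" rule from ::/0, while the group that allows RDP only from 203.0.113.0/24 passes. The Azure check reports port 22 (the `allow-admin` rule wins for it) but not 3389, because the `deny-rdp` rule at priority 100 is matched first. Note that the benchmark's own audit procedure would still flag `allow-admin` for 3389, so if you want to match the benchmark exactly rather than the effective exposure, drop the `break` and report every applicable Allow rule.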