cancel
Showing results for 
Search instead for 
Did you mean: 

Ensure no security groups / firewall rules allow ingress from 0.0.0.0/0 to port [ ]

nking
Netskope
Netskope

Security groups (AWS, Azure) and firewall rules provide stateful filtering of ingress/egress network traffic to Cloud Provider resources. The AWS rule below provides protection against security group allowing unrestricted ingress access to port 22 (SSH). This rule can easily be modified to provide similar protection for other ports such as RDP (3389), Oracle DB (1521), PostgreSQL (5432), MySQL DB (3306), MongoDB (27017), Microsoft-DS (445), HTTP (80), TCP (445), DNS (53), FTP (21), Telnet (23), SMTP (25), and more. See below for example rules in AWS, Azure, and GCP.

 

AWS:

EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ]

 

GCP:

FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 23 and ToPort gte 23 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]

 

Azure: 

VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and  Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and  Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "<nw>/0", "/0" ) ] ) ) ] ]

 

Import / export rules to/from Netskope via REST API here 

https://docs.netskope.com/en/import-and-export-csa-custom-rules.html

 

Let us know how this worked for you in the comments below!

0 REPLIES 0