3.10 Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Access to VMs behind IAP should be restricted by firewall rules that allow only connections proxied through IAP, so that no other path reaches the instance. The load balancer's health checks must also be allowed, or load balancing will not work correctly.

Rationale:

IAP ensures that access to VMs is controlled by authenticating incoming requests. However, if a VM is still reachable from IP addresses other than IAP's, it may still be possible to send unauthenticated requests directly to the instance and bypass that authentication. Care must be taken not to block load balancer health checks, since without them the load balancer cannot determine the health of the VM and cannot balance traffic correctly.

Impact:

If firewall rules are not configured correctly, legitimate business services could be negatively impacted.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the Console:

Go to the Cloud Console VPC network > Firewall rules.

Select the checkbox next to the following rules:

default-allow-http

default-allow-https

default-allow-internal

Click Delete.

Click Create firewall rule and set the following values:

Name: allow-iap-traffic

Targets: All instances in the network

Source IP ranges (press Enter after you paste each value in the box):

130.211.0.0/22

35.191.0.0/16

Protocols and ports:

Specified protocols and ports

tcp:80

When you're finished updating values, click Create.

Deleting default-allow-internal removes the pre-populated rule that permits all traffic between instances in the network; if other workloads depend on it, replace it with a narrower rule before deleting it. Use the port the backend service actually listens on in place of tcp:80, and consider narrowing Targets from all instances to the target tag or service account of the IAP-protected instances.
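The console steps above can be audited and replayed from the command line. The script below is an added example, not part of this audit page or the CIS benchmark text: it parses the JSON that `gcloud compute firewall-rules list --format=json` emits, flags every enabled ingress allow rule whose source ranges fall outside the two GCLB ranges, and prints the gcloud equivalent of the delete/create steps. The rule list it runs on is a constructed sample (the project name, network URL and rule contents are assumptions) so that it works offline.

```python
"""Check VPC firewall rules for CIS GCP 3.10 and emit the remediation commands.

Added example, not part of the audit page or the CIS benchmark text. It parses
the JSON that `gcloud compute firewall-rules list --format=json` produces; the
sample below is constructed to look like that output so the script runs offline.
"""
import ipaddress
import json
from typing import Dict, List

# The two Google-published ranges that GCLB health checks and proxies use;
# these are the source ranges the allow-iap-traffic rule above is built from.
GCLB_RANGES = [ipaddress.ip_network(r) for r in ("130.211.0.0/22", "35.191.0.0/16")]

# Constructed sample of firewall rules (not real project data), shaped like the
# JSON gcloud emits. It contains the three default rules the remediation deletes
# plus the compliant allow-iap-traffic rule.
NETWORK_URL = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default"
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-http", "network": NETWORK_URL, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-https", "network": NETWORK_URL, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "default-allow-internal", "network": NETWORK_URL, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "allow-iap-traffic", "network": NETWORK_URL, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    # A deny rule and an egress rule never open a path to the VM, so they are not findings.
    {"name": "deny-ssh-everywhere", "network": NETWORK_URL, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-egress", "network": NETWORK_URL, "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])


def source_is_gclb(source: str) -> bool:
    """True if the CIDR lies entirely inside one of the GCLB ranges."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == allowed.version and net.subnet_of(allowed) for allowed in GCLB_RANGES)


def non_compliant_rules(rules_json: str) -> List[Dict[str, object]]:
    """Return every enabled ingress allow rule that admits traffic from outside the GCLB ranges."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled") or not rule.get("allowed"):
            continue
        sources = rule.get("sourceRanges", [])
        offending = [s for s in sources if not source_is_gclb(s)]
        # A rule keyed only on source tags or service accounts has no sourceRanges yet still
        # admits non-IAP traffic from inside the VPC, so it is reported as well.
        if offending or not sources:
            findings.append({"name": rule["name"],
                             "offending_sources": offending or ["<source tag / service account>"]})
    return findings


def remediation_commands(network: str, port: int = 80) -> List[str]:
    """gcloud equivalent of the console steps above (delete the defaults, add allow-iap-traffic)."""
    return [
        "gcloud compute firewall-rules delete default-allow-http default-allow-https "
        "default-allow-internal --quiet",
        f"gcloud compute firewall-rules create allow-iap-traffic --network={network} "
        f"--direction=INGRESS --allow=tcp:{port} "
        "--source-ranges=130.211.0.0/22,35.191.0.0/16",
    ]


if __name__ == "__main__":
    for finding in non_compliant_rules(SAMPLE_RULES_JSON):
        print(f"NON-COMPLIANT {finding['name']}: {', '.join(finding['offending_sources'])}")
    print("\n".join(remediation_commands("default")))
```

Against the sample, the three default-allow-* rules are reported and allow-iap-traffic, the deny rule and the egress rule are not. To run it against a real project, replace SAMPLE_RULES_JSON with the output of `gcloud compute firewall-rules list --format=json --filter="network:<network>"`; review the findings before running the printed delete command, since it removes default-allow-internal for every instance in the network.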

Default Value:

In the default network, the pre-populated rules default-allow-http, default-allow-https and default-allow-internal admit HTTP, HTTPS and internal traffic from sources other than IAP, so instances are reachable without passing through IAP.

See Also

https://workbench.cisecurity.org/files/3316