Risk Level: High
Description:
This plugin ensures that all traffic is blocked by default by default security groups. When resources are launched without a designated security group, the default security group is generally used. As a result, the default rules should be set to block all traffic in order to avoid unintentional exposure.
PingSafe strongly recommends updating the rules for the default security group to deny all traffic by default.
About the Service :
In an Azure virtual network, a network security group may be used to restrict network traffic to and from Azure resources. A network security group is a collection of security rules that allow or disallow incoming and outgoing network traffic to and from various Azure services. Source and destination, port, and protocol can all be specified for each rule.
Impact :
The default rules should be set to block all traffic in order to avoid unintentional exposure.
Steps to reproduce :
- Sign in to your Azure portal with your Azure account.
https://portal.azure.com/#home - Navigate to Azure’s Network Security Groups.
- Click on the Security Group that you want to examine. Next, click on the inbound security rules and then outbound security rules.
- Check if the default security group rules are set or not.
- Follow the same steps for other security groups as well.
Steps for remediation :
- Sign in to your Azure portal with your Azure account.
https://portal.azure.com/#home - Navigate to Azure’s Network Security Groups.
- Click on the Security Group that you want to examine. Next, click on the inbound security rules and then outbound security rules.
- Check if the default security group rules are set or not.
- If the default security rules are not set in either inbound security rules or outbound security rules, then click on Add in inbound security rules and outbound security rules and enter the required security information and then click Add.
- The rules are now added to the security group.
- Follow the same steps for other Network Security Groups as well.
References :
Please feel free to reach out to support@pingsafe.com with any questions that you may have.
Thanks
PingSafe Support