Risk Level: Low
Description
This plugin ensures load balancers are configured to accept connections only on HTTPS ports. For maximum security, a load balancer can be configured to accept HTTPS connections only, so that standard (plain-text) HTTP connections are blocked. This should be done only if the client application is configured to query HTTPS directly and does not rely on a redirect from HTTP.
About the Service
Load Balancers: Azure Load Balancer is an Azure service that distributes incoming requests across multiple virtual machines. Beyond load balancing, it provides features such as port forwarding and automatic reconfiguration when instances are scaled, among others. It also keeps incoming traffic away from non-working virtual machines, providing resilience against physical or software failures of individual machines.
Impact
Using the HTTP protocol for data transfer is a serious security concern: the data travels in plain text, so anyone able to observe the traffic can read it (passive attacks).
Steps to Reproduce
- Log in to the Azure portal.
- Click on Load balancer under Services or type “load balancer” in the search box.
- Select any one load balancer from the given records to check for the issue.
- From the navigation bar, go to Inbound NAT rules under Settings.
- From the defined list of inbound rules, check whether the HTTPS protocol is set under the Service column. If not, see the Steps for Remediation section.
- Repeat for other load balancers as well.
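The same check performed from the command line instead of the portal, as an added example (not PingSafe's plugin code): it evaluates the JSON returned by `az network lb inbound-nat-rule list -g <rg> --lb-name <lb>`, treats a TCP rule on frontend port 443 as the HTTPS service, and flags any load balancer that has a non-HTTPS inbound rule or no HTTPS rule at all. The field names are the CLI's; the load balancer names and rules below are constructed sample data.

```python
"""Flag Azure Load Balancer inbound NAT rules that are not HTTPS (TCP/443).

Added example, not PingSafe's plugin code. Input is the JSON that
`az network lb inbound-nat-rule list -g <rg> --lb-name <lb>` returns;
the rules below are constructed, not taken from a live subscription.
"""
import json

HTTPS_PORT = 443

# Constructed sample: what the CLI would return for two load balancers.
SAMPLE_LISTS = {
    "lb-web-prod": json.dumps([
        {"name": "https-in", "protocol": "Tcp", "frontendPort": 443, "backendPort": 443},
        {"name": "http-in", "protocol": "Tcp", "frontendPort": 80, "backendPort": 80},
    ]),
    "lb-api-prod": json.dumps([
        {"name": "https-in", "protocol": "Tcp", "frontendPort": 443, "backendPort": 8443},
    ]),
}


def is_https_rule(rule: dict) -> bool:
    """The portal's HTTPS service preset maps to a TCP rule on frontend port 443."""
    return rule.get("protocol", "").lower() == "tcp" and rule.get("frontendPort") == HTTPS_PORT


def evaluate_rules(rules_json: str) -> dict:
    """Verdict for one load balancer: compliant only if it exposes HTTPS and nothing else."""
    rules = json.loads(rules_json)
    https_rules = [r["name"] for r in rules if is_https_rule(r)]
    # Anything not HTTPS (e.g. plaintext HTTP on port 80) is reported by name and port.
    non_https = [f'{r["name"]} ({r.get("protocol")}/{r.get("frontendPort")})'
                 for r in rules if not is_https_rule(r)]
    return {
        "has_https": bool(https_rules),
        "non_https_rules": non_https,
        "compliant": bool(https_rules) and not non_https,
    }


def audit(lb_rule_lists: dict) -> list:
    """Run the check across several load balancers; return one finding per failing LB."""
    findings = []
    for lb_name, rules_json in lb_rule_lists.items():
        verdict = evaluate_rules(rules_json)
        if not verdict["compliant"]:
            findings.append({"load_balancer": lb_name, **verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTS):
        print(f"{finding['load_balancer']}: non-HTTPS inbound rules {finding['non_https_rules']}")
```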
Steps for Remediation
- Log in to the Azure portal.
- Click on Load balancer under Services or type “load balancer” in the search box.
- Select any one load balancer from the given records to check for the issue.
- From the navigation bar, go to Inbound NAT rules under Settings.
- Click on +Add to define a rule using the HTTPS protocol.
- Fill in the given details and configure the settings as required. Click on Add.
- Wait for a few seconds for the changes to get saved. Repeat for other vulnerable load balancers as well.
Please feel free to reach out to support@pingsafe.ai with any questions that you may have.
Thanks
PingSafe Support