Google Cloud Load Balancing

Security Policy Disabled

Risk Level: High

Description

This plugin ensures that all backend services have an attached security policy. Security policies on backend services control the traffic that reaches the load balancer. This provides security at the edge and can deny or allow specified IP addresses.

About the Service

Google Cloud Load Balancing:

According to Google's documentation, Google Cloud offers server-side load balancing so you can distribute incoming traffic across multiple virtual machine (VM) instances. Health checks detect and automatically remove unhealthy VM instances; instances that become healthy again are automatically re-added. Google's global load balancer knows where clients are located and directs packets to the closest web service, providing low latency to users while using a single virtual IP (VIP). Using a single VIP means the time to live (TTL) of the DNS records can be increased, which further reduces latency.

Impact

Google Cloud Armor security policies enable you to allow, deny, or redirect requests to your external HTTP(S) load balancer at the Google Cloud edge, as close as possible to the source of incoming traffic. This prevents unwelcome traffic from consuming resources or entering your Virtual Private Cloud (VPC) networks. A backend service without a security policy therefore accepts traffic from any source, so the impact is on the security of your backend services. This plugin ensures that all backend services have an attached security policy. Security policies on backend services control the traffic that reaches the load balancer, providing security at the edge and the ability to deny or allow specified IP addresses.

Steps to Reproduce

Using GCP Console:

To determine whether the backend services of your Google Cloud Platform (GCP) Load Balancing service have CDN enabled, follow the steps below:

  1. Sign in to the Google Cloud Platform Console using the administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. From the Navigation Menu on the left, locate the Networking section.
  4. Click on the Network Services subsection under Networking.
  5. Under the Network Services navigation panel, locate Load Balancing, as shown in the figure below.
  6. Click on the Load Balancing navigation link; the Cloud Load Balancing page will appear on the screen.
  7. On the Load Balancing page, click on the Load Balancers nav link at the top of the navigation bar. This opens the list of all the load balancers present in your GCP Project.
  8. The list of all the load balancers will be displayed. Choose the Name of the load balancer you want to examine.
  9. A new page with all the details of that load balancer will open.
  10. Click on the Details tab and check the Cloud CDN configuration attribute value set for the backend service under the Backend section.
  11. If the value of the Cloud CDN attribute is set to Disabled, CDN is not enabled for that particular load balancer in your current GCP project.
  12. Repeat steps 8-11 for the other load balancers in your GCP Project.
  13. Repeat the above-mentioned steps to check the other GCP projects/folders in your organization.

Steps for Remediation

Using GCP Console:

To enable Cloud CDN on the backend services of your Google Cloud Platform (GCP) Load Balancing service and attach a security policy, follow the steps below:

  1. Sign in to the Google Cloud Platform Console using the administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. From the Navigation Menu on the left, locate the Networking section.
  4. Click on the Network Services subsection under Networking.
  5. Under the Network Services navigation panel, locate Load Balancing, as shown in the figure below.
  6. Click on the Load Balancing navigation link; the Cloud Load Balancing page will appear on the screen.
  7. On the Load Balancing page, click on the Load Balancers nav link at the top of the navigation bar. This opens the list of all the load balancers present in your GCP Project.
  8. The list of all the load balancers will be displayed. Choose the Name of the load balancer you want to examine.
  9. A new page with all the details of that load balancer will open.
  10. Click on the Edit button in the top navigation bar. On the Edit HTTPS load balancer page, select the Backend Configuration tab in the left panel.
  11. Under Backend Configuration, click on the small Pencil icon next to the name of the Backend Service. This opens the Edit page.
  12. In the Edit Backend Service configuration panel, under Cloud CDN, select the Enable Cloud CDN checkbox. Then choose the Cache mode from the options given there and set the desired time limits.
  13. Under the Security box, choose the Cloud Armor Policy, which must already have been created. If none exists, create a Cloud Armor Policy and use it.
  14. Click on the Update button on the Edit backend service page.
  15. Go back to the Edit page and click on the Update button to apply the reconfigured settings.
  16. Repeat steps 8-14 for the other load balancers in your GCP Project.
  17. Repeat the above-mentioned steps for the other GCP projects/folders in your organization.
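The console walkthrough above does not scale past a handful of load balancers. The following script, added here as an example and not part of the original page or of any Google tooling, performs the same audit over an exported inventory: it reads JSON shaped like the output of `gcloud compute backend-services list --format=json`, flags externally reachable backend services with no `securityPolicy` attached, records the `enableCDN` state the reproduce steps look at, and prints the `gcloud compute backend-services update --security-policy` command that performs step 13 of the remediation. The sample inventory is constructed, and the assumption that only `EXTERNAL*` load-balancing schemes can carry a Cloud Armor backend security policy is the author's, not the page's.

```python
import json

# Constructed sample shaped like `gcloud compute backend-services list --format=json`.
# Real output carries many more fields; only the ones this audit reads are included.
SAMPLE_INVENTORY = json.dumps([
    {"name": "web-backend", "loadBalancingScheme": "EXTERNAL_MANAGED",
     "securityPolicy": "https://www.googleapis.com/compute/v1/projects/"
                       "example-project/global/securityPolicies/edge-policy",
     "enableCDN": True},
    {"name": "api-backend", "loadBalancingScheme": "EXTERNAL", "enableCDN": False},
    {"name": "internal-svc", "loadBalancingScheme": "INTERNAL_MANAGED", "enableCDN": False},
])


def audit_backend_services(inventory_json):
    """Return one finding per backend service that should have a Cloud Armor
    policy but has none.

    Assumption: Cloud Armor backend security policies attach to backend services
    of external load balancers, so INTERNAL* schemes are skipped rather than
    reported. Each finding records the Cloud CDN state (the attribute the console
    steps inspect) and a remediation command for a global backend service;
    regional backend services take --region instead of --global.
    """
    findings = []
    for svc in json.loads(inventory_json):
        if not svc.get("loadBalancingScheme", "").startswith("EXTERNAL"):
            continue
        if svc.get("securityPolicy"):
            continue  # policy attached: compliant with this rule
        findings.append({
            "name": svc["name"],
            "cdn_enabled": bool(svc.get("enableCDN", False)),
            "remediation": (
                f"gcloud compute backend-services update {svc['name']} "
                "--global --security-policy=<EXISTING_CLOUD_ARMOR_POLICY>"
            ),
        })
    return findings


if __name__ == "__main__":
    for f in audit_backend_services(SAMPLE_INVENTORY):
        print(f"[HIGH] {f['name']}: no security policy attached "
              f"(Cloud CDN enabled: {f['cdn_enabled']})")
        print(f"       fix: {f['remediation']}")
```

Replace `<EXISTING_CLOUD_ARMOR_POLICY>` with the name of a policy you have already created, as the remediation steps require.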