Unrestricted access between network segments
Need
Implementation of network segmentation and access controls
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of azurerm for managing resources in Azure
Description
Non compliant code
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-network"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "example-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefix = "10.0.2.0/24"
}
resource "azurerm_network_interface" "example" {
name = "example-nic"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.example.id
private_ip_address_allocation = "Dynamic"
}
}
In the above code, a resource group is created, and within that resource group a virtual network is created with an address space of 10.0.0.0/16. A subnet is also created within this virtual network with an address prefix of 10.0.2.0/24. Finally, a network interface is created which is associated with the subnet.
The vulnerability lies in the fact that there are no network security groups (NSGs) applied to the subnet or the network interface. NSGs contain security rules that allow or deny inbound or outbound traffic to resources connected to Azure Virtual Networks. Without these, there are no restrictions on the traffic that can flow between different resources within the virtual network, or between the virtual network and the internet. This means that an employee could potentially access database servers from the internet, which is a security risk.
Steps
- Implement network segmentation to restrict access between network segments
- Identify the different network segments required for the application
- Define access control policies to limit communication between network segments
- Configure firewall rules or network security groups to enforce the access control policies
- Regularly review and update the access control policies to ensure they align with the principle of least privilege
- Monitor network traffic and logs to detect any unauthorized access attempts
Compliant code
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-network"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "example-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefix = "10.0.2.0/24"
}
resource "azurerm_network_security_group" "example" {
name = "example-nsg"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_network_security_rule" "example" {
name = "example-rule"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.example.id
network_security_group_id = azurerm_network_security_group.example.id
}
resource "azurerm_network_interface" "example" {
name = "example-nic"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.example.id
private_ip_address_allocation = "Dynamic"
}
}
The updated code includes the creation of a Network Security Group (NSG) and a Network Security Rule. The NSG is associated with the subnet to enforce the security rule.
The azurerm_network_security_group resource creates a new NSG named "example-nsg". This NSG is located in the same resource group and location as the other resources.
The azurerm_network_security_rule resource creates a new security rule named "example-rule". This rule is configured to deny all inbound TCP traffic. The rule is associated with the "example-nsg" NSG.
The azurerm_subnet_network_security_group_association resource associates the "example-nsg" NSG with the "example-subnet" subnet. This means that the security rule will be enforced for all resources in the subnet.
The azurerm_network_interface resource is updated to use the "example-subnet" subnet, which is now associated with the NSG.
This configuration ensures that all inbound TCP traffic to the subnet is denied by default, limiting access between network segments. This aligns with the principle of least privilege by only allowing necessary traffic.