Profile Applicability:

Level 2

Description:

Delete the default network from every Google Cloud project. It is created automatically with permissive firewall rules and a predefined auto mode subnet layout, which makes it unsuitable for secure, scalable networking.

Rationale:

The default network is created with the following firewall rules, all of which are ingress rules that apply to every instance in the network:

  • default-allow-internal: Allows all protocols and ports (TCP and UDP 0-65535, plus ICMP) from 10.128.0.0/9, the range shared by every auto mode subnet, so a single compromised instance can reach every port on every other instance in the network.

  • default-allow-ssh: Permits TCP port 22 (SSH) from any source (0.0.0.0/0).

  • default-allow-rdp: Permits TCP port 3389 (RDP) from any source (0.0.0.0/0).

  • default-allow-icmp: Allows ICMP from any source (0.0.0.0/0).

Firewall Rules Logging is disabled on these rules by default, so connections they admit leave no record. In addition, the default network is an auto mode network: its subnets draw from the same predefined 10.128.0.0/9 range in every project, so two such networks overlap and cannot be connected with Cloud VPN or VPC Network Peering without address conflicts. Deleting the default network ensures that each project runs only custom networks whose subnets and firewall rules were designed for its security and networking requirements.

Impact:

Organizations must migrate all assets (VM instances, load balancers and any other resource attached to the default network) to a newly created custom network before deleting it; the network cannot be deleted while anything still uses it. Planning the migration first ensures uninterrupted operations while adhering to security best practices.

Default Value:

Unless the compute.skipDefaultNetworkCreation organization policy constraint is enforced, a network named default is created automatically in every new project.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the VPC networks page at Google Cloud Console: VPC Networks

  2. Verify that no network named default exists in the list.

Using Google Cloud CLI:

Set the project:

gcloud config set project PROJECT_ID

List all networks in the project:

gcloud compute networks list

Confirm that default is not listed in the output.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the VPC networks page at Google Cloud Console: VPC Networks

  2. Select the default network and click Edit.

  3. Click DELETE VPC NETWORK to remove it.

  4. If necessary, create a new network to replace the default network.

Using Google Cloud CLI:

Delete the default network. The delete is refused while any resource still references the network, so first remove the default-allow-* firewall rules and any remaining instances, then run:

gcloud compute networks delete default

If required, create a new network:

gcloud compute networks create NETWORK_NAME

Prevention:

Prevent default network creation by enforcing the compute.skipDefaultNetworkCreation Organization Policy constraint:

  1. Visit the Organization Policy for Skipping Default Network Creation.

  2. Enforce the constraint so that no default network is created in new projects. The policy does not remove default networks that already exist; those still need the remediation above.
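As an added example (not part of the CIS benchmark text or of Google's own tooling), the following Python script ties the audit, remediation and prevention steps above together. It assumes the gcloud CLI is installed and authenticated, that its --format=json output carries the Compute API field names used here (name, autoCreateSubnetworks, network, sourceRanges, allowed, logConfig), and that assets have already been migrated off the default network; the sample data at the bottom is constructed, not captured from a real project. It goes beyond the page's own steps by also reporting which of the default rules are internet-facing, all-port or unlogged, and by ordering the deletion so that firewall rules are removed before the network.

```python
"""Audit a project for the 'default' VPC network, explain why its firewall
rules are risky, and emit the ordered gcloud commands that remove it.
The pure functions take the JSON that `gcloud ... --format=json` produces, so
they run on the constructed sample data at the bottom without cloud access."""
import json
import shlex
import subprocess
import sys

DEFAULT_NETWORK = "default"
ANY_IPV4 = "0.0.0.0/0"


def find_default_network(networks):
    """Return the network entry named 'default', or None (the audit check)."""
    return next((n for n in networks if n.get("name") == DEFAULT_NETWORK), None)


def rules_for_network(firewall_rules, network_name):
    """Firewall rules whose 'network' field (a resource URL) points at network_name."""
    suffix = "/networks/" + network_name
    return [r for r in firewall_rules if r.get("network", "").endswith(suffix)]


def _opens_all_ports(allowed):
    """True if an 'allowed' entry admits every port of tcp/udp, or every protocol."""
    proto, ports = allowed.get("IPProtocol"), allowed.get("ports", [])
    return proto == "all" or (proto in ("tcp", "udp") and (not ports or "0-65535" in ports))


def rule_findings(rule):
    """Reasons a rule is risky: internet-wide ingress, all ports, no logging."""
    findings = []
    if rule.get("direction", "INGRESS") == "INGRESS" and ANY_IPV4 in rule.get("sourceRanges", []):
        findings.append(f"ingress from {ANY_IPV4}")
    if any(_opens_all_ports(a) for a in rule.get("allowed", [])):
        findings.append("all ports open")
    if not rule.get("logConfig", {}).get("enable", False):
        findings.append("firewall logging disabled")
    return findings


def audit(networks, firewall_rules):
    """Human-readable findings for the project; an empty list means compliant."""
    net = find_default_network(networks)
    if net is None:
        return []
    report = [f"network '{DEFAULT_NETWORK}' exists (auto mode: {net.get('autoCreateSubnetworks')})"]
    for rule in rules_for_network(firewall_rules, DEFAULT_NETWORK):
        if findings := rule_findings(rule):
            report.append(f"{rule['name']}: {', '.join(findings)}")
    return report


def deletion_plan(project, firewall_rules):
    """Ordered gcloud argv lists: rules first, because the network delete is refused
    while any resource (a firewall rule included) still references the network.
    Assumes VMs and other assets were already migrated off 'default'."""
    plan = [["gcloud", "compute", "firewall-rules", "delete", r["name"],
             f"--project={project}", "--quiet"]
            for r in rules_for_network(firewall_rules, DEFAULT_NETWORK)]
    plan.append(["gcloud", "compute", "networks", "delete", DEFAULT_NETWORK,
                 f"--project={project}", "--quiet"])
    return plan


def prevention_command(org_id):
    """Org policy that stops new projects from receiving a default network."""
    return ["gcloud", "resource-manager", "org-policies", "enable-enforce",
            "compute.skipDefaultNetworkCreation", f"--organization={org_id}"]


def gcloud_json(*args):
    """Run a gcloud command and parse its JSON output (live use only)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(project):
    networks = gcloud_json("compute", "networks", "list", f"--project={project}")
    rules = gcloud_json("compute", "firewall-rules", "list", f"--project={project}")
    findings = audit(networks, rules)
    if not findings:
        print(f"PASS: no '{DEFAULT_NETWORK}' network in {project}")
        return
    print("\n".join(findings))
    print("Remediation (run only after migrating assets off the default network):")
    for cmd in deletion_plan(project, rules):
        print(shlex.join(cmd))


# Constructed sample data shaped like the gcloud JSON output; not from a real project.
_NET = "https://www.googleapis.com/compute/v1/projects/example/global/networks/"
SAMPLE_NETWORKS = [
    {"name": "default", "autoCreateSubnetworks": True},
    {"name": "prod-vpc", "autoCreateSubnetworks": False},
]
SAMPLE_RULES = [
    {"name": "default-allow-internal", "direction": "INGRESS", "network": _NET + "default",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "network": _NET + "default",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "prod-allow-health-checks", "direction": "INGRESS", "network": _NET + "prod-vpc",
     "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}], "logConfig": {"enable": True}},
]

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "PROJECT_ID")
```

Run it as `python audit_default_network.py PROJECT_ID` (the file name is an assumption). Nothing is deleted: the script prints the findings and the ordered commands so they can be reviewed before anyone executes them, and the prevention command is generated separately because it is applied once at the organization, not per project.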

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
4.2 Establish and Maintain Secure Configurations | Maintain a secure configuration process for network infrastructure and review documentation annually or when significant changes occur. | | |
11.1 Maintain Security Configurations | Document and maintain standard security configurations for all authorized network devices. | | |