Profile Applicability:

Level 2

Description:

Firewall rules in Google Cloud Platform (GCP) are defined at the VPC level and control ingress and egress traffic to/from resources. SSH access on port 22 from the internet (0.0.0.0/0) poses a significant security risk. To mitigate this, SSH access should be restricted to specific IP ranges or entirely blocked.

Rationale:

Unrestricted SSH access exposes resources to potential brute force attacks and unauthorized access. By restricting SSH traffic to specific, trusted IP ranges, organizations can minimize exposure and enforce tighter access controls. Additionally, VPC firewall rules provide fine-grained control to ensure secure communication within and across networks.

Impact:

Blocking SSH connections from the internet (0.0.0.0/0) may disrupt workflows requiring remote access to VPC resources. For legitimate access needs, specific IP ranges can be whitelisted instead of allowing unrestricted access.

Default Value:

By default, GCP VPCs support unrestricted ingress traffic on port 22. Ensure this default configuration is overridden.

Audit Steps:

From Google Cloud Console:

  1. Navigate to VPC Network.

                               

  1. Go to Firewall Rules.

                                   

  1. Review the firewall rules for the following criteria:

    • Port: Ensure it is not set to 22.

                                                 

  • Action: Ensure it is not set to Allow.

                                               

  • Source IP ranges: Ensure it is not set to 0.0.0.0/0.

                                 

From Google Cloud CLI:

List all firewall rules and inspect their configurations:

gcloud compute firewall-rules list --format="table(name,direction,sourceRanges,allowed)"

  1. Ensure no rules meet all of the following:

    • SOURCE_RANGES is 0.0.0.0/0.

    • DIRECTION is INGRESS.

    • IPProtocol is tcp or ALL.

    • PORTS includes 22 or allows all ports (NULL).

Remediation Steps:

From Google Cloud Console:

  1. Navigate to VPC Network > Firewall Rules.

                     

  1. Identify and select the firewall rule to be modified.

                     

  1. Click Edit.

                             

  1. Update the Source IP ranges to a specific IP range (e.g., a trusted IP range or subnet).

                               

  1. Save the changes.

                               

From Google Cloud CLI:

Update the firewall rule to restrict SSH access:

gcloud compute firewall-rules update FirewallName \
  --allow=[PROTOCOL[:PORT[-PORT]],...] \
  --source-ranges=[CIDR_RANGE,...]

Example:

gcloud compute firewall-rules update allow-ssh-rule \
  --allow=tcp:22 \
  --source-ranges=192.168.1.0/24

References:

  1. GCP Firewall Rules Documentation


Additional Information:

  1. GCP VPC currently supports only IPv4; however, IPv6 support is in progress. Ensure future configurations account for IPv6 (::/0).

  2. Using Identity-Aware Proxy (IAP) or bastion hosts can further secure remote access.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

4.4 Implement and Manage Firewalls on Servers

Apply firewalls to servers to enforce network security policies and block unauthorized access.

4.5 Firewalls on End-User Devices

Use host-based firewalls on user devices to allow only authorized services and traffic.

9.2 Restrict Ports, Protocols, and Services

Allow only approved network ports, protocols, and services to run on systems with validated needs.


12.4 Deny Unauthorized Communication

Block unauthorized TCP or UDP traffic to enforce secure network boundaries.