Profile Applicability:

Level 1

Description:

Google Compute Engine instances are restricted from forwarding packets unless the source and destination IP addresses match the instance's own IP address. IP forwarding allows instances to act as routers, which could lead to potential data loss or unauthorized data disclosure. To ensure enhanced security, instances should have IP forwarding disabled.

Rationale:

Disabling IP forwarding enforces source and destination IP checks, ensuring instances cannot route packets with mismatched IPs. This prevents misuse of instances as routers or packet forwarders, reducing risks of information leakage and enhancing network security.

Impact:

Disabling IP forwarding may affect instances configured to act as routers or forward packets, potentially disrupting network connectivity. Review network requirements carefully before implementing this change.

Default Value:

By default, Compute Engine instances are not configured to allow IP forwarding.

Audit Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Select an instance to view its details.

  3. Under the Network Interfaces section, ensure IP forwarding is set to Off for all network interfaces.

From Google Cloud CLI:

  1. List all VM instances and their IP forwarding settings:

     gcloud compute instances list --format='table(name,canIpForward)'

  2. Verify that the CAN_IP_FORWARD column shows False for all instances.

Exception:

Exclude instances created by Google Kubernetes Engine (GKE), as they require IP forwarding to function. Instances created by GKE typically have names starting with gke-.
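The following POSIX shell function automates the CLI audit step above together with the GKE exception. It is an added example, not part of the benchmark text or a Google-provided tool. It reads tab-separated name/canIpForward pairs, as emitted by gcloud compute instances list --format='value(name,canIpForward)', skips instances whose names start with gke-, and prints every remaining instance that has IP forwarding enabled. The sample input embedded in the script is constructed for illustration and stands in for real gcloud output.

```shell
#!/bin/sh
# Added example (not part of the benchmark): audit GCE instances for IP
# forwarding, honouring the benchmark's exception for GKE-managed nodes.
#
# Expected input on stdin, one instance per line, tab-separated:
#   <instance name> <TAB> <canIpForward>
# This is exactly what the following command produces:
#   gcloud compute instances list --format='value(name,canIpForward)'

# audit_ip_forwarding: prints the name of each non-compliant instance
# (IP forwarding enabled and not a gke-* node) on its own line.
# Returns 0 when every audited instance is compliant, 1 otherwise.
audit_ip_forwarding() {
    found=0
    # Split fields on TAB only, so names and values keep their spacing intact.
    while IFS="$(printf '\t')" read -r name can_ip_forward; do
        [ -z "$name" ] && continue          # skip blank lines
        case "$name" in
            gke-*) continue ;;              # GKE nodes need IP forwarding (benchmark exception)
        esac
        # gcloud prints booleans as True/False; anything other than True is compliant.
        if [ "$can_ip_forward" = "True" ]; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# Constructed sample input (not real project data) mimicking gcloud output.
SAMPLE="$(printf 'web-1\tFalse\ngke-default-pool-1\tTrue\nnat-router-1\tTrue\n')"

# Run the audit over the sample; only nat-router-1 should be reported.
printf '%s\n' "$SAMPLE" | audit_ip_forwarding \
    || echo "Non-compliant instances found (see names above)."

# Against a real project, pipe gcloud output in instead of the sample:
#   gcloud compute instances list --format='value(name,canIpForward)' | audit_ip_forwarding
```

The function's non-zero return value makes it usable as a gate in a scheduled compliance job: any printed name is an instance that should be recreated with IP forwarding disabled unless it has a documented routing role.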

Remediation Steps:

From Google Cloud Console:

  1. Go to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Select the affected VM instance.

  3. Click Delete to remove the instance.

  4. Create a new instance with IP forwarding disabled (default setting):

     • Click CREATE INSTANCE and configure the instance as needed.

From Google Cloud CLI:

  1. Delete the instance with IP forwarding enabled:

     gcloud compute instances delete INSTANCE_NAME

  2. Create a new instance with IP forwarding disabled:

     gcloud compute instances create INSTANCE_NAME

References:

  1. Using Routes in VPC

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
--------|-------------|------|------|-----
4.4 Implement and Manage a Firewall on Servers | Use a firewall to restrict traffic based on approved protocols and ports. | | |
4.5 Implement and Manage a Firewall on End-User Devices | Implement host-based firewalls or port filtering tools with a default-deny rule. | | |
11.1 Maintain Standard Security Configurations | Maintain secure and documented configurations for all network devices. | | |
11.2 Document Traffic Configuration Rules | Ensure traffic rules are documented with business justifications and responsible owners. | | |