Description:

Evaluating Public IP addresses on a periodic basis helps ensure that they are properly managed, secured, and not exposed unnecessarily to the internet. This evaluation can identify unused, unprotected, or misconfigured public IPs that might expose your cloud resources to security risks. Periodic evaluation of public IPs helps prevent potential misuse, such as unauthorized access to services listening on the address, exposure to DDoS attacks, or exploitation of vulnerabilities in the exposed resources.

Rationale:

Public IP addresses represent entry points to cloud resources and can be targeted by malicious actors. Regular evaluation ensures that public IPs are appropriately assigned, used, and protected by appropriate security measures such as Network Security Groups (NSGs) on the attached network interface or subnet, Azure Firewall, or a front end such as Application Gateway. This process can also help identify and remove unused public IPs to minimize the attack surface.

Impact:

Regularly evaluating public IPs ensures that only the necessary services are exposed to the internet and that appropriate security measures are in place. It also helps prevent the accidental exposure of services due to misconfigurations. This periodic process, however, can require administrative overhead to review configurations, audit IP assignments, and assess their security.

Default Value:

By default, Azure does not automatically evaluate public IPs for security, and it is the responsibility of the organization to ensure public IPs are appropriately managed. The periodic evaluation needs to be manually configured and implemented.

Pre-requisites:

  • Azure subscription.

  • Azure RBAC permissions on the subscription: the Network Contributor role to review and change public IP addresses, or the Reader role for review only. (Global Administrator is a Microsoft Entra ID directory role and does not by itself grant access to Azure resources; an Azure RBAC assignment is still required.)

  • Access to Azure Network Watcher or Azure Monitor for reviewing IP configurations and activity.

  • Network Security Groups (NSGs) or Azure Firewall should be configured to protect the resources the public IP addresses are attached to (NSGs are associated with network interfaces or subnets, not with the public IP object itself).

Audit:

  1. Sign in to the Azure portal with an account that holds at least the Reader role on the subscription (Network Contributor if changes are to be made).

  2. Navigate to All services > Public IP addresses and review the list: note any public IP whose Associated to column is empty, any Basic SKU public IP, and the resource each remaining IP is attached to. Then open Azure Network Watcher or Azure Monitor to confirm that flow logs and alerts covering the public-facing resources exist.

  3. Verify that a documented process is in place to periodically evaluate Public IP addresses and review the associated security configurations, such as NSG rules on the attached network interface or subnet, Azure Firewall settings, and DDoS protection.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account that holds the Network Contributor role (or another Azure RBAC role with Microsoft.Network write permissions) on the subscription.

  2. Navigate to Public IPs:

    • In the Azure portal, go to All services and search for Public IP addresses.

    • Review the list of Public IPs assigned to your resources (e.g., Virtual Machines, Load Balancers, VPN Gateways).

  3. Evaluate Public IP Assignment and Security:

    • Evaluate the necessity of each public IP address. Remove any unused or unassociated public IP addresses to minimize exposure. Note that a public IP address that is deleted is released and cannot be relied upon to be reissued, so confirm no DNS record or external allow list still depends on it before deleting.

    • Check that Public IP addresses are associated with appropriate resources and secured by Network Security Groups (NSGs), Azure Firewall, or Application Gateway.

  4. Configure Network Security Groups (NSGs) for Public IPs:

    • Ensure that a Network Security Group (NSG) is associated with the network interface or subnet behind each public IP and allows only necessary inbound traffic (e.g., HTTP/HTTPS). Prefer Standard SKU public IPs: they deny inbound traffic until an NSG rule allows it, whereas Basic SKU public IPs are open by default.

    • Review the NSG rules for public-facing resources to ensure that only required ports are open.

    • Implement DDoS protection for the public IPs used for critical services, either Azure DDoS Network Protection on the virtual network or DDoS IP Protection on individual Standard SKU public IPs.

  5. Automate Evaluation via Azure Policies:

    • Use Azure Policy to evaluate the use of Public IP addresses continuously. For example, a policy can audit or deny public IPs on resources that should not have them, and audit subnets that have no NSG.

      • Go to Azure Policy in the Azure portal.

      • Assign the built-in definitions "Network interfaces should not have public IPs" and "Subnets should be associated with a Network Security Group", in Audit effect first, or create a custom definition that audits the configuration of public IPs and their association with security resources (NSGs, Azure Firewall). Review the compliance results as part of the periodic evaluation.

  6. Set Up Alerts for Exposed Public IPs:

    • Use Azure Monitor to configure an Activity Log alert on the Microsoft.Network/publicIPAddresses/write operation so that every newly created or modified public IP is reviewed, and alert on NSG rule changes that open ports to the internet.

    • Use Azure Resource Graph (KQL over the resources table) to periodically list public IPs that are unassociated, Basic SKU, or lack DDoS protection. Resource configuration is not present in Log Analytics unless it is exported there, so Resource Graph, not a Log Analytics query, is the right source for this inventory.

  7. Schedule Periodic Reviews:

    • Set up a periodic review schedule (e.g., monthly, quarterly) to evaluate the usage and security configuration of public IP addresses.

    • You can use Azure Automation to automate some aspects of this review, such as checking if public IPs have NSGs attached or if DDoS protection is enabled.

  8. Review Logs for Access Attempts:

    • Use Azure Network Watcher with NSG flow logs or virtual network flow logs to monitor traffic to and from public IP addresses. Look for unusual or unauthorized access attempts, such as connections to ports that should be closed, which might indicate a misconfiguration or a security vulnerability.

    • Regularly check the Microsoft Entra ID (formerly Azure AD) sign-in logs for unexpected sign-ins whose source address is one of your public IP addresses, which can indicate a compromised public-facing resource.

  9. Test and Verify:

    • After evaluating and securing public IPs, test access from various sources to verify that only authorized traffic is allowed, and public IPs are protected according to the security policies.
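The evaluation in steps 3, 4 and 7 can be scripted against saved Azure CLI output. The script below is an added worked example, not part of this control's text and not Microsoft tooling: it reads the JSON emitted by `az network public-ip list -o json` and `az network nic list -o json` and flags public IPs that are unassociated, Basic SKU, without DDoS protection, or attached to a network interface that has no NSG. It assumes the CLI field names `sku.name`, `ipConfiguration.id`, `ddosSettings.protectionMode` and `networkSecurityGroup`; the inventory embedded in it is constructed sample data.

```python
"""Hypothetical review script for the public IP evaluation described above.

Not part of the original control text. It reads the JSON that
`az network public-ip list -o json` and `az network nic list -o json` emit,
so saved CLI output can be reviewed offline; the sample data below is
constructed and trimmed to the fields the checks use.
"""
import json
import sys

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed sample shaped like `az network public-ip list -o json` (trimmed).
SAMPLE_PUBLIC_IPS = json.loads(f"""
[
  {{"name": "pip-web-01", "sku": {{"name": "Standard"}}, "ipAddress": "203.0.113.10",
   "ipConfiguration": {{"id": "{SUB}/resourceGroups/rg-web/providers/Microsoft.Network/networkInterfaces/nic-web-01/ipConfigurations/ipconfig1"}},
   "ddosSettings": {{"protectionMode": "VirtualNetworkInherited"}}}},
  {{"name": "pip-orphan-01", "sku": {{"name": "Standard"}}, "ipAddress": "203.0.113.11",
   "ipConfiguration": null, "ddosSettings": {{"protectionMode": "Enabled"}}}},
  {{"name": "pip-legacy-01", "sku": {{"name": "Basic"}}, "ipAddress": "203.0.113.12",
   "ipConfiguration": {{"id": "{SUB}/resourceGroups/rg-legacy/providers/Microsoft.Network/networkInterfaces/nic-legacy-01/ipConfigurations/ipconfig1"}}}},
  {{"name": "pip-lb-01", "sku": {{"name": "Standard"}}, "ipAddress": "203.0.113.13",
   "ipConfiguration": {{"id": "{SUB}/resourceGroups/rg-web/providers/Microsoft.Network/loadBalancers/lb-web/frontendIPConfigurations/fe-public"}},
   "ddosSettings": {{"protectionMode": "Enabled"}}}}
]
""")

# Constructed sample shaped like `az network nic list -o json` (trimmed).
SAMPLE_NICS = json.loads(f"""
[
  {{"name": "nic-web-01",
   "id": "{SUB}/resourceGroups/rg-web/providers/Microsoft.Network/networkInterfaces/nic-web-01",
   "networkSecurityGroup": {{"id": "{SUB}/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web"}}}},
  {{"name": "nic-legacy-01",
   "id": "{SUB}/resourceGroups/rg-legacy/providers/Microsoft.Network/networkInterfaces/nic-legacy-01",
   "networkSecurityGroup": null}}
]
""")


def attached_resource(pip):
    """Return (resourceType, resourceName) the public IP is bound to, e.g.
    ('networkInterfaces', 'nic-web-01'), or None when the IP is unassociated.
    ARM ids look like .../providers/Microsoft.Network/<type>/<name>/<child>/<childName>."""
    cfg = pip.get("ipConfiguration")
    if not cfg or not cfg.get("id"):
        return None
    parts = cfg["id"].split("/")
    idx = parts.index("Microsoft.Network")
    return parts[idx + 1], parts[idx + 2]


def evaluate(public_ips, nics):
    """Return {public IP name: [finding codes]} for one subscription's inventory."""
    nic_by_id = {nic["id"].lower(): nic for nic in nics}  # ARM ids are case-insensitive
    findings = {}
    for pip in public_ips:
        issues = []
        target = attached_resource(pip)
        if target is None:
            issues.append("unassociated")  # step 3: unused IP, candidate for deletion
        if (pip.get("sku") or {}).get("name", "Basic") != "Standard":
            issues.append("basic-sku")  # Basic is open by default; Standard is closed until an NSG allows
        mode = (pip.get("ddosSettings") or {}).get("protectionMode", "Disabled")
        if mode == "Disabled":
            issues.append("no-ddos-protection")
        elif mode == "VirtualNetworkInherited":
            issues.append("ddos-inherited-from-vnet")  # fine only if the VNet has a DDoS Network Protection plan
        if target and target[0] == "networkInterfaces":
            nic_id = pip["ipConfiguration"]["id"].lower().split("/ipconfigurations/")[0]
            nic = nic_by_id.get(nic_id)
            if nic is not None and not nic.get("networkSecurityGroup"):
                # Only the NIC-level NSG is visible here; a subnet-level NSG would
                # need `az network vnet subnet show`, so treat this as "review", not "exposed".
                issues.append("nic-without-nsg")
        findings[pip["name"]] = issues
    return findings


def load(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: az network public-ip list -o json > pips.json
    #        az network nic list -o json > nics.json
    #        python evaluate_public_ips.py pips.json nics.json   (no args: run on the sample)
    if len(sys.argv) == 3:
        pips, nics = load(sys.argv[1]), load(sys.argv[2])
    else:
        pips, nics = SAMPLE_PUBLIC_IPS, SAMPLE_NICS
    for name, issues in sorted(evaluate(pips, nics).items()):
        print(f"{name:<16} {', '.join(issues) or 'ok'}")
```

Run it once per subscription, or per `az account set` context, and keep the output with the review record so that the next periodic review can diff against it. Load-balancer and gateway front ends are reported without the NSG check because their protection lives on the backend subnet or on the service itself; those still need a manual look at the rules in front of them.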

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account that holds the Network Contributor role (or another Azure RBAC role with Microsoft.Network write permissions) on the subscription.

  2. Navigate to Public IPs:

    • Go to Public IP addresses in Azure portal.

  3. Revert Public IP Configuration:

    • Revert any changes made to the security configuration in front of the public IPs, such as NSG rules, NSG associations, or Azure Firewall configurations.

    • If any unused public IPs were removed, new public IPs can be created and assigned to resources if necessary. A deleted public IP address is released, so the replacement will normally carry a different address; update any DNS records or external allow lists that referenced the old one.

  4. Disable Alerts or Automation:

    • If you set up Azure Monitor alerts or Azure Policy, disable these configurations to stop periodic evaluations of public IP addresses.

  5. Test Reverted Configuration:

    • After reverting the settings, test the resources to ensure that public IPs are working as expected and that no unintended changes have occurred.

References: