Implementation of network segmentation and access controls
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  # address_prefix was removed in azurerm 3.x; address_prefixes takes a list
  address_prefixes     = ["10.0.2.0/24"]
}

# No network security group is created or attached to the subnet or the NIC.
resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}
In the above code, a resource group is created, and within that resource group a virtual network is created with an address space of 10.0.0.0/16. A subnet is also created within this virtual network with an address prefix of 10.0.2.0/24. Finally, a network interface is created and associated with the subnet.
The vulnerability lies in the fact that no network security group (NSG) is applied to the subnet or to the network interface. NSGs contain security rules that allow or deny inbound or outbound traffic to resources connected to Azure Virtual Networks. Without one, nothing restricts the traffic that can flow between resources within the virtual network, or between the virtual network and the internet. This means that an employee, or anyone else, could potentially reach database servers in the subnet directly from the internet, which is a security risk.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  # address_prefix was removed in azurerm 3.x; address_prefixes takes a list
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Lower priority number = evaluated first; this rule precedes Azure's default rules.
resource "azurerm_network_security_rule" "example" {
  name                        = "example-rule"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp" # TCP only; UDP/ICMP still fall through to the NSG default rules
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

# Attach the NSG at subnet level so every NIC in the subnet inherits the rule.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}
The updated code adds a Network Security Group (NSG) and a Network Security Rule. The NSG is associated with the subnet so that the rule is enforced there.
The azurerm_network_security_group resource creates a new NSG named "example-nsg" in the same resource group and location as the other resources.
The azurerm_network_security_rule resource creates a new security rule named "example-rule" inside the "example-nsg" NSG. With priority 100, direction "Inbound", access "Deny" and wildcard source, destination and ports, it denies all inbound TCP traffic before Azure's default rules are consulted.
The azurerm_subnet_network_security_group_association resource associates the "example-nsg" NSG with the "example-subnet" subnet, so the rule is enforced for every resource in that subnet.
The azurerm_network_interface resource is unchanged: it still attaches to "example-subnet", which is now associated with the NSG, so the NIC inherits the rule without needing an association of its own.
This configuration ensures that all inbound TCP traffic to the subnet is denied by default, limiting access between network segments, and aligns with the principle of least privilege by only allowing necessary traffic. Two points to check before relying on it: the rule's protocol is "Tcp", so UDP and ICMP are not covered and still fall through to the NSG's built-in default rules (which allow traffic from within the virtual network), and because the deny rule is the only custom rule, any traffic the workload genuinely needs must be permitted by an explicit allow rule with a lower priority number than 100.
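To check what the rule above actually does once Azure's built-in default NSG rules are taken into account, here is an added Python simulation of inbound NSG evaluation (ascending priority, first match decides). It is example code written for this page, not part of the original Terraform configuration; the VNet range 10.0.0.0/16 comes from the page, while the sample source addresses and the simplified service-tag handling are assumptions.

```python
"""Simulate Azure NSG inbound evaluation: rules are tried in ascending
priority and the first match decides. Constructed example for this page,
not part of the original Terraform configuration."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # the page's address space

# Azure's built-in default inbound rules; they sit behind every custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "dest_port": "*"},
]

def source_matches(prefix, src_ip):
    """Simplified service-tag handling (assumption): VirtualNetwork == VNET range."""
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # accepts "443" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(custom_rules, src_ip, protocol, dst_port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and source_matches(rule["source"], src_ip)
                and port_matches(rule["dest_port"], dst_port)):
            return rule["access"], rule["name"]
    raise RuntimeError("DenyAllInBound should always match")

# The page's rule: deny all inbound TCP at priority 100, protocol "Tcp" only.
PAGE_RULE = [{"name": "example-rule", "priority": 100, "access": "Deny",
              "protocol": "Tcp", "source": "*", "dest_port": "*"}]

if __name__ == "__main__":
    print(evaluate_inbound(PAGE_RULE, "203.0.113.7", "Tcp", 1433))  # ('Deny', 'example-rule')
    print(evaluate_inbound(PAGE_RULE, "10.0.1.9", "Udp", 53))  # ('Allow', 'AllowVnetInBound')
```

The second call shows the gap the TCP-only rule leaves: a UDP flow from elsewhere in the VNet is still allowed by the default AllowVnetInBound rule, whereas a rule with protocol "*" would deny it.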