
Rule for considering order of NACL entries #409

Closed
ghost opened this issue Mar 17, 2020 · 0 comments · Fixed by #423

ghost commented Mar 17, 2020

Ineffective or misconfigured DENY rules promote ‘overly-permissive’ access to a VPC. This results in attacks, such as DoS or DDoS. Be mindful of the order of the DENY rules within your Network ACLs. This is crucial, as ACLs are evaluated in order. For example, in the below image, the DENY rule is defined to block inbound traffic to vulnerable port 2049. If the rule does not block access to everyone (0.0.0.0/0), the inbound DENY rule is declared ineffective and should be reconfigured to protect against attacks.

Basically, attempt to eval or partial eval on the rules to check whether some of the rules are ineffective because of earlier rules in the template.
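The ordering check this issue asks for, as an added Ruby example that is not cfn_nag's own rule code: NACL entries are evaluated in ascending rule-number order and the first match wins, so a DENY entry that a lower-numbered ALLOW already covers can never fire. The entry hash layout, the function names and the sample entries are constructed for this illustration.

```ruby
require 'ipaddr'

# Constructed sample: inbound entries as they might appear as
# AWS::EC2::NetworkAclEntry resources in one template. Rule 100 allows
# everything, so the later DENY entries for 2049 and 22 are dead; rule 50
# sorts before the allow-all and is still effective.
SAMPLE_ENTRIES = [
  { rule_number: 100, egress: false, protocol: '-1', action: 'allow',
    cidr: '0.0.0.0/0', port_from: 0, port_to: 65535 },
  { rule_number: 110, egress: false, protocol: '6', action: 'deny',
    cidr: '0.0.0.0/0', port_from: 2049, port_to: 2049 },
  { rule_number: 120, egress: false, protocol: '6', action: 'deny',
    cidr: '10.0.0.0/8', port_from: 22, port_to: 22 },
  { rule_number: 50, egress: false, protocol: '6', action: 'deny',
    cidr: '0.0.0.0/0', port_from: 3389, port_to: 3389 }
].freeze

# True when +earlier+ matches every packet that +later+ could match:
# same direction, a protocol that covers it, a CIDR that contains it,
# and (unless the earlier entry is protocol -1, which ignores ports)
# a port range that contains it.
def shadows?(earlier, later)
  return false unless earlier[:egress] == later[:egress]
  all_protocols = earlier[:protocol] == '-1'
  return false unless all_protocols || earlier[:protocol] == later[:protocol]
  return false unless IPAddr.new(earlier[:cidr]).include?(IPAddr.new(later[:cidr]))
  return true if all_protocols

  earlier[:port_from] <= later[:port_from] && earlier[:port_to] >= later[:port_to]
end

# Returns the rule numbers of DENY entries that a lower-numbered ALLOW
# entry already shadows, i.e. the ineffective denies a rule should flag.
def ineffective_deny_rule_numbers(entries)
  sorted = entries.sort_by { |e| e[:rule_number] }
  sorted.each_with_index.select do |entry, idx|
    entry[:action] == 'deny' &&
      sorted[0...idx].any? { |prev| prev[:action] == 'allow' && shadows?(prev, entry) }
  end.map { |entry, _idx| entry[:rule_number] }
end

puts "Ineffective DENY entries: #{ineffective_deny_rule_numbers(SAMPLE_ENTRIES).inspect}"
```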

@thegonch thegonch self-assigned this Mar 17, 2020
@thegonch thegonch added this to To do in cfn_nag via automation Mar 17, 2020
@thegonch thegonch moved this from To do to In progress in cfn_nag Mar 17, 2020
thegonch added a commit that referenced this issue Mar 25, 2020
…orts, and duplicate rule numbers, along with their spec tests.
thegonch added a commit that referenced this issue Apr 1, 2020
thegonch added a commit that referenced this issue Apr 7, 2020
thegonch added a commit that referenced this issue Apr 8, 2020
thegonch added a commit that referenced this issue Apr 10, 2020
…plicate rule spec test. Clean up duplicate and reused portRange methods using group_by
@thegonch thegonch linked a pull request Apr 15, 2020 that will close this issue
@ghost ghost closed this as completed in #423 Apr 21, 2020
cfn_nag automation moved this from In progress to Done Apr 21, 2020
ghost pushed a commit that referenced this issue Apr 21, 2020
* Add NACL rules for VPC ID, Protocol, and Port Range

* #10 Remove EC2NetworkAclMissingVpcIdRule and its tests. Remove check and test for ec2 network acl where port ranges could be set to '-1' as it does not seem to be possible for CloudFormation. Other general cleanup per Eric Kascic's PR review.

* Update EC2NetworkAclEntryPortRangeRule text

* #10 Add check for allow rules only for NACL Protocol Rule opening all ports with appropriate tests and warning text updates

* #409 Add ineffective NACL rules including ineffective deny, reusing ports, and duplicate rule numbers, along with their spec tests.

* #409 Update cfn-model to 0.4.27

* #409 Update NACL entry ineffective rules using cleaner cfn-model setup, add port overlap check

* #409 Update cfn-model gem.  Update new rule numbers and some other cleanup.

* #409 Clean up select vs. each for NACL ineffective rules.  Update warning rule numbers

* #409 Simplify ineffective rule definitions and predicates

* #409 Remove ? from methods that do not return a boolean.  Add a new duplicate rule spec test.  Clean up duplicate and reused portRange methods using group_by

* #409 Clean up the ports overlapping rule for NACL entries

* Change rule name from lib/cfn-nag/custom_rules/EC2NetworkAclEntryReusedPortsRule.rb to lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb.  Clean up overlap logic.