lacework-global-686

2.5 Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) (Automated)

Description

A default security list gets created upon creation of a Virtual Cloud Network (VCN). Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. Best practices recommend that no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.

Remediation

From Console:

  1. Log in to the OCI Console.
  2. Click Networking -> Virtual Cloud Networks from the services menu.
  3. For each VCN listed, click Security Lists.
  4. Click Default Security List for the VCN.
  5. Identify the ingress rule with 'Source 0.0.0.0/0, IP Protocol 6 (TCP) and Destination Port Range 22'.
  6. Either edit the security rule to restrict the source and/or port range, or delete the rule.
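
The check in step 5 can be automated against the JSON that the OCI CLI returns for a security list. The script below is an added example, not part of this benchmark or of Oracle's tooling; it assumes the hyphenated key layout of `oci network security-list get` output (`ingress-security-rules`, `tcp-options`, `destination-port-range`) and uses a constructed sample list. It goes slightly beyond step 5: it also treats protocol `all` and a TCP rule with no port range as reaching port 22, and it skips ICMP rules, which this control permits.

```python
import json

# Constructed sample (assumption: mirrors the JSON shape printed by
# `oci network security-list get`, trimmed to the keys the check needs).
SAMPLE_SECURITY_LIST = json.loads("""
{
  "display-name": "Default Security List for vcn-example",
  "ingress-security-rules": [
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "1",
     "icmp-options": {"type": 3, "code": 4}},
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "all"}
  ]
}
""")

TCP = "6"    # IP protocol numbers as OCI stores them (strings)
ICMP = "1"


def rule_reaches_port(rule: dict, port: int) -> bool:
    """True if this ingress rule admits TCP traffic to `port`."""
    proto = rule.get("protocol")
    if proto == "all":
        return True                      # every protocol, every port
    if proto != TCP:
        return False                     # UDP/ICMP rules cannot carry SSH or RDP
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if rng is None:
        return True                      # TCP rule with no range means all TCP ports
    return rng["min"] <= port <= rng["max"]


def find_open_ingress(security_list: dict, ports=(22,)) -> list:
    """Return ingress rules that allow any of `ports` from 0.0.0.0/0.
    ICMP rules are permitted by the control and are never reported."""
    findings = []
    for idx, rule in enumerate(security_list.get("ingress-security-rules", [])):
        if rule.get("source") != "0.0.0.0/0" or rule.get("protocol") == ICMP:
            continue
        hit = [p for p in ports if rule_reaches_port(rule, p)]
        if hit:
            findings.append({"rule_index": idx, "protocol": rule["protocol"], "ports": hit})
    return findings


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_SECURITY_LIST, ports=(22, 3389)):
        print(f"rule #{f['rule_index']}: 0.0.0.0/0 -> ports {f['ports']} (protocol {f['protocol']})")
```

Run against real output, the script reports the rule indices to edit or delete in step 6; passing `ports=(22, 3389)` covers the RDP case mentioned under Impact as well.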

Impact:

When updating an existing environment, make sure that administrators who currently rely on the existing ingress rule from 0.0.0.0/0 still have access to ports 22 and/or 3389 through another security group.

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__SECURITY_LISTS_OPEN_PORTS