Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Firewall Logging #2023

Closed
aumohr opened this issue Jan 30, 2024 · 1 comment · Fixed by #2032
Closed

Firewall Logging #2023

aumohr opened this issue Jan 30, 2024 · 1 comment · Fixed by #2032
Assignees
@ludoo
Labels
cspr

Comments

@aumohr
Copy link
Collaborator

aumohr commented Jan 30, 2024
edited
Loading

Describe the bug
Firewall logging is not enabled. Firewall logs can help to detect threat actors and to investigate security events. Therefore, it is recommended to have it enabled by default in productive VPCs

Rational
Firewall rules or policies are critical for providing network security by defining rules for traffic incoming and outgoing from your network. Therefore, it is critical to audit and verify that deployed firewall rules or policies are working as intended by auditing what connections are denied and allowed. Firewall logs can be used as a source of network forensics in the case of an incident. Security Command Center Event Threat Detection can use firewall logs to detect threats. Firewall logs are also very helpful in debugging firewall rule and policy issues.

Recommendation
It is recommended to implement firewall rule and policy logging especially for:

  1. sensitive networks so that it can be verified that your firewall rules are functioning as expected.
  2. the deny ingress and egress rule so that you can audit traffic attempting to enter and leave the network but blocked by the firewall.

Consideration: Firewall rule logs have standard Cloud Logging costs associated with them. Firewall logs can be enabled in production, but not in non-production if cost is more of a concern than network forensics. Firewall logs in non-production can be enabled when needed to debug firewall issues.

Expected behavior
Firewall rules should have logging enabled by default. There can be the option to actively opt-in to disable the logs to save costs. This option should have a comment that it is only recommended in non-prod environments.
@aumohr aumohr added the cspr label Jan 30, 2024
@ludoo ludoo self-assigned this Jan 31, 2024
@ludoo
Copy link
Collaborator

ludoo commented Jan 31, 2024

From my point of view, we shouldn't blanket-enable logging for every firewall rule in FAST.

FAST is meant to bootstrap a landing zone, and the explicit assumption is that it needs to be configured to meet specific production requirements, including the desired security level and related spend. As such, blanket enabling logs on every firewall rule will force users to a) bear the cost, or b) edit every rule to disable logging where it's not wanted and this will introduce friction.

What we should do instead, is provide an opinionated default where sensitive rules like SSH ingress have logging enabled, and broad rules like ICMP or ingress for health checks are kept with logging disabled.

I will send a PR shortly that implements this.

@ludoo ludoo mentioned this issue Jan 31, 2024
Merged
ludoo added a commit that referenced this issue Feb 3, 2024
@ludoo
revert #2023
c6b030a
ludoo added a commit that referenced this issue Feb 3, 2024
@ludoo
Leverage net-vpc module for DNS logging in FAST (#2041)
5448ab6 
* revert #2023

* leverage net vpc module for dns logging in fast
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ludoo ludoo

Labels
cspr
Projects
None yet
Milestone
No milestone
2 participants
@ludoo @aumohr