Severity:
High
Description:
This control checks that File Storage mount targets are not exposed to the public internet. A file system is reached through a mount target, an NFS endpoint that lives in a VCN subnet and is identified by a DNS name and an IP address. If the mount target sits in a public subnet and the security rules of that subnet (or of the NSGs attached to the mount target) admit traffic from untrusted sources such as 0.0.0.0/0, its NFS service ports (TCP 111 and 2048-2050, UDP 111 and 2048) are open to unauthorized access and attack. It is recommended that the mount target be placed in a private subnet and that network security groups or the security lists of the mount target's subnet permit access to those ports only from authorized IP address ranges.
Remediation Steps:
Perform the following to move the mount target to a private subnet and/or to restrict the security rules that apply to it:
Log in to the OCI console at https://www.oracle.com/cloud/sign-in.html.
To move the mount target from a public subnet to a private subnet:
If no private subnet exists yet, create one.
In the navigation menu, click Storage.
Under File Storage, click Mount Targets.
In the List Scope section, select a compartment.
Click Create Mount Target.
Enter the required mount target information: name, availability domain (the same one as the instances that will mount the file system), compartment, VCN, subnet compartment, the private subnet created earlier, NSGs or security lists, and tags.
Click Create. The mount target is created in the private subnet.
Create an export on the new mount target with the same export path as the original: click the name of the file system, click Create Export, choose Select Existing Mount Target, and make sure the export path of the new export is exactly the same as the export path of the original export.
Switch the instances over to the new mount target: stop the workload, unmount the file system, mount it again through the new mount target at the same mount point, update any system configuration files (for example /etc/fstab) that reference the old mount target so they use the new one with the same export path, then start the workload applications.
Verify that the applications can access the file system as expected; once verified, delete the original mount target.
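The client-side part of the switchover, as an added example that is not from the page or from Oracle's tooling: a Python helper that rewrites the NFS entries of an fstab so they point at the new mount target while keeping the same export path, mount point and options. The mount target addresses, export paths and the sample fstab below are constructed.

```python
"""Switch a client's fstab from the old File Storage mount target to the new one.

Added example, not taken from the page or from Oracle's tooling. The export
path is identical on both mount targets (as the procedure requires), so only
the host part of each NFS device spec (mount target IP or DNS name) changes;
mount point, filesystem type, options, dump and pass fields are preserved.
"""

NFS_TYPES = {"nfs", "nfs4"}


def switch_mount_target(fstab_text, old_target, new_target):
    """Return (rewritten fstab text, list of export paths that were switched).

    Lines are matched on the exact device host, so an unrelated NFS server or a
    mount target with a similar address prefix is left alone. Comments, blank
    lines and non-NFS filesystems pass through untouched.
    """
    out, switched = [], []
    for line in fstab_text.splitlines():
        fields = line.split()
        if (fields and not fields[0].startswith("#")
                and len(fields) >= 4 and fields[2] in NFS_TYPES):
            host, sep, export = fields[0].partition(":")
            if sep and host == old_target:
                fields[0] = f"{new_target}:{export}"
                switched.append(export)
                line = " ".join(fields)
        out.append(line)
    text = "\n".join(out)
    if fstab_text.endswith("\n"):
        text += "\n"
    return text, switched


# Constructed sample fstab: a root disk, one NFS mount on the old mount target
# (hypothetical private IP 10.0.0.5) and one NFS mount on an unrelated server.
SAMPLE_FSTAB = """\
# /etc/fstab
UUID=0a1b2c3d-0000-1111-2222-333344445555 / xfs defaults 0 0
10.0.0.5:/fs-shared /mnt/fs-shared nfs nfsvers=3,nolock,hard,_netdev 0 0
backup-srv.example.internal:/archive /mnt/archive nfs4 defaults,_netdev 0 0
"""

if __name__ == "__main__":
    # Hypothetical new mount target address 10.0.2.7 in the private subnet.
    new_text, switched = switch_mount_target(SAMPLE_FSTAB, "10.0.0.5", "10.0.2.7")
    print(new_text)
    print("switched exports:", switched)
```

Run it against a copy of /etc/fstab, review the diff, and only then unmount the file system and mount it again through the new mount target; the returned list of switched export paths is what to compare against the exports you created on the new mount target.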
To update the security list so that the mount target accepts NFS traffic only from authorized subnets or addresses:
In the navigation menu, click Networking.
Click Virtual Cloud Networks.
In List Scope, select the compartment that contains the VCN of the mount target's subnet.
Click the name of the VCN.
On the VCN details page, under Resources, click Security Lists.
Click the name of the security list used by the mount target's subnet.
Under Resources, click Ingress Rules.
Keep the Stateful rule type.
For Source Type, choose CIDR, and enter the CIDR block of the authorized client subnet (never 0.0.0.0/0).
For IP Protocol, select TCP.
For Source Port Range, leave All (the source port is chosen by the client).
For Destination Port Range, enter 2048-2050.
Click + Additional Ingress Rule and add further stateful rules from the same source CIDR for destination port 111/TCP, 111/UDP and 2048/UDP.
When all ingress rules are configured, click Add Ingress Rules.
Click Add Egress Rules.
Keep the Stateful rule type.
For Destination Type, choose CIDR, and enter the CIDR block of the authorized client subnet.
For IP Protocol, select TCP.
For Source Port Range, enter 2048-2050.
For Destination Port Range, select All so replies can reach any client port.
Click + Additional Egress Rule and add further stateful rules to the same destination CIDR for source port 111/TCP, 111/UDP and 2048/UDP.
When all egress rules are configured, click Add Egress Rules.
To update a network security group (NSG) so that the mount target accepts NFS traffic only from authorized subnets or addresses:
In the navigation menu, click Networking.
Click Virtual Cloud Networks.
Click the name of the VCN.
Under Resources, click Network Security Groups.
From the list of NSGs, select the existing one to update, or create a new security group.
Click Add Rule for ingress.
Keep the Stateful rule type.
For Source Type, choose CIDR, and enter the CIDR block of the authorized client subnet (never 0.0.0.0/0).
For IP Protocol, select TCP.
For Source Port Range, leave All (the source port is chosen by the client).
For Destination Port Range, enter 2048-2050.
Click + Another Rule and add further stateful ingress rules from the same source CIDR for destination port 111/TCP, 111/UDP and 2048/UDP.
When all ingress rules are configured, click Add.
Click Add Rule for egress.
Keep the Stateful rule type.
For Destination Type, choose CIDR, and enter the CIDR block of the authorized client subnet.
For IP Protocol, select TCP.
For Source Port Range, enter 2048-2050.
For Destination Port Range, select All so replies can reach any client port.
Click + Another Rule and add further stateful egress rules to the same destination CIDR for source port 111/TCP, 111/UDP and 2048/UDP.
When all egress rules are configured, click Add.
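As an added example that is not part of the page or of Oracle's tooling, the Python below does two things for the security-list and NSG procedures above: it builds the full rule set they describe in the JSON shape the OCI CLI uses for `oci network security-list get` (ingress-security-rules / egress-security-rules), scoped to one authorized client CIDR, and it audits an existing ingress rule set for NFS ports reachable from any source outside the authorized CIDRs (0.0.0.0/0 being the usual offender). The 10.0.1.0/24 client CIDR and the sample rules are constructed.

```python
"""Generate and audit OCI security rules for a File Storage mount target.

Added example, not from the page or from Oracle. Rule dictionaries use the JSON
shape that `oci network security-list get` returns (ingress-security-rules /
egress-security-rules). NSG rules from `oci network nsg rules list` carry the
same protocol/tcp-options/udp-options fields plus a "direction" key, so the
ingress entries of an NSG can be fed to the same auditor.
"""
import ipaddress
import json

TCP, UDP = "6", "17"  # OCI encodes IP protocol numbers as strings
# Ports the mount target serves: 111 and 2048-2050 over TCP, 111 and 2048 over UDP.
NFS_PORTS = {TCP: {111, 2048, 2049, 2050}, UDP: {111, 2048}}


def _rule(proto, cidr, direction, port_key, lo, hi):
    """One stateful CIDR rule; port_key is 'destination-port-range' (ingress) or 'source-port-range' (egress)."""
    side = "source" if direction == "ingress" else "destination"
    opts = "tcp-options" if proto == TCP else "udp-options"
    return {"protocol": proto, side: cidr, f"{side}-type": "CIDR_BLOCK",
            "is-stateless": False, opts: {port_key: {"min": lo, "max": hi}}}


def required_rules(client_cidr):
    """The rule set the remediation steps describe, scoped to one authorized client CIDR.

    Ingress opens the NFS ports to the clients; egress allows replies from those
    same source ports. The rules are stateful, so ingress alone already admits
    return traffic; the egress rules mirror the console procedure.
    """
    ports = [(TCP, 2048, 2050), (TCP, 111, 111), (UDP, 111, 111), (UDP, 2048, 2048)]
    return {
        "ingress-security-rules": [_rule(p, client_cidr, "ingress", "destination-port-range", lo, hi)
                                   for p, lo, hi in ports],
        "egress-security-rules": [_rule(p, client_cidr, "egress", "source-port-range", lo, hi)
                                  for p, lo, hi in ports],
    }


def _opened_ports(rule, proto):
    """Destination ports `rule` opens for `proto`, or None if it does not cover that protocol."""
    if rule["protocol"] not in (proto, "all"):
        return None
    opts = rule.get("tcp-options" if proto == TCP else "udp-options") or {}
    rng = opts.get("destination-port-range")
    if rng is None:  # no range on the rule means every port
        return set(range(1, 65536))
    return set(range(rng["min"], rng["max"] + 1))


def exposed_nfs_rules(ingress_rules, authorized_cidrs):
    """Return the ingress rules that let a source outside `authorized_cidrs` reach an NFS port.

    Each finding lists the offending source CIDR and, per protocol, the NFS
    ports it can reach. Non-CIDR sources (a service CIDR label or another NSG)
    are skipped: they are not arbitrary internet ranges and need a separate check.
    """
    allowed = [ipaddress.ip_network(c) for c in authorized_cidrs]
    findings = []
    for rule in ingress_rules:
        if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        if any(src.version == net.version and src.subnet_of(net) for net in allowed):
            continue
        ports = {}
        for proto, nfs in NFS_PORTS.items():
            opened = _opened_ports(rule, proto)
            if opened and opened & nfs:
                ports[proto] = sorted(opened & nfs)
        if ports:
            findings.append({"source": rule["source"], "ports": ports})
    return findings


# Constructed sample security list: a correctly scoped NFS rule, an SSH rule open to
# the world (not an NFS finding), an all-protocol rule open to the world, and an
# NFS rule from a subnet that is not on the authorized list.
SAMPLE_INGRESS = [
    _rule(TCP, "10.0.1.0/24", "ingress", "destination-port-range", 2048, 2050),
    _rule(TCP, "0.0.0.0/0", "ingress", "destination-port-range", 22, 22),
    {"protocol": "all", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "is-stateless": False},
    _rule(UDP, "192.168.5.0/24", "ingress", "destination-port-range", 111, 111),
]

if __name__ == "__main__":
    print(json.dumps(exposed_nfs_rules(SAMPLE_INGRESS, ["10.0.1.0/24"]), indent=2))
    print(json.dumps(required_rules("10.0.1.0/24"), indent=2))
```

To audit a real mount target, pass the `ingress-security-rules` array from `oci network security-list get` for each security list on the mount target's subnet, plus the ingress entries of each NSG attached to it, together with the CIDRs of the subnets that are allowed to mount the file system; an empty result means no NFS port is reachable from an unauthorized CIDR. Note that a rule with protocol `all` and no port options counts as opening every port, which is how a catch-all 0.0.0.0/0 rule shows up.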
Add the mount target to the NSG:
In the navigation menu, click Storage.
Under File Storage, click Mount Targets.
In the List Scope section, select a compartment.
Find the mount target, open its Actions menu, and click View Mount Target Details.
In Mount Target Information, click the Edit link next to Network Security Groups.
Select a compartment and the NSG from the list.
Click Save.
Add the client instances to the network security group:
In the navigation menu, click Compute.
Under Compute, click Instances, then click the instance to view its details.
Under Resources, click Attached VNICs.
Click the VNIC of interest.
Next to Network Security Groups, click Edit.
Select the network security group that contains the file storage access rules.
Click Save Changes.
Important:
When security lists are used to control access to a mount target, the rules in the security lists associated with the subnet of the mount target's VNIC apply to the mount target.
When network security groups are used, the rules in every NSG that the mount target's VNIC belongs to apply to the mount target. If both mechanisms are in use, the union of the security list rules and the NSG rules applies, so a permissive rule in either one is enough to expose the NFS ports.
Reference:
https://docs.oracle.com/en-us/iaas/Content/Security/Reference/filestorage_security.htm
https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm#To2
https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingVNICs.htm#change_nsg
https://docs.oracle.com/en-us/iaas/Content/File/Tasks/managingfilesystems.htm#exportExistFS