Severity:

Medium

Description:

This control ensures that load balancers in a public subnet have network security groups (NSGs) configured to allow only restricted network access. The NSG acts as a virtual firewall whose security rules permit only the required traffic. The load balancer's NSG also allows the backend server NSG as a source, so that traffic from the backend servers is permitted.

Remediation Steps:

Perform the following steps to update the security group for the load balancer:

  1. Login to the OCI console at https://www.oracle.com/cloud/sign-in.html.

  2. In the navigation menu, click Networking.

  3. Click Virtual Cloud Networks.

    1. Click the name of the VCN.

    2. Under Resources, click Network Security Groups.

    3. To create a new security group, click Create Network Security Group.

      1. Enter the basic information: Name, Compartment and Tags. Click Next.

      2. In Security Rules, configure the rules:

        • Keep the stateful rule type.

        • In Direction, select Ingress.

        • Click Source Type and choose CIDR to allow traffic from a CIDR range or another source. Enter the CIDR value.

        • Click IP Protocol and select the protocol for the application.

        • In Source Port Range, configure the source ports, or select All.

        • In Destination Port Range, enter the port range for the application.

        • Enter a description for the rule.

        • Click + Another Rule to create additional rules for egress or for other sources, protocols and ports.

        • When all rules are configured, click Create.

    4. To update an existing NSG:

      1. Select the network security group.

      2. Under Resources, click Security Rules.

      3. Click Add Rules.

      4. In Add Security Rules, configure the rules:

        • Keep the stateful rule type.

        • In Direction, select Ingress.

        • Click Source Type and choose CIDR to allow traffic from a CIDR range or another source. Enter the CIDR value.

        • Click IP Protocol and select the protocol for the application.

        • In Source Port Range, configure the source ports, or select All.

        • In Destination Port Range, enter the port range for the application.

        • Enter a description for the rule.

        • Click + Another Rule to create additional rules for egress or for other sources, protocols and ports.

        • When all rules are configured, click Add.

  4. To add or update the network security group on the load balancer:

    1. In the navigation menu, click Networking.

    2. Click Load Balancers.

    3. Select the Compartment from the list.

    4. Click the network load balancer whose network security groups must be updated.

    5. Click Edit next to Network Security Groups.

    6. From the list, select the NSG created or updated above.

    7. Click Submit.
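
A compliance check in the spirit of this control, added here as an example (not part of the original page or of Oracle's own tooling): it classifies the ingress rules of the NSGs attached to a load balancer and flags any "anywhere" rule that is not limited to the listener ports, as well as a load balancer with no NSG attached. Field names mirror the OCI API JSON for SecurityRule and LoadBalancer; the load balancer, NSG ids and rules are constructed sample data.

```python
"""Flag unrestricted ingress on the NSGs attached to an OCI load balancer.
Dictionaries follow the field names of the OCI API's SecurityRule and LoadBalancer
JSON (direction, protocol, source, sourceType, tcpOptions.destinationPortRange,
networkSecurityGroupIds); the sample data below is constructed, not read from a tenancy."""
ANY_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" sources

def port_range(rule):
    """Destination port range of a rule; OCI omits it when all ports are allowed."""
    opts = rule.get("tcpOptions") or rule.get("udpOptions") or {}
    rng = opts.get("destinationPortRange")
    return (rng["min"], rng["max"]) if rng else (1, 65535)

def classify_rule(rule, listener_ports):
    """Return 'backend-nsg', 'restricted' or 'unrestricted' for an INGRESS rule."""
    if rule.get("direction") != "INGRESS":
        return None
    if rule.get("sourceType") == "NETWORK_SECURITY_GROUP":
        return "backend-nsg"           # the backend server NSG as source is expected
    if rule.get("source") not in ANY_CIDRS:
        return "restricted"            # a specific CIDR is already a restriction
    if rule.get("protocol") == "all":  # OCI protocol codes: "6" TCP, "17" UDP, "all"
        return "unrestricted"
    lo, hi = port_range(rule)
    ports_ok = set(range(lo, hi + 1)) <= set(listener_ports)
    return "restricted" if ports_ok else "unrestricted"

def evaluate_load_balancer(lb, nsgs, listener_ports):
    """Findings for one load balancer; an empty list means the control passes."""
    name = lb["displayName"]
    nsg_ids = lb.get("networkSecurityGroupIds") or []
    if not nsg_ids:
        return [f"{name}: no NSG attached, only subnet security lists apply"]
    findings = []
    for nsg_id in nsg_ids:
        for rule in nsgs.get(nsg_id, []):
            if classify_rule(rule, listener_ports) == "unrestricted":
                findings.append(f"{name}: {nsg_id} allows {rule['source']} "
                                f"proto={rule['protocol']} ports={port_range(rule)}")
    return findings

# Constructed sample: a public web LB whose NSG has one scoped rule and one wide-open rule.
SAMPLE_LB = {"displayName": "web-lb", "networkSecurityGroupIds": ["nsg-lb-example"]}
SAMPLE_NSGS = {"nsg-lb-example": [
    {"direction": "INGRESS", "protocol": "6", "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"direction": "INGRESS", "protocol": "all", "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0"},
    {"direction": "INGRESS", "protocol": "6", "sourceType": "NETWORK_SECURITY_GROUP",
     "source": "nsg-backend-example"},
]}
```

Running `evaluate_load_balancer(SAMPLE_LB, SAMPLE_NSGS, {443})` reports only the protocol "all" rule from 0.0.0.0/0; the 443-only rule and the backend NSG rule pass.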

Important:

Reference: