Severity : Medium
Description: This control checks that the security list attached to internet-facing web instances uses stateless security rules. OCI supports both stateful and stateless rules. A stateful rule uses connection tracking: traffic that matches the rule is allowed, and the corresponding response traffic in the opposite direction is allowed automatically without a separate rule. A stateless rule allows traffic in one direction only and keeps no connection state, so for a connection to succeed through stateless rules both directions must be covered explicitly: one rule for traffic to the web application and one for the replies it sends back. Oracle recommends stateless rules for high-volume internet-facing HTTP/HTTPS traffic. Because no per-connection state is kept, a flood of connections cannot exhaust the connection-tracking table and packets are not subject to tracking overhead, which helps mitigate DDoS traffic and improves throughput.
Remediation Steps:
Perform the following to create subnets in the VCN:
Log in to the OCI console at https://www.oracle.com/cloud/sign-in.html.
In the navigation menu, click Networking, then click Virtual Cloud Networks.
Click the VCN reported.
Click Create Subnet.
In Create Subnet, select the compartment and enter a name for the subnet.
For Subnet Type, select Regional so the subnet can be used in any availability domain (AD) in the region.
Enter the CIDR block and choose the route table for the subnet.
Select Subnet Access as Private or Public to control whether instances in the subnet may have public IP addresses.
Configure the DNS label, domain name and DHCP options.
Configure Security Lists. For an internet-facing web subnet, select or create a security list whose HTTP/HTTPS (TCP 80/443) ingress rules are stateless, together with a matching stateless egress rule (source port 80/443, destination the same range as the ingress source) so the return traffic is allowed.
Click Create. Repeat the above steps to add more than one subnet.
Important:
If both stateful and stateless rules are configured, and traffic in a particular direction matches both a stateful and a stateless rule, the stateless rule takes precedence and the connection is not tracked. In that case a corresponding rule in the other direction is needed for the response traffic to be allowed.
If stateless security rules are configured to allow traffic to or from endpoints outside the VCN, it is important to add a security rule that allows ingress ICMP type 3 code 4 (Destination Unreachable: Fragmentation Needed) from source 0.0.0.0/0 and any source port. This rule enables instances to receive Path MTU Discovery fragmentation messages. Without it, instances experience connectivity issues such as stalled connections when a larger-than-MTU packet is sent.
Instances can send or receive UDP traffic. If a UDP packet is larger than the path MTU, it is fragmented, and only the first fragment carries the protocol and port information. If the security rules that allow this ingress or egress traffic specify a particular port number (source or destination), the fragments after the first one are dropped. If instances are expected to send or receive large UDP packets, set both the source and destination ports for the applicable security rules to ALL instead of a particular port number.
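The following Python is an added example, not part of this control page and not OCI tooling. It builds a stateless security-list rule set of the kind the Description and Remediation Steps call for (stateless ingress on TCP 80/443, a matching stateless egress rule for the replies, and the ingress ICMP type 3 code 4 rule from the Important notes), then audits a security list for the problems this page describes: stateful rules on web ports, stateless ingress rules with no stateless return-path egress rule, stateless rules that reach outside the VCN without the ICMP 3/4 rule, and UDP rules with specific ports. It assumes rule dictionaries use the field names of the OCI REST API / CLI input JSON (camelCase, e.g. `isStateless`, `tcpOptions.destinationPortRange`); the two sample security lists and the VCN CIDR are constructed for the example.

```python
"""Audit OCI security-list rules for the stateless-rule control (added example)."""
import ipaddress

TCP, UDP, ICMP = "6", "17", "1"        # OCI protocol numbers as strings
ANY_IPV4 = "0.0.0.0/0"
ALL_PORTS = (1, 65535)
WEB_PORTS = {80, 443}


def _port_range(opts, key):
    """(min, max) for a tcpOptions/udpOptions port range; an absent range means all ports."""
    rng = (opts or {}).get(key)
    return (rng["min"], rng["max"]) if rng else ALL_PORTS


def _covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _cidr_covers(outer_cidr, inner_cidr):
    """True if inner_cidr lies entirely inside outer_cidr (IPv4/IPv6 CIDR strings only)."""
    try:
        return ipaddress.ip_network(inner_cidr, strict=False).subnet_of(
            ipaddress.ip_network(outer_cidr, strict=False))
    except (ValueError, TypeError):
        return False  # service CIDR labels / NSG sources are out of scope here


def has_return_path(ingress, egress_rules):
    """A stateless TCP ingress rule needs a stateless egress rule that lets the reply out:
    TCP (or all), destination covering the ingress source, and an egress source-port
    range covering the ingress destination-port range."""
    in_dst = _port_range(ingress.get("tcpOptions"), "destinationPortRange")
    for e in egress_rules:
        if not e.get("isStateless") or e["protocol"] not in (TCP, "all"):
            continue
        if not _cidr_covers(e["destination"], ingress["source"]):
            continue
        if e["protocol"] == "all" or _covers(
                _port_range(e.get("tcpOptions"), "sourcePortRange"), in_dst):
            return True
    return False


def audit_security_list(sl, vcn_cidr):
    """Return a list of human-readable findings; an empty list means the list is compliant."""
    findings = []
    ingress, egress = sl["ingressSecurityRules"], sl["egressSecurityRules"]
    for r in ingress:
        if r["protocol"] != TCP:
            continue
        dst = _port_range(r.get("tcpOptions"), "destinationPortRange")
        if not r.get("isStateless"):
            if any(dst[0] <= p <= dst[1] for p in WEB_PORTS):
                findings.append(f"stateful ingress rule on web port(s) {dst} from {r['source']}")
            continue
        if not has_return_path(r, egress):
            findings.append(f"stateless ingress {dst} from {r['source']} "
                            "has no stateless egress return rule")
    # Stateless rules that reach beyond the VCN need ingress ICMP type 3 code 4 (PMTUD).
    leaves_vcn = any(r.get("isStateless")
                     and not _cidr_covers(vcn_cidr, r.get("source") or r.get("destination"))
                     for r in ingress + egress)
    pmtud_ok = any(r["protocol"] == ICMP and r.get("source") == ANY_IPV4
                   and (r.get("icmpOptions") or {}).get("type") == 3
                   and (r.get("icmpOptions") or {}).get("code") == 4
                   for r in ingress)
    if leaves_vcn and not pmtud_ok:
        findings.append("stateless rules reach outside the VCN but there is no ingress "
                        "ICMP type 3 code 4 rule from 0.0.0.0/0")
    # UDP rules with a specific port drop every fragment after the first.
    for r in ingress + egress:
        if r["protocol"] == UDP:
            opts = r.get("udpOptions")
            if (_port_range(opts, "sourcePortRange") != ALL_PORTS
                    or _port_range(opts, "destinationPortRange") != ALL_PORTS):
                findings.append("UDP rule with a specific port drops fragments after the "
                                "first; use ALL ports if large datagrams are expected")
    return findings


# Constructed sample: compliant stateless rule set for an internet-facing web subnet.
WEB_STATELESS_LIST = {
    "displayName": "web-stateless-sl",  # hypothetical name
    "ingressSecurityRules": [
        {"protocol": TCP, "source": ANY_IPV4, "isStateless": True,
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
        {"protocol": TCP, "source": ANY_IPV4, "isStateless": True,
         "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
        {"protocol": ICMP, "source": ANY_IPV4, "isStateless": True,
         "icmpOptions": {"type": 3, "code": 4}},
    ],
    "egressSecurityRules": [  # return path: replies leave from source port 80/443
        {"protocol": TCP, "destination": ANY_IPV4, "isStateless": True,
         "tcpOptions": {"sourcePortRange": {"min": 80, "max": 80}}},
        {"protocol": TCP, "destination": ANY_IPV4, "isStateless": True,
         "tcpOptions": {"sourcePortRange": {"min": 443, "max": 443}}},
    ],
}

# Constructed sample: the non-compliant shape this control reports.
STATEFUL_WEB_LIST = {
    "displayName": "web-stateful-sl",  # hypothetical name
    "ingressSecurityRules": [
        {"protocol": TCP, "source": ANY_IPV4, "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 443}}},
        {"protocol": TCP, "source": ANY_IPV4, "isStateless": True,
         "tcpOptions": {"destinationPortRange": {"min": 8080, "max": 8080}}},
    ],
    "egressSecurityRules": [
        {"protocol": "all", "destination": ANY_IPV4, "isStateless": False},
    ],
}

if __name__ == "__main__":
    for sl in (WEB_STATELESS_LIST, STATEFUL_WEB_LIST):
        print(sl["displayName"], audit_security_list(sl, "10.0.0.0/16") or "OK")
```

The JSON shape of the rule lists is the one accepted by `oci network security-list create --ingress-security-rules file://... --egress-security-rules file://...`, so the compliant sample can be dumped with `json.dumps` and applied directly; to audit an existing list, feed in the `security-list get` output after converting its kebab-case keys to camelCase.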
Reference: