OCI-Networking-Stateless-Security-Rules

Severity: Medium

Description: This control ensures that the security list for internet-facing web instances has stateless security rules. OCI allows both stateful and stateless security rules. Stateful rules use connection tracking, so a single inbound rule allows both the ingress traffic and the corresponding outgoing traffic. Stateless rules allow traffic in one direction only (inbound or outbound) and do not track connections. For a successful connection when stateless rules are configured for a web application, rules must therefore be configured in both directions to allow traffic to and from the web application. Stateless rules are recommended for a high-volume internet-facing website (HTTP/HTTPS traffic). This helps mitigate DDoS attacks and speeds up network traffic.

Remediation Steps:

Perform the following steps to update the security rules in the security list:

  1. Log in to the OCI console at Cloud Sign In.

  2. In the navigation, click Networking, and then click Virtual Cloud Networks.

  3. Click the reported VCN.

  4. Under Resources, click Security Lists.

  5. Select the security list that contains the reported rules.

  6. Under Resources, click either Ingress Rules or Egress Rules depending on the type of rule to work with.

  7. To delete an existing stateful rule, click the Actions menu, and then click Remove.

  8. To add a stateless rule, click Add Ingress Rule (or Add Egress Rule). Enter the source CIDR for ingress or the destination CIDR for egress, select the IP protocol and the other details for the rule, and enter a description for the rule.

  9. Repeat the previous step to add a stateless rule in the other direction by clicking Add Egress Rule (or Add Ingress Rule).

Important:

  • If both stateful and stateless rules are configured, and there's traffic that matches both a stateful and stateless rule in a particular direction, the stateless rule takes precedence and the connection is not tracked. In this case a corresponding rule in the other direction is needed for the response traffic to be allowed.

  • If stateless security rules are configured to allow traffic to/from endpoints outside the VCN, it's important to add a security rule that allows ingress ICMP traffic type 3 code 4 from source 0.0.0.0/0 and any source port. This rule enables instances to receive Path MTU Discovery fragmentation messages. This rule is critical for establishing a connection to instances. Without it, instances experience connectivity issues.

  • Instances can send or receive UDP traffic. If a UDP packet is too large for the connection, it is fragmented. However, only the first fragment of the packet contains the protocol and port information. If the security rules that allow this ingress or egress traffic specify a particular port number (source or destination), the fragments after the first one are dropped. If instances expect to send or receive large UDP packets, set both the source and destination ports for the applicable security rules to ALL, instead of a particular port number.
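
Added example (not part of the original control or of any vendor tooling): a check that can be run after the remediation steps to confirm the points above for HTTP/HTTPS: no stateful ingress rule remains, each stateless ingress rule has a stateless egress rule for the replies, and the ICMP type 3 code 4 rule is present. It assumes the security list is a dict shaped like the "data" object printed by `oci network security-list get`; the function names and the sample data are constructed for illustration.

```python
# Added example: audit a security list dict shaped like the "data" object of
# `oci network security-list get` (kebab-case field names assumed from that output).
WEB_PORTS = (80, 443)
TCP, ICMP = "6", "1"  # IANA protocol numbers, carried as strings in the rule JSON

def _covers(port_range, port):
    # An absent port range means the rule applies to all ports.
    return port_range is None or port_range["min"] <= port <= port_range["max"]

def _tcp_rules(rules, port, side):
    # Rules that match TCP traffic whose <side> port is `port`.
    return [r for r in rules if r["protocol"] in (TCP, "all")
            and _covers((r.get("tcp-options") or {}).get(side + "-port-range"), port)]

def _allows_pmtud(rule):
    icmp = rule.get("icmp-options")  # absent means all ICMP types and codes
    return (rule["protocol"] in (ICMP, "all") and rule.get("source") == "0.0.0.0/0"
            and (icmp is None or (icmp.get("type") == 3 and icmp.get("code") in (4, None))))

def audit(sec_list):
    ingress = sec_list.get("ingress-security-rules", [])
    egress = sec_list.get("egress-security-rules", [])
    findings = []
    for port in WEB_PORTS:
        inbound = _tcp_rules(ingress, port, "destination")
        if any(not r["is-stateless"] for r in inbound):
            findings.append(f"stateful ingress rule matches TCP/{port}")
        # Replies leave with the web port as their source port; they are not
        # tracked, so they need their own stateless egress rule.
        if any(r["is-stateless"] for r in inbound) and not any(
                r["is-stateless"] for r in _tcp_rules(egress, port, "source")):
            findings.append(f"no stateless egress rule for replies from TCP/{port}")
    if any(r["is-stateless"] for r in ingress + egress) and not any(map(_allows_pmtud, ingress)):
        findings.append("no ingress ICMP type 3 code 4 rule from 0.0.0.0/0")
    return findings

def _rule(stateless, port_side, port, **extra):
    # Builds one TCP rule for the constructed sample below.
    return {"protocol": TCP, "is-stateless": stateless,
            "tcp-options": {port_side + "-port-range": {"min": port, "max": port}}, **extra}

# Constructed sample: 443 is still stateful; 80 is stateless with no return rule.
SAMPLE = {"ingress-security-rules": [_rule(False, "destination", 443, source="0.0.0.0/0"),
                                     _rule(True, "destination", 80, source="0.0.0.0/0")],
          "egress-security-rules": []}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty list from audit() means the security list satisfies all three checks for ports 80 and 443.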

Reference:

Blue Hexagon Proprietary