Framework/Configurations/SVT/Services/ERvNet.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
{
  "FeatureName": "ERvNet",
  "Reference": "aka.ms/azsktcp/ervnet",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_PublicIPs",
      "Description": "There must not be any Public IPs (i.e., NICs with PublicIP) on ExpressRoute-connected VMs",
      "Id": "ERvNet110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIps",
      "Rationale": "Public IP addresses on an ER-connected virtual network can expose the corporate network to security attacks from the internet.",
      "Recommendation": "Any Public IP addresses you added to an ER-connected virtual network must be removed. Refer: https://docs.microsoft.com/en-us/powershell/module/az.network/Remove-AzPublicIpAddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "VMName",
        "PrimaryStatus",
        "NetworkSecurityGroupName",
        "PublicIpAddress",
        "PrivateIpAddress"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_Multi_NIC_VMs",
      "Description": "There must not be multiple NICs on ExpressRoute-connected VMs",
      "Id": "ERvNet120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMultiNICVMUsed",
      "Rationale": "Using multiple NICs, one can route traffic between the ER-connected virtual network and another non-ER-connected virtual network. This can put the corporate network at risk. (Multi-NIC VMs on an ER-connected virtual network may be required in some advanced scenarios. You should engage the network security team for a review in such cases.)",
      "Recommendation": "Remove any additional NICs on VMs which are on an ER-connected virtual network. Refer: http://stackoverflow.com/questions/34526032/how-can-i-programmatically-detach-a-nic-from-its-vm-in-azure-arm",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs",
      "Description": "The 'EnableIPForwarding' flag must not be set to true for NICs in the ExpressRoute-connected vNet",
      "Id": "ERvNet130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIPForwardingforNICs",
      "Rationale": "Using IP Forwarding one can change the routing of packets from an ER-connected virtual network. This can lead to bypass of network protections that are required and applicable for corpnet traffic. (IP Forwarding on an ER-connected virtual network may be required only in advanced scenarios such as Network Virtual Applicances. You should engage the network security team for a review in such cases.)",
      "Recommendation": "IP Forwarding must be disabled on ExpressRoute-connected NICs. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "EnableIPForwarding"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet",
      "Description": "There must not be any NSGs on the GatewaySubnet of the ExpressRoute-connected vNet",
      "Id": "ERvNet140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGUseonGatewaySubnet",
      "Rationale": "Using NSGs on the Gateway subnet of an ER-connected virtual network can cause the connection to stop functioning and may impact availability.",
      "Recommendation": "If you added any NSGs to the Gateway Subnet of the ER-connected virtual network, remove them. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#delete-a-network-security-group",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "NetworkSecurityGroup"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets",
      "Description": "There must not be a UDR on *any* subnet in an ExpressRoute-connected vNet",
      "Id": "ERvNet150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckUDRAddedOnSubnet",
      "Rationale": "Using UDRs on any subnet of an ER-connected virtual network can lead to security exposure for corpnet traffic by allowing it to be routed in a way that evades inspection from network security scanners.",
      "Recommendation": "Remove association between any UDRs you may have added and respective subnets using the 'Remove-AzureSubnetRouteTable' command. Run 'Get-Help Remove-AzureSubnetRouteTable -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "RouteTable"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways",
      "Description": "There must not be another virtual network gateway (GatewayType = Vpn) in an ExpressRoute-connected vNet",
      "Id": "ERvNet160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGatewayUsed",
      "Rationale": "Using other gateway types on an ER-connected virtual network can lead to pathways for corpnet traffic where the traffic can get exposed to the internet or evade inspection from network security scanners. This creates a direct risk to corpnet security.",
      "Recommendation": "Remove any VPN Gateways from the ExpressRoute-connected virtual network. Refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings",
      "Description": "There must not be any virtual network peerings on an ExpressRoute-connected vNet",
      "Id": "ERvNet170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "Rationale": "A virtual network peering on an ER-connected circuit establishes a link to another virtual network whereby traffic egress and ingress can evade inspection from network security appliances. This creates a direct risk to corpnet security.",
      "Recommendation": "Remove any VNet peering you added using the 'Remove-AzVirtualNetworkPeering' PS command. Run 'Get-Help Remove-AzVirtualNetworkPeering -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers",
      "Description": "Only internal load balancers (ILBs) may be used inside an ExpressRoute-connected vNet",
      "Id": "ERvNet180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInternalLoadBalancers",
      "Rationale": "External load balancers on an ER-connected vNet can expose the corporate network to security attacks from the internet.",
      "Recommendation": "Remove any external load balancers you may have added using the 'Remove-AzLoadBalancer' PS command. Run 'Get-Help Remove-AzLoadBalancer -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_SI_Add_Only_Network_Resources",
      "Description": "Only resources of type Microsoft.Network/* must be added in the ERNetwork resource group",
      "Id": "ERvNet190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOnlyNetworkResourceExist",
      "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. This resource group is deployed and managed by the networking team and should not be used as a general purpose resource group or as a container for non-networking resources as it can impact the ER-connectivity of your subscription.",
      "Recommendation": "Move all other resources except Microsoft.Network/* to another resource group. To move a resource, simply go to the Overview tab for it in the Azure portal and select the Move option.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "ResourceType",
        "ResourceID"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_Resource_Lock",
      "Description": "Ensure that the ERNetwork resource group is protected with a resource lock",
      "Id": "ERvNet200",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckResourceLockConfigured",
      "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. A resource lock is deployed on the ERNetwork resource group to keep you from deleting it accidentally. Removing this lock increases the chances of accidental write/delete of this resource group and that can impact ER-connectivity of your subscription.",
      "Recommendation": "Create a ReadOnly resource lock for every ER Network resource group using command New-AzResourceLock -LockName '{LockName}' -LockLevel 'ReadOnly' -Scope '/subscriptions/{SubscriptionId}/resourceGroups/{ERNetworkResourceGroup}'. Run 'Get-Help New-AzResourceLock -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_ARM_Policy",
      "Description": "Ensure that ARM policies are deployed to protect the ERNetwork setup",
      "Id": "ERvNet210",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckARMPolicyConfigured",
      "Recommendation": "Run command 'Set-AzSKARMPolicies -Tags SDO' to set ARM Policies. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet"
      ],
      "Enabled": false
    }
  ]
}