Skip to main content

πŸ“ Google GCE Instance IP Forwarding is not disabled. 🟒

  • Contextual name: πŸ“ Instance IP Forwarding is not disabled. 🟒
  • ID: /ce/ca/google/compute-engine/disable-instance-ip-forwarding
  • Located in: πŸ“ Google GCE

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Forwarding of data packets should be disabled to prevent data loss or information disclosure.

Rationale​

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.

Impact​

... see more

Remediation​

Open File

Remediation​

You only edit the canIpForward setting at instance creation time. Therefore, you need to delete the instance and create a new one where canIpForward is set to false.

From Google Cloud Console​

  1. Go to the VM Instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Select the VM Instance you want to remediate.
  3. Click the Delete button.
  4. On the VM Instances page, click CREATE INSTANCE.
  5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Google Cloud CLI​

  1. Delete the instance:

         gcloud compute instances delete INSTANCE_NAME

  2. Create a new instance to replace it, with IP forwarding set to Off

         gcloud compute instances create

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 4.6 Ensure that IP forwarding is not enabled on Instances - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access53
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10845
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)30
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)739
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-3: Organizational communication and data flows are mapped47
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CA-9 INTERNAL SYSTEM CONNECTIONS11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29447
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7825
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.17
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.717
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-4 Implements Boundary Protection Systems4