Skip to main content

πŸ“ Google Project has a default network 🟒

  • Contextual name: πŸ“ Project has a default network 🟒
  • ID: /ce/ca/google/project/project-with-default-network
  • Located in: πŸ“ Google Project

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

To prevent use of default network, a project should not have a default network.

Rationale​

The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:

β€’ default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
β€’ default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
β€’ default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
β€’ default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically created firewall rules do not get audit logged by default.

Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.

Based on organization security and networking requirements, the organization should create a new network and delete the default network.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the VPC networks page by visiting: https://console.cloud.google.com/networking/networks/list.
  2. Click the network named default.
  3. On the network detail page, click EDIT.
  4. Click DELETE VPC NETWORK.
  5. If needed, create a new network to replace the default network.

From Google Cloud CLI​

For each Google Cloud Platform project,

  1. Delete the default network:

         gcloud compute networks delete default

  2. If needed, create a new network to replace it:

         gcloud compute networks create NETWORK_NAME

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 3.1 Ensure that the default network does not exist in a project - Level 2 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 3.1 Ensure That the Default Network Does Not Exist in a Project - Level 2 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 3.1 Ensure That the Default Network Does Not Exist in a Project - Level 2 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 3.1 Ensure That the Default Network Does Not Exist in a Project - Level 2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access53
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-18 Wireless Access (L)(M)(H)45
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)212
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31833
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-9 Configuration Management Plan (M)(H)8
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-18 Wireless Access (L)(M)(H)5
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)29
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-18 Wireless Access (L)(M)(H)25
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)112
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)333
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-9 Configuration Management Plan (M)(H)8
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.9 Configuration management12
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)426
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles21
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-18 Wireless Access55
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-6 Configuration Settings412
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality923
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-9 Configuration Management Plan18
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.7 Requirement to review firewall and router rule sets at least every six months.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.619
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.5 Permit only β€œestablished” connections into the network.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.5330
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.19
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.1 Configuration standards are developed, implemented, and maintained.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.719
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.1 Configuration standards are developed, implemented, and maintained.11
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-2 Establishes Relevant Technology Infrastructure Control Activities7