Ineffective DENY Rules for Network ACLs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: VPC-015

Ensure that your Amazon VPC Network Access Control Lists (NACLs) don't have ineffective or misconfigured DENY rules. A Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC), essentially a stateless network firewall where you can set rules that allow or deny access to a specific port or IP range. A NACL contains a numbered list of rules that are evaluated starting with the lowest numbered rule. As soon as a NACL rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it. Therefore, the order of the DENY rules within your Network ACLs is crucial. A DENY rule is considered "ineffective" if an existing ALLOW rule with the same traffic parameters has a higher priority (lower rule number), because the ALLOW rule will match first and the DENY rule is never reached during evaluation. To be effective, ensure that the DENY rules designed to restrict traffic via certain ports, IP ranges, or protocols are placed at a higher priority (lower rule number) than the associated ALLOW rules.

This rule resolution is part of the Cloud Conformity solution

Security

Using effective DENY rules in your Network Access Control Lists (NACLs) to regulate the traffic to and from your Amazon VPC network adds an additional layer of security at the subnet level and helps protect against malicious activities such as hacking, brute-force attacks, and Denial of Service (DoS) attacks.


Audit

To determine if your Network ACLs (NACLs) have ineffective or misconfigured DENY rules, perform the following actions:

Each NACL includes a rule whose rule number is an asterisk (also known as default DENY rule). This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule. This default DENY rule is ignored during the Audit process.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Choose the Inbound rules tab from the console bottom panel and check for DENY rules that match ALLOW rules within the selected Network ACL. To match an ALLOW rule, an inbound DENY rule must have the same traffic configuration, i.e. the Type, the Port range, and the Source must be the same. If a DENY rule matches an ALLOW rule that has a higher priority (i.e. the Rule number is lower), the inbound DENY rule is considered ineffective because the ALLOW rule will override it during evaluation.

06 Choose the Outbound rules tab from the console bottom panel and check for DENY rules that match ALLOW rules within the selected NACL. To match an ALLOW rule, an outbound DENY rule must have the same traffic parameters, i.e. the Type, the Port range, and the Destination must be the same. If a DENY rule matches an ALLOW rule that has a higher priority (i.e. the Rule number is lower), the outbound DENY rule is considered ineffective.

07 Repeat steps no. 4 – 6 for other Network ACLs available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --output table \
  --query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested NACL IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|   acl-abcd1234    |
|   acl-1234abcd    |
+-------------------+

03 Run the describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list the inbound rules defined for the selected NACL:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --network-acl-ids acl-abcd1234 \
  --query 'NetworkAcls[*].Entries[?(Egress==`false`)]'

04 The command output should return the configuration information requested:

[
  [
    {
      "RuleNumber": 100,
      "Protocol": "6",
      "PortRange": {
        "To": 22,
        "From": 22
      },
      "Egress": false,
      "RuleAction": "allow",
      "CidrBlock": "0.0.0.0/0"
    },
    {
      "RuleNumber": 200,
      "Protocol": "6",
      "PortRange": {
        "To": 3389,
        "From": 3389
      },
      "Egress": false,
      "RuleAction": "allow",
      "CidrBlock": "0.0.0.0/0"
    },
    {
      "RuleNumber": 300,
      "Protocol": "6",
      "PortRange": {
        "To": 22,
        "From": 22
      },
      "Egress": false,
      "RuleAction": "deny",
      "CidrBlock": "0.0.0.0/0"
    }
  ]
]

Each JSON object in the describe-network-acls command output represents an inbound rule. Check the list of inbound rules for DENY rules that match ALLOW rules within the selected Network ACL. To match an ALLOW rule, an inbound DENY rule must have the same traffic configuration, i.e. the "Protocol", the "PortRange", and the "CidrBlock" must be the same (for ICMP-based rules, include the "IcmpTypeCode" value in the comparison). If a DENY rule matches an ALLOW rule that has a higher priority (i.e. the "RuleNumber" value is lower), the inbound DENY rule is considered ineffective because the ALLOW rule will override it during evaluation. In the output above, DENY rule 300 (TCP port 22 from 0.0.0.0/0) is ineffective because ALLOW rule 100 has the same parameters and a lower rule number.

05 Run the describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom query filters to list the outbound rules configured for the selected NACL:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --network-acl-ids acl-abcd1234 \
  --query 'NetworkAcls[*].Entries[?(Egress==`true`)]'

06 The command output should return the configuration information requested:

[
  [
    {
      "RuleNumber": 100,
      "Protocol": "6",
      "PortRange": {
        "To": 22,
        "From": 22
      },
      "Egress": true,
      "RuleAction": "allow",
      "CidrBlock": "0.0.0.0/0"
    },
    {
      "RuleNumber": 110,
      "Protocol": "6",
      "PortRange": {
        "To": 443,
        "From": 443
      },
      "Egress": true,
      "RuleAction": "allow",
      "CidrBlock": "0.0.0.0/0"
    },
    {
      "RuleNumber": 120,
      "Protocol": "6",
      "PortRange": {
        "To": 22,
        "From": 22
      },
      "Egress": true,
      "RuleAction": "deny",
      "CidrBlock": "0.0.0.0/0"
    }
  ]
]

Check the list of outbound rules returned by the describe-network-acls command output for DENY rules that match ALLOW rules within the selected NACL. To match an ALLOW rule, an outbound DENY rule must have the same traffic parameters, i.e. the "Protocol", the "PortRange", and the "CidrBlock" must be the same (for ICMP-based rules, include the "IcmpTypeCode" value in the comparison). If a DENY rule matches an ALLOW rule that has a higher priority (i.e. the "RuleNumber" value is lower), the outbound DENY rule is considered ineffective. In the output above, DENY rule 120 (TCP port 22 to 0.0.0.0/0) is ineffective because ALLOW rule 100 has the same parameters and a lower rule number.

07 Repeat steps no. 3 – 6 for other Network ACLs available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
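As an added example (not code from the Conformity page or product), the following Python check applies the comparison from steps 04 and 06 to the Entries list that describe-network-acls returns. It goes one step beyond the exact-match rule above: a DENY is also reported when a lower-numbered ALLOW covers a superset of its traffic (protocol -1, a wider port range, or a containing CIDR), since such a DENY can never be reached either. It assumes that the default "*" rule appears as rule number 32767 in the API output; the sample entries are constructed from the page's two listings.

```python
import ipaddress
DEFAULT_RULE = 32767  # the "*" catch-all DENY as describe-network-acls reports it; skipped, as in the Audit
ANY_ICMP = {"Type": -1, "Code": -1}  # meaning of an absent IcmpTypeCode: every ICMP type and code
# Constructed sample shaped like the CLI's NetworkAcls[].Entries: the page's inbound rules plus an
# outbound list in which an "all traffic" ALLOW (rule 100) shadows DENY 120 but not the earlier DENY 50.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
     "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 200, "Protocol": "6", "PortRange": {"From": 3389, "To": 3389},
     "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 300, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
     "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "Egress": False,
     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 50, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
     "Egress": True, "RuleAction": "deny", "CidrBlock": "10.0.0.0/8"},
    {"RuleNumber": 100, "Protocol": "-1", "Egress": True,
     "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 120, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
     "Egress": True, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

def _ports(rule):
    pr = rule.get("PortRange")  # absent for "all traffic" (-1) and ICMP rules
    return (pr["From"], pr["To"]) if pr else (0, 65535)

def _covers(allow, deny):
    """True when every packet the DENY would match is already matched by the ALLOW."""
    (a_lo, a_hi), (d_lo, d_hi) = _ports(allow), _ports(deny)
    a_icmp, d_icmp = allow.get("IcmpTypeCode", ANY_ICMP), deny.get("IcmpTypeCode", ANY_ICMP)
    a_net = ipaddress.ip_network(allow.get("CidrBlock") or allow["Ipv6CidrBlock"])
    d_net = ipaddress.ip_network(deny.get("CidrBlock") or deny["Ipv6CidrBlock"])
    return (allow["Protocol"] in ("-1", deny["Protocol"])
            and a_lo <= d_lo and d_hi <= a_hi
            and all(a_icmp[k] in (-1, d_icmp[k]) for k in ("Type", "Code"))
            and a_net.version == d_net.version and d_net.subnet_of(a_net))

def ineffective_deny_rules(entries, egress=False):
    """Return (deny_rule_number, shadowing_allow_rule_number) pairs for one direction."""
    rules = sorted((e for e in entries if e["Egress"] == egress and e["RuleNumber"] != DEFAULT_RULE),
                   key=lambda e: e["RuleNumber"])
    findings = []
    for i, deny in enumerate(rules):
        if deny["RuleAction"] != "deny":
            continue
        for allow in rules[:i]:  # only lower-numbered rules are evaluated before this DENY
            if allow["RuleAction"] == "allow" and _covers(allow, deny):
                findings.append((deny["RuleNumber"], allow["RuleNumber"]))
                break
    return findings
```

Feed it the `Entries` list of each NACL from `aws ec2 describe-network-acls --output json` (e.g. `ineffective_deny_rules(acl["Entries"], egress=True)`) and every pair it returns is a rule to renumber in the Remediation section.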

Remediation / Resolution

To be effective, ensure that the DENY rules designed to restrict traffic are placed at a higher priority (i.e. lower rule number) than the associated ALLOW rules. To reconfigure ineffective inbound and outbound DENY rules in order to block certain traffic at the subnet level, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules page, choose the ineffective DENY rule and replace the value in the Rule number box with a number lower than the rule number of the associated ALLOW rule. This places the reconfigured DENY rule at a higher priority, so the selected Network ACL (NACL) evaluates it before the ALLOW rule and restricts the traffic specified by the rule parameters. Choose Save changes to apply the changes.

07 Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.

08 On the Edit outbound rules page, choose the ineffective DENY rule and replace the value in the Rule number box with a number lower than the rule number of the associated ALLOW rule. This places the reconfigured DENY rule earlier in the table (i.e. at a higher priority), so the selected Network ACL (NACL) evaluates it before the ALLOW rule and restricts the traffic specified by the rule parameters. Choose Save changes to apply the changes.

09 Repeat steps no. 4 – 8 for other Network ACLs (NACLs) that you want to reconfigure within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 For inbound DENY rules:

  1. Run the delete-network-acl-entry command (OSX/Linux/UNIX) to remove the ineffective DENY rule from the selected Network ACL (NACL). The following command example deletes an ineffective inbound DENY rule identified by the rule number 300 (the command does not produce an output):
    aws ec2 delete-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --ingress \
      --rule-number 300
    
  2. Run the create-network-acl-entry command (OSX/Linux/UNIX) to re-create the DENY rule deleted at the previous step with a higher priority than the associated ALLOW rule. The following command example creates a new inbound DENY rule with the rule number set to 50. This places the DENY rule at a higher priority than the associated ALLOW rule (rule number 100), so the selected NACL evaluates it first and restricts the traffic specified by the rule parameters (if successful, the command does not produce an output):
    aws ec2 create-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --ingress \
      --rule-number 50 \
      --protocol tcp \
      --port-range From=22,To=22 \
      --cidr-block 0.0.0.0/0 \
      --rule-action deny
    

02 For outbound DENY rules:

  1. Run the delete-network-acl-entry command (OSX/Linux/UNIX) to remove the ineffective DENY rule from the selected Network ACL (NACL). The following command example deletes an ineffective outbound DENY rule identified by the rule number 120 (the command does not produce an output):
    aws ec2 delete-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --egress \
      --rule-number 120
    
  2. Run the create-network-acl-entry command (OSX/Linux/UNIX) to re-create the DENY rule deleted at the previous step with a higher priority than the associated ALLOW rule. The following command example creates an outbound DENY rule with the rule number set to 90. This places the DENY rule at a higher priority than the associated ALLOW rule (rule number 100), so the Network ACL evaluates it first and restricts the traffic specified by the rule parameters (the command does not produce an output):
    aws ec2 create-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --egress \
      --rule-number 90 \
      --protocol tcp \
      --port-range From=22,To=22 \
      --cidr-block 0.0.0.0/0 \
      --rule-action deny
    

03 Repeat steps no. 1 and 2 for other Network ACLs (NACLs) that you want to reconfigure in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

Publication date May 2, 2017
