
Review Network Interfaces with IP Forwarding Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-013

Ensure that all Microsoft Azure network interfaces (NICs) with IP forwarding enabled are reviewed regularly for security and compliance reasons. When IP forwarding is enabled on a network interface, the virtual machine (VM) attached to that interface can receive network traffic that is not addressed to any of the IP addresses defined in the interface's IP configurations, and can send network traffic with a source IP address other than the ones assigned to those IP configurations. IP forwarding is therefore normally needed only by Azure virtual machines that forward traffic on behalf of other hosts, that is, network virtual appliances (NVAs) such as firewalls, routers or VPN gateways running on VMs.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

With IP forwarding enabled on a virtual machine's network interface (NIC), the Azure fabric stops discarding packets whose destination or source address does not match the NIC's IP configurations, so the VM can act as a router and receive traffic addressed to other destinations. The NIC setting only removes the platform-level check: the guest operating system must still be configured to forward packets (for example net.ipv4.ip_forward on Linux), and traffic addressed elsewhere normally reaches the VM only because a route (typically a user-defined route with a virtual appliance next hop) sends it there. Because this is rarely required outside network virtual appliances, each NIC with the feature enabled should be reviewed by your network security team to decide whether IP forwarding is really needed. A forwarding-enabled NIC on a general-purpose VM widens what an attacker who compromises that VM can do, since the VM can then route and source-spoof traffic inside the virtual network.


Audit

To review each Azure network interface (NIC) with IP forwarding enabled, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network interface to list the network interfaces available in the selected Azure subscription.

05 Click on the name of the network interface (NIC) that you want to examine.

06 In the navigation panel, under Settings, select IP configurations to access the network and IP configuration defined for the selected NIC.

07 On the IP configurations page, check the IP forwarding setting status. If IP forwarding is set to Enabled, the selected Microsoft Azure network interface (NIC) has IP forwarding enabled, therefore the verified Azure resource must be reviewed in order to decide whether or not IP forwarding is required.

08 Repeat steps no. 5 – 7 for each Azure network interface available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network nic list command (Windows/macOS/Linux) using custom query filters to list the names of all network interfaces (and the name of their associated resource groups) available in the current Azure subscription:

az network nic list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with the requested information:

Name                     ResourceGroup
-----------------------  ------------------------------
cc-virtual-appliance726  cloud-shell-storage-westeurope
cc-production-server960  cloud-shell-storage-westeurope

03 Run network nic show command (Windows/macOS/Linux) using the name of the Azure network interface (NIC) that you want to examine and its associated resource group as identifier parameters to describe the IP Forwarding feature status for the selected network interface:

az network nic show \
	--name cc-virtual-appliance726 \
	--resource-group cloud-shell-storage-westeurope \
	--query 'enableIpForwarding'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the network nic show command output returns true, the selected Microsoft Azure network interface (NIC) has IP forwarding enabled, therefore the verified NIC resource must be reviewed in order to decide whether or not IP forwarding is required.

05 Repeat steps no. 3 and 4 for each Azure network interface created within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

Case A: IP forwarding is not required for the Microsoft Azure virtual machine associated with the network interface (NIC). In this case, perform the following operations to disable the feature:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network interface to list the network interfaces available in the selected Azure subscription.

05 Click on the name of the network interface (NIC) that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Settings, select IP configurations to access the network and IP configuration defined for the selected NIC.

07 On the IP configurations page, select Disabled next to IP forwarding, to disable the IP Forwarding feature for the selected Microsoft Azure network interface.

08 If required, repeat steps no. 5 – 7 to disable IP forwarding for other Azure network interfaces (NICs) available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network nic update command (Windows/macOS/Linux) using the name of the Azure network interface that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to update the network configuration for the selected Azure network interface (NIC) in order to disable IP forwarding:

az network nic update \
	--name cc-virtual-appliance726 \
	--resource-group cloud-shell-storage-westeurope \
	--ip-forwarding false

02 The command output should return the metadata for the reconfigured network interface:

{
  "enableAcceleratedNetworking": false,
  "enableIpForwarding": false,
  "location": "westeurope",
  "name": "cc-virtual-appliance726",
  "networkSecurityGroup": {
    "defaultSecurityRules": null,
    "location": null,
    "networkInterfaces": null,
    "provisioningState": null,
    "resourceGroup": "cloud-shell-storage-westeurope",
    "resourceGuid": null,
    "securityRules": null,
    "subnets": null
  },

  ...

  "primary": true,
  "privateEndpoint": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resourceGuid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "tags": null,
  "tapConfigurations": [],
  "type": "Microsoft.Network/networkInterfaces",
  "virtualMachine": {
    "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-virtual-appliance-vm",
    "resourceGroup": "cloud-shell-storage-westeurope"
  }
}

03 If required, repeat steps no. 1 and 2 to disable IP forwarding for other Azure network interfaces available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Case B: IP forwarding is required for the Microsoft Azure virtual machine associated with the network interface (NIC), because the VM operates as a network virtual appliance. In this case the feature is enabled by design, and no configuration change is needed; record the justification (for example with a resource tag or a change ticket) so that the next review can confirm the NIC is still serving that role rather than re-investigating it.
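The audit and remediation steps above are manual, one NIC and one subscription at a time. The following script is an added example and is not part of the Conformity page or the Azure CLI: it parses the JSON that az network nic list -o json returns, reports every NIC with enableIpForwarding set to true together with its attached VM and private IPs (including NICs with no VM attached, which the portal walk-through would not surface under a VM), treats NICs carrying an assumed role=nva tag as the intentional Case B, and drafts the Case A az network nic update commands for the rest. SAMPLE_NICS is constructed test data; the tag convention, the sample names and the resource IDs are assumptions, while the az commands invoked are real CLI commands.

```python
"""Added example (not part of the Conformity page): audit Azure NICs for IP
forwarding and draft the Case A remediation commands.

The pure functions parse `az network nic list -o json` output, so they can be
unit-tested offline; audit_all_subscriptions() drives the real Azure CLI and
needs a logged-in `az`. The role=nva allow-list tag is an assumed convention.
"""
import json
import subprocess

# Constructed sample shaped like `az network nic list -o json` output.
SAMPLE_NICS = json.loads("""[
  {"name": "cc-virtual-appliance726", "resourceGroup": "cloud-shell-storage-westeurope",
   "enableIpForwarding": true, "tags": {"role": "nva"},
   "virtualMachine": {"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-virtual-appliance-vm"},
   "ipConfigurations": [{"privateIPAddress": "10.0.1.4"}]},
  {"name": "cc-production-server960", "resourceGroup": "cloud-shell-storage-westeurope",
   "enableIpForwarding": true, "tags": null,
   "virtualMachine": {"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-production-vm"},
   "ipConfigurations": [{"privateIPAddress": "10.0.1.5"}, {"privateIPAddress": "10.0.1.6"}]},
  {"name": "cc-orphan-nic", "resourceGroup": "cloud-shell-storage-westeurope",
   "enableIpForwarding": true, "tags": null, "virtualMachine": null, "ipConfigurations": []},
  {"name": "cc-web-server001", "resourceGroup": "cloud-shell-storage-westeurope",
   "enableIpForwarding": false, "tags": null, "virtualMachine": null, "ipConfigurations": []}
]""")


def vm_name_from_id(resource_id):
    """Return the last path segment of an ARM resource ID, or None for a detached NIC."""
    return resource_id.rsplit("/", 1)[-1] if resource_id else None


def audit_nics(nics, allow_tag=("role", "nva")):
    """Return one finding per NIC whose enableIpForwarding flag is true.

    A NIC tagged with allow_tag (assumed convention) is marked expected, i.e.
    Case B on the page; everything else is a Case A candidate.
    """
    key, value = allow_tag
    findings = []
    for nic in nics:
        if not nic.get("enableIpForwarding"):
            continue
        tags = nic.get("tags") or {}                      # tags is null when unset
        vm_id = (nic.get("virtualMachine") or {}).get("id")  # null for a detached NIC
        findings.append({
            "nic": nic["name"],
            "resourceGroup": nic["resourceGroup"],
            "vm": vm_name_from_id(vm_id),
            "privateIps": [c.get("privateIPAddress") for c in nic.get("ipConfigurations") or []],
            "expected": tags.get(key) == value,
        })
    return findings


def remediation_commands(findings, subscription=None):
    """Draft `az network nic update --ip-forwarding false` for each unexpected finding."""
    cmds = []
    for f in findings:
        if f["expected"]:
            continue
        cmd = ["az", "network", "nic", "update",
               "--name", f["nic"], "--resource-group", f["resourceGroup"],
               "--ip-forwarding", "false"]
        if subscription:
            cmd += ["--subscription", subscription]
        cmds.append(" ".join(cmd))
    return cmds


def _az(*args):
    """Run an Azure CLI command and parse its JSON output (requires `az login`)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_all_subscriptions():
    """Walk every subscription visible to the CLI and audit its NICs."""
    return {sub["id"]: audit_nics(_az("network", "nic", "list", "--subscription", sub["id"]))
            for sub in _az("account", "list")}


if __name__ == "__main__":
    for sub_id, findings in audit_all_subscriptions().items():
        for f in findings:
            status = "expected (NVA)" if f["expected"] else "REVIEW"
            print(f"{sub_id} {f['resourceGroup']}/{f['nic']} vm={f['vm']} "
                  f"ips={f['privateIps']} {status}")
        for cmd in remediation_commands(findings, sub_id):
            print("  ", cmd)
```

Review the printed commands before running them; the script deliberately drafts rather than executes the updates, since disabling forwarding on a misidentified appliance breaks every route that points at it.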


Publication date Apr 6, 2020