NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
Risk Level: Medium
Cloud Entity: Network Load Balancer
CloudGuard Rule ID: D9.AWS.NET.AG2.4.NetworkLoadBalancer.8888.TCP
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
NetworkLoadBalancer where inboundRules contain [port <= 8888 and portTo >= 8888 and protocol in ('TCP','ALL')] should not have inboundRules contain [port <= 8888 and portTo >= 8888 and protocol in ('TCP','ALL') and scope numberOfHosts() > 256]
REMEDIATION
It is recommended to remove the rules that allow permissive access to Cassandra OpsCenter (TCP 8888), that is, any inbound rule whose port range covers 8888 for protocol TCP or ALL and whose source scope is wider than 256 hosts.
If a public interface exists, remove it and limit the access scope within the VPC to only the applications or instances that require access to OpsCenter.
Amazon Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
As a further protection, use CloudGuard Dynamic Access Leasing to open the OpsCenter port only from allowed sources and only when needed, as is commonly done for SSH/Remote Desktop.
For more information please refer to: https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/DynAccessLease.html?tocpath=Network%20Security%7C_____3
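The GSL check above can be reproduced offline against the inbound rules of the security group attached to the load balancer. The following is an added example, not CloudGuard's own engine or code from this page: it flattens an `ec2 describe-security-groups` entry into per-CIDR rules, flags every rule that covers TCP 8888 (protocol TCP or ALL) from a scope of more than 256 hosts, and reports exactly which rules the remediation says to remove. It assumes that CloudGuard's `numberOfHosts()` equals the number of addresses in the CIDR (so a /24 is exactly 256 and passes, a /23 or `0.0.0.0/0` fails); the security group document is constructed sample input.

```python
"""Offline evaluation of the NetworkLoadBalancer 8888/TCP wide-scope rule.

Added example; not CloudGuard's implementation. The scope metric assumes
numberOfHosts() == number of addresses in the source CIDR.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

PORT = 8888          # Cassandra OpsCenter web UI
MAX_HOSTS = 256      # scope threshold from the GSL: numberOfHosts() > 256 fails


@dataclass(frozen=True)
class InboundRule:
    port: int
    port_to: int
    protocol: str    # 'TCP', 'UDP', or 'ALL'
    cidr: str


def number_of_hosts(cidr: str) -> int:
    """Assumed semantics of GSL numberOfHosts(): addresses covered by the CIDR."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def rule_covers_port(rule: InboundRule, port: int = PORT) -> bool:
    """GSL: port <= 8888 and portTo >= 8888 and protocol in ('TCP','ALL')."""
    return rule.port <= port <= rule.port_to and rule.protocol.upper() in ("TCP", "ALL")


def offending_rules(rules: List[InboundRule], port: int = PORT,
                    max_hosts: int = MAX_HOSTS) -> List[InboundRule]:
    """Rules that expose the port to a scope wider than max_hosts: the ones to remove."""
    return [r for r in rules if rule_covers_port(r, port) and number_of_hosts(r.cidr) > max_hosts]


def is_compliant(rules: List[InboundRule]) -> bool:
    """An NLB with no 8888/TCP rule passes vacuously; one with a wide-scope rule fails."""
    return not offending_rules(rules)


def from_security_group(sg: dict) -> List[InboundRule]:
    """Flatten one describe-security-groups entry into one rule per source CIDR."""
    rules = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        protocol = "ALL" if proto == "-1" else proto.upper()
        if protocol == "ALL":
            port, port_to = 0, 65535              # -1 has no port fields: every port
        else:
            port, port_to = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []):
            rules.append(InboundRule(port, port_to, protocol, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.append(InboundRule(port, port_to, protocol, r["CidrIpv6"]))
    return rules


# Constructed sample: the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"},      # OpsCenter open to the internet: fails
                      {"CidrIp": "10.0.0.0/24"}]},  # exactly 256 hosts: passes
        {"IpProtocol": "-1",                        # all traffic from a /16: fails
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},    # wide, but not port 8888: ignored
        {"IpProtocol": "udp", "FromPort": 8888, "ToPort": 8888,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},     # UDP is not in ('TCP','ALL'): ignored
    ],
}


if __name__ == "__main__":
    rules = from_security_group(SAMPLE_SECURITY_GROUP)
    for bad in offending_rules(rules):
        print(f"remove {bad.protocol} {bad.port}-{bad.port_to} from {bad.cidr} "
              f"({number_of_hosts(bad.cidr)} hosts)")
    print("compliant:", is_compliant(rules))
```

Feed the function the output of `aws ec2 describe-security-groups --group-ids <sg>` for the security group attached to the load balancer; each printed line is one rule to revoke. Note that an NLB only has inbound rules to evaluate when a security group is attached to it; an internet-facing NLB without one accepts connections to its listener from any source, so its OpsCenter listener is at least as exposed as an `0.0.0.0/0` rule.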
Network Load Balancer
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule and attempts to open a TCP connection to the selected target on the port specified in the listener configuration. Because it forwards TCP connections rather than terminating or inspecting them, an unencrypted OpsCenter listener on TCP 8888 passes the web UI through in cleartext to every host within the listener's allowed scope.
Compliance Frameworks
- LGPD
- NETWSEC-V2
Updated 7 months ago