Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) versions and cipher suites clients are permitted to use when connecting to load balancers. To prevent the use of insecure features, an SSL policy should use (a) the MODERN profile with a minimum TLS version of 1.2; or (b) the RESTRICTED profile, which effectively requires clients to use TLS 1.2 regardless of the configured minimum TLS version; or (c) a CUSTOM profile that does not enable any of the following features:
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

Risk Level: High
Cloud Entity: Https Load Balancer Proxy
CloudGuard Rule ID: D9.GCP.NET.29
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

HttpsLoadBalancerTargetProxy should have getResource('LoadBalancerSslPolicy',sslPolicyName,'name') with [profile='RESTRICTED' or (minTlsVersion='TLS_1_2' and profile='MODERN') or (profile='CUSTOM' and not customFeatures contain [$ in ('TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA')])]
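The same check, re-implemented in Python as an added example (this is not CloudGuard's code and not the GSL engine). It evaluates the rule over the JSON shapes that `gcloud compute target-https-proxies list --format=json` and `gcloud compute ssl-policies list --format=json` return (fields `sslPolicy`, `profile`, `minTlsVersion`, `customFeatures`); the proxy and policy records embedded at the bottom are constructed sample data, not resources from a real project. A proxy with no sslPolicy (the GCP default policy) is reported as a finding, matching the remediation step that attaches a policy.

```python
"""Audit HTTPS target proxies for SSL policies that allow weak cipher suites.

Added example, not CloudGuard's code: re-implements the GSL logic of rule
D9.GCP.NET.29 over the JSON that `gcloud compute target-https-proxies list`
and `gcloud compute ssl-policies list` produce with --format=json. The sample
records at the bottom are constructed for this example.
"""
from __future__ import annotations

# Features the rule forbids in a CUSTOM profile.
WEAK_FEATURES = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})


def policy_is_secure(policy: dict) -> bool:
    """True when the policy satisfies the rule, mirroring the GSL condition:
    RESTRICTED, or MODERN with minimum TLS 1.2, or CUSTOM whose enabled
    feature list contains none of the weak suites."""
    profile = policy.get("profile")
    if profile == "RESTRICTED":
        return True
    if profile == "MODERN":
        return policy.get("minTlsVersion") == "TLS_1_2"
    if profile == "CUSTOM":
        # customFeatures is the allow-list of enabled features, so any overlap
        # with WEAK_FEATURES means a weak suite can be negotiated.
        return not (set(policy.get("customFeatures", [])) & WEAK_FEATURES)
    return False  # COMPATIBLE or an unrecognised profile


def policy_name_from_url(url: str) -> str:
    """The API stores sslPolicy as a self-link; the rule matches on the name."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def audit(proxies: list[dict], policies: list[dict]) -> dict[str, tuple[bool, str]]:
    """Map each target HTTPS proxy name to (compliant, reason)."""
    by_name = {p["name"]: p for p in policies}
    findings: dict[str, tuple[bool, str]] = {}
    for proxy in proxies:
        url = proxy.get("sslPolicy")
        if not url:
            # No policy attached: the proxy uses the GCP default policy.
            findings[proxy["name"]] = (False, "no SSL policy attached (GCP default)")
            continue
        name = policy_name_from_url(url)
        policy = by_name.get(name)
        if policy is None:
            findings[proxy["name"]] = (False, f"policy {name} not found")
            continue
        desc = f"{name}: profile={policy.get('profile')} minTls={policy.get('minTlsVersion')}"
        findings[proxy["name"]] = (policy_is_secure(policy), desc)
    return findings


# Constructed sample data (not real resources).
SAMPLE_BASE_URL = "https://www.googleapis.com/compute/v1/projects/example-project/global/sslPolicies/"
SAMPLE_POLICIES = [
    {"name": "restricted-policy", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
    {"name": "modern-old", "profile": "MODERN", "minTlsVersion": "TLS_1_1"},
    {"name": "custom-ok", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]},
    {"name": "custom-weak", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
]
SAMPLE_PROXIES = [
    {"name": "web-proxy", "sslPolicy": SAMPLE_BASE_URL + "restricted-policy"},
    {"name": "api-proxy", "sslPolicy": SAMPLE_BASE_URL + "modern-old"},
    {"name": "admin-proxy", "sslPolicy": SAMPLE_BASE_URL + "custom-ok"},
    {"name": "legacy-proxy", "sslPolicy": SAMPLE_BASE_URL + "custom-weak"},
    {"name": "default-proxy"},  # no sslPolicy key: GCP default policy
]

if __name__ == "__main__":
    for proxy, (ok, reason) in audit(SAMPLE_PROXIES, SAMPLE_POLICIES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {proxy:14} {reason}")
```

On the constructed data only web-proxy (RESTRICTED) and admin-proxy (CUSTOM without weak suites) pass; modern-old fails because MODERN needs TLS 1.2 as the minimum, custom-weak fails on the 3DES suite, and default-proxy fails because nothing is attached.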

REMEDIATION

From Portal

  1. If the TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.
  2. Navigate to the SSL Policies page by visiting: https://console.cloud.google.com/net-security/sslpolicies
  3. Click on the name of the insecure policy to go to its SSL policy details page.
  4. Click EDIT.
  5. Set Minimum TLS version to TLS 1.2.
  6. Set Profile to Modern or Restricted.
  7. Alternatively, if you select the Custom profile, make sure that the following features are disabled:
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line

  1. For each insecure SSL policy, update it to use secure ciphers (with --profile CUSTOM, --custom-features is the list of enabled features and must not include any of the weak suites listed above):
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
  2. If the target proxy uses the GCP default SSL policy, attach the updated policy with the command for the proxy type:
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME --ssl-policy SSL_POLICY_NAME

From TF
Resource: google_compute_ssl_policy
Arguments: profile, min_tls_version , custom_features

Set the arguments below as required:
profile = "MODERN", "RESTRICTED" or "CUSTOM" (the provider accepts only the uppercase values)
min_tls_version = "TLS_1_2"
custom_features = (CUSTOM profile only) the list of features the policy enables; it must not contain any of "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
An example of each case follows.

# MODERN profile with TLS 1.2 as the minimum version.
# GCP resource names must be lowercase letters, digits and hyphens.
resource "google_compute_ssl_policy" "modern" {
  name            = "my-ssl-policy"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

# RESTRICTED profile (the provider only accepts the uppercase value).
resource "google_compute_ssl_policy" "restricted" {
  name            = "my-restricted-ssl-policy"
  profile         = "RESTRICTED"
  min_tls_version = "TLS_1_2"
}

# CUSTOM profile: custom_features is the list of ENABLED features, so it must
# not contain any of the weak TLS_RSA_* suites the rule names. The ECDHE AEAD
# suites below are an example allow-list.
resource "google_compute_ssl_policy" "custom" {
  name            = "my-custom-ssl-policy"
  profile         = "CUSTOM"
  min_tls_version = "TLS_1_2"
  custom_features = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  ]
}

References

  1. https://workbench.cisecurity.org/sections/507171/recommendations/827589
  2. https://cloud.google.com/load-balancing/docs/use-ssl-policies
  3. https://cloud.google.com/sdk/gcloud/reference/compute/target-https-proxies/update
  4. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy

Https Load Balancer Proxy

Target proxies are referenced by one or more forwarding rules. In the case of external HTTP(S) load balancers and internal HTTP(S) load balancers, proxies route incoming requests to a URL map. In the case of SSL proxy load balancers and TCP proxy load balancers, target proxies route incoming requests directly to backend services.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0