NSG Exposing Unintended Internal Ports to the Internet
NSGs rely on NAT for inbound firewall rules. However, NAT (Virtual Server) rules don't allow you to select which protocol type you want to use. For example: if I want to open TCP 443 only, I can't do that with NSG. It opens UDP and TCP 443 (at least from what I can tell).
Please add the ability to select protocol type as part of the NAT rules. The absence of this feature is exposing internal surface area that doesn't need to be exposed to the internet.
Additionally, this will result in remediation flags for companies who have penetration tests run. The only problem... it can't be remediated with current NSG settings without disabling the whole rule.
Happy to clarify if needed.
Comments
Hi Daniel, Welcome to our Nebula Community!
I have good news, the ability to select protocol (TCP/UDP/Any) for Virtual server rules will be added in the coming release by the end of this month, so it's a matter of time only.
Thanks for your valuable input!
Hi @Daniel_PDX
Just to update you, the new Nebula interface already supports the selection of TCP/UDP protocols in the Virtual server rules.
Feel free to check it out.