The following guidelines for the minimum viable security platform align with the network security pillar.
Basic level guidelines
Implement the following network security guidelines first.
| Item | Block default network creation |
|---|---|
| Description | The default network is an auto-mode Virtual Private Cloud (VPC) network with pre-populated IPv4 firewall rules that allow internal communication paths. Generally, this setup isn't a recommended security posture for production environments. |
| Related information | |
| Item ID | MVSP-CO-1-47 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |
| Item | Enable Private Google Access |
|---|---|
| Description | Enable Private Google Access on all subnets. Enabling Private Google Access lets services access Google Cloud services that don't have external IP addresses. By default, Private Google Access isn't enabled on new resources and requires additional steps to explicitly enable it. |
| Related information | |
| Item ID | MVSP-CO-1.52 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |
Intermediate level guidelines
After you have implemented the basic guidelines, implement the following network security guidelines.
| Item | Use Cloud Armor policies |
|---|---|
| Description | For applications that are exposed behind Cloud Load Balancing, use Google Cloud Armor default policies or configure your own policies to add Layer 3 to Layer 7 network protection for externally facing applications or services. Cloud Armor security policies help protect your application by providing Layer 7 filtering. These policies also inspect incoming requests for common web attacks or other Layer 7 attributes, so that traffic can be blocked before it reaches your load-balanced backend services or backend buckets. Each security policy is made up of a set of rules that include attributes from Layer 3 through Layer 7. |
| Related information | |
| Item ID | MVSP-CO-1.49 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |
| Item | Restrict outbound traffic |
|---|---|
| Description | Limit access to external destinations, because by default all outbound access is allowed. Set specific firewall rules for the intended patterns of traffic that need to egress. By default, systems are often allowed to make outbound connections to the internet, which can be deemed a security risk. A deny-by-default policy blocks outbound traffic and requires specific rules to be created for only the known, necessary destinations. |
| Related information | |
| Item ID | MVSP-CO-1.50 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |
| Item | Limit inbound access to SSH and RDP ports |
|---|---|
| Description | Where possible, restrict inbound access to specific resources and resource ranges only. If Identity-Aware Proxy (IAP) is configured, set the inbound SSH and Remote Desktop Protocol (RDP) firewall rules to use the IAP IP ranges as sources. Permissive SSH and RDP firewall rules allow for brute-force attacks. Instead, use Google Cloud identity-aware proxies (such as IAP) for SSH and RDP. |
| Related information | |
| Item ID | MVSP-CO-1.51 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |
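As an added example (not from the MVSP page or from Google's own tooling), a small Python audit of a firewall-rule export that checks the two intermediate items above: ingress rules that open SSH or RDP from any source outside the IAP TCP-forwarding range 35.235.240.0/20, and whether a deny-all egress rule exists at all. The sample rules are constructed; the field names follow the Compute Engine firewall resource as returned by `gcloud compute firewall-rules list --format=json`.

```python
import ipaddress

# Google's documented IAP TCP-forwarding source range; the guideline asks that
# inbound SSH/RDP rules allow only this range (or narrower sources).
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = {22, 3389}  # SSH and RDP
# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-admin", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

def covers_admin_port(allowed):
    """True if an 'allowed' entry opens tcp/22 or tcp/3389 ('22', '20-30', or no ports = all)."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:
        return True  # protocol-wide allow covers every port
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if any(int(lo) <= p <= int(hi or lo) for p in ADMIN_PORTS):
            return True
    return False

def find_exposed_admin_rules(rules):
    """Names of enabled INGRESS rules that open SSH/RDP from a source outside IAP_RANGE."""
    exposed = []
    for r in rules:
        if r.get("disabled") or r.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(covers_admin_port(a) for a in r.get("allowed", [])):
            continue
        for src in r.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net.version != IAP_RANGE.version or not net.subnet_of(IAP_RANGE):
                exposed.append(r["name"])
                break
    return exposed

def has_default_deny_egress(rules):
    """True if an enabled EGRESS rule denies all protocols to 0.0.0.0/0 (deny-by-default)."""
    return any(r.get("direction") == "EGRESS" and not r.get("disabled")
               and "0.0.0.0/0" in r.get("destinationRanges", [])
               and any(d.get("IPProtocol") == "all" for d in r.get("denied", []))
               for r in rules)
```

Run against a real export, `find_exposed_admin_rules` lists the rules to tighten to the IAP range and `has_default_deny_egress` being false means no deny-by-default egress posture is in place yet.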
Advanced level guidelines
After you have implemented the intermediate guidelines, implement the following network security guidelines.
| Item | Enable VPC Service Controls |
|---|---|
| Description | Enable VPC Service Controls as an additional layer of protection to prevent potential data loss. VPC Service Controls can help prevent data exfiltration by creating isolation perimeters around your cloud resources, sensitive data, and networks. |
| Related information | |
| Item ID | MVSP-CO-1.48 |
| Mapping | Related NIST-800-53 controls: <br>Related CRI profile controls: <br>Compliance Manager control: |