Enable Virtual Machine IP Forwarding Monitoring

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-023

Ensure that the IP Forwarding feature available for your Microsoft Azure virtual machines (VMs) is monitored by the Azure Security Center service for security and compliance purposes.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Enabling IP forwarding on a virtual machine's network interface (NIC) allows the machine to act as a router and receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when the virtual machine is used as a network virtual appliance); therefore the feature should be monitored so that any NIC with forwarding enabled is surfaced for review by your network security team.


Audit

To determine if IP forwarding for virtual machines is continuously monitored using Microsoft Azure Security Center, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the policy configuration settings for the selected subscription.

05 On the Security Policy page, choose the Security center default policy, then click View effective policy to open the policy.

06 On the default security policy page, within the Identity section, check the IP Forwarding on your virtual machine should be disabled setting status. If the configuration setting is Disabled, the IP forwarding on your virtual machines (VMs) is not monitored using Microsoft Azure Security Center.

07 Repeat steps no. 4 – 6 for each subscription available in your Microsoft Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the monitoring status of the IP forwarding feature available for your Azure VMs:

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")' | jq '.properties.parameters.disableIPForwardingMonitoringEffect.value'

02 The command output should return the requested Azure Security Center monitoring status:

"Disabled"

If the command output returns "Disabled", as shown in the output example above, the IP forwarding feature available for your virtual machines is not monitored using Microsoft Azure Security Center.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure account.

Remediation / Resolution

To enable virtual machine IP forwarding monitoring using Microsoft Azure Security Center service, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure to access the policy settings available for the selected subscription.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the default policy assignment.

06 On the selected policy assignment page, perform the following actions:

  1. Choose the Parameters tab to access the policy parameters.
  2. Select AuditIfNotExists from IP Forwarding on your virtual machine should be disabled dropdown list to enable IP forwarding monitoring for the Azure virtual machines deployed in the selected subscription.
  3. Click Review + save to review the configuration changes, then click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center service should start monitoring the IP forwarding feature status for virtual machines.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscriptions available.

Using Azure CLI

01 Define the necessary specifications for the account get-access-token command, with the disableIPForwardingMonitoringEffect configuration parameter set to "AuditIfNotExists". Save the following content to a JSON file named enable-ip-forwarding-monitoring.json and replace the placeholder details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "disableIPForwardingMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. enable-ip-forwarding-monitoring.json file) to start monitoring the IP forwarding feature status within the current Azure subscription:

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-ip-forwarding-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy:

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
      "parameters":{
         "disableIPForwardingMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      },
      "metadata":{
         "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
         "createdOn":"2019-05-19T14:34:30.00000000",
         "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
         "updatedOn":"2020-03-10T15:10:30.00000000"
      }
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscriptions available.
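A script-level version of the CLI audit and remediation steps above, added here as an example (not Cloud Conformity's own code): it classifies the policy assignment JSON returned by the GET in the audit step and derives the PUT body for the remediation step from that fetched assignment, which keeps any other parameter overrides that a hand-written one-parameter body would drop. The sample JSON, its placeholder ids and the "someOtherEffect" parameter are constructed.

```python
import json

PARAM = "disableIPForwardingMonitoringEffect"
ASSIGNMENT_NAME = "SecurityCenterBuiltIn"

# Constructed sample of the JSON the audit GET returns for one subscription
# (placeholder ids; "someOtherEffect" is a made-up second parameter override).
SAMPLE_ASSIGNMENT = json.loads("""{
  "properties": {
    "displayName": "ASC Default (subscription: 00000000-0000-0000-0000-000000000000)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/11111111-1111-1111-1111-111111111111",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "parameters": {
      "disableIPForwardingMonitoringEffect": {"value": "Disabled"},
      "someOtherEffect": {"value": "Disabled"}
    }
  },
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}""")


def monitoring_status(assignment):
    """'monitored', 'not_monitored', or 'default' when the parameter is not
    overridden (the initiative's own default applies; review, don't assume)."""
    if assignment.get("name") != ASSIGNMENT_NAME:
        raise ValueError("not the Security Center default policy assignment")
    params = assignment.get("properties", {}).get("parameters") or {}
    value = params.get(PARAM, {}).get("value")
    if value is None:
        return "default"
    return "not_monitored" if value == "Disabled" else "monitored"


def noncompliant_subscriptions(assignments):
    """Subscription ids (taken from properties.scope) whose effect is Disabled."""
    return [a["properties"]["scope"].rsplit("/", 1)[-1]
            for a in assignments if monitoring_status(a) == "not_monitored"]


def remediation_body(assignment):
    """Build the PUT body from the fetched assignment, changing only PARAM.
    ARM PUT replaces the whole assignment, so deriving the body this way keeps
    the other parameter overrides that a hand-written one-parameter body drops."""
    body = json.loads(json.dumps(assignment))  # deep copy
    body["properties"].setdefault("parameters", {})[PARAM] = {"value": "AuditIfNotExists"}
    return body
```

Feed the output of the audit GET for each subscription into noncompliant_subscriptions, then write remediation_body(assignment) to the file passed to curl with -d@ in the remediation step.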

Publication date Mar 27, 2020
