Getting Started with Prisma Cloud - “Cloud Network Analyzer”


By Priyank Patel, Customer Success Engineer

 

The Cloud Network Analyzer engine on Prisma Cloud helps determine the network exposure of your cloud assets and secure them from network threats by providing an end-to-end path analysis. At the time of this blog, the Network Analyzer is only supported for AWS environments; however, we are working on a release to support Azure environments as well. In this blog, we will go over some notable features of the network analyzer, what network exposure is, and how to run an investigation and create custom network policies.


Figure 1: Network Analyzer_palo-alto-networks

What is Network exposure?

 

Legacy CSPM solutions generate alerts for any permissive or exposed cloud virtual firewall (such as an AWS security group), even if the security group is not attached to a Compute instance or the Compute instance isn't exposed to the internet in the first place. That approach produced many false positives, and evaluating true network exposure is how we aim to mitigate that problem.

 

The Cloud Network Analyzer engine takes a multi-dimensional approach to identifying overly-exposed resources by providing:

  1. End-to-end network path visibility from any source (e.g., AWS EC2 virtual machine, DB instance, Lambda application) to any destination (e.g., internet, another VPC, on-prem networks).
  2. Visibility into the associations between security groups and Compute instances (EC2, RDS, Redshift, etc.) to identify network security risks before they become incidents. For example, you can see the reason for the risk when a Compute instance has direct internet access: it has an ENI attached to a public subnet, has overly permissive security groups, and is in a VPC that is attached to an internet gateway with a route to the internet.

 

The CNA engine correlates multiple data points, including routing paths and security policy configurations, using graph-based modeling, and then runs a complex calculation to evaluate the net effective action (ALLOW or DENY) for an IP packet from Source-A to Destination-B. The true network exposure evaluation is based on parsing the configuration of the resources to determine all possible network paths. This is a key feature: Prisma Cloud does not have to send actual traffic or read network logs in order to perform a network path analysis, and the above process provides a more accurate result.

 


Figure 2: Network Analysis_palo-alto-networks

 

Determining true Network exposure with end-to-end path analysis on Prisma Cloud can help your organization in significant ways.

Some of the significant use-cases Prisma Cloud can help you address are:

  1. AWS internet-exposed instances/interfaces/workloads
  2. AWS apps/workloads that can access the internet
  3. AWS sensitive DB instances exposed across accounts
  4. Overly permissive AWS security groups attached to sensitive workloads
  5. AWS RDS/sensitive DB workloads exposed to the internet
  6. AWS S3 buckets with sensitive data exposed through network connectivity to external AWS account(s)

 

 

Investigate Network Exposure and Misconfiguration on Prisma Cloud

 

The ‘Network Config Analyzer’ engine calculates exposure using two main factors:

  1. Whether a routing path exists from source to destination
  2. The net effect of ALL security policies in the network path
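
A simplified model of these two factors and of the net effective action (ALLOW or DENY) described earlier, as an added example; it is not Prisma Cloud's engine or code. The configuration, resource IDs and function names are constructed for illustration, and only the inbound direction from the internet is modeled.

```python
import ipaddress

# Constructed sample configuration; every ID and address is hypothetical.
CFG = {
    # security group -> inbound allow rules (CIDR, from_port, to_port); all three allow SSH from anywhere
    "sgs": {g: [("0.0.0.0/0", 22, 22)] for g in ("sg-unattached", "sg-private", "sg-public")},
    # subnet -> routes (destination CIDR, target)
    "routes": {"subnet-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-1")],
               "subnet-private": [("10.0.0.0/16", "local")]},
    # subnet -> inbound NACL rules (rule number, CIDR, from_port, to_port, action)
    "nacls": {s: [(100, "0.0.0.0/0", 0, 65535, "ALLOW")] for s in ("subnet-public", "subnet-private")},
    "enis": {"eni-web": {"subnet": "subnet-public", "public_ip": "203.0.113.10", "sgs": ["sg-public"]},
             "eni-db": {"subnet": "subnet-private", "public_ip": None, "sgs": ["sg-private"]}},
}

def _covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def legacy_findings(cfg):
    """Single-point check: flag every security group open to 0.0.0.0/0, attached or not."""
    return sorted(g for g, rules in cfg["sgs"].items() if any(c == "0.0.0.0/0" for c, _, _ in rules))

def effective_action(cfg, eni_id, src_ip, port):
    """Evaluate every hop from an internet source to the ENI; return (action, deciding hop)."""
    eni = cfg["enis"][eni_id]
    if not eni["public_ip"]:
        return "DENY", "no public IP"
    # Routing hop: the longest-prefix route covering the source must target an internet gateway.
    routes = [r for r in cfg["routes"][eni["subnet"]] if _covers(r[0], src_ip)]
    best = max(routes, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    if best is None or not best[1].startswith("igw-"):
        return "DENY", "no route via internet gateway"
    # NACL hop: the lowest-numbered matching rule decides; no match is an implicit deny.
    nacl = next((a for _, c, lo, hi, a in sorted(cfg["nacls"][eni["subnet"]])
                 if _covers(c, src_ip) and lo <= port <= hi), "DENY")
    if nacl == "DENY":
        return "DENY", "network ACL"
    # Security groups are allow-only: one matching rule on any attached group permits the packet.
    for sg in eni["sgs"]:
        if any(_covers(c, src_ip) and lo <= port <= hi for c, lo, hi in cfg["sgs"][sg]):
            return "ALLOW", sg
    return "DENY", "security group"

def exposed_enis(cfg, src_ip="198.51.100.7", port=22):
    """Interfaces whose net effective action for the given source and port is ALLOW."""
    return [e for e in cfg["enis"] if effective_action(cfg, e, src_ip, port)[0] == "ALLOW"]
```

On this sample, the single-point check flags all three security groups, while the path evaluation reports only `eni-web` as reachable from the internet.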

 

To investigate the TRUE network exposure of a cloud resource, follow these steps:

  1. Head over to the Investigate tab of the console.
  2. Enter a query that begins with “config from network where”.
  3. If the RQL search is valid, you will notice a green checkmark.
  4. Be sure to save this search for future use. For example, when creating a custom policy you can utilize your saved search.

 

 

Let's go through an example of a network exposure investigation query.

  1. I will be using the following RQL as an example: “config from network where source.network = '0.0.0.0/0' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS'”. It looks for AWS instances that are reachable from any source address.

 


Figure 3: Network Exposure Investigation_palo-alto-networks

 

  2. You can click on the hyperlinked destination.id to get more details. In addition, you can click on Actions on the far right to view the detailed Network Path Analysis. The “Network Path Analysis” shows the path that network traffic would take if traffic were to be initiated from Source A to Destination B. Every hop in the path is a decision point in the traffic forwarding path in the cloud.

 


Figure 4: Actions_palo-alto-networks

 

  3. To drill down further, you can click on the ‘i’ icon to get more information about the routing-table configuration or the security policy that is ALLOWing or DENYing the traffic.


Figure 5: Drill Down_palo-alto-networks

Network Exposure Policies

Prisma Cloud offers a handful of out-of-the-box policies that you can utilize to get started with network exposure. Head over to the policies tab and filter on the policy type “network”. Feel free to utilize these out-of-the-box policies, or create a custom policy to build a new network exposure policy.

 

To create a custom network exposure policy:

  1. Under the policies tab, select “add policy” in the top right-hand corner and select “network”.
  2. Provide the details in step 1, including policy name, description, severity, and labels.
  3. Create a custom RQL query based on the “config from network where” RQL query. You can also use a saved search as previously mentioned. For example, the following RQL query finds the interfaces that are accessible from any untrusted Internet source:

config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.tag = 'env=prod'

  4. Enter any compliance standard you wish to associate with this custom policy.
  5. Provide any remediation options for this policy (optional).

 

 

Once you have successfully created a policy, that policy will be available in the policies tab as previously mentioned. 


Key Benefits of Network Exposure
Comprehensive Visibility

With Network Exposure utilizing the network analyzer, you can expect to spend less time combing through configurations and manually stitching together resource mappings to understand the cloud network. Prisma Cloud builds a complete network path to and from cloud resources to give you easy-to-understand visibility. 

Improved Risk Assessment

Easily identify open pathways that allow lateral movement across the cloud infrastructure and make informed security decisions that help you reduce the attack surface radius and partition the network.

Reduced Alert fatigue

Stop false positives and move away from alerts against single network points. Adopt a model that evaluates the network exposure of resources before generating an alert, giving you more accurate results.

 


 

 
