Low Severity on Port 22 Monitoring Policies in Prisma Cloud


L1 Bithead


Hi everyone,

I have a question and would like to hear if others share the same concern. Why are the Prisma Cloud policies related to monitoring port 22 configured with a severity level of "Low" or "Informational"?

In my opinion, the severity should be higher, since having port 22 open—especially on edge devices—can pose a serious security risk. Unauthorized users could potentially gain access through this port, which could lead to major issues down the line.


Here are some of the policies I’ve found that are marked with low or informational severity:

  • AWS Lightsail Instance does not restrict traffic on admin ports
  • AWS Network ACLs allow ingress traffic on Admin ports 22/3389
  • AWS EC2 instance with network path from the internet (0.0.0.0/0) on Admin ports
  • AWS NACL allows ingress from 0.0.0.0/0 to port 22
  • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp/udp)
  • Port 22 is exposed
  • OCI Default Security List of every VCN allows all traffic on SSH port (22)
  • OCI security group allows unrestricted ingress access to port 22
  • OCI Security List allows all traffic on SSH port (22)
  • Azure Network Security Group allows all traffic on SSH port 22
  • AWS Security Group allows all traffic on SSH port (22)

I’d really appreciate hearing your thoughts on this. Do you think the severity level should be reconsidered?

Thanks!


L3 Networker

Hello! 

I understand your concern. These default policies can be modified, and you can change them to the severity level you see fit for your environment. Prisma Cloud uses policy severity to focus more on the following:

  • Alert Prioritization - Helps in prioritizing the resolution of open alerts
  • Provides better visibility for highly contextual alerts
  • Better prioritization of Corrective Action Plan for Compliance Reports


Policy severity by definition 

Low

Vulnerability or misconfiguration that is not directly exploitable (requires significant effort to exploit) and has minimal impact. A Low severity alert may be addressed as part of a regular maintenance cycle and does not require immediate attention.

Informational

An Informational severity is not a direct security threat, but rather a security best practice or compliance recommendation, detection of service or port status, or a potential weakness that may require attention or monitoring. These alerts have lower severity than the other alerts but still need to be addressed based on the customer's compliance requirements.
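As an added illustration (not code from Prisma Cloud or from either poster) of what the "allows ingress from 0.0.0.0/0 to port 22" policies in the question actually check, and of the reply's point that the severity attached to such a finding is a local choice: the function below walks AWS-style security group ingress rules (the `describe-security-groups` JSON shape), flags any rule that admits the whole IPv4 or IPv6 internet on TCP/UDP 22 or on all protocols, and tags each finding with whatever severity the reader decides fits their environment. The group IDs and rules are constructed sample data.

```python
import ipaddress

SSH_PORT = 22

def rule_is_open_to_world(rule):
    """True if the rule admits any source address (0.0.0.0/0 or ::/0).
    A /0 prefix is the only thing that matters; 10.0.0.0/8 etc. are not 'world'."""
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            return True
    for r in rule.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            return True
    return False

def rule_covers_port(rule, port=SSH_PORT):
    """True if the rule's protocol/port range includes `port`.
    IpProtocol "-1" means all traffic, so it covers every port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def find_exposed_ssh(groups, severity="high"):
    """Return one finding per group/rule pair that exposes SSH to the internet.
    `severity` is whatever the operator chooses for their environment."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if rule_covers_port(rule) and rule_is_open_to_world(rule):
                findings.append({"group": g["GroupId"],
                                 "protocol": rule["IpProtocol"],
                                 "severity": severity})
    return findings

# Constructed sample input: only sg-aaaa0001 (tcp/22 from 0.0.0.0/0) and
# sg-aaaa0003 (all traffic from ::/0) should be reported.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa0001", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-aaaa0002", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-aaaa0003", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-aaaa0004", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_exposed_ssh(SAMPLE_GROUPS):
        print(f)
```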
