The Cloud Network Analyzer engine on Prisma Cloud helps determine the network exposure of your cloud assets and secure them from network threats by providing an end-to-end path analysis. At the time of this blog, the Network Analyzer is only supported for AWS environments; however, we are working on a release to support Azure environments as well. In this blog, we will go over some notable features of the network analyzer and network exposure, and ultimately how to run an investigation and create custom network policies.
What is Network exposure?
Legacy CSPM solutions generate alerts for any permissive or exposed cloud virtual firewall (such as an AWS security group), even if the security group is not attached to a Compute instance, or if the Compute instance isn't exposed to the internet in the first place. That approach produced many false positives; with true network exposure analysis, our goal is to mitigate those challenges.
The Cloud Network Analyzer engine takes a multi-dimensional approach to identifying overly-exposed resources by providing:
End-to-end network path visibility from any source (e.g., AWS EC2 virtual machine, DB instance, Lambda application) to any destination (e.g., the internet, another VPC, on-prem networks).
Visibility into the associations between security groups and Compute instances (EC2, RDS, Redshift, etc.) to identify network security risks before they become incidents. For example, you can see the reason a Compute instance has direct internet access: it has an ENI attached to a public subnet, overly permissive security groups, and sits in a VPC attached to an internet gateway with a route to the internet.
The CNA engine correlates multiple data points, including routing path(s) and security policy configuration(s), using graph-based modeling, then runs a complex calculation to evaluate the net effective action (ALLOW or DENY) for an IP packet from Source A to Destination B. The true network exposure evaluation is based on parsing the configuration of the resource(s) to determine all possible network paths. This is a key feature: Prisma Cloud does not have to send actual traffic or read network logs to perform a network path analysis, and this configuration-based process provides a more accurate result.
Determining true Network exposure with end-to-end path analysis on Prisma Cloud can help your organization in significant ways.
Some of the significant use cases Prisma Cloud can help you address are:
AWS Internet exposed Instances/Interfaces/workloads
AWS APP/Workloads that can access the internet
AWS sensitive DB instances exposed across accounts
Overly permissive AWS security-groups attached to sensitive workloads
AWS RDS/sensitive DB workloads exposed to the internet
AWS S3 buckets with sensitive data exposed through network connectivity to external AWS account(s)
Investigate Network Exposure and Misconfiguration on Prisma Cloud
The ‘Network Config Analyzer’ engine calculates exposure using two main factors:
A routing path exists from source to destination
The net effect of ALL security policies in the network path
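To make the two factors above (and the ALLOW/DENY evaluation described earlier) concrete, here is an added example that is not Prisma Cloud code: a toy model that treats an ENI as exposed only when a route to an internet gateway exists and every policy hop (NACL, then security groups) allows the packet. The data model, resource IDs and sample configuration are all constructed; `probe` is a hypothetical representative internet address.

```python
# Added example, not Prisma Cloud code: a toy model of the page's two exposure factors,
# (1) a routing path from source to destination exists and (2) the net effect of every
# security policy on that path is ALLOW. Data model, IDs and sample config are constructed.
import ipaddress

def _matches(rule, src, port):  # does one security rule cover this source and port?
    lo, hi = rule["ports"]
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi

def has_internet_route(env, subnet):
    """Factor 1: the subnet's route table sends 0.0.0.0/0 to an IGW attached to the VPC."""
    return any(r["dest"] == "0.0.0.0/0" and r["target"] in env["igws"]
               for r in env["route_tables"][subnet["rtb"]])

def nacl_allows(entries, src, port):
    """Stateless NACL hop: the lowest-numbered matching entry decides; no match is a deny."""
    for e in sorted(entries, key=lambda e: e["num"]):
        if _matches(e, src, port):
            return e["action"] == "allow"
    return False

def is_exposed(env, eni_id, src, port):
    """Net effective action for a packet from src to the ENI: ALLOW only if every hop allows."""
    eni = env["enis"][eni_id]
    subnet = env["subnets"][eni["subnet"]]
    if eni["public_ip"] is None or not has_internet_route(env, subnet):
        return False  # no path at all, so a permissive security group alone is not exposure
    if not nacl_allows(env["nacls"][subnet["nacl"]], src, port):
        return False
    # Security groups are allow-only; the union of all attached groups is the net effect.
    return any(_matches(r, src, port) for g in eni["sgs"] for r in env["sgs"][g])

def internet_exposed(env, port, probe="198.51.100.7"):
    """Analogue of the page's 'source.network = 0.0.0.0/0' query, using a constructed probe address."""
    return sorted(e for e in env["enis"] if is_exposed(env, e, probe, port))

ENV = {  # constructed sample AWS-like configuration; all identifiers are made up
    "igws": {"igw-1"},
    "route_tables": {"rtb-public": [{"dest": "0.0.0.0/0", "target": "igw-1"}],
                     "rtb-private": [{"dest": "10.0.0.0/16", "target": "local"}]},
    "nacls": {"acl-default": [{"num": 100, "cidr": "0.0.0.0/0", "ports": (0, 65535), "action": "allow"}]},
    "sgs": {"sg-web": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}],
            "sg-open-ssh": [{"cidr": "0.0.0.0/0", "ports": (22, 22)}]},
    "subnets": {"subnet-pub": {"rtb": "rtb-public", "nacl": "acl-default"},
                "subnet-priv": {"rtb": "rtb-private", "nacl": "acl-default"}},
    # eni-db has an open SSH group but no public IP or IGW route: an SG-only check flags it, the path analysis does not
    "enis": {"eni-web": {"subnet": "subnet-pub", "public_ip": "203.0.113.10", "sgs": ["sg-web"]},
             "eni-db": {"subnet": "subnet-priv", "public_ip": None, "sgs": ["sg-open-ssh"]}},
}
```

Running `internet_exposed(ENV, 443)` reports only `eni-web`, while `internet_exposed(ENV, 22)` is empty even though `eni-db` carries a security group open to SSH from anywhere, which is exactly the false positive a security-group-only check would raise.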
To investigate the true network exposure of a cloud resource, follow these steps:
Head over to the Investigate tab of the console.
Enter a query that begins with “config from network where”.
If the RQL search is valid, you will see a green checkmark.
Be sure to save this search for future use; for example, when creating a custom policy you can use your saved search.
Let's go through an example of a network exposure investigation query.
I will be using the following RQL as an example: “config from network where source.network = '0.0.0.0/0' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS'”
You can click on the hyperlinked destination.id to get more details. In addition, you can click on Actions on the far right to open the detailed Network Path Analysis. The “Network Path Analysis” shows the path that network traffic would take if it were initiated from Source A to Destination B. Every hop in the path is a decision point in the traffic forwarding path in the cloud.
To drill down further, click on the ‘i’ icon to get more information about the routing-table configuration or the security policy that is ALLOWing or DENYing the traffic.
Network Exposure Policies
Prisma Cloud offers a handful of out-of-the-box policies that you can use to get started with network exposure. Head over to the Policies tab and set a filter for policy type “Network”. Feel free to use these out-of-the-box policies, or create a custom policy to build a new network exposure policy.
To create a custom network exposure policy:
Under the Policies tab, select “Add Policy” in the top right-hand corner and select “Network”.
Provide the details in step 1 including policy name, description, severity, and labels.
Create a custom RQL query based on the “config from network where” syntax. You can also use a saved search, as mentioned earlier. For example, the following RQL query finds the interfaces tagged env=prod that are accessible from any untrusted internet source:
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.tag = 'env=prod'
Enter any compliance standard you wish to associate with this custom policy.
Provide any remediation options for this policy (optional).
Once you have successfully created a policy, that policy will be available in the policies tab as previously mentioned.
Key Benefits of Network Exposure
Comprehensive Visibility
With network exposure analysis powered by the network analyzer, you can expect to spend less time combing through configurations and manually stitching together resource mappings to understand your cloud network. Prisma Cloud builds a complete network path to and from cloud resources to give you easy-to-understand visibility.
Improved Risk Assessment
Easily identify open pathways that allow lateral movement across the cloud infrastructure, and make informed security decisions that help you reduce the attack surface and partition the network.
Reduced Alert fatigue
Stop false positives and move away from alerts on single network points. Adopt a model that evaluates the network exposure of resources before generating an alert, giving you more accurate results.