4.6 Ensure That IP Forwarding Is Not Enabled on Instances

Information

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Forwarding of data packets should be disabled to prevent data loss or information disclosure.

Rationale:

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.

Impact:

Deleting instance(s) acting as routers/packet forwarders may break the network connectivity.

Solution

You only edit the canIpForward setting at instance creation time. Therefore, you need to delete the instance and create a new one where canIpForward is set to false.
From Google Cloud Console

Go to the VM Instances page by visiting: https://console.cloud.google.com/compute/instances.

Select the VM Instance you want to remediate.

Click the Delete button.

On the 'VM Instances' page, click 'CREATE INSTANCE'.

Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Google Cloud CLI

Delete the instance:

gcloud compute instances delete INSTANCE_NAME

Create a new instance to replace it, with IP forwarding set to Off

gcloud compute instances create

Default Value:

By default, instances are not configured to allow IP forwarding.

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|11.1, CSCv7|11.2

Plugin: GCP

Control ID: 9fa5b529b84855c0cae4a19d44f2db5bf8204f46db2a24314aa012442d3a1c26