Security profile overview (original) (raw)
Security profiles help you define Layer 7 inspection policy for your Google Cloud resources. They are generic policy structures that are used by firewall endpoints to scan intercepted traffic to provide application Layer services, such as the URL filtering service and the intrusion detection and prevention service.
This document provides a detailed overview of security profiles and their capabilities.
Specifications
- Cloud Next Generation Firewall supports security profiles of
URL_FILTERINGandTHREAT_PREVENTIONtypes. - Each security profile is uniquely identified by a URL with the following elements:
- Organization ID or Project ID (Preview): ID of the host organization or the host project.
- Location: scope of security profile. Location is always set to
global. - Name: security profile name in the following format:
* A string 1-63 characters long
* Includes only alphanumeric characters or hyphens (-)
* Must not start with a number
- To construct a unique URL identifier for a security profile, use the following format:
- For an organizational-level security profile:
organizations/ORGANIZATION_ID/locations/global/securityProfiles/SECURITY_PROFILE_NAME For example, a security profile example-security-profilein organization 2345678432 has the following unique identifier:
organizations/2345678432/locations/global/securityProfiles/example-security-profile - For a project-level security profile (Preview):
projects/PROJECT_ID/locations/global/securityProfiles/SECURITY_PROFILE_NAME For example, a security profile example-security-profilein project my-project-123 has the following unique identifier:
projects/my-project-123/locations/global/securityProfiles/example-security-profile - After you create a security profile, manually attach it to a security profile group. This security profile group is referenced by the firewall policy of the Virtual Private Cloud (VPC) network where you want to enforce Layer 7 inspection.
- Each security profile must have an associated project ID. The associated project is used for quotas and access restrictions on security profile resources. If you authenticate your service account by using thegcloud auth activate-service-account command, you can associate your service account with the security profile. To learn more about how to create a security profile, see Create a threat prevention security profileand Create a URL filtering security profile.
- When you add security profiles to a security profile group, the following constraints apply:
URL filtering security profile
Cloud NGFW uses a URL filtering security profile to configure theURL filtering service.
A URL filtering security profile is a type of security profile that uses one or more URL filters to define security policies for the firewall endpoints. A URL filter is a list of matcher strings with a unique priority and an action. Matcher strings contain domain names that Cloud NGFW matches against the HTTP message being evaluated. For encrypted messages, Cloud NGFW checks the matcher strings against the SNI sent during TLS negotiation. If you enable TLS inspection, Cloud NGFW decrypts the message header and also evaluates the host header. For unencrypted traffic, Cloud NGFW always compares the matcher strings against the host header of the HTTP message.
The priority of a URL filter is determined by the unique value that you specify using the priority field. The priority value of a URL filter can range from 0 to2147483647. Cloud NGFW processes the lowest numeric value (representing the highest priority) first, followed by the next higher numeric value until it finds a match. Cloud NGFW doesn't evaluate the individual domains within a URL filtering list in priority order.
To learn more about creating and managing URL filtering security profiles, see Create and manage URL filtering security profiles.
To learn more about how to configure URL filtering, seeConfigure the URL filtering service.
Threat prevention security profile
Cloud NGFW uses threat prevention security profiles to provideintrusion detection and prevention service.
When you create a security profile of type THREAT_PREVENTION, the followingdefault threat signatureswith default severity and associated actions are added to the profile:
- Vulnerability detection signatures
- Anti-spyware signatures
- Antivirus signatures
- DNS signatures
You have the option to add severity overrides to your threat prevention security profiles. Each default signature has a threat severity level. The severity level indicates the risk of the detected threat. Each severity level also has an associated default action. The default action specifies the measures Cloud NGFW takes to handle threats with a specific severity level. You can use threat prevention security profiles to override the default action for a severity level.
The following actions are supported:
- No override: performs the default action associated with the threat.
- Deny: logs the threat and drops the packet.
- Alert: logs the threat and allows the session.
- Allow: ignores the threat, if detected.
When you create a threat prevention security profile, the default override action for all severity levels is set to No override.
You can also add signature overrides to your threat prevention security profiles. Each threat signature has an associated default action. You can use threat prevention security profiles to override the default actions of the threat signatures by using the preceding actions. Signature overrides take precedence over severity overrides.
To learn more about how to configure threat prevention, seeConfigure intrusion detection and prevention service.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following security profiles actions:
- Creating a security profile in an organization or a project
- Modifying or deleting a security profile in an organization or a project
- Viewing details of a security profile in an organization or a project
- Viewing a list of security profiles in an organization or a project
- Using a security profile in a security profile group
The following table describes the roles that are necessary for each step.
| Ability | Necessary role |
|---|---|
| Create a security profile | Compute Network Admin (roles/compute.networkAdmin) and Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profiles, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for security profiles |
| Modify a security profile | Compute Network Admin (roles/compute.networkAdmin) and Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profiles, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for security profiles |
| Delete a security profile | Compute Network Admin (roles/compute.networkAdmin) role on the organization for organization-level security profiles, and on the project for project-level security profiles ([Preview](https://cloud.google.com/products#product-launch-stages)) where the profile exists. |
| View details about the security profile in an organization | Any of the following roles for the organization: Compute Network Admin (roles/compute.networkAdmin) Compute Network User (roles/compute.networkUser) Compute Network Viewer (roles/compute.networkViewer) Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profiles, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for security profiles |
| View all of the security profiles in an organization | Any of the following roles for the organization: Compute Network Admin (roles/compute.networkAdmin) Compute Network User (roles/compute.networkUser) Compute Network Viewer (roles/compute.networkViewer) Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profiles, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for security profiles |
| Use a security profile in a security profile group | Any of the following roles for the organization: Compute Network Admin (roles/compute.networkAdmin) Compute Network User (roles/compute.networkUser) Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profiles, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for security profiles |
Quotas
To view quotas associated with security profiles, see Quotas and limits.