CNA detects assets that are exposed to unrestricted public network access. This is called internet exposure detection.
CNA uses three different methods to determine if an asset is exposed to the internet:
Checks whether a routing path exists from source to destination.
Verifies the effectiveness of all cloud-native network security policies in the path.
Checks inbound reachability from the internet.
When CNA identifies an asset that is potentially exposed to the internet, it requests confirmation from an external scanning service. After the external scan finishes, CNA publishes network exposure findings and issues, as well as an internal network topology to map the path between the internet and the asset. You can review this information and mitigate risks.
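The three checks above, as an added worked example that is not Cortex Cloud code: a small evaluator run over constructed AWS-style data (a subnet route table, a network ACL and a security group) that reports either the hop that blocks the flow or the full path from the internet to the asset. The identifiers (igw-0abc1234, 198.51.100.10), the dictionary data model, and the simplification that only rules covering 0.0.0.0/0 count toward unrestricted access are assumptions made for this illustration.

```python
# Added example: a minimal model of the three checks CNA is described as applying.
# All identifiers, CIDRs and the data layout are invented for illustration.

UNRESTRICTED = ("0.0.0.0/0", "::/0")


def _port_in(rule, port):
    # Protocol "-1" means "all traffic" in both NACL and security-group rules.
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def route_to_internet(route_table):
    """Check 1: is there a default route whose target is an internet gateway?"""
    for r in route_table:
        if r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-"):
            return r["target"]
    return None


def nacl_decision(rules, port):
    """Check 2a: NACLs are stateless and ordered; the lowest-numbered matching rule wins.
    Only rules that cover every public source (0.0.0.0/0) decide unrestricted access
    (assumption for this example); the implicit final rule "*" denies."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["cidr"] in UNRESTRICTED and _port_in(rule, port):
            return rule["action"], rule["number"]
    return "deny", "*"


def sg_allows(rules, port):
    """Check 2b: security groups are allow-only; any matching inbound rule opens the port."""
    return any(rule["cidr"] in UNRESTRICTED and _port_in(rule, port) for rule in rules)


def analyze_exposure(asset, port):
    """Return (exposed, path). Check 3 (inbound reachability) holds only when every
    hop permits the flow and the asset has a public address for the internet to reach."""
    path = []
    igw = route_to_internet(asset["route_table"])
    if not igw:
        return False, path + ["no default route to an internet gateway"]
    path.append(f"internet -> {igw}")
    action, number = nacl_decision(asset["nacl"], port)
    if action != "allow":
        return False, path + [f"blocked by NACL rule {number}"]
    path.append(f"NACL rule {number} allow tcp/{port}")
    if not sg_allows(asset["security_group"], port):
        return False, path + ["blocked by security group (no 0.0.0.0/0 inbound rule)"]
    path.append(f"security group allow tcp/{port}")
    if not asset.get("public_ip"):
        return False, path + ["no public IP address"]
    path.append(f"{asset['public_ip']}:{port}")
    return True, path


# Constructed asset: default route to an IGW, a NACL that explicitly denies tcp/22
# before its catch-all allow, and a security group that opens 22 and 443 to everyone.
WEB_SERVER = {
    "public_ip": "198.51.100.10",
    "route_table": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0abc1234"},
    ],
    "nacl": [
        {"number": 90, "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0", "action": "deny"},
        {"number": 100, "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0", "action": "allow"},
    ],
    "security_group": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for port in (443, 22):
        exposed, path = analyze_exposure(WEB_SERVER, port)
        print(port, "EXPOSED" if exposed else "not exposed", " -> ".join(path))
```

The point of the walk is that a permissive security group alone does not make tcp/22 exposed here: the NACL rule numbered 90 matches first and denies it, while tcp/443 passes every hop and ends at the public address, which is the path CNA then hands to the external scanner for confirmation.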
External network scanning service
The external network scanning service complements CNA's configuration analysis by scanning from the internet, so that a suspected exposure is confirmed as actually reachable rather than inferred from configuration alone.
When CNA determines that an asset is potentially exposed to the internet, it forwards the public IP address or a fully qualified domain name (FQDN) to the external scanning service. The service verifies whether the IP or FQDN already exists in its database. If a match is found, the service notifies CNA and sends the additional information retrieved by the scan. The scan covers the entire internet rather than a subset of IP addresses owned by Cortex Cloud customers.
The following diagram illustrates what happens when CNA examines a virtual machine:
As illustrated in the diagram:
CNA analyzes the network configuration and determines that the virtual machine is potentially reachable from the internet.
CNA passes the public IP address, FQDN, protocol, and port information to the external network scanning service.
The external network scanning service confirms whether the asset’s public IP address or FQDN is reachable from the internet.
If the virtual machine is exposed to the internet, CNA publishes findings and issues with additional information such as asset information, network path, and remediation guidance.
External scanning service details
The external network scanning service collects protocol, port, and server information.
The external network scanning service scans the entire internet address space twice a day to identify assets that are exposed to the internet. The service is CFAA compliant and non-intrusive: it establishes a session to each exposed IP address and collects only the minimum amount of information required for CNA to validate the exposure.
The external network scanning service collects the following information:
| Information type | Examples |
|---|---|
| Protocol and port | tcp/80, tcp/443, tcp/22 |
| Server information (service or daemon listening on an exposed port) | Apache, Microsoft IIS, OpenSSH |
If the exposed asset is a web service, the external network scanning service also collects HTTP server response code details. If an IP address or an FQDN does not respond to requests, the service retries in the next scanning cycle.
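As an added example (not Cortex Cloud or scanner code), the following parser turns raw responses of the kind a scanner session would receive into the minimal record described above: protocol/port, server software, and the HTTP response code for web services, with a no-response case flagged for retry. The sample responses are constructed, and the record layout is an assumption made for this illustration.

```python
import re

# Added example: reduce a captured response to the minimal exposure record
# (protocol/port, server software, HTTP status). Sample data is constructed.

SSH_BANNER = re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<software>[^\s\r\n]+)")   # RFC 4253 banner
HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d (?P<code>\d{3})")


def parse_http(data):
    """Extract the status code and Server header from a raw HTTP response, or None."""
    m = HTTP_STATUS.match(data)
    if not m:
        return None
    server = None
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
    return {"status": int(m.group("code")), "server": server}


def summarize(port, response, protocol="tcp"):
    """Build the record for one (port, response) pair. An empty response means the
    host did not answer; it is marked for retry in the next cycle, not as exposed."""
    record = {"protocol_port": f"{protocol}/{port}", "server": None, "http_status": None, "retry": False}
    if not response:
        record["retry"] = True
        return record
    m = SSH_BANNER.match(response)
    if m:
        record["server"] = m.group("software").decode("ascii", "replace")
        return record
    http = parse_http(response)
    if http:
        record["server"] = http["server"]
        record["http_status"] = http["status"]
        return record
    # Something answered in a format this example does not recognise: report the port only.
    return record


# Constructed responses standing in for what a scanner session would receive.
SAMPLES = {
    22: b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",
    80: b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache/2.4.58 (Ubuntu)\r\nLocation: https://example.test/\r\n\r\n",
    443: b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n",
    8080: b"",   # connection opened but nothing returned
}


def scan_report(samples=SAMPLES):
    """Records for every sampled port, lowest port first."""
    return [summarize(port, data) for port, data in sorted(samples.items())]


if __name__ == "__main__":
    for rec in scan_report():
        print(rec)
```

Only the first line of the SSH banner and the HTTP status line plus Server header are read; nothing is sent beyond what is needed to elicit those, which is the "minimum information" posture the service is described as having.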
Scanned ports
The external network scanning service scans the following protocols and ports.
The following list of ports and protocols is not exhaustive. For current and complete lists, contact your customer success team.
Protocols: FTS, FTP, HTTP, POP3, Postgres, RDP, SSH, SSL, TCP, Telnet, UDP, VNC, XMPP
Ports: 0, 20, 21, 22, 23, 25, 53, 67, 68, 80, 81, 82, 83, 88, 110, 111, 118, 123, 135, 137, 138, 139, 143, 161, 179, 389, 401, 443, 444, 445, 465, 500, 502, 554, 587, 593, 808, 873, 888, 943, 987, 990, 993, 995, 1000, 1024, 1025, 1026, 1028, 1112, 1234, 1250, 1433, 1434, 1443, 1521, 1717, 1723, 1900, 1911, 2001, 2002, 2078, 2080, 2082, 2083, 2084, 2085, 2086, 2087, 2096, 2121, 2160, 2161, 2222, 2323, 2443, 2483, 2484, 2525, 3000, 3052, 3306, 3333, 3388, 3389, 3390, 3443, 3493, 3905, 3909, 3917, 3929, 3975, 3978, 4002, 4100, 4117, 4172, 4343, 4430, 4433, 4443, 4444, 4500, 4506, 4567, 4786, 4911, 5000, 5001, 5060, 5061, 5222, 5269, 5351, 5353, 5432, 5443, 5555, 5632, 5800, 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909, 5910, 5916, 5984, 5985, 5986, 6001, 6002, 6363, 6379, 6443, 7001, 7080, 7170, 7443, 7547, 7777, 8000, 8005, 8008, 8009, 8010, 8015, 8020, 8080, 8081, 8082, 8083, 8085, 8088, 8090, 8094, 8139, 8140, 8159, 8194, 8195, 8196, 8197, 8198, 8209, 8210, 8211, 8212, 8213, 8214, 8215, 8216, 8217, 8218, 8219, 8220, 8282, 8290, 8291, 8292, 8293, 8294, 8333, 8443, 8444, 8530, 8531, 8800, 8880, 8887, 8888, 8899, 8991, 8999, 9000, 9002, 9042, 9080, 9091, 9092, 9100, 9200, 9418, 9443, 9444, 9595, 9983, 9997, 10000, 10010, 10443, 11211, 11495, 11553, 12345, 16010, 17185, 17516, 17778, 18080, 18574, 20249, 21242, 22460, 25789, 25827, 27017, 28080, 30005, 30006, 30010, 30083, 30303, 32400, 37443, 37777, 38080, 38520, 40000, 40005, 42713, 44344, 44818, 47001, 47693, 47808, 49501, 49502, 50001, 50067, 50070, 50580, 50805, 50995, 50996, 50997, 51005, 51007, 51200, 51401, 52200, 52311, 52590, 52869, 53300, 53524, 53631, 54041, 54498, 54528, 55918, 56222, 58000, 58603, 60000, 60243, 60443, 61337, 62078
External scan IP ranges
The external network scanning service uses the following IP ranges. Exclude these IP ranges from anti-scanning rules (WAF rate limits, IDS/IPS port-scan blocking, automatic blocklists): if these sources are blocked, the scanner cannot confirm an exposure that CNA's configuration analysis has identified.
35.203.210.0/24
35.203.211.0/24
144.86.173.0/24
147.185.132.0/24
147.185.133.0/24
162.216.149.0/24
162.216.150.0/24
172.105.147.0/24
198.235.24.0/24
205.210.31.0/24
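As an added example that is not Cortex Cloud code, the following script checks whether an address falls inside the scanner ranges listed above and reports scanner sessions that an anti-scanning rule dropped, which is the situation the exclusion advice is meant to prevent. The key=value firewall log format, the log lines and the destination address 198.51.100.10 are constructed for this illustration.

```python
import ipaddress
from collections import defaultdict

# Added example: classify firewall hits by source against the published scanner ranges.
# The log format and all log lines below are constructed.

SCANNER_RANGES = [ipaddress.ip_network(c) for c in (
    "35.203.210.0/24", "35.203.211.0/24", "144.86.173.0/24", "147.185.132.0/24",
    "147.185.133.0/24", "162.216.149.0/24", "162.216.150.0/24", "172.105.147.0/24",
    "198.235.24.0/24", "205.210.31.0/24",
)]


def is_scanner(ip):
    """True when ip lies in one of the external scanner ranges; malformed input is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_RANGES)


def parse_line(line):
    # Constructed key=value log format, e.g. "src=1.2.3.4 dst=5.6.7.8 dport=443 action=accept".
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def blocked_scanner_hits(log_lines):
    """Return {scanner_ip: sorted dports} for scanner sessions that a rule dropped.
    Every entry is a port on which the scanner could not complete verification."""
    dropped = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("action") == "drop" and is_scanner(rec.get("src", "")):
            dropped[rec["src"]].add(int(rec["dport"]))
    return {ip: sorted(ports) for ip, ports in dropped.items()}


LOG = [
    "ts=2024-05-01T10:00:00Z src=35.203.210.45 dst=198.51.100.10 dport=443 action=accept",
    "ts=2024-05-01T10:00:01Z src=35.203.210.45 dst=198.51.100.10 dport=22 action=drop",
    "ts=2024-05-01T10:00:02Z src=203.0.113.7 dst=198.51.100.10 dport=22 action=drop",
    "ts=2024-05-01T10:00:03Z src=147.185.133.9 dst=198.51.100.10 dport=8080 action=drop",
    "ts=2024-05-01T10:00:04Z src=not-an-ip dst=198.51.100.10 dport=22 action=drop",
]

if __name__ == "__main__":
    for ip, ports in blocked_scanner_hits(LOG).items():
        print(f"scanner {ip} blocked on ports {ports}")
```

The drop from 203.0.113.7 is ordinary unwanted traffic and stays blocked; the two scanner drops are the ones to reconcile with the exclusion rule, because those ports will show up as unverified in the next cycle.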
Internet exposure rules
Cortex Cloud includes out-of-the-box internet exposure rules and allows you to define custom internet exposure rules. See Create a Network Exposure Rule.
Supported asset types
CNA detects internet exposure for the following cloud services and asset types:
| Provider / Service | AWS | Azure | GCP |
|---|---|---|---|
| Managed virtual machines | Supported | Supported | Supported |
| Managed databases | Supported | Supported | – |
| Serverless functions | Supported | – | – |
| Managed Kubernetes | Supported | Supported | Supported |
CNA supports Kubernetes containers exposed to the internet behind a load balancer or behind an ingress.
Internet exposure detection for Kubernetes services
CNA detects workloads exposed to the internet in Kubernetes clusters using Kubernetes configuration analysis and external scanning. The workloads must meet these requirements:
Kubernetes clusters must be onboarded to Cortex Cloud as described in Onboard the Kubernetes Connector.
Managed Kubernetes offerings in AWS (EKS, ROSA), Azure (AKS, ARO), and GCP (GKE) are supported.
Supported workloads include ReplicaSet, Deployment, DaemonSet, StatefulSet, and CronJob.
A workload is considered reachable from the internet when the following criteria are met:
The Kubernetes workload is exposed behind a load balancer or an ingress.
Kubernetes network policies permit inbound traffic.
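The two criteria above, as an added example that is not Cortex Cloud code: a small evaluator over constructed, simplified Kubernetes manifests (Deployments, Services, an Ingress and a NetworkPolicy) that reports through which Service and target port a workload is reachable. The namespace "shop", the workload and label names, the flattened manifest layout, and the boolean "internal" flag standing in for a provider's internal-load-balancer annotation are all assumptions made for this illustration.

```python
# Added example: evaluate the "behind a load balancer or ingress" and
# "network policies permit inbound traffic" criteria over constructed manifests.

def selects(selector, labels):
    """matchLabels-style selection: every key/value in the selector must be on the object."""
    return all(labels.get(k) == v for k, v in selector.items())


def exposing_services(workload, services, ingresses):
    """Services that select the workload's pods and are reachable from outside the cluster:
    an external LoadBalancer, or a Service referenced as a backend by an Ingress."""
    ingress_backends = {(ing["namespace"], b["service"]) for ing in ingresses for b in ing["backends"]}
    out = []
    for svc in services:
        if svc["namespace"] != workload["namespace"] or not selects(svc["selector"], workload["pod_labels"]):
            continue
        # "internal" models a cloud-provider internal-LB annotation (assumption for this example).
        external_lb = svc["type"] == "LoadBalancer" and not svc.get("internal", False)
        if external_lb or (svc["namespace"], svc["name"]) in ingress_backends:
            out.append(svc)
    return out


def policy_allows_inbound(workload, policies, port):
    """Default-allow when no NetworkPolicy selects the pods. Otherwise some selecting policy
    must have an ingress rule with no 'from' restriction (or an ipBlock of 0.0.0.0/0) that
    covers the port; peers given only by podSelector/namespaceSelector are in-cluster sources."""
    applicable = [
        p for p in policies
        if p["namespace"] == workload["namespace"]
        and selects(p["pod_selector"], workload["pod_labels"])
        and "Ingress" in p["policy_types"]
    ]
    if not applicable:
        return True
    for p in applicable:
        for rule in p["ingress"]:          # an empty ingress list denies everything
            from_anywhere = not rule.get("from") or any(
                peer.get("ipBlock", {}).get("cidr") == "0.0.0.0/0" for peer in rule["from"]
            )
            port_ok = not rule.get("ports") or port in rule["ports"]
            if from_anywhere and port_ok:
                return True
    return False


def internet_exposed(workload, services, ingresses, policies):
    """List of (service name, target port) pairs through which the workload is reachable."""
    paths = []
    for svc in exposing_services(workload, services, ingresses):
        for target_port in svc["target_ports"]:
            if policy_allows_inbound(workload, policies, target_port):
                paths.append((svc["name"], target_port))
    return paths


# Constructed manifests, flattened to the fields the checks need.
WEB = {"name": "web", "kind": "Deployment", "namespace": "shop", "pod_labels": {"app": "web", "tier": "frontend"}}
ADMIN = {"name": "admin", "kind": "Deployment", "namespace": "shop", "pod_labels": {"app": "admin"}}

SERVICES = [
    {"name": "web", "namespace": "shop", "type": "ClusterIP", "selector": {"app": "web"}, "target_ports": [8080]},
    {"name": "admin", "namespace": "shop", "type": "LoadBalancer", "selector": {"app": "admin"}, "target_ports": [9000]},
]
INGRESSES = [{"name": "public", "namespace": "shop", "backends": [{"service": "web", "port": 80}]}]
POLICIES = [
    # admin pods accept tcp/9000 only from in-cluster pods labelled role=ops
    {"name": "admin-restrict", "namespace": "shop", "pod_selector": {"app": "admin"}, "policy_types": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"role": "ops"}}], "ports": [9000]}]},
]

if __name__ == "__main__":
    for wl in (WEB, ADMIN):
        print(wl["name"], internet_exposed(wl, SERVICES, INGRESSES, POLICIES))
```

Here the ClusterIP Service "web" is exposed only because an Ingress fronts it, and the LoadBalancer Service "admin" is not exposed because a NetworkPolicy limits its inbound sources to in-cluster pods; remove that policy and the same evaluator reports admin as reachable on tcp/9000.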
Internet exposure detection for instances deployed behind a Palo Alto Networks Next-Generation firewall
CNA detects inbound exposure of workloads deployed behind a Palo Alto Networks Next-Generation Firewall (NGFW). To scale security appliances in AWS, you can use Gateway Load Balancers (GWLBs) for "transparent" firewall deployments, where AWS encapsulates and decapsulates traffic (GENEVE) between the GWLB and the firewall instances. This topology is considered isolated or distributed, since the firewall deployment is embedded within the workload's own VPC.
The following diagram illustrates a network topology supported by CNA:
The example network topology includes a single VPC where traffic to the target web server (top right) is forced to go through the GWLB (and thus through the NGFW VM-Series instances) to allow firewall inspection of the incoming and outgoing traffic. In a real-life scenario, there may be several firewall instances in the GWLB target group, however for brevity the diagram only shows one. The firewall EC2 instance itself (bottom right) is detected as a NGFW based on its image.
Cortex Cloud analyzes your VPC topology and verifies that it is similar to the one described in this example. Next, it verifies that the GWLB target group instances are NGFW VM-Series instances.
Note
Currently, CNA supports only an isolated architecture with an AWS Gateway Load Balancer (GWLB) within a single VPC. Other more centralized topologies including one security VPC that forwards traffic to other workload VPCs are currently not supported.
Internet exposure detection for instances deployed behind AWS WAF
CNA detects inbound exposure of workloads deployed behind an AWS Web Application Firewall (AWS WAF). AWS WAF is a managed web application firewall service that can be associated with an Application Load Balancer (ALB) to inspect and filter incoming HTTP/HTTPS traffic based on configurable security rules (Web ACLs).
The following diagram illustrates a network topology supported by CNA:
The example network topology includes a VPC where traffic to the target web server (top right) is forced to go through the AWS WAF Web ACL, which inspects incoming HTTP/HTTPS requests before they are forwarded by the ALB to the target instance.
Cortex Cloud analyzes your VPC topology, identifies ALBs with associated WAF Web ACLs, and includes the WAF as a protective node in the exposure path. Workloads behind a WAF-protected ALB are marked as protected by a firewall in the exposure findings.