4.1 Azure Security Features Flashcards
What is Azure Security Center?
It helps you keep up with security best practices and provides steps to keep resources configured in a secure manner.
How many tiers does Azure Security Center offer?
Two tiers
Free tier: provides general assessment and recommendations for securing Azure resources. Also provides a security score.
Azure Defender tier: enables the securing of VMs, applications, and networks. It also has advanced threat detection, analysis from Microsoft Threat Intelligence, and enables the management of regulatory compliance. It also provides Microsoft Endpoint for servers.
What is Azure Key Vault?
It provides a secure way to store secrets, keys, and certificates.
Access to these secrets is controlled by security policies.
Key Vault is encrypted and Microsoft cannot see the encryption key or data.
What are the two pricing tiers of Azure Key Vault?
Standard and Premium. There is only one difference: the Premium tier stores keys in HARDWARE SECURITY MODULES (HSMs).
What is a HARDWARE SECURITY MODULE that is used in the premium version of Azure Key Vault?
A Hardware Security Module is hardware designed to securely store encrypted data and specializes in processing cryptographic data.
What does the Federal Information Processing Standard (FIPS) 140-2 require for the storage of encryption keys?
It requires encryption keys to be stored in an HSM. Azure Key Vault Premium meets this requirement.
Can Azure Key Vault generate keys and certificates?
Yes
How are keys accessed in Azure Key Vault?
Keys are accessed programmatically and retrieved each time an application needs the key rather than storing it in memory.
Can Azure Key Vault be used for VHD disk encryption for VMs?
Yes
What is Azure Sentinel?
Azure Sentinel enables you to implement SOAR and SIEM.
What does SOAR stand for?
Security Orchestration, Automation, and Response
What does SIEM stand for?
Security Information and Event Management.
In Azure Sentinel, what does a PLAYBOOK do?
A Playbook is a workflow that runs in response to an alert in Sentinel.
What do PLAYBOOKS in Azure Sentinel use for their workflows?
Sentinel uses Logic Apps to process workflows.
What is Azure Dedicated Host?
Azure Dedicated Host reserves an entire physical host computer to run VMs. This is important for the security compliance of specific industries.
How are updates applied to a host computer that is operating as an Azure Dedicated Host?
The person who has the dedicated host subscription chooses the timeframe of when updates are applied to the host computer.
What are HOST GROUPs in Azure Dedicated Host?
Host groups support the use of availability zones and fault domains for fault tolerance.
Host groups contain Azure Dedicated Hosts and VMs that are deployed to the hosts in the group.
What is a Network Security Group (NSG)?
An NSG lets you filter and apply rules to network traffic.
Azure provides predefined rules for NSGs to enable resources to communicate with each other.
NSGs can be used to control traffic into and out of a network or resource.
What can Network Security Groups (NSG) be associated with?
NSGs can be associated with a subnet or network interface attached to a VM.
How many NSGs can be assigned to each network interface or subnet?
Only one NSG can be assigned BUT one NSG can support up to 1000 rules.
In an NSG, what do priority numbers range between?
In NSGs, priority numbers range between 100 and 4096.
Why are rules created within a NSG assigned a priority number?
Assigning a PRIORITY NUMBER prevents rules from interfering with each other. The LOWEST priority number takes precedence over rules with HIGHER priority numbers.
Why do Network Security Groups (NSGs) use a FLOW RECORD?
FLOW RECORDs store the state of a connection, allowing NSGs to permit traffic that corresponds to the flow record without an explicit rule.
This means it is not necessary to create an inbound rule for every outbound rule and vice versa.
When dealing with NSGs, what role does a SERVICE TAG play?
SERVICE TAGs are special identifiers that apply to the internet or to specific service types within Azure.
What is Azure Firewall?
Azure Firewall is a PaaS offering. It scales based on network needs, thus preventing traffic spikes from causing latency or downtime of applications.
Azure Firewall is a STATEFUL firewall. Stateful firewalls store data in memory about the state of the network connections that flow through them.
In Azure Firewall, what is a JUMPBOX?
A JUMPBOX is a VM that you can remote into in order to manage other VMs in the network.
What does a typical Azure Firewall setup look like?
A CENTRALIZED HUB NETWORK: Contains the Azure Firewall and a VM running the JUMPBOX. Exposes a public IP but is protected by the firewall.
SPOKE NETWORKS: Contain Azure resources. Do not expose their IP to the public.
How do you remote into a VM that is located in a SPOKE NETWORK?
First you must remote into the JUMPBOX VM. From there, you remote into the VM located in the HUB NETWORK.
After setting up an Azure Firewall, what next step should you take?
After setting up an Azure Firewall, you must direct Azure traffic to the firewall and configure firewall rules. These rules ensure that the firewall knows what to do with the traffic received.
You must also configure a ROUTE TABLE.
What is a Route Table in Azure and what is it used for?
A Route table is an Azure resource that is associated with a subnet.
It contains rules (routes) that define how network traffic in the subnet is handled.
What are the three RULE COLLECTIONS in Azure Firewall?
NAT RULE COLLECTION: This rule forwards traffic from the firewall to another device on the network.
NETWORK RULE COLLECTION: Allow traffic on specific IP address ranges and ports.
APPLICATION RULE COLLECTION: Allow applications to communicate across the network. Can also allow particular domain names.
How does Azure Firewall prioritize all security rules?
Azure Firewall combines specific rule types into a RULE COLLECTION. The rules are prioritized from 100 to 65000. Lower numbers are higher priority.
In what order are Azure Firewall rule collections applied?
They are applied in order: NAT rules first, then Network rules, and then Application rules.
What are the two tiers of Azure DDoS Protection?
BASIC: protects against DDoS attacks by distributing the DDoS traffic across the entire Azure network infrastructure. Does not provide logging or reporting of DDoS mitigation.
STANDARD: combined with Azure Application Gateway, offers protection from attacks on application security. Offers logging and alerting, and provides expert help during a DDoS attack. Applies only to IPv6 public IP addresses.
Can you add virtual networks from multiple Azure subscriptions to the same DDoS Protection plan?
Yes