4.1 Azure Security Features

Question 1

What is Azure Security Center?

Answer 1

It helps you keep up with security best practices and provides steps to keep resources configured in a secure matter.

Question 2

How many tiers does Azure Security Center offer?

Answer 2

Two tiers

Free tier: provides general assessment and recommendations for securing Azure resources. Also provides a security score.

Azure Defender tier: enables the securing of VMs, applications, and networks. It also has advanced threat detection, analysis from Microsoft Threat Intelligence, and enables the management of regulatory compliance. It also provides Microsoft Endpoint for servers.

Question 3

What is Azure Key Vault?

Answer 3

It provides a secure way to store secrets, keys, and certificates.

Access to these secrets is controlled by security policies.

Key Vault is encrypted and Microsoft cannot see the encryption key or data.

Question 4

What are the two pricing tiers of Azure Key Vault?

Answer 4

Standard and Premium. There is only one difference. Premium tier stores keys in HARDWARE SECURITY MODULES (HSM).

Question 5

What is a HARDWARE SECURITY MODULE that is used in the premium version of Azure Key Vault?

Answer 5

A Hardware Security Module is hardware designed to securely store encrypted data and specializes in processing cryptographic data.

Question 6

What does the Federal Information processing Standard (FIPS) 140-2 require for the storage of encryption keys?

Answer 6

It requires encryption keys to be stored in an HSM. Azure Key Vault Premium meets this requirement.

Question 7

Can Azure Key Vault generate keys and certificates?

Answer 7

Yes

Question 8

How are keys accessed in Azure Key Vault?

Answer 8

Keys are accessed programmatically and retrieved each time an application needs the key rather than storing it in memory.

Question 9

Can Azure Key Vault be used for VHD disk encryption for VMs?

Answer 9

Yes

Question 10

What is Azure Sentinel

Answer 10

Azure Sentinel enables you to implement SOAR and SIEM.

Question 11

What does SOAR stand for?

Answer 11

Security Orchestration, Automation, and Response

Question 12

What does SIEM stand for?

Answer 12

Security Information and Event Management.

Question 13

In Azure Sentinel, what does a PLAYBOOK do?

Answer 13

A Playbook is a workflow that runs in response to an alert in Sentinel.

Question 14

What doe PLAYBOOKS in Azure Sentinel use for their workflows?

Answer 14

Sentinel uses Logic Apps to process workflows.

Question 15

What is Azure Dedicated Host?

Answer 15

Azure Dedicated Host reserves an entire physical host computer to run VMs. This is important for the security compliance of specific industries.

Question 16

How are updates applied to a host computer that is operating as an Azure Dedicated Host?

Answer 16

The person who has the dedicated host subscription chooses the timeframe of when updates are applied to the host computer.

Question 17

What are HOST GROUPs in Azure Dedicated Host?

Answer 17

Host groups support the use of availability zones and fault domains for fault tolerance.

Host groups contain Azure Dedicated Hosts and VMs that are deployed to the hosts in the group.

Question 18

What is a Network Security Group (NSG)?

Answer 18

A NSG lets you filter and apply rules to network traffic.

Azure predefined rules for NSGs to enable resources to communicate together.

NSGs can be used to control traffic into and out of a network or resource.

Question 19

What can Network Security Groups (NSG) be associated with?

Answer 19

NSGs can be associated with a subnet or network interface attached to a VM.

Question 20

How many NSGs can be assigned to each network interface or subnet?

Answer 20

Only one NSG can be assigned BUT one NSG can support up to 1000 rules.

Question 21

In a NSG, what do priority numbers range between?

Answer 21

In NSGs, priority numbers range between 100 and 4096.

Question 22

Why are rules created within a NSG assigned a priority number?

Answer 22

Assigning a PRIORITY NUMBER prevents rules from interfering with each other. The LOWEST priority number takes precedent over rules with HIGHER priority numbers.

Question 23

Why do Network Security Groups (NSGs) use a FLOW RECORD?

Answer 23

FLOW RECORDs store the state of a connection, thus allowing NSGs to allow traffic that corresponds to the flow record without an explicit rule.

This ensures that it is not necessary to create an inbound rule for every outbound rule and visa versa.

Question 24

When dealing with NSGs, what role does a SERVICE TAG play?

Answer 24

SERVICE TAGs are a special identifier that applies to the internet or specific service types within Azure.

Question 25

What is Azure Firewall?

Answer 25

Azure Firewall is a PaaS offering. It scales based on network needs thus preventing traffic spikes that cause latency or downtime of applications.

Azure Firewall is a STATEFUL firewall. Stateful firewalls stores data in memory about the state of the network connections that flow through it.

Question 26

In Azure Firewall, what is a JUMPBOX?

Answer 26

A JUMPBOX is a VM that you can remote into in order to manage other VMs in the network.

Question 27

What does a typical Azure Firewall setup look like?

Answer 27

A CENTRALIZED HUB NETWORK: Contains the Azure Firewall and a VM running the JUMPBOX. Exposes a public IP but is protected by the firewall.

SPOKE NETWORKS: Contain Azure resources. Do not expose their IP to the public.

Question 28

How do you remote into a VM that is located in a SPOKE NETWORK?

Answer 28

First you must remote into the JUMPBOX VM. From there, you remote into the VM located in the HUB NETWORK.

Question 29

After setting up an Azure Firewall, what next step should you take?

Answer 29

After setting up an Azure Firewall, you must direct Azure traffic to the firewall and configure firewall rules. These rules ensure that the firewall knows what to do with the traffic recieved.

You must also configure a ROUTE TABLE.

Question 30

What is a Route Table in Azure and what is it used for?

Answer 30

A Route table is an Azure resource that is associated with a subnet.

It contains rules (routes) that define how network traffic in the subnet is handled.

Question 31

What are the three RULE COLLECTIONS in Azure Firewall?

Answer 31

NAT RULE COLLECTION: This rule forwards traffic from the firewall to another device on the network.

NETWORK RULE COLLECTION: Allow traffic on specific IP address ranges and ports.

APPLICATION RULES COLLECTION: Allow applications to communicate across the network. Can also allow particular domain names.

Question 32

How does Azure Firewall prioritize all security rules?

Answer 32

Azure Firewall combines specific rule types into a RULE COLLECTION. The rules are prioritized from 100 to 65000. Lower numbers are higher priority

Question 33

In what order are Azure Firewall rule collections applied?

Answer 33

They are applied in order: NAT rules, Network rules, and then Application rules are applied.

Question 34

What are the two tiers of Azure DDoS Protection?

Answer 34

BASIC: protects against DDoS attacks by distributing the DDoS traffic across the entire Azure network infrastructure. Does not provide logging/reporting of DDoS mitigation, and does not provide reports.

STANDARD: combined with Azure Application Gateway, offers protection from attacks on application security. Offers logging and alerting, and provides expert help during a DDoS attack. Applies only to IPv6 public IP addresses.

Question 35

Can you add virtual networks from multiple Azure subscriptions to the same DDoS Protection plan?

Answer 35

Yes