Design and implement network security Flashcards
Network Security Recommendations with Microsoft Defender for Cloud
Network Security covers controls to secure and protect Azure networks. These controls include securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.
NS-1: Establish network segmentation boundaries - Ensure that your virtual network deployment aligns to your enterprise segmentation strategy. Any workload that incurs higher risk for the organization should be in isolated virtual networks.
NS-2: Secure cloud services with network controls - Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks when possible.
NS-3: Deploy firewall at the edge of enterprise network - Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy.
NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS) - Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that the IDS/IPS is tuned to produce high-quality alerts for your solution.
NS-5: Deploy DDoS protection - Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.
NS-6: Deploy web application firewall - Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.
NS-7: Simplify network security configuration - When managing a complex network environment, use tools to simplify, centralize, and enhance the network security management.
NS-8: Detect and disable insecure services and protocols - Detect and disable insecure services and protocols at the OS, application, or software package layer.
NS-9: Connect on-premises or cloud network privately - Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.
NS-10: Ensure Domain Name System (DNS) security - Ensure that Domain Name System (DNS) security configuration protects against known risks.
Using Microsoft Defender for Cloud for regulatory compliance
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard.
The regulatory compliance dashboard shows the status of all the assessments within your environment for your chosen standards and regulations. As you act on the recommendations and reduce risk factors in your environment, your compliance posture improves.
Alerts in Microsoft Defender for Cloud
Microsoft Defender for Cloud automatically collects, analyzes, and integrates log data from your Azure resources. A list of prioritized security alerts is shown in Microsoft Defender for Cloud along with the information you need to quickly investigate the problem and steps to take to remediate an attack.
Respond to security alerts
- Mitigate the threat. Provides manual remediation steps for this security alert.
- Prevent future attacks. Provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks.
- Trigger automated response. Provides the option to trigger a logic app as a response to this security alert.
- Suppress similar alerts. Provides the option to suppress future alerts with similar characteristics if the alert isn’t relevant for your organization.
Azure DDoS Protection
A denial of service attack (DoS) is an attack that has the goal of preventing access to services or systems. A DoS attack originates from one location. A distributed denial of service (DDoS) attack originates from multiple networks and systems.
Azure DDoS Protection, combined with application design best practices, provides defense against DDoS attacks. Azure DDoS Protection offers the following service tiers:
- Network Protection. Adds mitigation capabilities on top of the infrastructure-level DDoS protection that Azure applies to every resource by default, tuned specifically to Azure Virtual Network resources. It is enabled per virtual network through a DDoS protection plan and requires no application changes.
- IP Protection. A pay-per-protected-IP model: the same mitigation is enabled on an individual public IP address, without a DDoS protection plan.
DDoS Protection protects resources in a virtual network. Protection includes virtual machine public IP addresses, load balancers, and application gateways. When coupled with the Application Gateway WAF, DDoS Protection can provide full layer 3 to layer 7 mitigation capabilities.
Types of DDoS attacks
- Volumetric attacks. These attacks flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Azure DDoS protection features
Native platform integration - Natively integrated into Azure and configured through the portal.
Turnkey protection - Simplified configuration protecting all resources immediately.
Always-on traffic monitoring - Your application traffic patterns are monitored 24 hours a day.
Adaptive tuning - Profiling and adjusting to your service's traffic.
Attack analytics - Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends.
Attack metrics, alerts, and logs - Summarized metrics from each attack are accessible through Azure Monitor.
Multi-layered protection - When deployed with a WAF,
Deploying a DDoS protection plan
- Create a resource group
- Create a DDoS Protection Plan
- Enable DDoS protection on a new or existing virtual network or IP address
- Configure DDoS telemetry
- Configure DDoS diagnostic logs
- Configure DDoS alerts
- Run a test DDoS attack and monitor the results.
Network Security Groups
A Network Security Group (NSG) in Azure allows you to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
- Can be attached to subnets or network interfaces. If both the subnet and the NIC have an NSG, a flow must be allowed by both: inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic in the reverse order.
Each rule has these properties:
- Name
- Priority - A number between 100 and 4096 for custom rules. Rules are processed in priority order, lowest number first; once traffic matches a rule, processing stops, so a broad deny with a lower number shadows any narrower allow behind it.
- Source or destination - Can be set to Any, an individual IP address, a classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), a service tag, or an application security group.
- Protocol - Can be TCP, UDP, ICMP, ESP, AH, or Any.
- Direction - Can be configured to apply to inbound or outbound traffic.
- Port range - Can be specified as an individual port or a range of ports. For example, you could specify 80 or 10000-10005.
- Action - Can be configured to allow or deny.
NSG - Default Security Rules
Inbound Rules
* AllowVNetInBound (Priority 65000) – Allows all traffic within the same Virtual Network.
* AllowAzureLoadBalancerInBound (Priority 65001) – Allows traffic from Azure Load Balancer.
* DenyAllInBound (Priority 65500) – Blocks all other inbound traffic.
Outbound Rules
* AllowVNetOutBound (Priority 65000) – Allows all traffic within the same Virtual Network.
* AllowInternetOutBound (Priority 65001) – Allows outbound traffic to the Internet.
* DenyAllOutBound (Priority 65500) – Blocks all other outbound traffic.
Key Takeaway
* Traffic within a Virtual Network is allowed.
* Internet access is allowed outbound but denied inbound by default.
* A deny-all rule exists for both inbound & outbound traffic unless explicitly allowed.
Application Security Groups
An Application Security Group (ASG) enables you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Features
-Built-in high availability
-Unrestricted cloud scalability - Azure Firewall can scale out as much as you need to accommodate changing network traffic flows.
-Application FQDN filtering rules - You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN), including wildcards.
-Network traffic filtering rules - You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol.
-FQDN tags - These tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag.
-Service tags - Represents a group of IP address prefixes to help minimize complexity for security rule creation.
-Threat intelligence - Threat intelligence-based filtering can be enabled to alert on, or deny, traffic to and from known malicious IP addresses and domains. Signature-based intrusion detection and prevention (IDPS) is a separate capability of the Premium SKU.
-TLS inspection - The firewall (Premium SKU) can decrypt outbound traffic, inspect the data, then re-encrypt it and send it to the destination.
-Outbound SNAT support - All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation (SNAT)). You can identify and allow traffic originating from your virtual network to remote Internet destinations.
-Inbound DNAT support - Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
-Multiple public IP addresses - You can associate multiple public IP addresses (up to 250) with your firewall
-Azure Monitor logging - All events are integrated with Azure Monitor, allowing you to archive logs
-Forced tunneling - You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.
-Web categories - Let administrators allow or deny user access to web site categories such as gambling websites, social media websites, and others
-Certifications - Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.
Rule processing in Azure Firewall
In Azure Firewall, you can configure NAT rules, network rules, and application rules. Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic.
Rule processing with classic rules - With classic rules, rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000.
Rule processing with Firewall Policy - With Firewall Policy, rules are organized inside Rule Collections which are contained in Rule Collection Groups. Rule Collections can be of the following types:
1. DNAT (Destination Network Address Translation) - Used to translate and forward inbound traffic from an external source (e.g., the Internet) to an internal private IP.
2. Network - Controls IP-based traffic (Layer 3 & 4) using source/destination IPs, ports, and protocols.
3. Application - Controls FQDN-based traffic (Layer 7) to filter traffic at the application level.
- You can define multiple Rule Collection types within a single Rule Collection Group. You can define zero or more Rules in a Rule Collection, but the rules within a Rule Collection must be of the same type.
- With Firewall Policy, rules are processed based on Rule Collection Group Priority and Rule Collection priority. Priority is any number between 100 (highest priority) and 65,000 (lowest priority)
- Application rules are always processed after network rules, which are themselves always processed after DNAT rules regardless of Rule Collection Group or Rule Collection priority and policy inheritance.
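The processing order above can be made concrete with a small model. The following Python is an added example written for this page, not Azure's implementation: DNAT, then network, then application rule collections are evaluated, each type ordered by rule collection group priority and then rule collection priority, and anything unmatched is denied. The policy names, address ranges and FQDNs are constructed. Two outcomes are worth noting: a network deny in a group at priority 60000 still blocks HTTPS to www.microsoft.com even though an application allow rule sits in a group at priority 100, because network rules are always evaluated before application rules; and an allow in the priority-100 group wins over a deny in the priority-60000 group for RDP even though the deny's own collection priority (100) is numerically lower than the allow's (50000), because group priority is compared first.

```python
"""Toy model of Azure Firewall Policy rule processing (added example, not
Azure's implementation): DNAT, then Network, then Application collections,
each type ordered by Rule Collection Group priority and then Rule Collection
priority, with an implicit deny when nothing matches."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

TYPE_ORDER = ("DNAT", "Network", "Application")   # fixed, regardless of priorities

def addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)

@dataclass
class Rule:
    name: str
    sources: list                                     # CIDRs or "*"
    protocols: list                                   # L3/4: "TCP"/"UDP"/"ICMP"/"*"; application: "Http:80", "Https:443"
    destinations: list = field(default_factory=list)  # Network/DNAT: CIDRs or "*"
    ports: list = field(default_factory=list)         # Network/DNAT: destination ports or "*"
    fqdns: list = field(default_factory=list)         # Application: FQDNs, wildcards allowed

@dataclass
class RuleCollection:
    name: str
    kind: str        # "DNAT" | "Network" | "Application"
    priority: int    # 100 (highest) .. 65000 (lowest)
    action: str      # "Allow" | "Deny" ("Dnat" for DNAT collections)
    rules: list

@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: list

@dataclass
class Flow:
    src: str
    dst: str         # destination IP
    port: int
    protocol: str    # layer-4 protocol
    fqdn: str = ""   # HTTP Host or TLS SNI when the firewall can see it

def rule_matches(kind, rule, flow):
    if not any(addr_matches(s, flow.src) for s in rule.sources):
        return False
    if kind == "Application":
        port_ok = any(int(p.split(":")[1]) == flow.port for p in rule.protocols)
        return port_ok and bool(flow.fqdn) and any(fnmatch(flow.fqdn, f) for f in rule.fqdns)
    return ("*" in rule.protocols or flow.protocol in rule.protocols) \
        and any(addr_matches(d, flow.dst) for d in rule.destinations) \
        and ("*" in rule.ports or flow.port in rule.ports)

def evaluate(policy, flow):
    """Return (action, 'group/collection/rule'), or ('Deny', 'implicit-deny')."""
    for kind in TYPE_ORDER:
        candidates = [(g, c) for g in policy for c in g.collections if c.kind == kind]
        candidates.sort(key=lambda gc: (gc[0].priority, gc[1].priority))
        for group, coll in candidates:
            for rule in coll.rules:
                if rule_matches(kind, rule, flow):
                    return coll.action, f"{group.name}/{coll.name}/{rule.name}"
    return "Deny", "implicit-deny"

# Constructed policy (names, addresses and FQDNs are assumptions, not from the page).
POLICY = [
    RuleCollectionGroup("parent-rcg", 100, [
        RuleCollection("allow-web", "Application", 100, "Allow", [
            Rule("ms-sites", ["10.0.0.0/16"], ["Http:80", "Https:443"], fqdns=["*.microsoft.com"])]),
        RuleCollection("allow-dns", "Network", 500, "Allow", [
            Rule("azure-dns", ["10.0.0.0/16"], ["UDP"], ["168.63.129.16/32"], [53])]),
        RuleCollection("allow-rdp-admin", "Network", 50000, "Allow", [
            Rule("rdp-from-jump", ["10.0.1.0/24"], ["TCP"], ["10.0.2.0/24"], [3389])]),
    ]),
    RuleCollectionGroup("local-rcg", 60000, [
        RuleCollection("block-tls-out", "Network", 100, "Deny", [
            Rule("no-443", ["10.0.0.0/16"], ["TCP"], ["*"], [443])]),
        RuleCollection("deny-rdp", "Network", 100, "Deny", [
            Rule("no-rdp", ["10.0.0.0/16"], ["TCP"], ["*"], [3389])]),
    ]),
]

HTTPS_TO_MS = Flow("10.0.0.4", "20.50.1.1", 443, "TCP", fqdn="www.microsoft.com")
HTTP_TO_MS = Flow("10.0.0.4", "20.50.1.1", 80, "TCP", fqdn="learn.microsoft.com")
RDP_FROM_JUMP = Flow("10.0.1.5", "10.0.2.9", 3389, "TCP")
DNS_TO_PUBLIC = Flow("10.0.0.4", "8.8.8.8", 53, "UDP")

if __name__ == "__main__":
    for flow in (HTTPS_TO_MS, HTTP_TO_MS, RDP_FROM_JUMP, DNS_TO_PUBLIC):
        print(flow, "->", evaluate(POLICY, flow))
```

The HTTPS flow is the one that surprises people: the application rule that would allow it is never consulted because a matching network rule, however low its group priority, terminates processing first. When you need an application-layer allow to take effect, make sure no network rule collection of either action matches the same flow.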
Azure Firewall Manager
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
- Simplifies the process of centrally defining network and application-level rules for traffic filtering across multiple Azure Firewall instances.
- If you manage multiple firewalls, it’s often difficult to keep the firewall rules in sync.
Firewall Manager can provide security management for two network architecture types:
- Secured Virtual Hub. This name is given to any Azure Virtual WAN Hub with associated security and routing policies.
- Hub Virtual Network. This name is given to any standard Azure virtual network with associated security policies.
Firewall Manager - Features
Central Azure Firewall deployment and configuration
Hierarchical policies (global and local) - Your central IT teams can author global firewall policies to enforce organization wide firewall policy across teams.
Integrated with third-party security-as-a-service for advanced security - In addition to Azure Firewall, you can integrate third-party security-as-a-service providers to provide extra network protection.
Centralized route management - You can easily route traffic to your secured hub for filtering and logging without the need to manually set up User Defined Routes (UDR) on spoke virtual networks.
Region availability - You can use Azure Firewall Policies across regions.
DDoS protection plan - You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager.
Manage Web Application Firewall policies - You can centrally create and associate Web Application Firewall (WAF) policies for your application delivery platforms, including Azure Front Door and Azure Application Gateway.
Firewall Manager - Policies
A Firewall policy is an Azure resource that contains NAT, network, and application rule collections and Threat Intelligence settings. It’s a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks.
- You can create Firewall Policy and associations with Azure Firewall Manager.
Deploying Azure Firewall Manager for Hub Virtual Networks
The recommended process to deploy Azure Firewall Manager for Hub Virtual Networks is:
1. Create a firewall policy. You can create a new policy, derive one from a base policy and customize it locally, or import rules from an existing Azure Firewall.
2. Create a hub and spoke architecture.
3. Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.
4. Configure User Defined Routes to route traffic to the Hub Virtual Network firewall.
Deploying Azure Firewall Manager for Secured Virtual Hubs
The recommended process to deploy Azure Firewall Manager for Secured Virtual Hubs is as follows:
1. Create a hub and spoke architecture.
2. Select security providers. Create a Secured Virtual Hub, or convert an existing Virtual WAN Hub to a Secure Virtual Hub.
3. Create a firewall policy and associate it with your hub. Only applicable if you’re using Azure Firewall.
**4. Configure route settings to route traffic to your Secured Virtual Hub.** You can easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke virtual networks by using the Secured Virtual Hub Route Setting page.
Web Application Firewall on Azure Front Door
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.
Web Application Firewall policy modes
- By default, a WAF policy is in Detection mode. In Detection mode, WAF doesn’t block any requests. Instead, requests matching the WAF rules are logged.
- In Prevention mode, requests that match rules are blocked and logged.
Web Application Firewall Default Rule Set rule groups and rules
Azure Front Door web application firewall protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats.
Azure-managed Default Rule Set includes rules against these threat categories:
- Cross-site scripting, Java attacks, Local file inclusion, PHP injection attacks, Remote command execution, Remote file inclusion, Session fixation, SQL injection protection, Protocol attackers
- Azure-managed Default Rule Set is enabled by default.
- You can disable an individual rule
Custom rules
Azure WAF with Front Door allows you to control access to your web applications based on the conditions you define. A custom WAF rule consists of a priority number, rule type, match conditions, and an action.
**What are the two types of custom rule in a WAF policy?** Match rules and rate limit rules.
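The two policy modes and the two custom rule types can be seen together in a small model. The following Python is an added example written for this page, not Azure's implementation: custom rules run in priority order; a match rule fires when its conditions match; a rate limit rule fires only once a client IP exceeds its threshold within the window (a sliding window in seconds here, a simplification of the service's 1- or 5-minute rate limit duration); in Detection mode a Block action is logged but the request is let through, in Prevention mode it is blocked. The client addresses, paths, threshold and timestamps are constructed.

```python
"""Toy model of a Front Door WAF policy's custom rules (added example, not
Azure's code): priority order, match vs rate-limit rules, and Detection
vs Prevention mode."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass(frozen=True)
class Request:
    client_ip: str
    path: str
    t: float            # arrival time in seconds (constructed)

@dataclass(frozen=True)
class CustomRule:
    name: str
    priority: int
    rule_type: str      # "MatchRule" | "RateLimitRule"
    action: str         # "Allow" | "Block" | "Log"
    match: Callable[[Request], bool]
    threshold: int = 0          # RateLimitRule: requests allowed per window
    window_seconds: int = 60    # RateLimitRule: window length

class WafPolicy:
    def __init__(self, rules, mode="Detection"):
        self.mode = mode                      # "Detection" | "Prevention"
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.log = []                         # (rule, action, client_ip, path, enforced)
        self._hits = defaultdict(deque)       # (rule name, client_ip) -> timestamps

    def _over_limit(self, rule, req):
        q = self._hits[(rule.name, req.client_ip)]
        while q and req.t - q[0] >= rule.window_seconds:   # sliding window (simplification)
            q.popleft()
        q.append(req.t)
        return len(q) > rule.threshold

    def handle(self, req):
        """Return ('Allow'|'Block', matched rule name or None)."""
        for rule in self.rules:
            if not rule.match(req):
                continue
            if rule.rule_type == "RateLimitRule" and not self._over_limit(rule, req):
                continue
            enforced = rule.action != "Block" or self.mode == "Prevention"
            self.log.append((rule.name, rule.action, req.client_ip, req.path, enforced))
            if rule.action == "Allow":
                return "Allow", rule.name
            if rule.action == "Block":
                return ("Block" if enforced else "Allow"), rule.name
            # "Log": record the hit and keep evaluating lower-priority rules
        return "Allow", None

# Constructed rules and traffic (assumed values, not from the page).
BAD_RANGE = ip_network("203.0.113.0/24")
RULES = [
    CustomRule("block-bad-range", 10, "MatchRule", "Block",
               lambda r: ip_address(r.client_ip) in BAD_RANGE),
    CustomRule("login-rate-limit", 20, "RateLimitRule", "Block",
               lambda r: r.path == "/login", threshold=5, window_seconds=60),
]

def run(mode):
    """Replay constructed traffic through a policy in the given mode."""
    waf = WafPolicy(RULES, mode)
    decisions = [waf.handle(Request("203.0.113.9", "/", 0.0))]
    decisions += [waf.handle(Request("198.18.0.7", "/login", float(i))) for i in range(7)]
    decisions.append(waf.handle(Request("198.18.0.7", "/login", 100.0)))   # outside the window
    return decisions, waf.log

if __name__ == "__main__":
    for mode in ("Detection", "Prevention"):
        decisions, log = run(mode)
        print(mode, [d[0] for d in decisions])
        print("  logged:", [(e[0], e[4]) for e in log])
```

Both modes produce the same log entries for the same rule hits; only the `enforced` flag and the returned decision differ. That is what makes Detection mode safe for tuning a new policy: you can see which requests would be blocked, including the sixth and seventh login attempts inside the window, before switching to Prevention.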
Create a Web Application Firewall policy on Azure Front Door
The key steps to create a WAF policy on Azure Front Door using the Azure portal are:
1. Create a Web Application Firewall policy. Create a basic WAF policy with managed Default Rule Set (DRS).
2. Associate the WAF policy with a Front Door profile.
3. Configure WAF policy settings and rules.