Design and implement network security Flashcards

1
Q

What is network security about?

A

Network Security covers controls to secure and protect Azure networks. These controls include securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

2
Q

List the 10 Network Security principles and briefly describe them.

A

NS-1: Establish network segmentation boundaries
Security Principle. Ensure that your virtual network deployment aligns to your enterprise segmentation strategy. Any workload that incurs higher risk for the organization should be in isolated virtual networks.

NS-2: Secure cloud services with network controls
Security Principle. Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible.

NS-3: Deploy firewall at the edge of enterprise network
Security Principle. Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If necessary, use custom routes for your subnet to override the system route. This method forces the network traffic to go through a network appliance for security control purpose.

NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
Security Principle. Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your solution.

NS-5: Deploy DDOS protection
Security Principle. Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.

NS-6: Deploy web application firewall
Security Principle. Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.

NS-7: Simplify network security configuration
Security Principle. When managing a complex network environment, use tools to simplify, centralize, and enhance the network security management.

NS-8: Detect and disable insecure services and protocols
Security Principle. Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols isn’t possible.

NS-9: Connect on-premises or cloud network privately
Security Principle. Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.

NS-10: Ensure Domain Name System (DNS) security
Security Principle. Ensure that Domain Name System (DNS) security configuration protects against known risks.

3
Q

What is DDoS and how does it work?

A

A denial of service (DoS) attack aims to prevent access to a service or system. A DoS attack originates from a single source. A distributed denial of service (DDoS) attack originates from many systems across multiple networks, which makes it far harder to block by source address.

A DDoS attack tries to exhaust an API’s or application’s resources (bandwidth, connection state, CPU), making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

4
Q

What 2 tiers does Azure DDoS protection provide?

A
  1. Network Protection - Adds mitigation capabilities on top of the free, always-on DDoS infrastructure protection, tuned specifically to Azure Virtual Network resources. It is simple to enable and requires no application changes. Policies are applied to public IP addresses associated with resources deployed in protected virtual networks. Real-time telemetry is available through Azure Monitor views during an attack and as history; rich attack mitigation analytics are available via diagnostic settings. Application-layer protection can be added through the Azure Application Gateway Web Application Firewall (WAF). Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  2. IP Protection - A pay-per-protected-IP model. DDoS IP Protection has the same core engineering features as DDoS Network Protection but does not include the value-added services that come with Network Protection: DDoS rapid response support, cost protection, and discounts on WAF.
5
Q

What resources does Azure DDoS protection protect?

A

DDoS Protection protects resources in a virtual network. Protection includes virtual machine public IP addresses, load balancers, and application gateways. When coupled with the Application Gateway WAF, DDoS Protection can provide full layer 3 to layer 7 mitigation capabilities.

6
Q

What 3 types of attack can Azure DDoS Protection mitigate?

A
  1. Volumetric attacks - These attacks flood the network layer with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed-packet floods.
  2. Protocol attacks - These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. Attacks include SYN floods, reflection attacks, and other protocol attacks.
  3. Resource (application) layer attacks - These attacks target web application packets to disrupt the transmission of data between hosts. Attacks include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Azure DDoS Protection itself operates at layers 3 and 4; layer 7 attacks are mitigated by pairing it with a WAF.
7
Q

Name 5 key features that Azure DDoS Protection provides.

A

Some of Azure DDoS protection features include:

  • Native platform integration. Natively integrated into Azure and configured through portal.
  • Turnkey protection. Simplified configuration protecting all resources immediately.
  • Always-on traffic monitoring. Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks.
  • Adaptive tuning. Profiling and adjusting to your service’s traffic.
  • Attack analytics. Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends.
  • Attack metrics and alerts. Summarized metrics from each attack are accessible through Azure Monitor. Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics.
  • Multi-layered protection. When deployed with a WAF, DDoS Protection protects both at the network layer and the application layer.
8
Q

What is a Network Security Group?

A

A Network Security Group (NSG) in Azure allows you to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

9
Q

What does a NSG evaluate when processing traffic?

A

The NSG evaluates each rule against the 5-tuple of the traffic: source, source port, destination, destination port, and protocol. Rules are processed in priority order (lower number first); the first rule that matches decides Allow or Deny and evaluation stops. Every NSG also carries platform default rules at priorities 65000 and above, ending in a deny-all, so traffic that matches no custom rule is denied.

10
Q

What is the caveat for inbound & outbound traffic in relation to NSGs?

A

For inbound traffic, Azure processes the rules in the network security group associated with the subnet first, if there is one, and then the rules in the network security group associated with the network interface, if there is one.

For outbound traffic, Azure processes the rules in the network security group associated with the network interface first, if there is one, and then the rules in the network security group associated with the subnet, if there is one.

The caveat: traffic must be allowed by both NSGs to pass. A Deny in the first NSG ends evaluation, and an Allow in the first NSG still requires a matching Allow in the second. A NIC-level NSG that only carries the default rules will silently deny Internet traffic that a subnet-level rule allowed.

11
Q

What does an Application Security Group provide?

A

An Application Security Group (ASG) enables you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.
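The following is an added worked example, not code from the flashcards or from Azure. It simulates the NSG behaviour described in the three cards above: first-match evaluation in priority order, the subnet-then-NIC order for inbound traffic (NIC-then-subnet for outbound), the requirement that both NSGs allow the traffic, and Application Security Groups as "ASG:<name>" selectors. The VNet address space, ASG membership, rule names and packets are all constructed for the demo; the default-rule priorities are the real ones Azure uses.

```python
"""Added simulation (not Azure's code) of how NSG rules are evaluated."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIXES = ["10.0.0.0/16"]          # hypothetical VNet address space
ASG_MEMBERS = {                          # hypothetical ASG membership (NIC private IPs)
    "asg-web": ["10.0.1.4", "10.0.1.5"],
    "asg-db": ["10.0.2.4"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; platform defaults use 65000+
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "Icmp" | "*"
    source: str         # "*", IP/CIDR, service tag, or "ASG:<name>"
    source_port: str    # "*", "N" or "N-M"
    destination: str
    dest_port: str

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int

# Subset of the default rules Azure adds to every NSG (priorities are the real ones).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

def in_vnet(ip: str) -> bool:
    return any(ip_address(ip) in ip_network(p) for p in VNET_PREFIXES)

def addr_matches(selector: str, ip: str) -> bool:
    """Resolve a rule's source/destination selector against one concrete IP."""
    if selector == "*":
        return True
    if selector.startswith("ASG:"):
        return ip in ASG_MEMBERS.get(selector[4:], [])
    if selector == "VirtualNetwork":
        return in_vnet(ip)
    if selector == "Internet":               # simplified here: anything outside the VNet
        return not in_vnet(ip)
    return ip_address(ip) in ip_network(selector)   # literal IP or CIDR

def port_matches(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    lo, _, hi = selector.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(name: str, custom_rules: list, pkt: Packet) -> tuple:
    """First matching rule in ascending priority order decides; defaults fill the tail."""
    candidates = sorted((r for r in custom_rules + DEFAULT_RULES if r.direction == pkt.direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if (r.protocol in ("*", pkt.protocol)
                and addr_matches(r.source, pkt.src) and port_matches(r.source_port, pkt.src_port)
                and addr_matches(r.destination, pkt.dst) and port_matches(r.dest_port, pkt.dst_port)):
            return r.access, f"{name}/{r.name}"
    raise RuntimeError("unreachable: a DenyAll default rule always matches")

def evaluate(subnet_nsg, nic_nsg, pkt: Packet) -> tuple:
    """Subnet NSG then NIC NSG for inbound, the reverse for outbound. Either may be None.
    The first Deny ends evaluation; otherwise every present NSG must allow the packet."""
    order = [subnet_nsg, nic_nsg] if pkt.direction == "Inbound" else [nic_nsg, subnet_nsg]
    decision = ("Allow", "no-nsg-attached")
    for nsg in order:
        if nsg is None:
            continue
        decision = evaluate_nsg(nsg[0], nsg[1], pkt)
        if decision[0] == "Deny":
            return decision
    return decision

# Constructed policy: an NSG on the web subnet plus a NIC NSG on one web VM.
SUBNET_NSG = ("nsg-web-subnet", [
    Rule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "ASG:asg-web", "443"),
    Rule("allow-web-to-sql", 110, "Inbound", "Allow", "Tcp", "ASG:asg-web", "*", "ASG:asg-db", "1433"),
])
WEB_NIC_NSG = ("nsg-web-nic", [
    Rule("deny-abusive-range", 100, "Inbound", "Deny", "*", "203.0.113.0/24", "*", "*", "*"),
    Rule("allow-https-in", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
])
DEFAULTS_ONLY_NIC_NSG = ("nsg-defaults-only", [])

def demo() -> dict:
    """Run constructed packets through the two-stage evaluation."""
    https_ok = Packet("Inbound", "Tcp", "198.51.100.7", 51000, "10.0.1.4", 443)
    https_bad_src = Packet("Inbound", "Tcp", "203.0.113.9", 51000, "10.0.1.4", 443)
    ssh_in = Packet("Inbound", "Tcp", "198.51.100.7", 51001, "10.0.1.4", 22)
    sql_in = Packet("Inbound", "Tcp", "10.0.1.4", 49152, "10.0.2.4", 1433)
    dns_out = Packet("Outbound", "Udp", "10.0.1.4", 5353, "1.1.1.1", 53)
    return {
        "https_from_internet": evaluate(SUBNET_NSG, WEB_NIC_NSG, https_ok),
        "https_from_blocked_range": evaluate(SUBNET_NSG, WEB_NIC_NSG, https_bad_src),
        "ssh_from_internet": evaluate(SUBNET_NSG, WEB_NIC_NSG, ssh_in),
        "sql_from_web_tier": evaluate(SUBNET_NSG, None, sql_in),
        "dns_outbound": evaluate(SUBNET_NSG, WEB_NIC_NSG, dns_out),
        # a NIC NSG with only default rules denies Internet traffic the subnet NSG allowed
        "https_nic_defaults_only": evaluate(SUBNET_NSG, DEFAULTS_ONLY_NIC_NSG, https_ok),
    }
```

The last case in `demo()` is the one that bites in practice: attaching an NSG to a NIC "for later" with no custom rules breaks inbound Internet traffic that the subnet NSG already permits, because the NIC-level DenyAllInBound default is evaluated second and wins.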

12
Q

What is Azure Firewall and what does it offer?

A

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

13
Q

Name 5 features Azure Firewall provides.

A
  • Built-in high availability: High availability is built in, so no extra load balancers are required and there’s nothing you need to configure.
  • Unrestricted cloud scalability: Azure Firewall can scale out as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.
  • Application FQDN filtering rules: You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards. This feature doesn’t require TLS termination.
  • Network traffic filtering rules: You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
  • FQDN tags: These tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
  • Service tags: A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can’t create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.
  • Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert on, or deny, traffic to or from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. (Signature-based IDPS is a separate capability of the Premium SKU.)
  • TLS inspection: The firewall can decrypt outbound traffic, inspect the plaintext, then re-encrypt the data and send it to the destination.
  • Outbound SNAT support: By default, outbound virtual network traffic to non-private destination addresses is translated to the Azure Firewall public IP (Source Network Address Translation, SNAT), so remote Internet destinations can identify and allow traffic originating from your virtual network by that address.
  • Inbound DNAT support: Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
  • Multiple public IP addresses: You can associate multiple public IP addresses (up to 250) with your firewall, to enable specific DNAT and SNAT scenarios.
  • Azure Monitor logging: All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hubs, or send them to Azure Monitor logs.
  • Forced tunneling: You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you have an on-premises edge firewall or other network virtual appliance (NVA) to process Internet network traffic.
  • Web categories: Web categories let administrators allow or deny user access to web site categories such as gambling websites, social media websites, and others. Web categories are included in Azure Firewall Standard but are more fine-grained in Azure Firewall Premium. The Standard SKU matches the category based on the FQDN, whereas the Premium SKU matches the category according to the entire URL for both HTTP and HTTPS traffic (the latter requires TLS inspection to be enabled).
  • Certifications: Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.
14
Q

Name & briefly describe the 2 ways rules are processed in Azure Firewall.

A

Rule processing with classic rules
With classic rules, rule collections are processed according to the rule type (NAT rule collections first, then network, then application) and within each type in priority order, lower numbers to higher numbers from 100 to 65,000. It’s best practice to initially space your rule collection priority numbers in increments of 100. Increments give space to add more rule collections when needed.

Rule processing with Firewall Policy
With Firewall Policy, rules are organized inside Rule Collections which are contained in Rule Collection Groups. Rule Collections can be of the following types:

  1. DNAT (Destination Network Address Translation)
  2. Network
  3. Application

With Firewall Policy, rules are processed based on Rule Collection Group priority and then Rule Collection priority. Application rules are always processed after network rules, which are themselves always processed after DNAT rules, regardless of Rule Collection Group or Rule Collection priority and policy inheritance. The first matching rule decides: if a network rule allows a flow, application rules are not consulted for it, and traffic that matches no rule is denied by default.
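The following is an added worked example, not code from the flashcards or from Azure. It simulates the Firewall Policy processing order described on this card (DNAT, then Network, then Application, regardless of group and collection priority; first match wins; implicit deny) and also the "Application FQDN filtering rules" feature from the previous card, using leading-wildcard FQDN patterns. All rule collection groups, collections, rules and flows are constructed for the demo; the action name "DNAT" for DNAT collections is a convention chosen here.

```python
"""Added simulation (not Azure's code) of Azure Firewall Policy rule processing."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

TYPE_ORDER = {"DNAT": 0, "Network": 1, "Application": 2}   # evaluation order by type

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: tuple         # Network/DNAT: ("TCP",), ("UDP",); Application: ("Http", "Https")
    sources: tuple           # CIDRs
    destinations: tuple      # CIDRs for Network/DNAT, FQDN patterns for Application
    dest_ports: tuple = ()   # Network/DNAT only

@dataclass(frozen=True)
class RuleCollection:
    name: str
    rc_type: str             # "DNAT" | "Network" | "Application"
    priority: int            # 100-65000, lower is evaluated first within its group
    action: str              # "Allow" | "Deny" ("DNAT" for DNAT collections, by convention here)
    rules: tuple

@dataclass(frozen=True)
class RuleCollectionGroup:
    name: str
    priority: int
    collections: tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst_ip: str
    dst_port: int
    protocol: str            # "TCP" | "UDP"
    fqdn: str = ""           # HTTP Host / TLS SNI if visible; "" for other flows

def ordered_collections(groups):
    """Flatten a policy into the order the firewall evaluates it: type, then RCG, then RC."""
    keyed = [((TYPE_ORDER[rc.rc_type], g.priority, rc.priority), g, rc)
             for g in groups for rc in g.collections]
    keyed.sort(key=lambda e: e[0])
    return [(g, rc) for _, g, rc in keyed]

def processing_order(groups):
    return [f"{g.name}/{rc.name}" for g, rc in ordered_collections(groups)]

def _cidr_match(cidrs, ip):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)

def rule_matches(rc_type, rule, flow):
    if not _cidr_match(rule.sources, flow.src):
        return False
    if rc_type == "Application":
        # FQDN match on the Host header or TLS SNI; SNI needs no TLS termination
        proto = {80: "Http", 443: "Https"}.get(flow.dst_port)
        return (proto in rule.protocols and flow.fqdn != ""
                and any(fnmatch(flow.fqdn.lower(), pat.lower()) for pat in rule.destinations))
    return (flow.protocol in rule.protocols
            and _cidr_match(rule.destinations, flow.dst_ip)
            and flow.dst_port in rule.dest_ports)

def evaluate(groups, flow):
    """Return (action, path) of the first matching rule, or the implicit deny."""
    for g, rc in ordered_collections(groups):
        for rule in rc.rules:
            if rule_matches(rc.rc_type, rule, flow):
                return rc.action, f"{g.name}/{rc.name}/{rule.name}"
    return "Deny", "implicit-deny"

# Constructed policy. The Application group has the most urgent group priority,
# yet its rules still run after every DNAT and Network rule in the policy.
POLICY = (
    RuleCollectionGroup("app-rcg", 100, (
        RuleCollection("allow-updates", "Application", 100, "Allow", (
            Rule("windows-update", ("Http", "Https"), ("10.0.0.0/16",),
                 ("*.windowsupdate.com", "download.microsoft.com")),)),)),
    RuleCollectionGroup("net-rcg", 200, (
        RuleCollection("deny-smb-out", "Network", 100, "Deny", (
            Rule("block-smb", ("TCP",), ("10.0.0.0/16",), ("0.0.0.0/0",), (445,)),)),
        RuleCollection("allow-dns", "Network", 200, "Allow", (
            Rule("dns-to-resolver", ("UDP",), ("10.0.0.0/16",), ("8.8.8.8/32",), (53,)),)),
        RuleCollection("publish-web", "DNAT", 500, "DNAT", (
            Rule("web-443", ("TCP",), ("0.0.0.0/0",), ("203.0.113.10/32",), (443,)),)),
    )),
)

def demo():
    return {
        "order": processing_order(POLICY),
        "smb_out": evaluate(POLICY, Flow("10.0.1.4", "20.0.0.5", 445, "TCP")),
        "update_https": evaluate(POLICY, Flow("10.0.1.4", "13.107.4.50", 443, "TCP", "dl.windowsupdate.com")),
        "unknown_https": evaluate(POLICY, Flow("10.0.1.4", "13.107.4.50", 443, "TCP", "evil.example.net")),
        "dns_out": evaluate(POLICY, Flow("10.0.1.4", "8.8.8.8", 53, "UDP")),
        "inbound_dnat": evaluate(POLICY, Flow("198.51.100.7", "203.0.113.10", 443, "TCP")),
    }
```

The practical consequence of this ordering: an FQDN allow-list in an application rule collection only restricts egress if no network rule already allows TCP/443 to the same destinations. Adding a broad "allow 443 anywhere" network rule, even in a low-priority group, makes `evaluate` return that network rule for any HTTPS flow and the FQDN list is never reached.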

15
Q

What 3 things must be considered when deploying an Azure Firewall?

A
  1. The firewall can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
  2. The firewall uses a static, public IP address for your virtual network resources.
  3. The firewall is fully integrated with Azure Monitor for logging and analytics.
16
Q

What is Azure Firewall Manager?

A

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Azure Firewall Manager simplifies the process of centrally defining network and application-level rules for traffic filtering across multiple Azure Firewall instances. You can span different Azure regions and subscriptions in hub and spoke architectures for traffic governance and protection.

17
Q

What 2 network architecture types does Azure FM support?

A
  1. Secured Virtual Hub - This name is given to any Azure Virtual WAN Hub with associated security and routing policies. An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures.
  2. Hub Virtual Network - This name is given to any standard Azure virtual network with associated security policies. A standard Azure virtual network is a resource that you create and manage yourself. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
18
Q

Name 4 key features Azure FM offers.

A
  • Central Azure Firewall deployment and configuration: You can centrally deploy and configure multiple Azure Firewall instances that span different Azure regions and subscriptions.
  • Hierarchical policies (global and local): You can use Azure Firewall Manager to centrally manage Azure Firewall policies across multiple secured virtual hubs. Your central IT teams can author global firewall policies to enforce organization wide firewall policy across teams. Locally authored firewall policies allow a DevOps self-service model for better agility.
  • Integrated with third-party security-as-a-service for advanced security: In addition to Azure Firewall, you can integrate third-party security-as-a-service providers to provide extra network protection for your VNet and branch Internet connections. This feature is available only with secured virtual hub deployments.
  • Centralized route management: You can easily route traffic to your secured hub for filtering and logging without the need to manually set up User Defined Routes (UDR) on spoke virtual networks. This feature is available only with secured virtual hub deployments.
  • Region availability: You can use Azure Firewall Policies across regions. For example, you can create a policy in the West US region, and still use it in the East US region.
  • DDoS protection plan: You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager.
  • Manage Web Application Firewall policies: You can centrally create and associate Web Application Firewall (WAF) policies for your application delivery platforms, including Azure Front Door and Azure Application Gateway.
19
Q

What does Azure Web Application Firewall provide?

A

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

20
Q

What are the 2 modes a WAF operates in?

A
  1. Detection Mode - By default, a WAF policy is in Detection mode. In Detection mode, WAF doesn’t block any requests. Instead, requests matching the WAF rules are logged.
  2. Prevention Mode - In Prevention mode, requests that match rules are blocked and logged.
21
Q

Name 5 threat categories that the Azure WAF Default Rule Set (DRS) protects against.

A
  • Cross-site scripting
  • Java attacks
  • Local file inclusion
  • PHP injection attacks
  • Remote command execution
  • Remote file inclusion
  • Session fixation
  • SQL injection
  • Protocol attacks
22
Q

What are the 2 types of custom rules Azure WAF supports?

A
  1. Match Rule - A match rule determines access based on a set of matching conditions.
  2. Rate Limit Rule - A rate limit rule determines access based on matching conditions and the rates of incoming requests.
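The following is an added worked example, not code from the flashcards or from Azure. It simulates the two custom rule types on this card together with the Detection and Prevention modes from the earlier card: match rules decide on conditions (client IP range, URI substrings, header values), a rate limit rule matches once a client exceeds a request threshold within a window, and the policy mode decides whether a Block action is enforced or only logged. The rules, request stream and the sliding-window counter are constructed for the demo and are not Azure's implementation.

```python
"""Added simulation (not Azure's code) of WAF custom rules and policy modes."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    ts: float
    client_ip: str
    method: str
    uri: str
    headers: dict = field(default_factory=dict)

@dataclass
class MatchRule:
    name: str
    priority: int
    action: str                    # "Allow" | "Block" | "Log"
    source_cidrs: tuple = ()       # empty = any source
    uri_contains: tuple = ()       # match if any substring occurs (case-insensitive)
    header_equals: dict = field(default_factory=dict)

    def matches(self, req):
        if self.source_cidrs and not any(ip_address(req.client_ip) in ip_network(c)
                                         for c in self.source_cidrs):
            return False
        if self.uri_contains and not any(s in req.uri.lower() for s in self.uri_contains):
            return False
        return all(req.headers.get(k, "").lower() == v.lower()
                   for k, v in self.header_equals.items())

@dataclass
class RateLimitRule:
    name: str
    priority: int
    threshold: int                 # requests per client allowed inside the window
    window_seconds: float
    uri_prefix: str = "/"          # only requests under this path are counted
    action: str = "Block"
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def matches(self, req):
        if not req.uri.startswith(self.uri_prefix):
            return False
        q = self._hits[req.client_ip]
        q.append(req.ts)
        while q and q[0] <= req.ts - self.window_seconds:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.threshold

class WafPolicy:
    def __init__(self, mode, rules):
        if mode not in ("Detection", "Prevention"):
            raise ValueError(mode)
        self.mode = mode
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.log = []              # (ts, client_ip, rule, action, mode) for every match

    def handle(self, req):
        """Return "Allow" or "Block" for one request; every match is logged in both modes."""
        for rule in self.rules:
            if not rule.matches(req):
                continue
            self.log.append((req.ts, req.client_ip, rule.name, rule.action, self.mode))
            if rule.action == "Allow":
                return "Allow"
            if rule.action == "Block":
                return "Block" if self.mode == "Prevention" else "Allow"
            # "Log" action: record the match and keep evaluating lower-priority rules
        return "Allow"

def build_rules():
    return [
        MatchRule("block-known-bad-range", 10, "Block", source_cidrs=("203.0.113.0/24",)),
        MatchRule("block-path-traversal", 20, "Block", uri_contains=("../", "/etc/passwd")),
        MatchRule("log-legacy-agent", 30, "Log", header_equals={"User-Agent": "LegacyBot/1.0"}),
        RateLimitRule("login-rate-limit", 40, threshold=5, window_seconds=60, uri_prefix="/login"),
    ]

def sample_traffic():
    """Constructed traffic: page views, one abusive source, one traversal probe, a
    request from a legacy client, then 7 login attempts from one client inside a minute."""
    reqs = [
        Request(1.0, "198.51.100.7", "GET", "/index.html"),
        Request(2.0, "203.0.113.9", "GET", "/index.html"),
        Request(3.0, "198.51.100.7", "GET", "/download?file=../../etc/passwd"),
        Request(4.0, "198.51.100.8", "GET", "/index.html", {"User-Agent": "LegacyBot/1.0"}),
    ]
    reqs += [Request(10.0 + i, "198.51.100.7", "POST", "/login") for i in range(7)]
    return reqs

def run(mode):
    """Evaluate the sample traffic under one mode: (decisions, number of logged matches)."""
    policy = WafPolicy(mode, build_rules())          # fresh rate-limit counters per run
    decisions = [policy.handle(r) for r in sample_traffic()]
    return decisions, len(policy.log)
```

Running `run("Prevention")` and `run("Detection")` on the same traffic produces the same log entries; only the decisions differ, which is why Detection mode is the right first step when onboarding a new application: the log shows what Prevention mode would have blocked without affecting real users.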