Azure Network Security

This article discusses the Microsoft security features in Azure that have interested me.

1. Azure Identity Services

Azure AD is a SaaS identity management solution that is fully managed and provides functions such as an Identity Provider (IdP) and Identity and Access Management (IAM) for managing and securing access to resources based on Role-Based Access Control (RBAC).

The primary cloud authentication protocols used by Azure AD are OpenID, OAuth, and Graph, whereas on-premises AD uses Kerberos and NTLM.

Since there is no installable component such as Windows servers and Domain Controllers, a company's on-premises AD has to be synchronized to the cloud.

Azure AD Connect is the tool used to synchronize objects between AD and Azure AD. Additionally, there is Self-Service Password Reset (SSPR), which can be used for end-user password management requirements.

2. Azure AD Identity Secure Score

Identity Secure Score helps you make informed decisions to protect the Azure AD tenant through a scoring system.

Examples include whether MFA is missing, whether there is a password expiration mechanism, etc.

As with all IAM, Global Administrators have the highest privilege, and it is recommended to have more than one Global Admin as a backup but fewer than five. Assign roles on a need-to-know basis with least privilege.

3. Azure AD multi-factor authentication - According to Microsoft studies, MFA can prevent 99.9% of compromises.

4. Conditional Access policies - Work on an IF/THEN basis: the IF conditions (such as mandatory MFA or requiring the device to be compliant first) are the access rules, and only THEN is access granted.

I implemented the following in an Azure trial subscription and would recommend the same if you would like to get your hands dirty a bit.

  • Azure AD tenant Identity and Access Management
  • Azure AD Password Protection
  • Self-Service Password Reset
  • Azure AD security defaults
  • Azure AD multi-factor authentication
  • Conditional Access policies
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management

5. Network Security Groups (NSG)

To protect resources and filter network traffic between resources in Azure virtual networks, we need an NSG.

Steps to create an NSG:

  1. Create an NSG.
  2. Associate the NSG with subnets.
  3. Add inbound rules.
  4. Add outbound rules.

It works like a simple Layer 4 firewall: rules are evaluated in priority order, the first match wins, and an implicit deny rule sits at the end.
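As an added example (not code from the original article), here is a small Python model of how an NSG evaluates inbound rules: ascending priority, first match wins, and Azure's built-in default rules ending in DenyAllInBound supply the implicit deny. The custom rule names and addresses are constructed, the VirtualNetwork service tag is simplified to a constructed CIDR, and the default-rule priorities are Azure's real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules, 65000+ for Azure's default rules
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR or "*" (service tags are simplified to a CIDR here)
    dest_port: str  # single port, "lo-hi" range, or "*"

def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port

def _source_match(spec, src_ip):
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)

# Azure's default inbound rules with their real priorities; the VirtualNetwork
# tag is approximated by a constructed 10.0.0.0/8 address space.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def evaluate(rules, src_ip, dst_port, protocol):
    """Return (decision, matching rule name) for one inbound flow.
    Rules are tried in ascending priority; the first match wins."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol in ("*", protocol) \
                and _source_match(rule.source, src_ip) \
                and _port_match(rule.dest_port, dst_port):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while DenyAllInBound is present

# Constructed custom rules: HTTPS from anywhere, RDP only from a corporate range.
CUSTOM_INBOUND = [
    Rule("AllowHttps", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowRdpFromCorp", 110, "Allow", "Tcp", "203.0.113.0/24", "3389"),
]

if __name__ == "__main__":
    for flow in [("198.51.100.7", 443, "Tcp"), ("198.51.100.7", 3389, "Tcp"),
                 ("203.0.113.9", 3389, "Tcp"), ("10.1.2.3", 22, "Tcp")]:
        print(flow, "->", evaluate(CUSTOM_INBOUND, *flow))
```

Note that RDP from an address outside the corporate range falls all the way through to DenyAllInBound, which is the behaviour you rely on when you leave management ports out of the custom rules.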

6. Azure Firewall

To protect North/South and East/West traffic, as well as cross-premises traffic across regions and subscriptions, we need a firewall, and Azure Firewall is Microsoft's offering. It is a Layer 7 firewall.

Generally, the firewall resides at the perimeter, and with VNet peering and route tables, communication from internal VNets to the firewall and beyond can be controlled.

Features:

  • Intrusion Prevention System (IPS)
  • Transport Layer Security (TLS) inspection
  • Uniform Resource Locator (URL) filtering
  • Source Network Address Translation (SNAT)
  • Destination Network Address Translation (DNAT)

TLS inspection is only supported for outbound (North) and lateral (East/West) traffic, that is, inspection of traffic from an internal Azure-hosted client to the internet, and of traffic sent from within Azure to/from on-premises.

Azure Firewall Manager provides centralized policy configuration and management for multiple Azure Firewall instances.

7. Web Application Firewall

The WAF uses the Open Web Application Security Project (OWASP) ModSecurity (ModSec) Core Rule Set for application protection. This provides protection against the OWASP Top 10 vulnerabilities, such as cross-site scripting and injection attacks; an example of an injection attack is SQL injection.

8. Azure DDoS Protection

Distributed Denial of Service (DDoS) protection is offered by Microsoft by default at a basic level. There is also a subscription-based tier, which costs $2,944 per month.

Standard protection covers:

  • Volumetric attacks
  • Protocol attacks (Layers 3 and 4)
  • Resource-layer attacks (Layer 7)

The subscription-based tier adds the following features.

  • Application-based mitigation policies
  • Availability guarantee
  • Cost protection
  • DDoS rapid response support
  • Metrics and alerts
  • Mitigation flow logs
  • Mitigation policy customizations
  • Mitigation reports

I had fun implementing:

  • Network security groups
  • Azure Firewall
  • Azure Web Application Firewall
  • Azure DDoS

The above can be tried out with a trial license. Especially for DDoS, make sure to turn it off afterwards, because it is charged monthly with or without traffic.

9. Azure Bastion service

Allows RDP and SSH access without needing to open the management ports or assign public IPs to resources on the virtual network.

Azure Bastion's remote access connectivity works as follows:

  1. Deploy Azure Bastion into an Azure virtual network.
  2. Only TCP port 443 communication is allowed to Azure Bastion from the internet; all communication is TLS protected.
  3. No public IP addressing is required for the Azure virtual network, and no VM management ports need to be open or exposed to the internet, significantly improving our security posture and minimizing our threat surface area.

10. Azure Network Adapter

Securely connects an on-premises Windows Server to an Azure virtual network using a Point-to-Site encrypted Virtual Private Network (VPN) connection. The on-premises server should have Windows Admin Center (WAC) installed and be registered with your Azure subscription.

After creating the Azure Network Adapter, a logical Azure NIC is created on the on-premises server, allowing it to connect to the Azure VM.

This is suitable for small-scale deployments only.

11. Virtual machines security

VMs can be secured using the following.

  • VM Update Management
  • VM Microsoft Antimalware
  • VM Azure Disk Encryption

12. Azure SQL databases

Basic security involves:

  • Implementing a server-level IP firewall
  • Implementing a private endpoint
  • Implementing Azure AD authentication and authorization

13. Storage Security

Storage accounts offer security features similar to those of SQL databases.

14. Advisor

In a world of ChatGPTs, it is nice to have an Advisor that can provide the security score of the subscription. We can use it to improve the security posture of our cloud resources.

15. Microsoft Defender for Cloud

Provides security posture management and workload protection. Popular compliance standards here are NIST, Azure CIS and HIPAA. Endpoint protection for individual VMs can be enabled using Microsoft Defender, which is a powerful anti-malware tool.

16. Microsoft Sentinel

Microsoft Sentinel is Microsoft's SIEM and SOAR tool.

  • Collects: Security data is collected across an organization
  • Detects: Threats are detected through AI-powered threat intelligence
  • Investigates: Threat-generated critical incidents are investigated
  • Responds: Responses are generated through automated reactions and remediations

SOAR is mainly for automation, which includes sending emails for alerts and taking custom actions.

I was able to create a rule for failed logins to our VM, apply a playbook, review the logs and review actions using Sentinel.

17. Traffic Analytics

Traffic Analytics provides rich visual representations of network packet information from NSG flow logs. The NSG flow logs capture network traffic information such as source and destination IP addresses, and the port and protocol used by each flow, together with the NSG rule that allowed or denied it. A Log Analytics workspace is needed to store these logs.
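As an added example (not from the original article), the following Python parses the raw NSG flow log records that Traffic Analytics visualises and summarises denied inbound flows per source address. The record below is constructed for the example and the subscription id in its resource id is a placeholder; the field order of a version 2 flow tuple is the real one.

```python
import json
from collections import Counter

# Field order of a version 2 NSG flow tuple (comma-separated string).
TUPLE_FIELDS = ["time", "src_ip", "dst_ip", "src_port", "dst_port",
                "protocol", "direction", "decision", "state",
                "packets_s2d", "bytes_s2d", "packets_d2s", "bytes_d2s"]

# Constructed sample record: three denied inbound probes and one allowed HTTPS flow.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-05-01T10:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<subscription-id-placeholder>/RESOURCEGROUPS/LAB-RG"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/LAB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1682935200,198.51.100.7,10.0.1.4,51234,3389,T,I,D,B,,,,",
            "1682935201,198.51.100.7,10.0.1.4,51235,22,T,I,D,B,,,,",
            "1682935202,198.51.100.23,10.0.1.4,40000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1682935203,203.0.113.9,10.0.1.4,44321,443,T,I,A,E,12,2048,10,9000"]}]}]}}]})

def parse_flow_log(raw):
    """Yield one dict per flow tuple, tagged with the NSG rule that handled it."""
    for record in json.loads(raw)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    flow = dict(zip(TUPLE_FIELDS, tup.split(",")))
                    flow["rule"] = rule_block["rule"]
                    yield flow

def denied_inbound_by_source(raw):
    """Count denied inbound flows per source IP: the first view to check after a rule change."""
    counts = Counter()
    for f in parse_flow_log(raw):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[f["src_ip"]] += 1
    return counts

def bytes_by_rule(raw):
    """Total bytes in both directions per rule; denied flows carry empty byte fields."""
    totals = Counter()
    for f in parse_flow_log(raw):
        totals[f["rule"]] += int(f["bytes_s2d"] or 0) + int(f["bytes_d2s"] or 0)
    return totals

if __name__ == "__main__":
    print(denied_inbound_by_source(SAMPLE_LOG))
    print(bytes_by_rule(SAMPLE_LOG))
```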

Note that I was able to test all the above features in Azure. If you require detailed steps on any of the above technologies or need a how-to setup implementation example, I will be happy to share my lab/test account findings.

If I have missed any important security feature, please let me know. I haven't included development-side security as it's a different beast altogether, but this article should cover the infrastructure side of networking and security.
