The threat of Azure service tags
Like all real disruptions, firewall objects have a sunny and a dark side.
In Azure, the most important firewall objects are network Service Tags, which are managed by Microsoft, and IP Groups, which are managed by customers.
AWS counterparts are called prefix lists (some are AWS-managed, others are customer-managed).
The sunny side
In the Public Cloud, firewall objects are super useful when referenced in PaaS firewall rules (network security groups, application groups), because of the dynamic nature of services integration: services scale, assets get (re)deployed by infrastructure-as-code factories, ...
Also because of the shared cloud security responsibility model which demands an efficient, almost real-time way for a party to adapt when the order party changes things.
The dark side
When a single feature is used to serve two separate purposes, there is a high danger of confusion. Unfortunately, this is what happened to network service tags: yes, Microsoft manages all network service tags. No, Microsoft does not manage all assets hidden behind those tags.
All network service tags cannot be mapped to trusted Microsoft sources.
We've known this for years. We knew that, sooner or later, someone would leverage the confusion for the better or for the worst...
This is what happened yesterday! Liv Matan , a highly proficient security researcher working for Tenable proposed a proof-of-concept .
Microsoft's stand
On the blog of the security response center, Microsoft stated:
"we've updated our documentation to remind customers of the function of service tags".
This is no joke.
I don't know if customers should laugh or cry.
领英推荐
Analysis of Microsoft's stand
Microsoft seem to be facing three serious problems:
A security accountability issue. As already raised by the CSRB during the Midnight Blizzard incident investigation, Microsoft seems to deny part of the role it plays in the shared security responsibility model. If something is managed by Microsoft, it is not up to customers to compensate for poor design choices. Service tags and NOT IP groups: they fall clearly and squarely into Microsoft accountability domain.
A risk prioritization issue: clearly, security is not job zero at Microsoft (this was also a point raised by the CSRB). When in a bad mood, I would rather say security is "job null". How could the confusion between trusted and untrusted sources remain that long into the mind of security managers in charge of service tags (if any manager is in charge)?
A network reachability issue. Recently, Microsoft announced with bells and whistles that flow logs could produce synthetic data to help tracking connectivity issues... Synthetic data is the stone age of reachability analysis. Two years ago, I reverse-engineered sec Guru, a very powerful tool developed by Microsoft research to perform automated network routing policy updates validation.
If a lonely rider like me can do that as a local pet project, then why Microsoft network engineering teams wouldn't?
Ironically, AWS used sec Guru (and several other sources) to create Tiros, a downright, full-featured network reachability formal prover.
AWS doesn't need synthetic data to determine whether an asset is reachable.
Here is the claim from their original paper:
Could Tiros help prevent AWS-managed prefixes from being subverted to exploit customer assets? I strongly believe so.
What about you?
Cloud Platforms Engineer at Deutsche B?rse
5 个月When you wanted to do nothing this weekend and then come across this article...
Cloud Infrastructure Architect
5 个月Insightful!
Principal Engineer at Microsoft
5 个月I am not sure I agree with this angle. This problem has been well-known for a while: filtering solely based on IP addresses is not enough when dealing with traffic from multi-tenant platforms, and this is well-documented in services such as Front Door (or AWS CloudFront, or CloudFlare). The original article seems to imply with its title that there is a problem with service tags, while I believe the issue is another one: multi-tenant services should be able to differentiate a specific instance (owned by the customer) from any other one. You can use HTTP headers, Private Link, TLS client auth or dedicated IPs, and it has to be well documented. Hence, I do think that this is a problem of both incomplete documentation and missing functionality of those multi-tenant services, but not in service tags.
Cloud Infrastructure and Security Architect, CISSP, CCSP, CCSK
5 个月This one isn’t anything new, but it’s good to see it’s being better documented. Service tags, service endpoints, trusted services, are all topics I cover with customers at the beginning of any design conversations because of the risks that come with their usage. It’s important to be aware of the considerations when assembling and architecture. Key thing for anyone using these services is to be aware of the benefits and considerations and how to balance those with their business need and risk appetite. There is nothing wrong with not using a service because it doesn’t meet security requirements.