Implement Platform Protection: Perimeter Security (Part 1)

To read part 2 please click here

Defense In Depth

The defense in depth approach adds further controls to the design to mitigate risk to the organization in the event that a primary security control fails. All services in Azure are designed and operated to support multiple layers of defense, spanning your data, apps, virtual machines, network perimeter policies, and physical security within Azure data centers. As more and more of a company's digital resources reside outside the corporate network, in the cloud and on personal devices, it becomes clear that perimeter-only security controls such as firewalls, DMZs and VNets are no longer adequate on their own.

The adoption of software-defined networking (SDN) and software-defined data center (SDDC) technologies is driving network segmentation toward finer granularity, i.e. network micro-segmentation.

Network Micro-Segmentation

Micro-segmentation is a way to create secure zones in data centers and Azure deployments that lets you isolate workloads and protect them individually. The best-practice recommendation is to adopt a zero trust strategy based on user, device, and application identities.

  • Azure Network Security Groups can be used for basic network-layer access controls between Azure Virtual Networks, their subnets, and the Internet.

  • Application Security Groups enable you to define fine-grained network security policies based on workloads and centered on applications instead of explicit IP addresses.

  • Azure Web Application Firewall and the Azure Firewall can be used for more advanced network access controls that require application layer support.

  • Local Admin Password Solution (LAPS) or a third-party Privileged Access Management solution can set strong local admin passwords and provide just-in-time access to them.

Additionally, third parties offer micro-segmentation approaches that may enhance your network controls by applying zero trust principles to networks you control that still carry legacy assets.
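To make the NSG and ASG points above concrete, here is an added example (not code from the original post or from Azure) that models how an Azure Network Security Group evaluates inbound traffic: rules are checked in priority order, the first match wins, and the default rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) sit behind every custom rule. The VNet range, the ASG membership, the "Internet" tag approximation and the web/DB policy are all constructed assumptions.

```python
from collections import namedtuple
import ipaddress

# Constructed VNet, ASG membership and the RFC 1918 ranges used by the model.
VNET = ipaddress.ip_network("10.0.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASG_MEMBERS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-db": {"10.0.2.4"}}

Rule = namedtuple("Rule", "name priority source dest port access")

# Azure's default inbound rules; custom rules always carry a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def matches(selector, ip):
    """Does a rule selector (service tag, ASG name or CIDR) cover this address?"""
    ip = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "Internet":           # simplified: anything outside RFC 1918 space
        return not any(ip in n for n in RFC1918)
    if selector == "AzureLoadBalancer":  # the platform's health-probe source address
        return ip == ipaddress.ip_address("168.63.129.16")
    if selector in ASG_MEMBERS:
        return str(ip) in ASG_MEMBERS[selector]
    return ip in ipaddress.ip_network(selector, strict=False)

def evaluate(custom_rules, src_ip, dst_ip, port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(r.source, src_ip) and matches(r.dest, dst_ip) and r.port in ("*", port):
            return r.access, r.name

# Constructed micro-segmentation policy: Internet -> web tier on 443 only,
# web tier -> DB tier on 1433 only, every other VNet source denied to the DB tier.
WEB_DB_RULES = [
    Rule("allow-https-from-internet", 100, "Internet", "asg-web", 443, "Allow"),
    Rule("allow-sql-from-web", 200, "asg-web", "asg-db", 1433, "Allow"),
    Rule("deny-vnet-to-db", 300, "VirtualNetwork", "asg-db", "*", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(WEB_DB_RULES, "10.0.3.9", "10.0.2.4", 1433))  # ('Deny', 'deny-vnet-to-db')
    print(evaluate([], "10.0.3.9", "10.0.2.4", 1433))            # ('Allow', 'AllowVnetInBound')
```

The two prints show the micro-segmentation effect: without the explicit deny, the default AllowVnetInBound rule lets any host in the VNet reach the database tier.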

Virtual Network Security

Azure Networking Components

Azure virtual networks are a key component of Azure security services. With ExpressRoute, Azure supports dedicated WAN link connectivity between your on-premises network and an Azure Virtual Network. If your Azure application is running in multiple datacenters, you can use Azure Traffic Manager to route user requests intelligently across instances of the application.

Virtual Networks

Virtual networks are made up of subnets, each of which is a range of IP addresses within your virtual network. Subnets, like virtual networks, are scoped to a single Azure region, and multiple virtual networks can be implemented within each Azure subscription and Azure region. Each virtual network is isolated from the other virtual networks, and for each virtual network you can:

  • Specify custom private IP address space using public and private addresses. 
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
  • Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.

IP Addresses

A virtual network uses two types of IP addresses:

  • Private - Dynamically or statically allocated to a VM from the defined scope of IP addresses in the virtual network. VMs use these addresses to communicate with other VMs in the same or connected virtual networks, through a gateway or Azure ExpressRoute connection.

  • Public - These IP addresses allow Azure resources to communicate with external clients and are assigned directly to the virtual network adapter of the VM or to the load balancer. All IP blocks in the virtual network are routable only within the customer's network and are not reachable from outside.

You can also control the dynamic IP addresses assigned to VMs and cloud services within an Azure virtual network by specifying an IP addressing scheme. 

Subnets

You can further divide your network with the help of subnets for the logical and security-related isolation of Azure resources. Subnetting hides the details of internal network organization from external routers and also segments the hosts within the network, making it easier to apply network security at the interconnections between subnets.
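As an added example (not from the original post), the following carves a VNet address space into non-overlapping subnets the way the sections above describe, and counts the addresses actually available for NICs once Azure's five reserved addresses per subnet (network, default gateway, two Azure DNS mappings, broadcast) are set aside; it also rejects subnets smaller than the /29 Azure accepts. The VNet range and the subnet requests are constructed.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # network, default gateway, two Azure DNS, broadcast
AZURE_MIN_PREFIX = 29           # /29 is the smallest subnet Azure accepts

def usable_hosts(subnet):
    """Addresses left for NICs once Azure's reserved addresses are set aside."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen > AZURE_MIN_PREFIX:
        raise ValueError(f"{net} is smaller than the /{AZURE_MIN_PREFIX} minimum")
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET

def plan_subnets(vnet_cidr, requests):
    """Carve non-overlapping subnets out of a VNet address space.

    requests is a list of (name, prefix_len). Larger subnets are placed first
    and each one takes the smallest free block that fits (best fit), so the
    leftover space stays in as few, as large, blocks as possible.
    Returns {name: ip_network}; raises ValueError when the space runs out."""
    vnet = ipaddress.ip_network(vnet_cidr)
    free, plan = [vnet], {}
    for name, prefix in sorted(requests, key=lambda r: r[1]):
        if prefix > AZURE_MIN_PREFIX:
            raise ValueError(f"{name}: /{prefix} is below Azure's /{AZURE_MIN_PREFIX} minimum")
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"{name}: no free /{prefix} left in {vnet}")
        block = min(fits, key=lambda b: (-b.prefixlen, b))   # best fit, lowest address
        chosen = next(block.subnets(new_prefix=prefix))       # first /prefix inside the block
        free.remove(block)
        free.extend(block.address_exclude(chosen))            # keep the leftover pieces
        plan[name] = chosen
    return plan

def overlaps(plan):
    """Pairs of planned subnets whose ranges collide (Azure rejects such a VNet)."""
    nets = sorted(plan.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, x) in enumerate(nets)
            for b, y in nets[i + 1:] if x.overlaps(y)]

if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", [("web", 24), ("db", 24), ("gateway", 27), ("bastion", 26)])
    for name, net in plan.items():
        print(f"{name:8} {net!s:16} usable addresses: {usable_hosts(str(net))}")
```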

Network Adapters

VMs communicate with other VMs and resources on the network by using virtual network adapters. You can configure VMs with private and, optionally, public IP addresses. A VM can have more than one network adapter for different network configurations.

Distributed Denial Of Service (DDOS)

A denial of service (DOS) attack is one whose goal is to prevent access to services or systems. If the attack originates from one location it is called a DOS attack, but if it originates from multiple networks and systems it is called a distributed denial of service (DDOS) attack. Hence, DDOS is a collection of attacks aimed at disrupting the availability of a target.

DDOS Implementation

Azure DDOS protection provides the following service tiers:

  • Basic - Automatically enabled as part of the Azure platform; it provides always-on traffic monitoring, real-time mitigation of common network-level attacks, and the same defenses utilized by Microsoft's online services.
  • Standard - Offers additional mitigation capabilities over the Basic tier that are tuned specifically to Azure Virtual Network resources. It is simple to enable and requires no application changes, with all protection policies tuned through dedicated traffic monitoring and machine learning algorithms.

How Azure DDOS Protection works

DDOS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDOS policy. When the traffic threshold is exceeded, DDOS mitigation is automatically initiated, and when traffic returns to a level below the threshold, the mitigation is removed. During mitigation, DDOS Protection redirects traffic sent to the protected resource and performs several checks, including:

  • Ensuring that packets conform to internet specifications and aren't malformed.
  • Interacting with the client to determine if the traffic might be spoofed.
  • Rate-limiting packets if it can't perform any other enforcement method.

DDOS Protection blocks attacking traffic and forwards the remaining traffic to its intended destination.
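The threshold-driven loop just described can be illustrated with a toy model; this is an added example and not Azure's implementation or code from the original post. It feeds constructed per-second traffic batches through a policy threshold, turns mitigation on when the packet rate exceeds it and off when the rate drops back below it, and while mitigating drops malformed packets and rate-limits each source (the client-interaction check is not modelled). The threshold, per-source limit and sample addresses are assumptions.

```python
from collections import Counter

def scrub(packets, per_source_limit):
    """Mitigation pass over one second of traffic: drop malformed packets,
    then cap the number of packets any single source may send through."""
    seen, forwarded, dropped = Counter(), [], 0
    for pkt in packets:
        if pkt["malformed"] or seen[pkt["src"]] >= per_source_limit:
            dropped += 1
            continue
        seen[pkt["src"]] += 1
        forwarded.append(pkt)
    return forwarded, dropped

def run_policy(samples, threshold_pps, per_source_limit):
    """Apply the detect/mitigate loop to a list of per-second packet batches.
    Mitigation starts when packets per second exceed the policy threshold and
    stops once the rate falls back below it. Returns one record per second."""
    mitigating, log = False, []
    for second, packets in enumerate(samples):
        pps = len(packets)
        if not mitigating and pps > threshold_pps:
            mitigating = True            # threshold exceeded: redirect and scrub
        elif mitigating and pps < threshold_pps:
            mitigating = False           # traffic back below threshold: stop scrubbing
        forwarded, dropped = scrub(packets, per_source_limit) if mitigating else (packets, 0)
        log.append({"second": second, "pps": pps, "mitigating": mitigating,
                    "forwarded": len(forwarded), "dropped": dropped})
    return log

def make_second(flood_src=None, flood_count=0, legit_count=10, malformed=0):
    """Construct one second of traffic: distinct legitimate clients (documentation
    address range) plus an optional flood from one source, partly malformed."""
    pkts = [{"src": f"192.0.2.{i}", "malformed": False} for i in range(legit_count)]
    pkts += [{"src": flood_src, "malformed": i < malformed} for i in range(flood_count)]
    return pkts

# Constructed timeline: quiet, two seconds of a 500 pps flood, quiet again.
SAMPLES = [make_second(), make_second("198.51.100.9", 500, malformed=50),
           make_second("198.51.100.9", 500), make_second()]

if __name__ == "__main__":
    for rec in run_policy(SAMPLES, threshold_pps=100, per_source_limit=20):
        print(rec)
```

During the flood seconds only the 10 legitimate packets plus the attacker's first 20 get through, and mitigation clears itself once the rate is back under the threshold.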

Types of DDOS attacks that DDOS Protection Standard mitigates

  • Volumetric attacks - The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic. DDOS Protection Standard mitigates these potential multi-gigabyte attacks by automatically absorbing and scrubbing them at Azure's global network scale.

  • Protocol attacks - These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. DDOS Protection Standard mitigates these attacks by differentiating between malicious and legitimate traffic, interacting with the client, and blocking malicious traffic.

  • Resource (application) layer attacks - These attacks target web application packets to disrupt the transmission of data between hosts. You can use a Web Application Firewall, such as the Azure Application Gateway web application firewall, together with DDOS Protection Standard to defend against these attacks.

DDOS Protection Standard protects resources in a virtual network, including public IP addresses associated with virtual machines, load balancers, and application gateways, while providing full layer 3 to layer 7 mitigation capability.
