Implement Platform Protection: Perimeter Security (Part 1)

 



To read part 2 please click here

Defense In Depth

The defense in depth approach includes additional controls in the design to mitigate risk to the organization in the event if primary security control fails. All services in Azure are designed and operated to support multiple layers of defense, spanning your data apps, virtual machines, network perimeter related policies, and physical security within our data centers. As more and more of a company's digital resources reside outside the corporate network, in the cloud and on personal devices, it becomes obvious that a perimeter only based security like firewalls, DMZ, VNets, etc. are no longer adequate to do the job.

The adoption of software-defined networking (SDN) and software-defined data center (SDDC) technologies are driving Network Segmentation concepts to be more granular, i.e. Network Micro-Segmentation.

Network Micro-Segmentation

Micro-segmentation is a way to create secure zones in data centers and Azure deployments that allow you to isolate workloads and protect them individually. The best practice recommendation is to adopt a zero trust strategy based on the user, device, and application identities. 

  • Azure Network Security Groups can be used for basic layer access controls between Azure Virtual Networks, their subnets, and the Internet.

  • Application Security Groups enables you to determine fine-grained network security policies based on workloads and centralized on applications instead of explicit IP addresses.

  • Azure Web Application Firewall and the Azure Firewall can be used for more advanced network access controls that require application layer support.

  • Local Admin Password Solution (LAPS) or a third party Privileged Access Management can set strong local admin passwords and just in time access to them.  

Additionally, third party offers micro-segmentation approaches that may enhance your network controls by applying zero trust principles to the networks you control with legacy assets on them. 

Virtual Network Security

Azure Networking Components

Azure virtual networks are a key component of Azure security services. Azure supports dedicated WAN link connectivity to your on-premises network and an Azure Virtual Network with ExpressRoute. If your Azure application is running in multiple datacenters, you can use Azure Traffic Manager to route requests from users intelligently across instances of the application. 

Virtual Networks

Virtual networks are made up of subnets which is a range of IP addresses within your virtual network. Subnets, like virtual networks, are scoped to a single Azure region and multiple virtual networks can be implemented within each Azure subscription and Azure region. Each virtual network is isolated from the other virtual networks and for each virtual network you can:

  • Specify custom private IP address space using public and private addresses. 
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
  • Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.

IP Addresses

A virtual network uses two types of IP addresses:

  • Private- It is dynamically or statically allocated to a VM from the defined scope of IP addresses in the virtual network. VMs use these addresses to communicate with the other VMs in the same or connected virtual networks through a gateway/ Azure ExpressRoute connection.

  • Public- These type of IP addresses that allows Azure resources to communicate with external clients, are assigned directly to the virtual network adapter of the VM or to the load balancer. All IP blocks in the virtual network will be routable only within the customer's network, and they won't be reachable from outside.

You can also control the dynamic IP addresses assigned to VMs and cloud services within an Azure virtual network by specifying an IP addressing scheme. 

Subnets

You can further divide your network with the help of subnets for the logical and security-related isolation of Azure resources. Subnetting hides the details of internal network organization from external routers and also segments the host within the network, making it easier to apply network security at the interconnections between subnets.

Network Adapters

VMs communicates with the other VMs and resources on the network by using virtual network adapters. They can configure VMs with private and, optionally, public IP addresses. A VM can have more than one network adapter for different network configurations.

Distributed Denial Of Service (DDOS)

A denial of service (DOS) attack is one that has the goal of preventing access to services or systems. If the attack originates from one location, then it is called a DOS but if it originates from multiple networks and systems, then it is called distributed denial of service (DDOS). Hence, DDOS is a collection of attacks aimed at disrupting the availability of a target.

DDOS Implementation

Azure DDOS protection provides the following service tiers:

  • Basic- It is automatically enabled as a part of Azure platform and provides on-traffic monitoring, real-time mitigation of common network-level attacks, and the same defenses utilized by Microsoft's online services.
  • Standard- It offers additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. It is very simple to enable and requires no application changes with all the protection policies tuned through dedicated traffic monitoring and machine learning algorithms. 

How Azure DDOS Protection works?

DDOS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DOS policy. When the traffics threshold is exceeded, DDOS mitigation is automatically initiated and when the traffic returns to the level below the threshold, the mitigation is removed. During mitigation, DDOS Protection redirects traffic sent to the protected resource and performs several checks, including:

  •  Ensuring that packets confirm to internet specifications and aren't malformed.
  • Interacting with the client to determine if the traffic might be a spoofed packet.
  • Using rate-limit packets if it can't perform any other enforcement method.

DDOS Protection blocks attacking traffic and forward the remaining traffic to nits intended destination.

Types of DDOS attacks that DDOS Protection Standard mitigates

  • Volumetric attacks- This attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. DDOS Protection Standard mitigates these potential multi-gigabyte attacksby absorbing and scrubbing them with Azure's global network scale automatically.

  • Protocol Attacks- These attacks renders a target inaccessible by exploiting a weakness in layer 3 and 4 protocol stack. DDOS Protection Standard mitigates these attacks, by differentiating between malicious and legitimate traffic, by interacting with the client and blocking malicious traffic.

  • Resource (application) layer attacks- These types of attacks target web application packets, to disrupt the transmission of data between hosts. You can use a Web Application Firewall, like the Azure Application Gateway web application firewall, as well as DDOS Protection Standard to provide defense against these attacks.  

DDOS Protection Standard protects resources in a virtual network including public IP addresses associated with virtual machines, load balances, and application gateways while providing full layer 3 to 7 mitigation capability.



To read part 2 please click here









Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)