Implement Platform Protection: Perimeter Security (Part 1)
Defense In Depth
Network Micro-Segmentation
Micro-segmentation is a way to create secure zones in data centers and Azure deployments that allow you to isolate workloads and protect them individually. The best practice recommendation is to adopt a zero trust strategy based on the user, device, and application identities.
- Azure Network Security Groups can be used for basic network-layer access controls between Azure Virtual Networks, their subnets, and the Internet.
- Application Security Groups let you define fine-grained network security policies based on workloads and centered on applications instead of explicit IP addresses.
- Azure Web Application Firewall and the Azure Firewall can be used for more advanced network access controls that require application layer support.
- Local Admin Password Solution (LAPS) or a third-party Privileged Access Management solution can set strong local admin passwords and provide just-in-time access to them.
Additionally, third parties offer micro-segmentation approaches that may enhance your network controls by applying zero trust principles to the networks you control that have legacy assets on them.
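To make the NSG and ASG behaviour above concrete, here is an added model (written for these notes, not Azure's implementation or SDK) of how one inbound flow is decided: rules are walked from the lowest priority number upwards, the first rule whose protocol, source, destination and port all match wins, and Azure's built-in default rules are consulted last. The ASG names, VM addresses and tier rules are constructed; the default rule names and priorities and the load balancer probe address are the documented Azure values.

```python
"""Model of how an Azure NSG, combined with Application Security Groups,
decides whether one inbound flow is allowed.

Added illustration for these notes, not Azure's implementation or SDK: the
ASG names, VM addresses and tier rules are constructed. The evaluation order
(lowest priority number first, first match wins, then the built-in default
rules) follows the documented NSG behaviour."""
import ipaddress
from dataclasses import dataclass, field

# Constructed ASG membership: ASG name -> private IPs of the NICs in it.
ASGS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE_IP = "168.63.129.16"  # source address of Azure Load Balancer health probes


@dataclass
class Rule:
    name: str
    priority: int  # user rules 100-4096; lower numbers are evaluated first
    access: str  # "Allow" or "Deny"
    protocol: str  # "Tcp", "Udp" or "*"
    source: str  # ASG name, CIDR, "*" or a service tag
    destination: str
    dest_ports: set = field(default_factory=lambda: {"*"})  # "443", "1000-2000" or "*"


def _matches_address(selector: str, ip: str, vnet: ipaddress.IPv4Network) -> bool:
    """Resolve an ASG name, service tag or CIDR and test one address against it."""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector in ASGS:
        return ip in ASGS[selector]
    if selector == "VirtualNetwork":
        return addr in vnet
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if selector == "Internet":  # simplified: anything outside the VNet and RFC 1918 space
        return addr not in vnet and not any(addr in n for n in RFC1918)
    return addr in ipaddress.ip_network(selector, strict=False)


def _matches_port(ports: set, port: int) -> bool:
    """Match a destination port against "*", a single port or a "lo-hi" range."""
    for spec in ports:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Default inbound rules Azure attaches to every NSG, at priorities no user rule can reach.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed micro-segmentation policy for a two-tier application.
TIER_RULES = [
    Rule("AllowHttpsToWeb", 100, "Allow", "Tcp", "Internet", "asg-web", {"443"}),
    Rule("AllowWebToSql", 110, "Allow", "Tcp", "asg-web", "asg-db", {"1433"}),
    Rule("DenyAllToDb", 120, "Deny", "*", "*", "asg-db"),  # sits below AllowVnetInBound
]


def evaluate(rules, src_ip, dst_ip, protocol, port, vnet="10.0.0.0/16"):
    """Return (access, rule name) for one inbound flow.

    Rules are walked in ascending priority; the first one whose protocol,
    source, destination and destination port all match decides, and nothing
    after it is consulted. DenyAllInBound guarantees there is always a match."""
    net = ipaddress.ip_network(vnet)
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_matches_address(r.source, src_ip, net) and _matches_address(r.destination, dst_ip, net)):
            continue
        if _matches_port(r.dest_ports, port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for flow in [("203.0.113.10", "10.0.1.4", "Tcp", 443),
                 ("10.0.1.4", "10.0.2.4", "Tcp", 22),
                 ("10.0.3.7", "10.0.1.4", "Tcp", 22)]:
        print(flow, "->", evaluate(TIER_RULES, *flow))
```

The third flow in the demo is the check worth noting: another VM in the same virtual network reaches the web tier on port 22 through the default AllowVnetInBound rule, because the policy only added an explicit deny for the database tier. Micro-segmentation therefore needs a deny rule like DenyAllToDb for every tier, placed after that tier's allows, rather than relying on the defaults.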
Virtual Network Security
Azure Networking Components
Azure virtual networks are a key component of Azure security services. Azure supports dedicated WAN link connectivity between your on-premises network and an Azure Virtual Network through ExpressRoute. If your Azure application runs in multiple datacenters, you can use Azure Traffic Manager to route user requests intelligently across instances of the application.
Virtual Networks
Virtual networks are made up of subnets, each of which is a range of IP addresses within your virtual network. Subnets, like virtual networks, are scoped to a single Azure region, and multiple virtual networks can be implemented within each Azure subscription and Azure region. Each virtual network is isolated from the other virtual networks, and for each virtual network you can:
- Specify custom private IP address space using public and private addresses.
- Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
- Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.
IP Addresses
- Private: Dynamically or statically allocated to a VM from the defined scope of IP addresses in the virtual network. VMs use these addresses to communicate with other VMs in the same or connected virtual networks, through a gateway or an Azure ExpressRoute connection.
- Public: These IP addresses allow Azure resources to communicate with external clients and are assigned directly to the virtual network adapter of the VM or to the load balancer. All IP blocks in the virtual network are routable only within the customer's network and are not reachable from outside.
You can also control the dynamic IP addresses assigned to VMs and cloud services within an Azure virtual network by specifying an IP addressing scheme.
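The two tasks just described, segmenting a virtual network into subnets and laying out a private addressing scheme, are easy to get wrong by hand. The following added example (written for these notes, not an Azure tool) carves a constructed VNet prefix into subnets first-fit and then checks a plan for subnets that overlap or fall outside the VNet. It uses the documented Azure rule that five addresses in every subnet are reserved (network address, default gateway, two for Azure DNS, broadcast) and that the smallest subnet Azure accepts is a /29; the subnet names and host counts are made up.

```python
"""Carve an Azure virtual network's private address space into subnets and
validate the result.

Added example for these notes, not an Azure tool: the VNet prefix, subnet names
and host counts are constructed. It applies the documented rule that Azure
reserves five addresses in every subnet (network address, default gateway, two
for Azure DNS, broadcast) and that the smallest subnet is a /29."""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29


def prefix_for(hosts: int) -> int:
    """Smallest prefix length whose block holds `hosts` usable addresses plus the five reserved."""
    need = hosts + AZURE_RESERVED_PER_SUBNET
    prefix = 32 - (need - 1).bit_length()  # block size is the power of two >= need
    return min(prefix, AZURE_SMALLEST_PREFIX)


def plan_subnets(vnet_cidr: str, requests):
    """Allocate subnets first-fit, in the order requested. requests: [(name, hosts_needed)].

    Returns {name: cidr}. Raises ValueError when the VNet cannot hold a request."""
    free = [ipaddress.ip_network(vnet_cidr)]  # unallocated blocks, kept sorted by address
    plan = {}
    for name, hosts in requests:
        prefix = prefix_for(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:  # block is at least as large as the subnet we need
                subnet = next(block.subnets(new_prefix=prefix))  # lowest-addressed piece
                plan[name] = str(subnet)
                free = sorted(free[:i] + list(block.address_exclude(subnet)) + free[i + 1:])
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {vnet_cidr}")
    return plan


def fits(vnet_cidr: str, requests) -> bool:
    """True when every request can be placed in the VNet."""
    try:
        plan_subnets(vnet_cidr, requests)
        return True
    except ValueError:
        return False


def usable_hosts(cidr: str) -> int:
    """Addresses a VM can actually take in an Azure subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def check_plan(vnet_cidr: str, plan: dict) -> list:
    """Return the problems in a plan: subnets outside the VNet or overlapping each other."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} lies outside {vnet}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    demo = plan_subnets("10.0.0.0/24", [("web", 50), ("app", 20), ("db", 4), ("bastion", 3)])
    for name, cidr in demo.items():
        print(f"{name:8} {cidr:18} usable hosts: {usable_hosts(cidr)}")
    print("problems:", check_plan("10.0.0.0/24", demo) or "none")
```

Running the demo places web in 10.0.0.0/26, app in 10.0.0.64/27, db in 10.0.0.96/28 and bastion in 10.0.0.112/29, leaving the upper half of the /24 free for growth; a /26 yields 59 usable addresses, not 62, once Azure's reservations are taken into account.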
Subnets
Network Adapters
Distributed Denial Of Service (DDOS)
DDOS Implementation
- Basic: Automatically enabled as part of the Azure platform. It provides always-on traffic monitoring, real-time mitigation of common network-level attacks, and the same defenses utilized by Microsoft's online services.
- Standard: Offers additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. It is simple to enable and requires no application changes; all protection policies are tuned through dedicated traffic monitoring and machine learning algorithms.
How Azure DDOS Protection works
DDOS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDOS policy. When the traffic threshold is exceeded, DDOS mitigation is initiated automatically, and when traffic returns to a level below the threshold, the mitigation is removed. During mitigation, DDOS Protection redirects traffic sent to the protected resource and performs several checks, including:
- Ensuring that packets conform to internet specifications and aren't malformed.
- Interacting with the client to determine if the traffic might be a spoofed packet.
- Rate-limiting packets if it can't perform any other enforcement method.
DDOS Protection blocks attacking traffic and forwards the remaining traffic to its intended destination.
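The mitigation cycle above (threshold exceeded, mitigation on, traffic back below threshold, mitigation off) and the first of the listed checks can be shown in code. The following is an added toy model for these notes, not Azure's detection logic: per-second packet counts are compared with a policy threshold, mitigation is held until traffic has stayed below the threshold for a few seconds so that a fluctuating flood does not toggle it every second, rate limiting is applied only while mitigating, and IPv4 headers are checked for conformance (version, IHL, total length, RFC 791 checksum). The policy figures, the traffic samples and the sample header are constructed.

```python
"""Toy model of the threshold-driven mitigation cycle described above, plus the
"packets conform to specifications" check, applied to IPv4 headers.

Added example for these notes; it is not Azure's detection logic. The policy
figures, the per-second packet counts and the sample header are constructed."""
from dataclasses import dataclass


@dataclass
class DdosPolicy:
    pps_threshold: int   # packets per second above which mitigation starts
    calm_seconds: int    # consecutive seconds at or below threshold before mitigation ends
    rate_limit_pps: int  # ceiling enforced while mitigating (last-resort enforcement)


def monitor(samples_pps, policy: DdosPolicy):
    """Return, for each one-second sample, (mitigating, forwarded_pps).

    Mitigation starts the moment a sample exceeds the threshold and ends only
    after calm_seconds consecutive samples at or below it. While mitigating,
    traffic above the rate limit is dropped; otherwise everything is forwarded."""
    mitigating, calm, result = False, 0, []
    for pps in samples_pps:
        if not mitigating and pps > policy.pps_threshold:
            mitigating, calm = True, 0
        elif mitigating:
            calm = calm + 1 if pps <= policy.pps_threshold else 0
            if calm >= policy.calm_seconds:
                mitigating = False
        forwarded = min(pps, policy.rate_limit_pps) if mitigating else pps
        result.append((mitigating, forwarded))
    return result


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(int.from_bytes(zeroed[i:i + 2], "big") for i in range(0, len(zeroed), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_ok(packet: bytes) -> bool:
    """Reject packets that are too short, not version 4, carry an invalid IHL,
    a total length that disagrees with the bytes received, or a bad checksum."""
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header = packet[:ihl * 4]
    return int.from_bytes(header[10:12], "big") == ipv4_checksum(header)


# Constructed 20-byte IPv4 header: 10.0.0.1 -> 10.0.0.2, TCP, DF set, no payload, checksum 0x26e2.
SAMPLE_HEADER = bytes.fromhex("45000014 00004000 400626e2 0a000001 0a000002".replace(" ", ""))


if __name__ == "__main__":
    policy = DdosPolicy(pps_threshold=1000, calm_seconds=2, rate_limit_pps=800)
    for sec, (active, fwd) in enumerate(monitor([500, 1200, 3000, 900, 700, 600, 400], policy)):
        print(f"t={sec}s mitigating={active} forwarded={fwd} pps")
    print("sample header well-formed:", ipv4_header_ok(SAMPLE_HEADER))
    print("version nibble set to 6:", ipv4_header_ok(b"\x65" + SAMPLE_HEADER[1:]))
```

In the demo, mitigation begins at the 1200 pps sample, holds through the 900 pps sample because only one calm second has elapsed, and ends at 700 pps; the header check rejects a version-6 nibble, a truncated header, a length field that disagrees with the bytes received, and a zeroed checksum.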
Types of DDOS attacks that DDOS Protection Standard mitigates
- Volumetric attacks: The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic. DDOS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them automatically with Azure's global network scale.
- Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. DDOS Protection Standard mitigates these attacks by differentiating between malicious and legitimate traffic, interacting with the client, and blocking malicious traffic.
- Resource (application) layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. You can use a Web Application Firewall, like the Azure Application Gateway web application firewall, together with DDOS Protection Standard to defend against these attacks.
DDOS Protection Standard protects resources in a virtual network, including public IP addresses associated with virtual machines, load balancers, and application gateways, while providing full layer 3 to layer 7 mitigation capability.