Network Protection
10 Jan 2023
- Important to secure your network from attacks and unauthorized access
- Use a layered approach
- not enough to just focus on securing the network perimeter or the network security between services inside a network.
- helps reduce your risk of exposure through network-based attacks
- secure your internet-facing resource, internal resources, and communication between on-premises networks
- Combine multiple Azure networking and security services
- E.g. use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside your virtual networks.
Internet protection
- Perimeter of the network
- Focused on limiting and eliminating attacks from the internet.
- Only allow inbound and outbound communication where necessary
- ensure they are restricted to only the ports and protocols required
Firewall
- Service that grants server access based on the originating IP address of each request.
- Helps you to provide inbound protection at the perimeter
- You create firewall rule
- Firewall rule = Ranges of IP addresses to allow access the server.
- Often includes specific network protocol and port information.
Azure Firewall
- Managed, highly available & scalable, network-level, firewall as a service
- Inbound protection for mainly non-HTTP/S protocols.
- E.g. Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).
- Outbound protection for all ports and protocols
- Also application-level protection for outbound HTTP/S.
Azure Application Gateway
- Load balancer that includes a Web Application Firewall (WAF)
- Provides protection from common, known vulnerabilities in websites.
- Designed to protect HTTP traffic.
Network virtual appliances (NVAs)
- Ideal options for non-HTTP services or advanced configurations
- Similar to hardware firewall appliances.
Distributed Denial of Service (DDoS) Protection
- Any resource exposed on the internet is at risk of being attacked by a denial of service attack.
- 📝 Attacks attempt to overwhelm a network resource
- sends so many requests that the resource becomes slow or unresponsive.
- 💡 Combine Azure DDoS Protection with application design best practices.
Azure DDoS Protection
- Brings DDoS mitigation capacity to every Azure region
- 📝 Protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service’s availability.
- 📝 You are notified using Azure Monitor metrics within a few minutes of attack detection.
Service tiers
Basic
- Automatically enabled as part of the Azure platform.
- Always-on traffic monitoring and real-time mitigation of common network-level
- Used by Microsoft’s online services use.
Standard
- Tuned specifically to Microsoft Azure Virtual Network resources
- Requires no application changes.
- Dedicated traffic monitoring and machine learning algorithms.
- Policies are applied to public IP addresses associated with resources deployed in virtual networks
- e.g. Azure Load Balancer and Application Gateway.
- Mitigates:
- Volumetric attacks: The attackers goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks: Render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource (application) layer attacks: Target web application packets to disrupt the transmission of data between hosts.
Traffic inside your virtual network
- Allows you to limit communication between resources to only what is required.
Virtual network security
Network Security Groups (NSGs)
- 📝 Provide a list of allowed and denied communication to and from network interfaces and subnets.
- Used for communication between virtual machines
- Filter network traffic to and from Azure resources in an Azure virtual network.
- by source and destination IP address, port, and protocol
- Can contain multiple inbound and outbound security rules
Service endpoints
- You can restrict access of services to service endpoints.
- Allows you to remove public internet access to your services
- Service access become limited to your virtual network.
Network integration
- Integrate on-premises networks <=> services in Azure
- Different ways: VPN, ExpressRoute
Virtual private network (VPN)
- Establish secure communication channels between networks.
- Connects Azure Virtual Network to an on-premises VPN device
- Provide secure communication in-between.
Azure ExpressRoute
- Use to provide a dedicated, private connection between your network and Azure
- Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
- Very secure as it sends traffic over the private circuit instead of over the public internet.
- You can send this traffic through appliances for further traffic inspection.