Skip to content

Latest commit

 

History

History
115 lines (82 loc) · 5.06 KB

4.6. Network Protection.md

File metadata and controls

115 lines (82 loc) · 5.06 KB
Raw

Network Protection

  • Important to secure your network from attacks and unauthorized access
  • Use a layered approach
    • not enough to just focus on securing the network perimeter or the network security between services inside a network.
    • helps reduce your risk of exposure through network-based attacks
    • secure your internet-facing resource, internal resources, and communication between on-premises networks
    • Combine multiple Azure networking and security services
      • E.g. use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside your virtual networks.

Internet protection

  • Perimeter of the network
  • Focused on limiting and eliminating attacks from the internet.
  • Only allow inbound and outbound communication where necessary
    • ensure they are restricted to only the ports and protocols required

Firewall

  • Service that grants server access based on the originating IP address of each request.
  • Helps you to provide inbound protection at the perimeter
  • You create firewall rule
    • Firewall rule = Ranges of IP addresses to allow access the server.
    • Often includes specific network protocol and port information.

Azure Firewall

  • Managed, highly available & scalable, network-level, firewall as a service
  • Inbound protection for mainly non-HTTP/S protocols.
    • E.g. Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).
  • Outbound protection for all ports and protocols
    • Also application-level protection for outbound HTTP/S.

Azure Application Gateway

  • Load balancer that includes a Web Application Firewall (WAF)
    • Provides protection from common, known vulnerabilities in websites.
  • Designed to protect HTTP traffic.

Network virtual appliances (NVAs)

  • Ideal options for non-HTTP services or advanced configurations
  • Similar to hardware firewall appliances.

Distributed Denial of Service (DDoS) Protection

  • Any resource exposed on the internet is at risk of being attacked by a denial of service attack.
  • 📝 Attacks attempt to overwhelm a network resource
    • sends so many requests that the resource becomes slow or unresponsive.
  • 💡 Combine Azure DDoS Protection with application design best practices.

Azure DDoS Protection

  • Brings DDoS mitigation capacity to every Azure region
  • 📝 Protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service's availability.
  • 📝 You are notified using Azure Monitor metrics within a few minutes of attack detection.
Service tiers
Basic
  • Automatically enabled as part of the Azure platform.
  • Always-on traffic monitoring and real-time mitigation of common network-level
  • Used by Microsoft's online services use.
Standard
  • Tuned specifically to Microsoft Azure Virtual Network resources
  • Requires no application changes.
  • Dedicated traffic monitoring and machine learning algorithms.
  • Policies are applied to public IP addresses associated with resources deployed in virtual networks
    • e.g. Azure Load Balancer and Application Gateway.
  • Mitigates:
    • Volumetric attacks: The attackers goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
    • Protocol attacks: Render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
    • Resource (application) layer attacks: Target web application packets to disrupt the transmission of data between hosts.

Traffic inside your virtual network

  • Allows you to limit communication between resources to only what is required.

Virtual network security

Network Security Groups (NSGs)

  • 📝 Provide a list of allowed and denied communication to and from network interfaces and subnets.
    • Used for communication between virtual machines
  • Filter network traffic to and from Azure resources in an Azure virtual network.
    • by source and destination IP address, port, and protocol
  • Can contain multiple inbound and outbound security rules

Service endpoints

  • You can restrict access of services to service endpoints.
    • Allows you to remove public internet access to your services
  • Service access become limited to your virtual network.

Network integration

  • Integrate on-premises networks <=> services in Azure
  • Different ways: VPN, ExpressRoute

Virtual private network (VPN)

  • Establish secure communication channels between networks.
  • Connects Azure Virtual Network to an on-premises VPN device
  • Provide secure communication in-between.

Azure ExpressRoute

  • Use to provide a dedicated, private connection between your network and Azure
  • Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
  • Very secure as it sends traffic over the private circuit instead of over the public internet.
    • You can send this traffic through appliances for further traffic inspection.