Introduction to Azure Firewall

-

 


What is Azure Firewall?

    Here you learn the basics of both Azure Firewall and Azure Firewall Manager. This overview should help you decide whether Azure Firewall and Azure Firewall Manager are a good fit with Contoso's network security strategy.

Overview of Azure Firewall

    Azure Firewall is a cloud-based security service that protects your Azure virtual network resources from incoming and outgoing threats. In the next few sections, you'll learn the fundamentals and key features of Azure Firewall.

What is a firewall?

    A firewall is a community safety characteristic that sits among a depended on community and an untrusted community, consisting of the internet. The firewall's process is to investigate all incoming and outgoing community site visitors. Based on that analysis, the firewall both permits the site visitors to byskip, or it denies the site visitors. Ideally, the firewall permits all valid site visitors whilst denying malicious site visitors consisting of malware and intrusion attempts.

    By default, maximum firewalls deny all incoming and outgoing site visitors. When a firewall analyzes community site visitors, it tests for sure situations to be met earlier than it permits the site visitors to byskip through. Those situations might be a precise IP address, FQDN, community port, community protocol, or any combination.

    Together, those situations outline a firewall rule. A firewall may have simplest a unmarried rule, however maximum firewalls are configured with many guidelines. Only community site visitors that meets the situations of the firewall's guidelines is permitted to byskip through.

    Some firewalls are hardware-primarily based totally and are living interior gadgets which can be constructed to behave as firewalls. Other firewalls are software program applications that run on general-reason computing gadgets.

What is Azure Firewall?

    Azure Firewall is a cloud-based firewall service. In most configurations, Azure Firewall is provisioned inside a hub virtual network. Traffic to and from the spoke virtual networks and the on-premises network traverses the firewall with the hub network.

    All traffic to and from the internet is denied by default. Traffic is only allowed if it passes various tests, such as the configured firewall rules.


What is Azure Firewall Premium?

    Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries.


Overview of Azure Firewall Manager

    Azure Firewall Manager provides a central point of configuration and management of multiple Azure Firewall instances. Azure Firewall Manager enables you to create one or more firewall policies and rapidly apply them to multiple firewalls.

What is a firewall policy?

The configuration of a single Azure Firewall can be complicated. For example, the firewall might be configured with multiple rule collections. A collection is a combination of any or all of the following items:

  • One or more network address translation (NAT) rules
  • One or more network rules
  • One or more application rules
    When you include other firewall settings such as custom DNS and threat intelligence rules, configuring just a single firewall can be a burden. Adding to that burden are two common network security scenarios:

  • Your network architectures require multiple firewalls.
  • You want each firewall to implement both a base level of security rules that apply to everyone, plus special rules for designated groups such as developers, database users, and the marketing department.
    To simplify the complexity of managing these and similar firewall scenarios, you can implement firewall policies. A firewall policy is an Azure resource that contains one or more collections of NAT, network, and application rules, custom DNS settings, threat intelligence settings, and more.

    The key point here is that Azure offers a resource called Firewall Policy. A firewall policy that you create is an instance of that resource. As a separate resource, you can rapidly apply the policy to multiple firewalls using Azure Firewall Manager. You can create one policy to be the base policy, then have more specialized policies inherit the base policy's rules.


Architecture options

    Azure Firewall Manager provides security management for the following two network architectures:

  • Hub virtual network. A standard Azure virtual network where one or more firewall policies have been applied.
  • Secured virtual hub. An Azure Virtual WAN Hub where one or more firewall policies have been applied.

How Azure Firewall works

    You're familiar with the basic features of both Azure Firewall and Azure Firewall Manager. Now let's examine how these technologies work to provide security for your Azure resources. This information will help you evaluate whether Azure Firewall is the right tool for Contoso's network security strategy.

How Azure Firewall protects an Azure virtual network

    
    To understand how Azure Firewall protects your virtual network, know that there are two key characteristics to any Azure Firewall deployment:

  • The firewall instance has a public IP address to which all inbound traffic is sent.
  • The firewall instance has a private IP address to which all outbound traffic is sent.
    That is, all traffic—inbound and outbound—goes through the firewall. By default, the firewall denies access to everything. Your job is to configure the firewall with the conditions under which traffic is allowed through the firewall. Each condition is called a rule and each rule applies one or more checks on the data. Only traffic that passes every check in all the firewall's rules is allowed to pass through.

    How Azure Firewall manages network traffic depends on where the traffic originates:

  • For allowed inbound traffic, Azure Firewall uses DNAT to translate the firewall's public IP address to the private IP address of the appropriate destination resource in the virtual network.
  • For allowed outbound traffic, Azure Firewall uses SNAT to translate the source IP address to the firewall's public IP address.

Where Azure Firewall fits into a virtual network

    For Azure Firewall to do its job effectively, you must set it up as a barrier between a trusted network you want to protect and an untrusted network that offers potential threats. Most commonly, you deploy Azure Firewall as a barrier between your Azure virtual network and the internet.

    Azure Firewall is best deployed using a hub and spoke network topology with the following characteristics:

  • A virtual network that acts as the central connectivity point. This network is the hub virtual network.
  • One or more virtual networks that are peered to the hub. These peers are the spoke virtual networks and are used to provision workload servers.
  • You deploy the firewall instance in a subnet of the hub virtual network and then configure all inbound and outbound traffic to go through the firewall.

    Use the following general steps to set up an instance of Azure Firewall:

  1. Create a hub virtual network that includes a subnet for the firewall deployment.
  2. Create the spoke virtual networks and their subnets and servers.
  3. Peer the hub and spoke networks.
  4. Deploy the firewall to the hub's subnet.
  5. For outbound traffic, create a default route that sends traffic from all subnets to the firewall's private IP address.
  6. Configure the firewall with rules to filter inbound and outbound traffic.

When to use Azure Firewall

    You know what Azure Firewall is and how it works. Now you need some criteria to help you evaluate whether Azure Firewall and Azure Firewall Manager are suitable choices for your company. To help you decide, let's consider the following scenarios:

  • You want to protect your network against infiltration.
  • You want to protect your network against user error.
  • Your business includes e-commerce or credit card payments.
  • You want to configure spoke-to-spoke connectivity.
  • You want to monitor incoming and outgoing traffic.
  • Your network requires multiple firewalls.
  • You want to implement hierarchical firewall policies.
    As part of your evaluation of Azure Firewall and Azure Firewall Manager, you know that Contoso has faced several of these scenarios. Read the following corresponding sections for more details.

You want to protect your network against infiltration

    A common goal of many malicious actors is to infiltrate your network. These intruders might want to use your network resources or examine, steal, or destroy sensitive or proprietary data.

    Azure Firewall is designed to help prevent such intrusions. For example, a malicious hacker might try to infiltrate the network by requesting access to a network resource. Azure Firewall uses stateful inspection of network packets to examine the context of such requests. If a request is a response to earlier legitimate activity, then the firewall will likely allow the request; if a request came seemingly out of nowhere-as would the request sent by a would-be infiltrator—then the firewall would deny the request.

You want to protect your network against user error

    Perhaps the most common method for infiltrating a network or installing malware on a network computer is to trick a network user into clicking a link in an email message. That link sends the user to a malicious hacker-controlled website that either installs the malware or tricks the user into entering network credentials.

    Azure Firewall prevents such attacks by using threat intelligence to deny access to known malicious domains and IP addresses.

Your business includes e-commerce or credit card payments

    Does your business have an e-commerce component, or does it process online credit card payments? If so, then your company might have to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security standards created and maintained by the PCI Security Standards Council. To achieve PCI compliance, the PCI DSS lists a dozen requirements. Here's the first requirement:

  • Install and maintain a firewall configuration to protect cardholder data.

    The PCI DSS specifies that you need to set up a firewall configuration that restricts all inbound and outbound traffic from untrusted networks and hosts. The firewall must also deny all other traffic except for the protocols needed to process payment cards.

You want to configure spoke-to-spoke connectivity

A typical hub and spoke network topology has the following characteristics:

  • One virtual network that acts as a central connection point—the hub.
  • One or more virtual networks that are peered to the hub—the spokes. An on-premises network connected via an ExpressRoute circuit or a VPN gateway can also be considered a spoke in this topology.
    The spoke networks can exchange data with the hub, but the spokes can't communicate directly with each other. You might need such a direct connection. For example, one spoke network might host an application programming interface (API) that requires information from a SQL database deployed in a different spoke.

    One solution is to peer the spoke networks with each other. That works for a few such connections but can quickly grow unwieldy as the number of connections increases.

    An easier and more secure solution is to use Azure Firewall to set up direct connectivity between spokes. You achieve this connectivity by first deploying an Azure Firewall instance in the hub. You then configure the spoke virtual networks with user-defined routes (UDRs) that specifically route data through the firewall and on to the other spoke.


    

You want to monitor incoming and outgoing traffic

    Your company might want to analyze detailed reports on inbound and outbound network traffic. There are many reasons for requiring such reports, including regulatory compliance, enforcing company policies on internet usage, and troubleshooting problems.

You can configure Azure Firewall to maintain diagnostic logs of four types of firewall activity:
  • Application rules
  • Network rules
  • Threat intelligence
  • DNS proxy
    For example, the log for your firewall's application rules might include entries such as the following for an outbound request:

  • HTTPS request from 10.1.0.20:24352 to somewebsite.com:443. Action: Allow. Rule Collection: collection100. Rule: rule105
Similarly, the log for your firewall's network rules might include entries such as the following for an inbound request:

  • TCP request from 73.121.236.17:12354 to 10.0.0.30:3389. Action: Deny
    Once you've enabled diagnostic logging, you can monitor and analyze the logs in the following ways:

  • You can examine the logs directly in their native JSON format.
  • You can examine the logs in Azure Monitor.
  • You can examine and analyze the logs in Azure Firewall Workbook.

Your network requires multiple firewalls

    If your company's Azure footprint spans multiple Azure regions, you have multiple internet connections, which means you need a firewall instance deployed for each of these connections. You could configure and manage those firewalls separately, but doing so creates several problems:

  • Managing multiple firewalls is a great deal of work.
  • Global rule and settings changes must be propagated to every firewall.
  • It's difficult to maintain consistency across all the firewalls.
    Azure Firewall Manager solves these problems by giving you a central management interface for every Azure Firewall instance across all your Azure regions and subscriptions. You can create firewall policies and then apply them to every firewall to maintain consistency. Changes to a policy are automatically propagated to all firewall instances.

You want to implement hierarchical firewall policies

Many smaller companies can simply use a one-size-fits-all firewall policy. That is, small companies can often create a single firewall policy that applies to every user and resource on the network.

For most larger companies, however, a more nuanced and detailed approach is required. For example, consider the following two scenarios:

  • A DevOps shop might have a virtual network for developing an app, another virtual network for staging the app, and a third virtual network for the production version of the app.
  • A large business might have separate teams for database users, engineering, and sales. Each of those teams has its own set of applications running in separate virtual networks.
    Although there will certainly be firewall rules that are common to all, the users and resources in each virtual network will require specific firewall rules. So, larger companies almost always require hierarchical firewall policies. Hierarchical firewall policies consist of the following two components:

  • A single base firewall policy that implements the rules that need to be enforced company wide.
  • One or more local firewall policies that implement rules that are specific to a particular app, team, or service. Local policies inherit the base firewall policy and then add rules related to the underlying app, team, or service.
    When using Azure Firewall Manager, you can set up a base firewall policy, then create local policies that inherit the base policy and implement specific rules designed for the underlying resource.

Komentar

Posting Komentar

Postingan populer dari blog ini

Implement CI/CD with Azure DevOps

-
Gambar
  Introduction      Imagine you are part of a team of data engineers who are collaborating on one or more notebooks within a development environment, using Azure Databricks. When you are ready to deploy your changes to production, you must coordinate with an operations team to copy the notebooks over to a production Azure Databricks workspace since company policy dictates that you and your team are not allowed to manually copy the changed files over. This process causes bottlenecks and extra work. Leadership has asked you to find an automated process that incorporates version control, automated testing capabilities, and controls for deployment approvals if needed. Automated testing and deployment is a common practice in software development. However, those same principles also apply to data engineering and data science. Data engineers and data scientists need to collaborate on parts of the system and be able to deploy to production without constantly relying on opera...
Baca selengkapnya

Introduction to ASP.NET Core SignalR

-
Gambar
  What is ASP.NET Core SignalR?      All internet-connected applications are composed of servers and clients. Clients rely on servers for data, and their primary mechanism for receiving data is through making Hypertext Transfer Protocol (HTTP) requests. Some client applications require data that changes frequently.      ASP.NET Core SignalR provides an API for creating server-to-client remote procedure calls (RPCs). RPCs invoke functions on clients from the server-side .NET Core code. There are several supported platforms, each with its own client SDK. Because of this, the programming language being invoked by RPC calls varies.      It's helpful to familiarize yourself with the common terminology that's associated with SignalR. In this unit, you'll learn what SignalR components are required in a server application versus those in client applications. Additionally, you'll gain an understanding of the various duplex communication mechanism...
Baca selengkapnya

Microsoft Security, Compliance, and Identity : Describe the concepts of security, compliance, and identity

-
Gambar
    Everybody, and each gadget, has an personality that can be utilized to get to assets. Personality is the way in which individuals and things are recognized on your corporate arrange, and within the cloud. Being certain almost who or what is getting to your organization’s data and other assets may be a essential portion of securing your environment. This zone is known as personality and get to administration, and is made up of two key steps: confirming and authorizing identities. In this module, you'll learn why identity is imperative in securing corporate resources. After completing this module, you will be able to: Describe the concept of identity as a security perimeter. Understand the difference between authentication and authorization. Describe identity-related services. Describe common identity attacks      A few of the foremost common sorts of security dangers that organizations confront nowadays are personality assaults. These assaults are outlined to...
Baca selengkapnya