More and more companies, in order to keep up with the pace dictated by digital transformation or for other specific reasons, are adopting cloud solutions and migrating their workloads to the cloud. To keep resources in the cloud environment secure, a new security model is needed, one that adapts more effectively to the complexity of modern environments, covers hybrid scenarios and protects applications and data wherever they reside. This article describes some of the key Azure networking security services that help organizations adopt the Zero Trust model, an integrated and proactive approach to security that is applied on several fronts.
The Zero Trust framework developed by Microsoft is based on the following three principles to protect assets:
- Verify explicitly. Always authenticate and authorize based on all available data points: user identity, location, device health, the service or workload, data classification and anomalies.
- Use least privileged access. Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies and data protection.
- Assume breach. Minimize the blast radius and segment access by defining granular perimeters. Use end-to-end encryption and use analytics to gain visibility, detect threats and improve defenses.
The Zero Trust approach assumes that a breach has already happened and accepts that attackers can be anywhere, inside or outside the network. For this reason the model requires verifying every access attempt, restricting user access (JIT and JEA) and strengthening asset protection. It is also important to pair these practices with controls on network communications: segment the network into smaller zones and then control which traffic may flow between them. An approach in which network firewalls are implemented only on the perimeter, filtering traffic between trusted and untrusted zones, is too limiting for this model. Instead, traffic should also be filtered between internal networks, hosts and applications.
Azure offers several networking-related security services, described in the following sections, that allow you to filter and control network communications in a granular way and thus support the Zero Trust model.
Network Security Group (NSG)
Network Security Groups (NSG) are the main tool for controlling network traffic in Azure. Through allow and deny rules you can filter communications between different workloads on an Azure virtual network, as well as communications with systems that reside on-premises and are connected to the Azure VNet, and communications to and from the Internet. An NSG can be applied to a specific subnet of an Azure VNet or directly to the individual network interfaces of Azure virtual machines; when both are present, traffic must be allowed by both NSGs. NSG rules may use Service Tags, predefined groups of IP address ranges, including those assigned to specific Azure services (e.g. AzureMonitor, AppService, Storage), so that you do not have to maintain those ranges yourself.
NSG rules can also reference Application Security Groups (ASG). These are groups that contain the network interfaces of Azure virtual machines. ASGs let you group multiple servers under mnemonic names, which is especially useful for dynamic workloads. With Application Security Groups you therefore no longer have to manage the IP addresses of Azure virtual machines in NSG rules, as long as the network interfaces belong to VMs attached to the same VNet as the ASG.
Although firewall solutions can be enabled at the guest OS level, Azure NSGs provide protection even if the virtual machine in Azure is compromised. An attacker who gains access to the virtual machine and elevates privileges may be able to disable the host firewall. NSGs, being enforced outside the virtual machine, provide strong guarantees against tampering with the firewall running inside it.
Figure 1 - Graphical display of network traffic segregation via NSG
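The following is an added example, not code from the original article or from Microsoft: a small offline model of how Azure evaluates inbound NSG rules. It shows the behaviours that matter when designing the rules described above: rules are evaluated in ascending priority order and the first match decides, Azure appends three default inbound rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound), Service Tags and ASGs stand in for address lists, and when an NSG is attached to both the subnet and the NIC the traffic must be allowed by both. The VNet range, the ASG memberships, the Storage prefix and the test flows are constructed sample data; the Internet tag is approximated as "anything outside the VNet".

```python
"""
Toy evaluator for Azure NSG inbound rules (added example, not Microsoft code).
It does not talk to Azure; it models rule semantics on constructed data:
  * ascending priority, first match wins;
  * the three default inbound rules Azure appends (65000, 65001, 65500);
  * Service Tags and Application Security Groups as named address sets;
  * subnet NSG evaluated first, then NIC NSG; both must allow inbound traffic.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data. 168.63.129.16 is the real Azure platform/LB address;
# the VNet range and the "Storage" prefix are made up for the example.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Storage": ["20.38.0.0/16"],
}
# ASG name -> private IPs of the member NICs (constructed).
ASGS = {
    "asg-web": ["10.0.1.4", "10.0.1.5"],
    "asg-db": ["10.0.2.4"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # 100..4096 for user rules; lower number wins
    access: str                # "Allow" or "Deny"
    protocol: str              # "Tcp", "Udp" or "*"
    source: str                # CIDR, single IP, service tag, ASG name or "*"
    destination: str
    dest_ports: frozenset | str  # set of ports, or "*" for any


def contains(ref: str, ip: str) -> bool:
    """Does the source/destination reference `ref` cover address `ip`?"""
    addr = ip_address(ip)
    if ref == "*":
        return True
    if ref == "Internet":
        # Approximation of the Internet tag: every address outside the VNet.
        return not contains("VirtualNetwork", ip)
    if ref in SERVICE_TAGS:
        return any(addr in ip_network(p) for p in SERVICE_TAGS[ref])
    if ref in ASGS:
        return any(addr == ip_address(m) for m in ASGS[ref])
    return addr in ip_network(ref, strict=False)  # plain CIDR or single IP


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if rule.protocol != "*" and rule.protocol != proto:
        return False
    if rule.dest_ports != "*" and port not in rule.dest_ports:
        return False
    return contains(rule.source, src) and contains(rule.destination, dst)


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def evaluate_nsg(rules, src, dst, proto, port):
    """Return (access, rule_name) of the first matching rule, lowest priority first."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, src, dst, proto, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def inbound_allowed(subnet_nsg, nic_nsg, src, dst, proto, port):
    """Inbound to a NIC passes only if the subnet NSG and then the NIC NSG both allow it."""
    for rules in (subnet_nsg, nic_nsg):
        if rules is None:  # no NSG attached at this level
            continue
        access, name = evaluate_nsg(rules, src, dst, proto, port)
        if access == "Deny":
            return False, name
    return True, "Allow"


# Subnet NSG: publish HTTPS to the web tier and let the web tier reach SQL.
# There is no explicit deny, so the default AllowVnetInBound rule still
# permits any other intra-VNet traffic at this level.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "asg-web", frozenset({443})),
    Rule("AllowWebToSql", 110, "Allow", "Tcp", "asg-web", "asg-db", frozenset({1433})),
]
# NIC-level NSG on the database VM: only the web ASG may reach it from the VNet.
DB_NIC_NSG = [
    Rule("AllowSqlFromWebOnly", 100, "Allow", "Tcp", "asg-web", "*", frozenset({1433})),
    Rule("DenyOtherVnetTraffic", 200, "Deny", "*", "VirtualNetwork", "*", "*"),
]

if __name__ == "__main__":
    for src, dst, proto, port in [
        ("203.0.113.7", "10.0.1.4", "Tcp", 443),  # Internet -> web, HTTPS
        ("203.0.113.7", "10.0.1.4", "Tcp", 22),   # Internet -> web, SSH
        ("10.0.1.4", "10.0.2.4", "Tcp", 1433),    # web -> db, SQL
        ("10.0.3.9", "10.0.2.4", "Tcp", 1433),    # stray VM -> db, SQL
    ]:
        nic = DB_NIC_NSG if dst in ASGS["asg-db"] else None
        print(src, "->", dst, port, inbound_allowed(SUBNET_NSG, nic, src, dst, proto, port))
```

The last flow is the instructive one: the subnet NSG lets a stray VM reach the database because the default AllowVnetInBound rule permits all intra-VNet traffic, and it is the NIC-level NSG (or an explicit deny with a priority below 65000) that actually enforces the segmentation.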
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects resources attached to Azure Virtual Networks and centrally governs the related network flows. It also has built-in high availability and scalability.
Azure Firewall Premium includes all the features of the Azure Firewall Standard tier and adds the next-generation firewall features shown in Figure 2.
Figure 2 - Overview of Azure Firewall Premium features
Zero Trust best practice is to always encrypt data in transit so as to obtain end-to-end encryption. From an operational point of view, however, greater visibility is often needed in order to apply additional security controls to the decrypted traffic. Azure Firewall Premium makes this possible: the Premium tier provides an additional level of protection through features such as TLS Inspection and IDPS, which give greater control over network traffic so that the spread of malware can be intercepted and blocked. For more details on the features of Azure Firewall Premium you can consult this article.
Azure DDoS Protection
The Zero Trust model aims to authenticate and authorize every component on the network. Nevertheless, any system capable of receiving network packets is vulnerable to DDoS attacks, even one built on a Zero Trust architecture. It is therefore imperative that any Zero Trust implementation also adopts a DDoS protection solution.
In Azure, DDoS protection is available in two tiers: Basic and Standard.
The Basic tier is enabled by default on the Azure platform, which constantly monitors traffic and applies real-time mitigations to the most common network-layer attacks. This tier provides the same level of protection used and tested by Microsoft's own online services and is active for Azure public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.
Azure DDoS Protection Standard provides additional mitigation features beyond the Basic tier, specifically tuned for resources located in Azure virtual networks. Protection policies are configured automatically and tuned by monitoring network traffic and applying machine learning algorithms that profile the application's traffic patterns. When the thresholds set in the DDoS policy are exceeded, mitigation starts automatically and stops once traffic falls back below the established thresholds. These policies apply to all Azure public IPs associated with resources in the virtual networks, such as virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.
Azure Firewall Manager
The Zero Trust security model directs us to adopt micro-segmentation and to define granular perimeters in the network architecture. To facilitate this, you can use Azure Firewall Manager, a tool that provides a single centralized control plane and simplifies the configuration and management of network security policies, which often need to be deployed across multiple Azure Firewall instances. In addition to managing Azure Firewall policies, Azure Firewall Manager allows you to associate a DDoS protection plan with virtual networks.
Furthermore, Azure Firewall Manager allows you to use third-party Security as a Service (SECaaS) offerings to protect users' Internet access.
Synergies and recommendations for the use of the various protection services
To obtain effective network protection, the following recommendations should be taken into consideration when using the various security components related to Azure networking:
- Network Security Groups (NSG) and Azure Firewall are complementary, and using them together gives a high degree of defense. NSGs are recommended for filtering traffic between resources residing within a VNet, while Azure Firewall is useful for providing network and application protection between different Virtual Networks.
- To increase the security of Azure PaaS services, it is recommended to use Private Link, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs.
- For a protected publication of applications (inbound HTTP/S), it is advisable to use the Web Application Firewall present in the Azure application delivery solutions, placing it alongside Azure Firewall. The Web Application Firewall (WAF) provides protection from common vulnerabilities and attacks, such as cross-site scripting and SQL injection.
- Azure Firewall can also be complemented by third-party WAF and DDoS solutions.
- In addition to Azure Firewall, you can evaluate the adoption of Network Virtual Appliances (NVAs) provided by third-party vendors and available in the Azure Marketplace.
All these protection services, suitably configured in a hub-spoke network topology, allow you to segregate network traffic and achieve a high level of control and security.
Figure 3 - Example of a Hub-Spoke architecture with the various security services
Furthermore, by integrating with Azure security services such as Microsoft Defender for Cloud, Microsoft Sentinel and Azure Log Analytics, it is possible to further improve the management of the security posture and the protection of workloads.
The security model defined as Zero Trust by analysts at Forrester Research is now an imperative for protecting any environment. Azure provides a wide range of services that allow you to achieve high levels of security, acting on different fronts to support this model. When adopting the Zero Trust model, a winning strategy for Azure networking is to mix and match the different network security services to obtain protection on multiple levels.