Category Archives: Security

How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surfaces of your environment. One of these mechanisms is theAdaptive Application Controls, a solution that can control which applications are running on the systems. Azure Security Center uses the machine learning engine to analyze applications running on virtual machines and leverages artificial intelligence to provide a list of allowed applications. This article lists the benefits that can be achieved by adopting this solution and how to perform the configuration.

Adopting this solution, available using the tier Standard of Azure Security Center, you can do the following:

  • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions. For Windows systems on Azure, you can also apply execution locks.
  • Respect corporate compliance, allowing the execution of only licensed software.
  • Avoid using unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place using specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their geographic location. Currently for systems not located in Azure and Linux VMs, only audit mode is supported.

This feature can be activated directly from the portal by accessing the Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, to help enforce Application Control policies.

From the management interface, the groups are divided into three types:

  • Configured: list groups containing VMs where this feature is configured.
  • Recommended: there are groups of systems where enabling application control is recommended. Security Center uses machine learning mechanisms to identify VMs on which the same applications are always regularly running, and therefore are good candidates to enable application control.
  • Unconfigured: list of groups that contain the VMs for which there are no specific recommendations regarding the application control. For example, VMs that systematically run different applications.

Figure 3 – Types of groups

By clicking on the groups of virtual machines, you will be able to manage the Application control rules, that will allow you to create rules that evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each individual rule, you select the machines on which to apply it and the applications that you want to allow. For each application, the detail information is provided, in particular, the "Expoitable" column indicates whether it is an application that can potentially be used maliciously to bypass the list of allowed applications. For this type of application, you should pay close attention before allowing.

This configuration, for Windows systems, involves creating specific rules inApplocker, and it govern the execution of applications.

By default, Security Center enables application control in modeAudit, only to control activity on protected virtual machines without applying any locks on application execution. For each individual group, after verifying that the configuration you have made does not result in any malfunctions on the workloads on the systems, you can bring application control to application mode Enforce, as long as they are Windows virtual machines in the Azure environment, to block the execution of applications that are not expressly allowed. You can always change the name of the group from the same interface.

Figure 5 – Change the name and protection mode

At the end of this configuration, you will see, in the main Security Center panel, notifications concerning potential violations in the execution of applications than allowed.

Figure 6 - Violation notifications of applications Securiy Center

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation

Conclusions

The functionality of Adaptive application controls allows with few easy steps to quickly enable a thorough check on the applications that run on systems. The configuration is simple and intuitive, especially thanks to functionality that allows to group the systems that have similar characteristics with regard to the execution of the application. It is therefore an important mechanism that helps prevent potential security threats and to minimize the attack surfaces of the environment. Added to the additional features, Adaptive application controls helps make Security Center a complete solution for the protection of workloads.

How to remote access virtual machines in Azure

Being able to access via RDP (Remote Desktop Protocol) or via SSH (Secure SHel) to virtual machines present in Azure is a basic requirement for system administrators. Direct exposure of these protocols on Intenet is definitely a practice to be avoided as a high risk security. This article shows the different methodologies that can be taken to gain remote access to systems present in Azure and the characteristics of each of it.

Recently Microsoft has released a security update rated critical and directed to resolution of the vulnerability CVE-2019-0708 identified on the Remote Desktop service for different operating systems. The vulnerability allows code execution via RDP protocol allowing you to take full control of the remote system. This vulnerability is taken as an example to highlight how is actually risky to publish on Internet these access protocols. For this reason you should consider adopting one of the solutions below for even more security.

Figure 1 – RDP/SSH attack

VPN access

To have an easy administrative access to the Azure Virtual Network you can enable a Point-to-Site VPN (P2S). Through the P2S VPN can establish connectivity from one location to the Azure environment, easily and securely. When the VPN connection is established you will have the ability to remotely access to systems in Azure. For more information on VPN P2S I invite you to read the article Azure Networking: Point-to-Site VPN access and what's new. Adopting this methodology you should take into consideration the maximum number of connections for each Azure VPN Gateway.

Figure 2 - Protocols available for P2S VPN

Just-in-Time VM Access

It is a feature available in Azure Security Center Standard Tier, allowing you to apply the necessary configurations to the Network Security Groups (NSG) and more recently to Azure Firewall to allow administrative access to systems, properly filtered for source IP and for a certain period of time. Just-in-Time VM Access allows to perform the configurations needed to access remotely to systems quickly, targeted and only for a very specific time period. Without the use of this feature you would need to manually create the appropriate rules within the NSG or Azure Firewall (NAT Rule), and remember to remove them when no longer needed.

Figure 3 - Request access via Just-in-Time VM Access

Jumpbox

A scenario that is used in some situations is the presence of a virtual machine (Jumpbox) accessible remotely and dislocated in a suitably isolated subnet, that is used to access several other systems in communication with that subnet. In a network architecture that reflects the hub-and-spoke topology, typically this system is positioned in the hub network, but it is recommended to apply filters to make sure that this system is only accessible from certain public IP addresses, without exposing it directly on the Internet. In this scenario you should take into consideration that you will have a maximum of two remote connections simultaneously for single JumpBox.

Figure 4 - Positioning of the JumpBox in a hub-spoke architecture

Azure Bastion

It is a PaaS service, recently announced by Microsoft in preview, offering a safe and reliable SSH and RDP access to virtual machines, directly through the Azure portal. The provisioning of Azure Bastion service is carried out within a Virtual Network of Azure and it supports access to all the virtual machines on it attested, without exposing the public IP addresses.

Figure 5 - Azure Bastion Architecture

For more details on this please read the article Azure Bastion: a new security model created by Silvio Di Benedetto.

Azure Bastion is a paid service, to get cost details you can access the page Azure Bastion pricing.

At the time you should take into account that Azure Bastion and Just-in-Time VM Access can not be used to access the same systems.

SSL Gateway

A very valid solution in terms of security is an implementation of a Remote Desktop Services environment in Azure, which includes the use of Remote Desktop Gateway role, specially designed to be directly exposed to the Internet (TCP port 443). With this component you can encapsulate RDP traffic in an HTTP over TLS / SSL tunnel. The Remote Desktop Gateway also supports Multi-Factor Authentication that allows to further increase the level of security for remote access to resources. A similar solution is also available in Citrix environment. In this area you will need to consider, in addition to the costs associated with Azure components, also the license costs.

Figure 6 - Possible Remote Desktop Services architecture in Azure environment

Conclusions

There are several possibilities for providing a secure remote access to virtual machines in the Azure environment. The new Azure Bastion service is a safe and simple method, but that needs to be expanded with more features, the most important are certainly support for Virtual Networks in peering and for multi-factor authentication. These features probably will be available when the solution will be globally available. Waiting to use Azure Bastion in a production environment you can use the other methods listed, thus avoiding having to expose unprotected systems to the Internet.

Security in the cloud with Azure Sentinel solution

Microsoft recently announced a new cloud solution called Azure Sentinel. It is a service that aims to expand the capabilities and potential of the products SIEM (Security Information and Event Management) traditional, going to use the power of the cloud and artificial intelligence to be able to quickly identify and manage security threats affecting your infrastructure. This article lists the main features of the solution.

Azure Sentinel is a solution that allows real-time analysis of security events and information generated within their own hybrid infrastructure, from server, applications, devices and users. It is a cloud-based service, it follows that one can easily scale and have high-speed processing of information, without the need to implement and manage a dedicated infrastructure, to intercept potential security threats.

Azure Sentinel service can be activated directly from the Azure Portal:

Figure 1 - Creation of service Azure Sentinel

Operating principles of Azure Sentinel

Collect data within the infrastructure

Azure Sentinel leans to Azure Monitor that, using the proven and scalable repository of Log Analytics, is able to accommodate a high volume of data, which it is possible to process them effectively thanks to an engine that ensures high performance.

Figure 2 - Adding Azure Sentinel to an existing Log Analytics workspace

With Azure Sentinel you can aggregate different security data from many sources, using the appropriate connectors embedded in the solution. Azure Sentinel is able to connect, in addition to the different platform solutions, even the most widespread and popular network solutions of third-party vendors, including Palo Alto Networks, F5, Symantec, Fortinet and Check Point. Azure Sentinel also has a native integration with logs that meet the standard formats, as common event and syslog.

Figure 3 -Data Connectors

Using this solution, you also have the ability to easily import data from Microsoft Office 365 and combine them with other security data, in order to get a detailed analysis of your environment and have visibility into the entire sequence of an attack.

Figure 4 – Office 365 Connector

Azure Sentinel also integrates with’Microsoft Graph Security API, which allows you to import your own threat intelligence feeds and customize detection rules of potential security incidents and notification.

Analyze and quickly identify the threats by using artificial intelligence

Azure Sentinel uses scalable machine learning algorithms, able to correlate a high amount of security data, to present to the analyst only potential security incidents, all with a high level of reliability. Thanks to this mechanism Azure Sentinel differs from other SIEM solutions, adopting traditional correlation engines, drastically reducing noise and consequently the effort for the analysis required in detecting threats.

Figure 5 – Azure Sentinel Overview

After enabling the Data Collectors required, you will begin to receive data in the workspace of Log Analytics and setting up ofAlert Rules, it can generateCases to report potential security threats. For more details on how to detect threats with Azure Sentinel, see the Microsoft's official documentation.

Investigate suspicious security activities

The data processed by the solution can be found using the dashboards, customizable to suit your needs. Dashboards allow you to conduct investigations by reducing the time needed to understand the scope of an attack and its impact.

Figure 6 – Dashboards available in Azure Sentinel

Figure 7 – Azure Network Watcher dashboard

If security threats are detected, against the Alert Rules set, it is generated a Case, for which you can set the severity, the status and its assignment.

Figure 8 – Cases

Using the console, you can proceed with the investigation of the case:

Figure 9 – Case Investigation

In the same dashboard you can also perform actions. Proactive research activities of suspicious transactions are a fundamental aspect for security analysts, that with Azure Sentinel can be made through two specific features that allow you to automate the analysis: search query (hunting queries) and Azure Notebooks (based on notebook Jupyter), that are constantly updated.

Figure 10 – Hunting queries

Figure 11 -Example of an Azure Notebook

Automate common tasks and response to threats

Azure Sentinel provides the ability to automate and orchestrate the response to common problems, so you don't have to manually perform repetitive tasks. By means of predefined and customizable playbooks you can quickly respond to security threats.

Figure 12 – Alert playbooks

Figure 13 – Logic Apps Designer

Microsoft also announced that more defense and investigation tools will be integrated in the solution increased.

Conclusions

Azure Sentinel is a complete solution that provides native SIEM in the cloud and introduces significant benefits over traditional SIEM solutions, which require to sustain high costs for the maintenance of the infrastructure and for data processing. Azure Sentinel enables customers to simplify the tasks required to maintain high security in the infrastructure and to scale gradually to suit your needs, providing a wide integration with third party solutions.

Azure management services and System Center: What's New in February 2019

The month of February was full of news and there are different updates that affected the Azure management services and System Center. This article summarizes to have a comprehensive overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Azure Monitor

Multi-resource support for metric alerts

With this new feature, you can configure a single metric alert rule to monitor:

  • A list of virtual machines in an Azure region.
  • All virtual machines in one or more resource groups in an Azure region.
  • All virtual machines of a subscription, present in a given Azure region.

Azure Automation

The runbook Update Azure Modules is open source

Azure Automation allows you to update the Azure PowerShell modules imported into an automation account with the latest versions available in the PowerShell Gallery. This possibility is provided through the actionUpdate Azure Moduleson the page Modules of the Automation Account, and is implemented through a hidden runbook. In order to improve diagnostics and troubleshooting activity and provide the ability to customize the module, this has been made open source.

Support for the Azure PowerShell module Az

Azure Automation introduces support for the PowerShell module Az, thanks to which you can use the updated Azure modules within runbooks, to manage the various Azure services.

Azure Log Analytics

New version of the agent for Linux

This month the new OMS Agent version for Linux systems solves a specific bug during installation. To obtain the updated OMS agent version you can access at the GitHub official page.

Availability in new region of Azure

It is possible to activate a Log Analytics workspace also in the Azure regions of West US 2, Australia East and Central Australia. In this way the data is kept and processed in this regions.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 33 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.22.5109.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3900.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9155.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is possible on all systems running Microsoft Azure Site Recovery Service providers, by including:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x. x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x. x).
  • Microsoft Azure Site Recovery Provider (5.1.3500.0) and later.

The Update Rollup 33 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have installed the version 9.17.4860.1 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult thespecific KB 4489582.

Protection of Storage Space Direct cluster

In Azure Site Recovery (ASR) is introduced, with the Update Rollup 33, also the support for the protection of Storage Space Direct cluster, used to realize Guest Cluster in Azure environment.

Azure Backup

In Azure Backup has been released the feature of Instant Restorefor the virtual machines in Azure, that allows using the stored snapshots for the VMs recovery. Also it is given the option to configure the time of retention for the snapshots in the backup policy (from one to five days, the default is two days). This increases control over the protection of the resources, adapting it to specific requirements and depending on the criticality of the same.

Figure 1 – Retention period of the snapshot

System Center Configuration Manager

Released versions 1902 and 1902.2 for the Technical Preview Branch

Among the main new features of this release is included the ability to manage more effectively the restart notifications on systems managed by Configuration Manager.

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack forSCOM 1801 version7.3.13288.0 and SCOM 2016 version7.2.12074.0
  • System Center Management Pack for Windows DNS Server version 10.0.9.3

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure management services and System Center: What's New in January 2019

The new year has begun with several announcements by Microsoft regarding what happened to Azure management services and System Center. The Cloud Community releases a monthly basis article, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

As already announced in the past few months, monitoring capabilities, management features, and security functionality of Operations Management Suite (OMS) have been included in the Azure portal. From 15 January 2019 the OMS portal has been officially retired, and all the features are accessible from Azure portal.

Azure Monitor

Azure Monitor logs in Grafana

For Monitor Azure was announced a new pluging to integrate with Grafana. Thanks to this pluging you can see in a simple and intuitive way any data collected in Log Analytics. The plugin requires at least version 5.3 of Grafana and by the Log Analytics API retrieves information directly from the workspace, making them available directly from the Grafana dashboard. For more information, please visit the Microsoft's official documentation.

Figure 1 – Log Analytics integration in Grafana

Azure Monitor for containers

During the month of January, the agent of Azure Monitor for Containers (build version 01/09/19) has been updated to introduce improvements in stability and performance. Agent in cluster environments Azure Kubernetes Service (AKS) will be automatically updated. For further details please consult the release notes of the agent.

Azure Security Center

New dashboard on regulatory compliance

In Azure Monitor was made available a new dashboard that shows the status of environmental compliance with respect to specific standards and regulations. Currently supported standards are: Azure CIS, PCI DSS 3.2, ISO 27001, and SOC TSP. The dashboard showsthe overall score of compliance and the detail of the evaluations that reports the status of compliance with respect to each standard.

Figure 2 – Regulatory compliance dashboard in Azure Security Center

Azure Backup

Added support for PowerShell and ACLs for Azure Files

In the scenario of protection ofAzure file shares using Azure Backup the following features have been introduced:

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 32 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.21.5091.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3800.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9144.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is possible on all systems running Microsoft Azure Site Recovery Service providers, by including:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x. x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x. x).
  • Microsoft Azure Site Recovery Provider (5.1.3400.0) and later.

The Update Rollup 31 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have installed the version 9.17.4860.1 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult thespecific KB 4485985.

New statement of support

In Azure Site Recovery have recently included the following improvements:

  • Support for physical servers with UEFI boot type. Although Azure VMs are not supported with UEFI boot disks, ASR can handle the migration of these systems by performing a conversion of the type of BIOS boot, also for the physical servers, not just virtual ones. This feature is only for Windows virtual machines (Windows Server 2012 R2 and later).
  • Support for systems that have the system directory ( /[root], /boot, /usr, etc.) even on different disks than the OS and supporting /boot on LVM volume.
  • Extended support for server migration by AWS for the following OSS: RHEL 6.5+, RHEL 7.0+, CentOS 6.5+ and CentOS 7.0+

System Center

System Center Configuration Manager

Version 1901 for the branch Technical Preview of System Center Configuration Manager.

Among the main new features of this release there is a new interactive client health dashboard will report an overview of the client's health and common mistakes in their environment, with the ability to apply filters to exclude obsolete and offline clients.

Figura 3 – New Client Health Dashboard

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack forSCOM 1801 version7.3.13288.0 and SCOM 2016 version7.2.12074.0

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Protection from DDoS attacks in Azure

A cyber attack of type distributed denial-of-service (DDoS attack – Distributed Denial of Service) is intended to exhaust deliberately the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way. This article will show the security features that you can have in Azure for this type of attacks, in order to best protect the applications on the cloud and ensure their availability against DDoS attacks.

DDoS attacks are becoming more common and sophisticated, to the point where it can reach sizes, in bandwidth, increasingly important, which make it difficult to protect and increase the chances of making a downtime to published services, with a direct impact on company business.

Figure 1 – DDoS Attack Trends

Often this type of attack is also used by hackers to distract the companies and mask other types of cyber attacks (Cyber Smokescreen).

 

Features of the solution

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 2 - Comparison of the features available in different tiers for DDoS Protection

The protection Basic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances. This protection does not apply to App Service Environments.

Figure 3 – Overview of Azure DDoS Protection Standard

The Azure DDoS Protection Standard is able to cope with the following attacks:

  • Volumetric attacks: the goal of these attacks is to flood the network with a considerable amount of seemingly legitimate traffic (UDP floods, amplification floods, and other spoofed-packet floods).
  • Protocol attacks: These attacks are aiming to make inaccessible a specific destination, exploiting a weakness that is found in the layer 3 and in the layer 4 of the stack (for example SYN flood attacks and reflection attacks).
  • Resource (application) layer attacks: These attacks are targeting the Web application packages, in order to stop transmitting data between systems. Attacks of this type include: violations of the HTTP protocol, SQL injection, cross-site scripting and other attacks in level 7. To protect themselves from attacks of this type is not sufficient DDoS protection standard, but you must use it in conjunction with the Web Application Firewall (WAF) available in Azure Application Gateway, or with third-party web application firewall solution, available in the Azure Marketplace.

 

Enabling DDoS protection Standard

The DDoS protection Standard is enabled in the virtual network and is contemplated for all resources that reside in it. The activation of the Azure DDoS Protection Standard requires you to create a DDoS Protection Plan which collects the virtual networks with DDoS Protection Standard active, cross subscription.

Figure 4 – Creating a DDoS Protection Plan

The protection Plan is created in a particular subscription, which will be associated with the cost of the solution.

Figure 5 – Enabling DDoS protection Standard on an existing Virtual Network

The Standard tier provides a real-time telemetry that can be consulted via views in Azure Monitor.

Figure 6 – DDoS Metrics available in Azure Monitor

Any DDoS protection metrics can be used to generate alerts. Using the metric "Under DDoS attack"you can be notified when an attack is detected and DDoS mitigation action is applied.

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address associated with a protected resource, so that resides on a virtual network with active the DDoS standard service.

Figure 7 – Monitor mitigation metrics available in Azure

To report generation, regarding the actions undertaken to mitigate DDoS attacks, you must configure the diagnostics settings.

Figure 8 – Diagnostics Settings in Azure Monitor

Figure 9 - Enable diagnostics of Public IP to collect logs DDoSMitigationReports

In the diagnostic settings it is possible to also collect other logs relating to mitigation activities and notifications. For more information about it you can see Configure DDoS attack analytics in the Microsoft documentation. The metrics for the DDoS protection Standard are maintained in Azure for Moniotr 30 days.

Figure 10 – Attack flow logs in Azure Log Analytics

How to test the effectiveness of the solution

Microsoft has partnered withBreakingPoint Cloud and, thanks to a very intuitive interface, it allows you to generate traffic, towards the public IPs of Azure, to simulate a DDoS attack. In this way you can:

  • Validate the effectiveness of the solution.
  • Simulate and optimize responses against incident related to DDoS attacks.
  • Document the compliance level for attacks of this type.
  • Train the network security team.

Costs of the solution

The Basic tier foresees no cost, while enabling the DDoS Protection Standard requires a fixed monthly price (not negligible) and a charge for data that are processed. The fixed monthly price includes protection for 100 resources, above which there is an additional unit cost for each protected resource. For more details on Azure DDoS Protection Standard costs you can see the Microsoft's official page.

Conclusions

The protection from DDoS attacks in Azure allows us to always have active a basic protection to deal with such attacks. Depending on the application criticality, can be evaluated the Standard protection, which in conjunction with a web application firewall solution, allows you to have full functionality to mitigate distributed denial-of-service attacks.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

 

The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

 

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

Introduction to Azure Firewall

Microsoft recently announced the availability of a long-awaited service required by the users of systems in the Azure environment , it is the’Azure Firewall. The Azure Firewall is a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. This article will look at the main features of this new service, currently in preview, and it will indicate the procedure to be followed for its activation and configuration.

Figure 1 – Positioning of Azure Firewall in network architecture

The Azure Firewall is a type of firewall stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of type of network architectures hub-and-spoke, lends itself to be placed in the Hub network, in order to obtain a complete control of the traffic.

The Azure Firewall features, currently available in this phase of public preview, are the following:

  • High availability (HA) Built-in: high availability is integrated into the service and are not required specific configurations or add-ons to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Unrestricted cloud scalability: Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • FQDN filtering: you have the option to restrict outbound HTTP/S traffic towards a specific list of fully qualified domain names (FQDN), with the ability to use wild card characters in the creation of rules.
  • Network traffic filtering rules: You can create rules to allow or of deny to filter the network traffic based on the following elements: source IP address, destination IP address, ports and protocols.
  • Outbound SNAT support: to the Azure Firewall is assigned a public static IP address, which will be used by outbound traffic (Source Network Address Translation), generated by the resources of the Azure virtual network, allowing easy identification from remote Internet destinations.
  • Azure Monitor logging: all events of Azure Firewall can be integrated into Azure Monitor. In the settings of the diagnostic logs you are allowed to enable archiving of logs in a storage account, stream to an Event Hub, or set the sending to a workspace of OMS Log Analytics.

Azure Firewall is currently in a managed public preview, which means that to implement it is necessary to explicitly perform the enable via the PowerShell command Register-AzureRmProviderFeature.

Figure 02 – PowerShell commands for enabling the public preview of Azure Firewall

Feature registration can take up to 30 minutes and you can monitor the status of registration with the following PowerShell commands:

Figure 03 – PowerShell commands to verify the status of enabling Azure Firewall

After registration, you must run the following PowerShell command:

Figure 04 – Registration command of Network Provider

To deploy the Azure Firewall on a specific Virtual Network requires the presence of a subnet called AzureFirewallSubnet, that must be configured with a sunbnet mask at least /25.

Figure 05 – Creation of the subnet AzureFirewallSubnet

To deploy Azure Firewall from the Azure portal, you must select Create a resource, Networking and later See all:

Figure 06 - Search Azure Firewall in Azure resources

Filtering for Firewall will also appear the new resource Azure Firewall:

Figure 07 – Microsoft Firewall resource selection

By starting the creation process you will see the following screen that prompts you to enter the necessary parameters for the deployment:

Figure 08 – Parameters required for the deployment of the Firewall

Figure 09 – Review of selected parameters and confirmation of creation

In order to bring outbound traffic of a given subnet to the firewall you must create a route table that contains a route with the following characteristics:

Figure 10 - Creation of the Rule of traffic forwarding to the Firewall Service

Although Azure Firewall is a managed service, you must specify Virtual appliance as next hop. The address of the next hop will be the private IP of Azure Firewall.

The route table must be associated with the virtual network that you want to control with Azure Firewall.

Figure 11 - Association of the route table to the subnet

At this point, for systems on the subnet that forwards the traffic to the Firewall, is not allowed outgoing traffic, as long as it is not explicitly enabled:

Figure 12 – Try to access blocked website from Azure Firewall

Azure Firewall provides the following types of rules to control outbound traffic.

Figure 13 – The available rule Types

  • Application rules: to configure access to specific fully qualified domain names (FQDNs) from a given subnet.

Figure 14 - Creating Application rule to allow access to a specific website

  • Network rules: enable the configuration of rules that contain the source address, the protocol, the address and port of destination.

Figure 15 – Creating Network rule to allow traffic on port 53 (DNS) towards a specific DNS Server

Conclusions

The availability of a fully integrated firewall in the Azure fabric is certainly an important advantage that helps to enrich the capabilities provided natively by Azure. At the time are configurable basic operations, but the feature set is definitely destined to get rich quickly. Please note that this service is currently in preview, and no service level agreement is guaranteed and is not recommended to use it in production environments.