Given the rising number of cyber-attacks and data breaches in recent times, security has become paramount. For a while now, it’s been clear that securing only your network’s perimeter is simply not enough. The idea that we can inherently trust systems or users in “internal networks” is a recipe for disaster. Not to mention, it’s likely that many of your systems and users are not even in an internal network anymore.
In this ever-changing world, attackers are constantly finding new ways to exploit vulnerabilities. This is one of the reasons to consider the strategy of defense-in-depth: if there are multiple layers of protection in place and one of them fails, another security mechanism exists to stand in the way of an attack.
Besides a multi-layered approach to security, having a Zero Trust mindset is important. We focus on three principles when pursuing Zero Trust practices: verify explicitly, use least privileged access, and assume breach.
Do you want to segment your cloud resources and protect against malicious traffic flows?
Ensuring that the systems and resources are well segmented is foundational in network security. However, resources have legitimate reasons to communicate with one another. How can we detect and prevent threats across the resources that are segmented but need to communicate?
With Azure Firewall, you can keep your virtual networks (VNETs) segmented in a hub-and-spoke architecture model. The Azure Firewall is responsible for enforcing rules centrally, allowing or denying traffic that flows to and from resources in VNETs. However, the resources may still need to communicate over the network.
For connections that are allowed, Azure Firewall helps you explicitly verify the security of these connections with Threat Intelligence-based filtering and Intrusion Detection and Prevention System (IDPS). Allowed connections should not be blindly trusted: by assuming breach, we can watch out for potential attacks occurring within our networks. Threat Intelligence actively looks for connections to malicious IPs or domains, taking action to block that traffic even if it was allowed in the first place. IDPS offers an extra layer of defense, allowing for rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
Do you want administrators to manage resources securely from any device and any location, while minimizing attack surface?
Most of our administrators are no longer in our data centers where they can physically manage systems. The mentality of allowing administrators access to manage resources solely based on their network location does not align with our reality anymore, neither should we expose our systems to the public internet so that administrators can manage them on-the-go.
Most common needs for secure administration include strong authentication mechanisms, minimized direct exposure to the internet, and control over how and when administrators access resources. With Azure Bastion, you can keep virtual machines in Azure completely private and still allow administrators to manage them from any device and any location. In this scenario, virtual machines are managed via Azure Portal with Azure Bastion. This method explicitly verifies credentials before each connection, and multi-factor authentication, least privilege access controls and conditional access policies can be configured and enforced to provide multi-layered protection against potential administrative exploitations.
Do you want to have resilient resources that are up-and-running, even when under attack?
We want to ensure that our services are resilient and available to our users as much as possible. Even if attackers are trying to disrupt the availability of our services, we need the ability to explicitly verify which connections are coming from legitimate users and which ones are malicious.
With Azure DDoS Protection Standard, mitigation of distributed denial-of-service (DDoS) attacks are auto-tuned to the capacity of your resources. When an attack is detected, mitigation starts automatically. It identifies which packets are coming from attackers and drops those connections, while legitimate packets are forwarded to your services, minimizing the impact to valid users while an attack is occurring.
How do these services work together to improve overall network security?
Based on what we explored above, we saw how Azure Bastion and Azure Firewall are essential services to securely manage our resources and catch malicious traffic activity in our networks. Since Azure Bastion and Azure Firewall are services that can have public IP addresses, they may be susceptible to DDoS attacks. With Azure DDoS Protection Standard, we can stand against DDoS attacks that could potentially impact the availability of these crucial security services. Azure DDoS Protection acts as an insurance to keep critical infrastructure running even in the event of an attack.
Next Steps
- Deploy our Network Security Dashboard workbook for Azure Security Center to gain visibility of your Public IPs assets and better gauge your level of exposure.
- Follow this Azure Bastion QuickStart tutorial to configure Azure Bastion and test how you can manage a virtual machine (VM) securely without needing direct public access to the VM.
- Deploy our Azure Network Security Lab from GitHub for hands-on testing of Azure Firewall and Azure DDoS Protection Standard.
References
Posted at https://sl.advdat.com/3BjAtYw