1. Overview of Azure Network Security
Microsoft uses a concept called defense in depth, which I'll explain. Instead of having a single firewall or a single point at which security is enforced, the idea is that you enforce security at almost every layer of your application, from the beginning to the end. The analogy is a house where the front door is your only source of security: if someone has the key and can unlock the front door, they have full and complete access to the house. Some people, though, have multiple layers. Not only is there a lock on the front door, but there is also a security alarm that needs a code to disarm, then perhaps a safe with its own combination, and the computer in the office also requires a password to get into it.
So the idea behind defense in depth is that there are multiple points of checking and authentication between the front of the house and the place an intruder actually wants to reach, whether that is your bank accounts, your money, your safe, and so on. In Microsoft Azure and cloud computing, the layers we are talking about start from the bottom. The physical layer is the data centres that Microsoft controls: the fences around them, the security guards, the door locks, and the fingerprint authentication required to get into the buildings.
Moving up from there, you have Azure Active Directory, which holds your corporate user IDs and passwords; the firewalls and denial-of-service protection at the perimeter; network-level security, meaning subnets and the network security groups that control traffic between them; and then the security of the individual virtual machines and apps, such as making sure the operating systems have the latest patches and turning off Remote Desktop Protocol unless you specifically need it for a short period of time. The application layer and even the database layer have their own security, including encryption and limiting which applications can get access to your data.
So the more layers of security you have, the safer you are. If you have only a single point of security and someone gets past it, they have access to everything. Another way to look at defense in depth is to look at all of the security techniques a cloud provider offers. Some are under your control, while others are not. If you look at encryption, the firewall, the way the network is divided into subnets, and the NSGs, or network security groups, that surround those subnets, the more of these you implement, the safer you are. It is probably impossible to implement them all, and it would be very costly, because a lot of these services have costs associated with them. But the more critical your infrastructure, the more budget, time, and energy you are going to have to devote to securing it.
2. NSG, Firewall and DDoS Protection
So now we're going to talk about three of the specific security technologies within Azure that can be used to secure your network. The first one is the Network Security Group, or NSG. Earlier in this course, we set up a virtual network; you watched me create it live. As we saw in that video, a virtual network can be divided into what are called subnets, or subnetworks. In the diagram on screen, there is a front-end subnet and a back-end subnet. The concept is that your public-facing services, your web servers for instance, sit in the front-end subnet, and all of your protected services, like databases and other application servers, sit in the back-end subnet, with different security rules for each.
The Network Security Group, or NSG, is a set of rules attached to a subnet or to a virtual machine's network interface; in other contexts the same thing is called an access control list. Each rule names a source and a destination (IP addresses, ranges, or Azure service tags such as Internet and VirtualNetwork), a port range, a protocol, a priority, and whether to allow or deny. Rules are evaluated in order of priority number, lowest first, and the first match wins. So if you are coming from the internet, you might be allowed to reach port 80, the web port, and nothing else, because no rule allows the other ports. If you remember, when we created the virtual machine we had to choose which inbound traffic to allow, and we chose RDP only, so that NSG allowed RDP traffic but not web traffic. The NSG is a very simple set of rules, but if you set them up right, you can turn off a lot of access to a lot of areas, and it is easy to see what is allowed in. Everything else is denied: behind your own rules sits a default rule that denies all inbound traffic from outside, so you have to specifically allow traffic through. One caveat worth knowing is that the default rules also allow traffic between addresses inside the virtual network, so if you want the back-end subnet closed to everything except the front-end subnet, you add an explicit deny rule of your own. Now, that contrasts with something like the Azure Firewall service, which is a managed stateful firewall with threat-intelligence feeds: rather than a fixed list, it filters traffic against known malicious addresses and domains as well as your own network and application rules.
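To make the NSG evaluation concrete, here is a small model of how Azure decides whether an inbound flow is allowed. This is an added example written for this page, not code from the course or from Microsoft. It assumes a constructed address plan (a 10.0.0.0/16 virtual network with a 10.0.1.0/24 front-end subnet and a 10.0.2.0/24 back-end subnet), simplifies the VirtualNetwork service tag to that single VNet, and uses constructed sample flows. The rule names, priorities and the three default inbound rules follow Azure's documented semantics.

```python
"""How an Azure NSG decides whether a flow is allowed: rules sorted by priority
number, first match wins, with Azure's three default inbound rules behind them.

Added example for this page, not code from the course or from Microsoft. The
address plan and sample flows are constructed; service tags are simplified.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple

# Constructed address plan (assumption for the example).
VNET = ip_network("10.0.0.0/16")
FRONTEND_SUBNET = "10.0.1.0/24"
# 168.63.129.16 is the documented Azure virtual IP used for load-balancer health probes.
AZURE_LB = ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; lower number is checked first
    access: str            # "Allow" or "Deny"
    src: str               # CIDR or service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer", "*"
    dst_ports: str         # "443", "80,443", "1024-65535" or "*"
    protocol: str = "Tcp"  # "Tcp", "Udp" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str = "Tcp"


# Azure's default inbound rules; they sit behind every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _src_matches(spec: str, ip) -> bool:
    # Simplified service tags: in Azure, VirtualNetwork also covers peered
    # VNets and on-premises ranges reachable through a gateway.
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    if spec == "Internet":
        return ip not in VNET
    return ip in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: Iterable[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule_name) of the first rule, in priority order, that matches."""
    ip = ip_address(flow.src_ip)
    for rule in sorted([*rules, *DEFAULT_INBOUND], key=lambda r: r.priority):
        if rule.protocol not in ("*", flow.protocol):
            continue
        if _src_matches(rule.src, ip) and _port_matches(rule.dst_ports, flow.dst_port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Front-end subnet: only the web ports, only from the internet.
FRONTEND_NSG = [
    Rule("AllowHttpsInBound", 100, "Allow", "Internet", "443"),
    Rule("AllowHttpInBound", 110, "Allow", "Internet", "80"),
]

# Back-end subnet: SQL from the front-end subnet only. The explicit deny at
# priority 4000 is what stops AllowVnetInBound (65000) from exposing every
# port to every other host in the VNet.
BACKEND_NSG = [
    Rule("AllowSqlFromFrontEnd", 100, "Allow", FRONTEND_SUBNET, "1433"),
    Rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*", "*"),
]

if __name__ == "__main__":
    for label, nsg, flow in [
        ("web from internet", FRONTEND_NSG, Flow("203.0.113.10", 443)),
        ("RDP from internet", FRONTEND_NSG, Flow("203.0.113.10", 3389)),
        ("SQL from front end", BACKEND_NSG, Flow("10.0.1.4", 1433)),
        ("RDP from front end", BACKEND_NSG, Flow("10.0.1.4", 3389)),
        ("LB health probe", BACKEND_NSG, Flow("168.63.129.16", 1433)),
    ]:
        print(f"{label:20} -> {evaluate(nsg, flow)}")
```

Run it and compare the back-end results with and without the DenyVnetInBound rule: with only the SQL allow rule, RDP from the front-end subnet still lands on AllowVnetInBound and is permitted, which is the mistake the explicit deny prevents. In Azure itself the same fields (priority, access, source, destination ports, protocol) are what you set in the portal or with `az network nsg rule create`.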
Then there is the Web Application Firewall, or WAF, which is a feature of the Application Gateway (and of Azure Front Door). It looks inside the web requests themselves: if an attacker tries to inject SQL commands into your website, the WAF recognises SQL syntax in the body of the request and rejects it, and if it is a cross-site scripting (XSS) attack, it rejects that request as well. So in this case the firewall is part of the application gateway device, whereas Azure Firewall sits at the network level and looks for suspicious patterns in the traffic, for example connections to addresses on its threat-intelligence lists. The third thing that's relevant to the exam is the denial-of-service protection we talked about earlier. There is a free Basic level of DDoS protection, which you can see on the left. It is always on, monitoring traffic coming into Azure, and it mitigates attacks at layers 3 and 4, the network layer and the transport layer (IP and TCP/UDP), for every customer. That is included. Layer 7 is the application layer, the HTTP and HTTPS requests themselves, and DDoS protection alone does not cover it; for that you put the Web Application Firewall in front of the application.
Now, the Standard tier, which is the upgrade you pay for, is designed to protect you specifically: it learns your application's normal traffic and tunes its mitigation policies to that, as opposed to the general thresholds that apply to everybody. It also includes telemetry, logging, and alerting, so you get notified when your site is under a denial-of-service attack. With these protections turned on, the attack affects your application much less, and you at least get an alert saying millions of packets are being dropped because they are malicious. Again, this does cost money, but it is the kind of network-focused protection you can get.
So those are just some of the services you can use to secure your network. Obviously, it is a lot more complicated than this, and it is super important. Microsoft Azure has a security certification, AZ-500, for people who are tasked with protecting networks, applications, and more, and on the administrator and infrastructure side the AZ-104 certification goes a lot deeper into this as well. For this level of the course, we just need to know that these services exist, roughly what they do, and that defense in depth is the approach: you want protection at every layer, rather than a single front door protecting your entire house.