1. Module Introduction
Welcome to the third module of SC-900 Certification Preparation: Describe the capabilities of Microsoft security solutions. Let’s understand what you’ll be learning in this module. First, we’re going to start with the basic security capabilities in Azure: how you will protect your networks, how you will protect your virtual machines, and how encryption on Azure can protect your data. These are the three concepts that you’ll be referring to and talking about throughout this module. We always used to talk about the “traditional network security perimeter.” Today that perimeter is constantly changing, because organisations are either moving to the cloud or creating a hybrid environment. Protecting your organization’s assets is key, and data is essential. Threats can come from any direction.
For instance, a denial-of-service attack on your organization’s service, or an attacker trying to access your network by penetrating your firewall. Azure offers a wide array of configurable security tools that can be customised to give you the security and control that your organisation needs. In this module, we will discuss the various services and features that Azure offers to protect your networks, assets, and resources, such as network security groups, Azure Firewall, and Azure DDoS Protection. And we’ll look at different methods of encryption to ensure that your data is protected. So, once again, to summarise: we’ll talk about the security capabilities for protecting your network in Azure, about protecting your virtual machines, and finally you will learn how to secure your data by encrypting it on Azure. Thanks for watching so far, and stay tuned to this module.
2. Network security groups
In today’s modern work environment, more users are working remotely from home. Managing access to assets and resources on your Azure Virtual Network is essential. You will learn about Azure network security groups, which can automatically allow or deny traffic to your cloud-based resources and assets. What exactly is an Azure Virtual Network? It is a virtual network similar to the network you find in your organization; it’s just that it’s in the cloud and virtual in nature. You can host different kinds of Azure resources inside it. For example, an Azure virtual machine in a virtual network can communicate with the internet, with resources in other virtual networks, and with your on-premises network. A virtual network is usually divided into subnets, also called subnetworks. Your resources are placed within a subnet, and the subnet belongs to the virtual network.
So when you create resources, you need to assign a subnet to them. How do you secure the resources within the subnet? You use network security groups. What is a network security group? A network security group lets you allow or deny network traffic to and from Azure resources that exist in your Azure Virtual Network. For example, think about a virtual machine. When you create a network security group, it can be associated with subnets or with a network interface in your virtual network. So packets can be filtered at the subnet level and also at the VM level, because the network interface card is linked to your virtual machine. Within the network security group, you define rules that determine how the traffic is filtered. The rules are evaluated by priority using five information points: source, source port, destination, destination port, and protocol, to either allow or deny the traffic. As a guideline, you should not create two security rules with the same priority and direction. If you look at the picture, which is a simplified diagram, you can see a virtual network with two subnets that are connected to the Internet, and each subnet has a virtual machine. Subnet 1 has a network security group assigned to it that filters inbound and outbound access to Virtual Machine 1, which needs a higher level of access. Virtual Machine 2 could represent a public-facing machine that does not require a network security group. Inbound and outbound security rules can also be linked to a network security group. There’s a lot more to say about them, so we’ll cover them in the next session.
3. Inbound and outbound security rules
Let’s talk about the inbound and outbound security rules that are attached to a network security group. The network security group controls access to the resources on your virtual network and on any of your subnets. A network security group is made up of inbound and outbound security rules. For each rule you can specify a source and destination, a port, a protocol, and the action to take.
If it’s triggered, it could allow or deny. As I previously mentioned, the rules are processed based on their priority. By default, Azure creates a series of rules—three inbound and three outbound rules—to provide a baseline level of security. You cannot remove the default rules, but you can override them by creating new rules with a higher priority. Every rule has a number of properties: name, priority, source or destination, protocol, direction, port range, and action. First, every network security group rule needs a unique name that describes its purpose, for example “allow access”, “deny access”, or “admin access only”. A descriptive name helps you identify what the rule is for. Next is the priority. This is a number between 100 and 4096, and the rules are processed in priority order.
The ones with the lowest number have the highest priority. So when traffic arrives, the rules are evaluated one by one, starting with the lowest number. When the traffic matches a rule, processing stops. This means that any other rules with a lower priority, that is, a higher number, will not be processed. So you need to be careful when choosing the priority for a particular rule, because once the traffic matches a rule, the whole evaluation stops and the traffic is either allowed or denied; processing does not continue to the remaining rules. Next is the source or destination. You specify either an individual IP address, an IP address range, a service tag, or an application security group. Specifying a range is similar to specifying a single source, except that traffic may enter from any address in the range. Next is the protocol: which network protocol will the rule check? It can be TCP, UDP, ICMP, or Any. Next is the direction: whether the rule applies to inbound or outbound traffic. Then comes the port range, which is the port or ports that your application on the device or virtual machine is listening on.
You can specify an individual port or a range of ports. For example, you could use port 80 for HTTP traffic, or you could specify a range such as a block of ports starting at 10,000. Specifying ranges lets you create fewer security rules, because you don’t have to specify one rule per port. You cannot specify multiple ports or port ranges in the same security rule in a network security group created through the classic deployment model; the classic deployment model is being phased out, so you’ll only be using the Resource Manager model. Finally, the action decides what happens when the rule is triggered: whether the traffic is allowed or denied. There are limits to the number of security rules you can create in a network security group; it is not unlimited. And you will use Azure network security groups to automatically allow or deny traffic to your cloud-based resources and assets.
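The evaluation order described in sessions 2 and 3 (lowest priority number first, stop at the first match, default rules last) is easy to get wrong in practice, so here is an added example that simulates it. This is not Azure code and not part of the course: it models an NSG as a list of rules, checks the constraints the text mentions (priority 100–4096, no duplicate priority per direction), and shows how a broad Deny at a lower number shadows a narrower Allow at a higher number. The six default rules are Azure’s documented defaults; the custom rules, addresses (from the documentation ranges) and packets are constructed sample data, and the service tags a packet carries are supplied by hand because the platform resolves them in real Azure.

```python
"""Simulate how an Azure network security group (NSG) evaluates a packet.

Added example, not Azure code. Rules have a priority between 100 and 4096,
are evaluated in ascending priority order, and evaluation stops at the first
match, so exactly one rule decides each packet. Default rules are Azure's
documented defaults; everything else below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str          # "Inbound" or "Outbound"
    source: str             # IP address, CIDR range, service tag, or "*"
    source_port: str        # single port, "low-high" range, or "*"
    destination: str
    destination_port: str
    protocol: str           # "Tcp", "Udp", "Icmp" or "*"
    action: str             # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    source: str
    source_port: int
    destination: str
    destination_port: int
    protocol: str
    source_tags: FrozenSet[str] = frozenset()       # e.g. {"Internet"}
    destination_tags: FrozenSet[str] = frozenset()  # e.g. {"VirtualNetwork"}


# Azure's default rules: undeletable, but every custom rule has a lower number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", ANY, "VirtualNetwork", ANY, ANY, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", ANY, ANY, ANY, ANY, "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", ANY, ANY, ANY, ANY, ANY, "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", ANY, "VirtualNetwork", ANY, ANY, "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", ANY, ANY, "Internet", ANY, ANY, "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", ANY, ANY, ANY, ANY, ANY, "Deny"),
]


def _address_matches(rule_value: str, ip: str, tags: FrozenSet[str]) -> bool:
    if rule_value == ANY or rule_value in tags:
        return True
    try:  # otherwise the rule value must be an address or CIDR range
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_value, strict=False)
    except ValueError:
        return False  # a service tag this packet does not carry


def _port_matches(rule_value: str, port: int) -> bool:
    if rule_value == ANY:
        return True
    low, _, high = rule_value.partition("-")
    return int(low) <= port <= int(high or low)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.protocol == ANY or rule.protocol.lower() == pkt.protocol.lower())
            and _address_matches(rule.source, pkt.source, pkt.source_tags)
            and _port_matches(rule.source_port, pkt.source_port)
            and _address_matches(rule.destination, pkt.destination, pkt.destination_tags)
            and _port_matches(rule.destination_port, pkt.destination_port))


def validate(custom_rules: Iterable[Rule]) -> List[str]:
    """Return the problems Azure would also reject: a custom priority outside
    100-4096, or two rules sharing the same priority and direction."""
    errors, seen = [], set()
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            errors.append(f"{r.name}: priority {r.priority} is outside 100-4096")
        if (r.priority, r.direction) in seen:
            errors.append(f"{r.name}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.priority, r.direction))
    return errors


def evaluate(custom_rules: List[Rule], pkt: Packet) -> Rule:
    """Lowest number first, stop at the first match; DenyAll guarantees a result."""
    errors = validate(custom_rules)
    if errors:
        raise ValueError("; ".join(errors))
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule
    raise AssertionError("unreachable: the default DenyAll rules match everything")


# Constructed rules for a web VM. AllowRdpFromOffice (300) is shadowed by the
# broader DenyRdpInBound (200): evaluation stops at 200, so the office range
# never gets RDP. Giving the office rule a number below 200 would fix it.
SAMPLE_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Internet", ANY, ANY, "443", "Tcp", "Allow"),
    Rule("DenyRdpInBound", 200, "Inbound", ANY, ANY, ANY, "3389", "Tcp", "Deny"),
    Rule("AllowRdpFromOffice", 300, "Inbound", "203.0.113.0/24", ANY, ANY, "3389", "Tcp", "Allow"),
]
```

Calling `evaluate(SAMPLE_RULES, pkt)` for an RDP packet from 203.0.113.20 returns `DenyRdpInBound`, not the office Allow, which is exactly the shadowing trap the session warns about; moving the office rule to priority 150 makes the same packet come back as `Allow`. Traffic that matches no custom rule falls through to the default rules, so an inbound SSH attempt from the Internet ends at `DenyAllInBound`.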
4. What is DDoS
Any company, large or small, can become the target of a large-scale network attack. The attacker may launch these attacks against your network simply to make a statement or to challenge you. DDoS, or Distributed Denial of Service, is an attack used to overwhelm the resources of your applications and servers. When this happens, your servers become unresponsive or slow for legitimate users. A DDoS attack usually targets any publicly accessible endpoint that can be reached through the Internet. Since we’re discussing DDoS attacks, it’s important to distinguish between the various types: volumetric attacks, protocol attacks, and resource-layer or application-layer attacks. Volumetric attacks are volume-based attacks that flood the network with seemingly legitimate traffic, which overwhelms the available bandwidth. What does that mean? It means that legitimate traffic will not be able to get through. These attacks are measured in bits per second. Protocol attacks make a target inaccessible by depleting server resources with false protocol requests that exploit weaknesses in layer 3 (network) or, in some cases, layer 4 (transport) protocols.
These attacks are typically measured in packets per second. The last type, resource-layer attacks, targets web applications and web application packets in order to disrupt the transmission of data between hosts. Against all of these you need DDoS protection, even if the resources are in the cloud. We used to have it on-premises, and now we have it in the cloud as well. Since you are hosting your applications and your mission-critical servers in the cloud, you need some kind of DDoS protection. Azure provides DDoS protection by default, and we need to understand the different tiers it offers. This is how Azure protects your resources so that your legitimate customers and legitimate traffic can access your Azure resources without interruption of service. So let’s talk about the different tiers of DDoS protection in the next session.
5. Azure DDoS protection plans and pricing
Azure DDoS protection is designed to help protect your applications in Azure and servers as well by analyzing the network traffic and discarding anything that looks like a DDoS attack. If you look at the picture here, there’s an Azure DDoS protection that is identifying the attacker’s attempt to overwhelm the network, and therefore it is blocking the traffic from the attacker. And this ensures that the traffic never reaches your Azure resources.
The legitimate traffic from your customers still flows into Azure without interruption of service. Azure DDoS Protection uses the scale and elasticity of the Microsoft global network to bring DDoS mitigation capacity to every region. During a DDoS attack, Azure can scale your computing resources to meet demand, and DDoS Protection can manage your cloud consumption by ensuring that your network load only reflects actual customer usage. Azure DDoS Protection comes in two tiers: Basic and Standard. The Basic tier is automatically enabled, so you get DDoS protection by default at no extra cost, because it is part of the Azure platform.
Always-on traffic monitoring and real-time mitigation of common network-level attacks are provided, along with the same defences that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions. The Standard tier of DDoS Protection provides extra mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. The policies are applied to public IP addresses associated with resources deployed in virtual networks, for example a load balancer or an application gateway. Since we’re talking about tiers of DDoS protection, let’s also talk about pricing. DDoS Protection Standard has a fixed monthly charge. The fixed monthly charge includes protection for up to 100 resources; protection for additional resources is charged monthly per resource. So Azure DDoS Protection protects your devices and applications by analysing traffic across your network and taking appropriate action on suspicious traffic.
6. Azure Firewall
In Azure, you create resources of several kinds, and those resources may need virtual networks. Departments and business units have their own subscriptions, and every business unit may start creating its own resources over time. What happens is that you end up with multiple virtual networks, and you need to control the traffic going in and out of them; some of them will also transmit traffic to your on-premises network.
You need something called Azure Firewall. Azure Firewall is a defence mechanism for both your on-premises network and your virtual networks in Azure, regardless of their subscription. You can deploy Azure Firewall on any of your virtual networks, but the best approach is to use it on a centralised virtual network. When you do that, all of the virtual networks that you have in different subscriptions connect to this centralised virtual network that hosts your Azure Firewall. So this is more like a hub-and-spoke design. Not only can your virtual networks in Azure communicate with each other, but they can also communicate with your on-premises network, and all the virtual networks and on-premises networks route their traffic through the firewall. The advantage of this model is the ability to control the network traffic of all your virtual networks across different subscriptions.
So with Azure Firewall, you can scale up the usage to accommodate changing network traffic flows. As a result, you do not need to budget for peak traffic. The network traffic is subjected to the configured firewall rules. When you route it to the firewall as the subnet’s default gateway, all the devices have a common entry and exit point. Azure Firewall has built-in high availability, so there is nothing to configure. Additionally, Azure Firewall can be set up to span multiple availability zones for increased availability. There is network- and application-level filtering: you can use IP addresses, port numbers, and protocols for network filtering controls, and fully qualified domain name filtering for outbound HTTP traffic. Furthermore, is there support for SNAT?
Yes. Source network address translation, which translates the private IP addresses of network resources to an Azure public IP address in order to identify and allow traffic originating from the virtual network to reach internet destinations, is supported. Similarly, inbound network traffic to the firewall’s public IP address is translated and filtered to the private IP addresses of virtual network resources; that’s called DNAT, which stands for “destination network address translation.” You will have access to multiple public IP addresses; you can have up to 250 public IP addresses associated with your firewall. Furthermore, when it comes to security, Azure Firewall includes threat-intelligence-based filtering, which can be configured to alert on and deny traffic from known malicious IP addresses and domains. To monitor all the traffic, you can integrate with Azure Monitor to collect, analyse, and act on telemetry from your Azure Firewall logs. In short, Azure Firewall helps protect the Azure resources you have connected to Azure virtual networks. Let’s take a look at another piece of information security that we’ve been using for a very long time, the bastion host, and how it is incorporated into Azure as Azure Bastion. Thanks for watching so far. I’ll see you in the next lesson.
7. Azure Bastion Host
In corporate environments, when you first start using Azure, you will have multiple virtual networks that use a combination of network security groups and firewalls to protect and filter access to assets and resources like virtual machines. You are now protected from external threats, but you must still grant direct access to those virtual machines to your developers, data scientists, and other remote employees. In a traditional model, what you would do is expose the Remote Desktop Protocol port if it’s a Windows machine, or SSH if it’s a Linux machine, and make these ports accessible via the Internet. These protocols are then used to gain remote access to your virtual machines. This process creates a significant threat surface that can be exploited by attackers.
Azure Bastion provides secure and seamless RDP or SSH connectivity to your virtual machines directly from the Azure Portal using TLS, or Transport Layer Security. When you connect via Azure Bastion, your virtual machines do not need a public IP, and you do not need any kind of agent or special client software. Bastion provides secure RDP and SSH access to all virtual machines in the virtual network where it is deployed. So what does the Azure Bastion host do? It protects your virtual machines from exposing their IP addresses, the RDP port, or the SSH port to the outside world, while your employees, or the developer who needs access to the resource, can still connect via RDP or SSH. Azure Bastion deployment is per virtual network, not per subscription, per account, or per virtual machine. So when you’re deploying it, you make the deployment on your network.
So when you provision Azure Bastion in your virtual network, the RDP or SSH experience is available to your virtual machines in that same virtual network. There are several benefits to using Azure Bastion. RDP and SSH, for example, are available directly from the Azure Portal. There’s no client needed, no agent required, and the remote session is over TLS, so you have better protection. You will be using an HTML5-based client in a browser such as Internet Explorer or Chrome. Regardless of the browser you’re using, the traffic still originates from your local device, so you get the RDP and SSH benefits. No public IP is required for the virtual machine. So, despite the fact that the virtual machine is on a private IP address, RDP or SSH access is still available.
So there is no hassle managing network security groups. There is no need to open ports 3389 or 22 for RDP or SSH connectivity, and you don’t need to apply any network security groups to the Azure Bastion subnet. Moreover, from a security perspective, you’re not exposing your virtual machines to the internet, and that also means you’re protecting against zero-day exploits. This is a fully managed platform. It exists as a service within your virtual network’s perimeter. You don’t need to worry about hardening each virtual machine in the virtual network; rather, the Azure platform protects against zero-day exploits by keeping Azure Bastion hardened and always up to date. So you will be using Azure Bastion to establish a secure RDP or SSH connection directly to your virtual machines in Azure.
8. Web Application Firewall
Web servers are favourite entry points for attackers. Malicious attacks that exploit widely known vulnerabilities are increasingly targeting web servers and web applications. Think about SQL injection or cross-site scripting; they all happen on the web server. Preventing such attacks in the application code is really challenging. It can require rigorous maintenance, patching, and monitoring. A Web Application Firewall (WAF) provides centralised protection of your web applications from these common exploits and vulnerabilities. A centralised approach makes security management simpler, improves the response time to a security threat, and allows a known vulnerability to be patched in one place instead of securing each web application individually. A WAF also gives application administrators better assurance of protection against threats and intrusions.
So we spoke about network security groups a few minutes ago, and you also understood what firewalls are. But a web application firewall can go beyond that: it can protect you against the OWASP Top 10 risks. The ones I explained a few minutes ago were about protecting against SQL injection and cross-site scripting, and these are the known vulnerabilities that are most commonly exploited. WAF can be used independently, but it can also be used in conjunction with Azure Application Gateway, Azure Front Door, and content delivery networks. These are Microsoft’s services, so WAF has features that are customised for each of these specific services. You use Azure WAF to achieve centralised protection for your web applications from common exploits and vulnerabilities.
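To make the “centralised protection” idea of this session concrete, here is an added example of request inspection in the style of a web application firewall. It is not Azure WAF code and not part of the course: a single inspection point decodes each request parameter (including double-URL-encoded values) and runs it past a small set of signatures for the two vulnerability classes the session names, SQL injection and cross-site scripting, so a new signature protects every application behind it at once. The signature ids, the sample requests, the Prevention/Detection switch and the per-parameter exclusion list are all constructed for this example; real WAF rule sets are far larger and are tuned per application.

```python
"""Request inspection in the style of a web application firewall.

Added example, not Azure WAF code. One centralised filter sits in front of
every web application, so a signature added here protects all of them at once.
Signature ids, sample requests, the modes and the exclusion mechanism are all
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str = ""   # raw query string, still URL-encoded
    body: str = ""    # raw form-encoded body, still URL-encoded


@dataclass(frozen=True)
class Signature:
    rule_id: str      # constructed id, not an OWASP CRS rule number
    category: str
    pattern: "re.Pattern[str]"


@dataclass(frozen=True)
class Decision:
    action: str                  # "Allow", "Block" or "Log"
    rule_id: Optional[str] = None
    parameter: Optional[str] = None


# Deliberately narrow signatures for the two classes named in the lesson.
SIGNATURES: List[Signature] = [
    Signature("SQLI-001", "SQL injection", re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?\bselect\b"        # UNION ... SELECT
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"               # ' OR '1'='1 tautology
        r"|;\s*drop\s+table\b)")),                     # stacked DROP TABLE
    Signature("XSS-001", "Cross-site scripting", re.compile(
        r"(?i)(<\s*script\b"                           # <script> tag
        r"|\bon(load|error|click|focus|mouseover)\s*=" # inline event handler
        r"|javascript\s*:)")),                         # javascript: URL scheme
]


def _decode(value: str, rounds: int = 2) -> str:
    """URL-decode repeatedly so a double-encoded payload is inspected in the
    form the application would finally see; stop once nothing changes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def _parameters(req: Request) -> List[Tuple[str, str]]:
    """All (name, value) pairs from the query string and form body, decoded."""
    pairs = parse_qsl(req.query, keep_blank_values=True)
    pairs += parse_qsl(req.body, keep_blank_values=True)
    return [(name, _decode(value)) for name, value in pairs]


def inspect(req: Request, mode: str = "Prevention",
            exclusions: FrozenSet[Tuple[str, str]] = frozenset()) -> Decision:
    """Return the first matching signature's decision.

    mode="Prevention" blocks; mode="Detection" only logs, which is how a new
    rule set is usually trialled before it is enforced. exclusions holds
    (rule_id, parameter) pairs used to tune away a known false positive.
    """
    for name, value in _parameters(req):
        for sig in SIGNATURES:
            if (sig.rule_id, name) in exclusions:
                continue
            if sig.pattern.search(value):
                action = "Block" if mode == "Prevention" else "Log"
                return Decision(action, sig.rule_id, name)
    return Decision("Allow")


# Constructed sample traffic: a benign search whose words resemble SQL, a
# classic SQL injection probe, a stored-XSS attempt, and a double-URL-encoded
# copy of the probe that a single decoding pass would miss.
SAMPLE_REQUESTS = {
    "benign": Request("GET", "/search", "q=select+a+plan+or+union+membership"),
    "sqli": Request("GET", "/product", "id=1%27%20OR%20%271%27%3D%271"),
    "xss": Request("POST", "/comment", body="comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "double_encoded": Request("GET", "/product", "id=1%2527%2520OR%2520%25271%2527%253D%25271"),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:15s} -> {inspect(req)}")
```

The benign request is allowed even though it contains the words “select”, “or” and “union”, because the signatures look for SQL structure rather than keywords; that is the tuning work the session alludes to when it says WAF features are customised per service. Running in Detection mode first, then switching to Prevention once the logged matches have been reviewed, is the usual way to avoid blocking legitimate users.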
9. Azure Encryption
A well-rounded approach to security is very important. Encryption for data at rest and data in transit is critical. In spite of having all kinds of firewalls, bastion hosts, and security groups in place, companies today deal with a lot of data theft and data exfiltration, which are both real threats to a company. The loss of sensitive data can be crippling and will have legal implications for the organization. Data is the most valuable asset for any organization.
As part of your multiple-layers-of-defence approach, or layered security strategy, you need to use security services, specifically encryption services, which are the last line of defence and the strongest line of defence in Azure. You’ve got multiple ways to encrypt your data. Azure provides different ways to secure your data depending on what kind of service you’re using and how you use it. So, think about storage. You will have different kinds of storage in Azure, for example Azure managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage. Azure Storage Service Encryption helps protect data at rest by automatically encrypting the data before it is persisted to one of these storage services, and decrypting it before you retrieve it. Azure Disk Encryption helps you encrypt Windows and Linux virtual machine disks.
Azure Disk Encryption uses the industry-standard BitLocker feature of Windows, and for Linux the dm-crypt feature, to provide volume encryption for the operating system and data disks. Data is also stored in databases and data warehouses in Azure, and for that you’ll be using Transparent Data Encryption, or TDE. This assists you in combating the threat of malicious activity. TDE performs real-time encryption and decryption of the database and related backups, as well as encryption of the transaction logs, without requiring changes to the application. So there’s a lot that goes on behind encryption, and what you need to know is that Azure provides encryption options that encrypt the data at rest. As discussed earlier, this is the last line of defence and still the strongest line of defence in the entire layered security model.
10. Azure Key Vault
In the entire process of encryption, to encrypt your data at rest and data in transit, you’ll need keys and certificates. Your applications also need to be secured, and for that as well you need API keys, secrets, passwords, and certificates. These are all valuable components of an application, and you should keep them safe. Azure Key Vault is a service provided by Microsoft: a centralised cloud service for storing your application secrets. Key Vault helps you control your application secrets by keeping them in a single, central location and by providing secure permissions, access, and logging capabilities. It is useful in different kinds of scenarios: secret management, key management, certificate management, and storing secrets backed by hardware security modules, also called HSMs. In the case of secrets management, you can store your information safely and securely, and that information can be in the form of tokens, passwords, certificates, API keys, and other secrets that the application needs.
Key management is used to create and control the encryption keys used to encrypt your data. Certificate management is used to store the SSL or TLS certificates you use with Azure and internally to access your resources. And finally, the secrets for the HSM module—that is, the secrets and the keys—can be protected either by software or by FIPS 140-2 Level 2 validated HSMs. You can use either of these mechanisms to store your secrets, but this is just to let you know that you do not have to use any external key vault solution to protect and store your data. You can use Azure Key Vault to store the keys and then encrypt your data using the keys stored in Key Vault.