azure firewall manager
17 Topics

SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
*************************************************************
Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SMEs (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team.
Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below.
If you are new to Microsoft Tech-Community, please follow the sign-in instructions. To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.
Mohit_Kumar andrewmathu SaleemBseeu davidfrazee ShabazShaik tobiotolorin gusmodena
7.6K Views | 0 likes | 21 Comments

New Blog Post | Role Based Access Control for Azure Firewall
Role Based Access Control for Azure Firewall - Microsoft Tech Community
In this article, we discuss the actions that may be used to create security conscious roles and templates that you can use to create and assign roles for Azure Firewall. Once you understand the boundaries for the role you are trying to create, you can use the template below or modify it by carefully selecting the actions required and assigning it to the user. There are various levels of administrative roles you might be looking to assign, and this may be done at a management group level, subscription level, resource group level or resource level. Azure RBAC focuses on managing user actions at these different scopes.
2.5K Views | 0 likes | 0 Comments

New Blog | Validating FTP traffic scenarios with Azure Firewall
Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)
The Azure Firewall is a cloud-native and intelligent network firewall security service that can be integrated into many different use cases. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability that provides both east-west and north-south traffic inspection. This blog will discuss the FTP scenario with Azure Firewall. FTP or File Transfer Protocol is the most common use case for enterprise customers. FTP may be configured to run in active or passive mode, which determines how the data connection is established. Azure Firewall supports both Active and Passive FTP scenarios.
Passive FTP mode requires the FTP client to initiate a connection to the server on a specified port range. Passive FTP is the recommended approach for East - West (E-W) scenarios.
In Active FTP mode, the server initiates the connection to the client. This approach is typically deployed to support internet clients connecting to the FTP server running behind Azure Firewall and requires more than 250 DNAT ports (Azure Firewall DNAT rule limits) to be opened hitting load balancer limits.
By default, Passive FTP is enabled, and Active FTP support is disabled to protect against FTP bounce attacks using the FTP PORT command.
Read the blog: Validating FTP traffic scenarios with Azure Firewall - Microsoft Community Hub
1.6K Views | 2 likes | 0 Comments

I don't understand the two WAF Mode
I have read the documentation on the two types of WAF (Detection and Prevention).
Detection mode: Monitor and log all threat alerts. Enable logging diagnostics for Application Gateway in the Diagnostics section. You must also ensure that WAF logging is selected and enabled. The Web Application Firewall does not block incoming requests when operating in Detect mode.
Prevention mode: Blocks intrusions and attacks that are detected by the rules. The attacker receives a "403 unauthorized access" exception and the connection is closed. Prevention mode logs these attacks in the WAF logs.
But then in OWASP Rules we have the ability to assign WAF actions that Allow, Block, Log, Anomaly Score. I don't understand, because if I create a WAF policy in prevention mode, I think it is not necessary to change the WAF actions, right? How do you see when an anomaly score is detected and where do you see this internal score, is this seen in the logs? This for me is very confusing, and I need help. Thanks!
1.1K Views | 0 likes | 1 Comment

New Azure Network Security and Azure Sentinel Blog Posts | Integrating Azure Sentinel/Azure Firewall
We’re excited to announce a seamless integration between Azure Firewall and Azure Sentinel. Now, you can get both detection, prevention and response automation in the form of an easy-to-deploy Azure Firewall solution for Azure Sentinel. Combining these capabilities allows you to ensure that you both prevent sophisticated threats when you can, while also maintaining an “assume breach mentality” to detect and quickly/automatically respond to cyberattacks.
The Azure Firewall Solution for Azure Sentinel is now available. Please see the security community blog to learn about the new threat detections, hunting queries and automation for Azure Firewall that are included in this new solution <Optimize security with Azure Firewall solution for Azure Sentinel - Microsoft Security>.
The automation capability for Azure Firewall with Azure Sentinel is provided with the new Logic App Connector and Playbook Templates. With this integration, you can automate response to Azure Sentinel incidents which contain IP addresses (IP entity), in Azure Firewall. The new Connector and Playbook templates allow security teams to get threat detection alerts directly in a Microsoft Teams Channel when one of the Playbooks attached to an Automation Rule triggers based on a Sentinel detection rule. Security incident response teams can then triage, perform one click response and remediation in Azure Firewall to block or allow IP address sources and destinations based on these alerts.
To learn more about deploying, configuring and using the automation for Azure Firewall with the new Custom Logic App connector and Playbooks, please review the instructions in the blog here <Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks (microsoft.com)>.
Original Post: New Azure Network Security and Azure Sentinel Blog Posts | Integrating Azure Sentinel/Azure Firewall - Microsoft Tech Community
1.1K Views | 2 likes | 0 Comments

New Blog Post | New Detections for Azure Firewall in Azure Sentinel
New Detections for Azure Firewall in Azure Sentinel (microsoft.com)
Readers of this post will hopefully be familiar with both Azure Firewall, which provides protection against network-based threats, and Azure Sentinel, which provides SIEM and SOAR (security orchestration, automation, and response) capabilities. In this blog, we will discuss the new detections for Azure Firewall in Azure Sentinel. These new detections allow security teams to get Sentinel alerts if machines on the internal network attempt to query/connect to domain names or IP addresses on the internet that are associated with known IOCs, as defined in the detection rule query. True positive detections should be considered as Indicators of Compromise (IOCs). Security incident response teams can then perform response and appropriate remediation actions based on these detection signals.
912 Views | 0 likes | 0 Comments

New Blog Post | Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy
Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy - Microsoft Tech Community
In this blog, we will see how Azure Firewall can help our customers overcome this challenge and provide visibility not only to Azure DNS logging but also to control the traffic flows both east-west and to the internet for their Azure resources. Azure Firewall recently added Custom DNS and DNS proxy capabilities, which were a big ask from all of our customers, and these are the features which we will explore in this blog and how they can help you.
900 Views | 0 likes | 0 Comments

New Blog | Taking Azure Firewall IDPS on a Test Drive
Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)
Intrusion detection and prevention (IDPS) is an advanced threat prevention mechanism supported by the Azure Firewall Premium SKU. Unlike simple network filtering, IDPS matches traffic patterns to a set of known malicious signatures. Azure Firewall supports more than 60,000 malicious signatures which are updated in real time. These signatures apply when malicious patterns are detected under the right conditions. The conditions include traffic direction (inbound or outbound) and network scope (private network or public network). Below are examples to validate IDPS configuration in your environment.
Read the full blog here: Taking Azure Firewall IDPS on a Test Drive - Microsoft Community Hub
803 Views | 0 likes | 0 Comments

New Blog Post | Azure Web Application Firewall: WAF config versus WAF policy
Azure Web Application Firewall: WAF config versus WAF policy - Microsoft Tech Community
What is Web Application Firewall (WAF) config?
WAF config is the built-in method to configure WAF on Azure Application Gateway, and it is local to each individual Azure Application Gateway resource. When you create an Azure Application Gateway with either the WAF or the WAF_v2 SKU, you will see a new item on the menu blade called "Web application firewall" that displays WAF configuration options. The biggest drawback of using WAF config is that not all WAF settings are displayed in the portal UI. For example, you cannot configure or manage custom rules in the portal: you must use PowerShell or Azure CLI for that. Additionally, WAF config is a setting within an Azure Application Gateway resource. For this reason, each WAF config must be managed individually, and its configuration applies globally for everything within that specific Azure Application Gateway resource. WAF config does not exist on Azure Front Door.
713 Views | 0 likes | 0 Comments

New Blog Post | Exploring Azure Firewall's Threat Protection
This blog post discusses the various threat protection capabilities that customers are leveraging to safeguard their workload deployments in Azure using Azure Firewall. Azure Firewall is a cloud-native firewall-as-a-service solution that empowers customers to centrally govern and log all their traffic flows using a DevOps approach. This service offers both application and network-level filtering rules, and it seamlessly integrates with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Moreover, Azure Firewall boasts high availability and comes equipped with built-in auto scaling.
While it may appear straightforward, the first line of defense can be effectively achieved through access restriction. Customers are adopting two simple approaches to bolster their security posture:
Egress Traffic Blocking: This method involves blocking all egress traffic to the internet and only allowing access to specific domains that are deemed safe and necessary.
Suspicious Site Blocking: Alternatively, customers can choose to allow all egress traffic to the internet while implementing measures to block access to suspicious sites. This approach mitigates potential risks associated with accessing untrustworthy destinations.
Exploring Azure Firewall's Threat Protection - Microsoft Community Hub
659 Views | 0 likes | 0 Comments