Tuesday, May 2, 2017

Feeling Firewall Friendly? Azure Virtual Machine Protection With NSGs Explained

Let's talk cloud security best practices for Azure - Microsoft's cloud. 

Do you like keeping the bad guys out? So do I...

That's why we'll take a look at Microsoft's Azure Cloud services. Most people are concerned that moving data and/or services to the cloud will create greater risk, from a security perspective.
But for a number of reasons, that is a misconception. A myth...

Done right, the cloud is usually much more secure than on-premise datacenters!

One of the reasons for this, at least as it relates to Azure, is that Azure has a firewall-like construct called a Network Security Group, or NSG, for short. An NSG is a set of inbound and outbound rules that allows (or denies) traffic into and out of a resource based on source IP/port or destination IP/port. They cannot limit ICMP traffic, but they can be set for either TCP, UDP, or both.

A resource that can "accept" an NSG being attached to it (and therefore be defended by it) can be a virtual network card (NIC), a virtual machine (classic VMs only), or a network construct like a subnet (and by extension all VMs that live within that subnet). See the attachment points below.

(Diagram: Azure NSG attachment points)

With appropriate rules that deny all traffic EXCEPT the specific protocols on specific ports that you need for functionality or backplane management, your resources will be protected.

So because NSGs can be applied at several levels, you can quickly and easily build a multi-layered defensive shield to protect your computing resources. And perhaps best of all, creating and applying NSGs is totally free!

You can create one NSG and attach it at multiple points, or you can have a separate NSG for each attachment point. The fewer you create, the easier they are to manage, but then you have less granularity for applying specific rules to specific resources based on the function of that resource. The idea is to find the "management sweet spot".

In addition to NSG protection outside the VM, best practices definitely dictate we should be running a firewall within the O/S of the virtual machine itself. So if you do the math, with a "Classic" VM you can have 4 firewalls protecting a virtual machine.

On a Resource Manager VM (which is the newer type) they did away with applying NSGs at the VM level, and you apply it to either NICs attached to a VM, or to the entire subnet (which in turn applies that NSG to all VMs within the subnet).

So, if you create multiple NSGs and attach them to all of the available attachment points, and turn on the O/S firewall, you'll have three layers of defense, and that doesn't count any other security appliances or NIPS, HIPS, or UTM systems that you likely will have in place.

Add some built-in DDoS protection that most major cloud service providers offer within their DNS services, and you'll have pretty good defenses, which is why I say that done right, cloud computing is MORE SECURE than on-premises computing.

And when you consider how easy it is to create, manage, and review NSGs compared to the good old days of TELNETing into a router to look at the ACL configuration, cloud security is much faster and easier.

One nice thing about working with NSGs is that the Azure management portal becomes your "single pane of glass" to manage your basic defenses.

However, you may have to use RDP or other tools to manage the O/S-based firewall.

NSGs are just one of many tools provided by Azure to make cloud computing more secure. This is a big topic, but in this blog post I'm just focusing on the simplicity of implementing NSGs.

Here's a link to learn more about Azure's NSGs and how to implement them following best practices.

The image below is to give you an idea of what a simple NSG might look like - just a few simple rules that are processed in order from the top down. You can create something like this without being a cloud security expert, so I encourage you to learn more at the link above.
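To make the evaluation order concrete, here is a small added example (not code from the post or from Microsoft) that models how Azure processes NSG rules: within a direction, rules are tried from the lowest priority number up, the first match decides Allow or Deny, and when an NSG sits on both the subnet and the NIC, inbound traffic has to pass the subnet NSG and then the NIC NSG (outbound is NIC first, then subnet). The VNet address space, the bastion host, the rule names and the sample flows are constructed for the example; the Azure default rules (priorities 65000, 65001, 65500) are modelled with service tags approximated by fixed prefixes.

```python
"""Toy evaluator for Azure NSG rule semantics (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags approximated with constructed prefixes for this example.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # constructed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure health-probe source address
    "Internet": ["0.0.0.0/0"],                  # approximation: VNet rule sorts first
    "*": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules, 65000+ for Azure defaults
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR or service tag
    dest: str        # CIDR or service tag
    dest_ports: str  # "22", "80-443" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Default rules Azure adds to every NSG (cannot be removed, only overridden by priority).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "VirtualNetwork", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def _addr_matches(addr: str, spec: str) -> bool:
    return any(ip_address(addr) in ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))

def _port_matches(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_matches(flow.src_ip, rule.source)
            and _addr_matches(flow.dst_ip, rule.dest)
            and _port_matches(flow.dst_port, rule.dest_ports))

def validate_custom_rules(rules) -> bool:
    """Custom priorities must be 100-4096 and unique within a direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))
    return True

def evaluate_nsg(rules, flow: Flow) -> str:
    """Lowest priority number first; the first matching rule wins and processing stops."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return f"{rule.access}:{rule.name}"
    return "Deny:implicit"  # not reached when the default rules are present

def evaluate_layers(subnet_rules, nic_rules, flow: Flow) -> str:
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. A Deny stops the chain."""
    order = [subnet_rules, nic_rules] if flow.direction == "Inbound" else [nic_rules, subnet_rules]
    verdicts = []
    for rules in order:
        verdict = evaluate_nsg(rules, flow)
        verdicts.append(verdict)
        if verdict.startswith("Deny"):
            break
    return " -> ".join(verdicts)

# Constructed "deny everything except what we need" policy: HTTPS from anywhere,
# SSH only from a constructed bastion host; everything else falls to DenyAllInBound.
SUBNET_CUSTOM = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("allow-ssh-from-bastion", 110, "Inbound", "Allow", "Tcp", "10.0.1.4/32", "*", "22"),
]
NIC_CUSTOM = [Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "*", "443")]
SUBNET_NSG = SUBNET_CUSTOM + DEFAULT_RULES
NIC_NSG = NIC_CUSTOM + DEFAULT_RULES

# Constructed sample flows against a constructed VM at 10.0.2.5.
HTTPS_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.7", "10.0.2.5", 443)
RDP_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.7", "10.0.2.5", 3389)
SSH_FROM_BASTION = Flow("Inbound", "Tcp", "10.0.1.4", "10.0.2.5", 22)
HTTPS_OUT_TO_INTERNET = Flow("Outbound", "Tcp", "10.0.2.5", "198.51.100.9", 443)

if __name__ == "__main__":
    validate_custom_rules(SUBNET_CUSTOM)
    for flow in (HTTPS_FROM_INTERNET, RDP_FROM_INTERNET, SSH_FROM_BASTION, HTTPS_OUT_TO_INTERNET):
        print(flow, "=>", evaluate_layers(SUBNET_NSG, NIC_NSG, flow))
```

Two things worth noticing in the output: RDP from the Internet is stopped by the subnet NSG's DenyAllInBound before the NIC NSG is ever consulted, which is the layering the post describes, and SSH from the bastion passes the NIC NSG not because of an explicit rule but because of the default AllowVnetInBound rule. If you want the NIC layer to be as strict as the subnet layer, add an explicit Deny at a custom priority there rather than relying on the defaults.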

1 comment:

Vumetric said...

Superbly written article, if only all bloggers offered the same content as you, the internet would be a far better place. cloud cybersecurity
