Posts

Deploy Palo Alto in Azure

There are many ways to deploy a Palo Alto firewall in Azure. Of those options, today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for a Proof of Concept only.

Planning (includes minimum requirements, without HA)

Logical Diagram:

Create Virtual Network
- Name: PAN-VNet
- Address Space: 10.0.0.0/16
- Subnet Name: Management Subnet, Address Space: 10.0.1.0/24
- Subnet Name: Untrust Subnet, Address Space: 10.0.2.0/24
- Subnet Name: Trust Subnet, Address Space: 10.0.3.0/24
- Resource Group: PA-VNet

Spin up Web Server Virtual Machine
- Name: SecureWebServices
- Image: Windows Server 2016
- Resource Group: Services
- Network: PAN-VNet
- Subnet: Trust
- Role: Web Server (IIS) installed

Change the NSG rules of the web server to accept requests on port 80 if you wish to test the web request. However, later on, this behaviour will be controlled through the firewall.

Spin up Palo Alto Firewall Virtual Machine Na...

Identity and Access Management in Azure

"Identity revolves around who am I? and how can I prove that I am the one I claim to be."

Proving the absolute need of access for the right people is key to success for every organization. Due to the growth of the modern workspace and social life, identity management has become more challenging. Every day we deal with multiple identities within a corporate setting, and forgetting the least recently used identities has become common. Thanks to "Forgot Password" - Self Service Password Reset features.

To deal with this situation Microsoft uses its most powerful tools: Active Directory - the single source of authority for on-premises domain users and applications, known as On-Premises Identity; Azure Active Directory - Cloud Identity for all cloud-based applications and resources; and Hybrid Identity - which extends on-premises identities to Azure Active Directory so that existing users can access cloud-based applications using their existing identities. It enables...

Securing Azure VM - Checklist

Organizations' lean towards the cloud is growing. Many enterprises are planning to fully deploy their infrastructure to the cloud. As an initial step they are embracing Software as a Service and extending their workload to the cloud, making it a secondary site for compute and storage resources. Creating resources in Azure is simple and finishes within a few clicks; however, if we miss a few steps or rules of thumb when provisioning resources, it might leave a loophole which could be easily exploited. Below is the checklist for consideration to ensure that you have securely deployed your resources (VMs) to Azure Cloud.

Network Setup
- Is your network isolated and broken down into different zones?
- Do you need to stop different zones/subnets from communicating with each other?
- Is a Network Security Group applied?
- Can you justify the need for a Public IP? How are you planning to RDP to the VM?
- Do you have a list of endpoints of the Azure VM to be provisioned? Do you need all those en...

Network Security Group (NSG)

Network Security Group (NSG) helps to filter inbound and outbound traffic for Azure Virtual Machines and PaaS (Web and Worker Roles - Classic Model). These rules can be applied on the Network Interface Card (NIC), on the Subnet, and in the Network Configuration Schema. It functions as a mini firewall. Rules are evaluated based on the weight (priority) assigned to them; a lower value is evaluated first. By default, it contains at least 3 inbound rules (AllowVNetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) and 3 outbound rules (AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound). NSGs can be applied using the portal, PowerShell, CLI and templates; the easiest way is via the portal.

NSG FAQ
1. How can I check if my rules are applied or not?
Ans: Using the built-in tool Network Watcher you can verify whether rules are being applied and working or not. Remember, Network Watcher needs to be enabled before performing the check.
2. How do I know which rules will be evaluated first? / How is priority defined...

Network Security in Azure

Microsoft Azure has one of the world's largest Software Defined Network (SDN) fabrics, stretching around the globe. It has points of presence in 36 regions and is expanding rapidly. It uses its own infrastructure to make sure data never leaves the Microsoft backbone network, and encryption is put in place both at rest and in transit.

Network Security
Network and storage are the basic foundation blocks of any virtual environment. Azure provides a completely isolated environment at the tenant level, further isolated into subscriptions (management perspective) and into virtual networks and subnets (network perspective). In terms of access, all its resources are tightly coupled with Azure Active Directory, and different Role Based Access Control (RBAC) roles can be assigned to individual users to grant or restrict access to the resources.

Azure Protection Circle

Azure Network Security Best Practices
Any network-enabled device/application which requires an IP address is kept...

Securing Azure Resources

Moving towards the cloud is inevitable; however, security concerns and transparency issues will always hold back implementation of the cloud at the enterprise level. Small and medium businesses and start-ups are well ahead in exploring the opportunities provided by the cloud. Microsoft has invested heavily in securing Azure and gaining the trust of customers. In fact, it has implemented multi-layer protection mechanisms to meet compliance requirements with national, regional, and industry-specific regulations governing the collection and usage of personal data. Those layers are as follows, and security measures have been implemented at every layer:
- Network Security
- Database Security
- Storage Security
- Compute Security
- Operational Security
- Security Management and Monitoring
- Service Fabric Security
- Identity Management
- IoT Security
- Azure Encryption