Home

Security questions

Mehdi Triki
Occasional Visitor

Dears,

 

we have a potential client who is going to use a solution that will be installed on MS Azure servers. The solution include very senstive data, thus he is asking some questions about security and network hardening. It will be great to answer (Azure is Compliant/Azure is not compliant) the below question, or might help us to indicate to who this need to be sent:

 

1- All data traffic coming from the Internet or other untrusted networks shall terminate in a reverse proxy which may validate and pass the request on to application servers. This reverse proxy physically separates trusted and untrusted interfaces.

 

2- Ports allowed for a particular service use shall not be reused for other purposes without explicitly being detailed in the design documentation.

 

3- Networks (including wireless networks) shall be securely managed from a separate LAN. Management shall be performed over a dedicated secure channel or out-of-band.

 

4- Security devices (e.g. intrusion detection or intrusion prevention systems) shall be deployed to monitor traffic between networks based on Vodafone's security zoning model.

 

5- Critical web services shall be protected with web application firewalls.

6- The service shall be integrated into an existing business continuity plan.

7- The service shall be integrated into a disaster recovery process which shall be documented and tested prior to launch.

8- In order to mitigate DNS rebind attacks, DNS pinning shall be activated.

1 Reply
For most of the needs you mentioned here is not something Azure would be compliant, it would be the architecture that would be compliant to these requirements.

I would probably suggest using a next generation firewall appliance (Azure VM) in a DMZ subnet that manages all internet traffic and even possible Site to Site VPN's to and from your azure network. Microsoft Azure Security center will recommend this as well.

have a look at this link https://docs.microsoft.com/en-us/azure/security-center/security-center-add-next-generation-firewall
have a look at the other recommendations stated under the security-center.

Azure's web application gateways have WAF features, so i would look at those as well.

look here for disaster recovery of Azure VM's, the ability to protect Azure VM's is in public preview. https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-disaster-recovery-guidance