azure firewall
32 Topics

SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.

Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SME (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team.

Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions. To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.

Mohit_Kumar andrewmathu SaleemBseeu davidfrazee ShabazShaik tobiotolorin gusmodena

New Blog Post | Role Based Access Control for Azure Firewall
Role Based Access Control for Azure Firewall - Microsoft Tech Community

In this article, we discuss the actions that may be used to create security conscious roles and templates that you can use to create and assign roles for Azure Firewall. Once you understand the boundaries for the role you are trying to create, you can use the template below or modify it by carefully selecting the actions required and assigning it to the user. There are various levels of administrative roles you might be looking to assign, and this may be done at a management group level, subscription level, resource group level or resource level. Azure RBAC focuses on managing user actions at these different scopes.

Azure WAF Security Protection and Detection Lab now Available
Azure Web Application Firewall Security Protection and Detection Lab is now available. The intent of this lab is to allow customers to easily test and validate the security capabilities of Azure WAF against common web application vulnerabilities/attacks. A significant amount of work has been put into developing the lab environment and the playbooks for our customers, and we are incredibly proud of the teamwork, collaboration, and support throughout the various stages of the process.

The lab is now available on Azure Tech Community blog space and is organized in 5 sections. The step-by-step instructions in the lab allow anyone to rapidly deploy the lab environment and test Azure WAF’s protection capabilities against common web application attacks such as Reconnaissance, Cross-Site Scripting, and SQL Injection with no or minimal know-how of offensive security testing methodology. The lab also demonstrates how to use Azure WAF Workbook to understand how WAF handles malicious traffic and payloads.

Click here for a Tutorial Overview, an introduction to the testing framework used in the lab, and the four-part instructions on the lab setup.

New Blog | Intrusion Detection and Prevention System (IDPS) Based on Signatures
An Intrusion Detection and Prevention System (IDPS) is a vital component of modern cybersecurity strategy, designed to safeguard networks by actively monitoring and responding to potential security threats. Among the types of IDPS currently available, such as signature-based and anomaly-based, signature-based IDPS stands out as a reliable and efficient method for identifying known security risks. This blog delves into signature-based IDPS, with a specific focus on the Azure Firewall Premium IDPS.

Read the full blog post here: Intrusion Detection and Prevention System (IDPS) Based on Signatures - Microsoft Community Hub

New Blog Post | Text4Shell RCE vulnerability: Protecting against and detecting CVE-2022-42889
Text4Shell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-42889 - Microsoft Community Hub

Similar to the Spring4Shell and Log4Shell vulnerabilities, a new critical vulnerability CVE-2022-42889 aka Text4Shell was discovered on October 13, 2022. Text4Shell is a vulnerability in the Java library Apache Commons Text. This vulnerability, in specific conditions, allows an attacker to execute arbitrary code on the victim's machine (Remote Code Execution or "RCE").

Customers can detect and protect their resources against the Text4Shell vulnerability using Azure native network security services, Azure Firewall Premium and Azure Web Application Firewall (WAF). You can utilize one of these services or both for multi-layered defense. Customers using Azure Firewall Premium and Azure WAF have enhanced protection for this RCE vulnerability from the get-go.

Customers can protect their assets by upgrading their Apache Commons Text version to the patched version 1.10. However, there are situations when upgrading software is not an option or may take a long period of time. In such cases, they can use products like Azure Firewall Premium and Azure WAF for protection.

Original Post: New Blog Post | Text4Shell RCE vulnerability: Protecting against and detecting CVE-2022-42889 - Microsoft Community Hub

New Blog | Taking Azure Firewall IDPS on a Test Drive
Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)

Intrusion detection and prevention (IDPS) is an advanced threat prevention mechanism supported by the Azure Firewall Premium SKU. Unlike simple network filtering, IDPS matches traffic patterns to a set of known malicious signatures. Azure Firewall supports more than 60,000 malicious signatures which are updated in real time. These signatures apply when malicious patterns are detected under the right conditions. The conditions include traffic direction (inbound or outbound) and network scope (private network or public network). Below are examples to validate IDPS configuration in your environment.

Read the full blog here: Taking Azure Firewall IDPS on a Test Drive - Microsoft Community Hub

New Blog | Validating FTP traffic scenarios with Azure Firewall
Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)

The Azure Firewall is a cloud-native and intelligent network firewall security service that can be integrated into many different use cases. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability that provides both east-west and north-south traffic inspection. This blog will discuss the FTP scenario with Azure Firewall.

FTP or File Transfer Protocol is the most common use case for enterprise customers. FTP may be configured to run in active or passive mode, which determines how the data connection is established. Azure Firewall supports both Active and Passive FTP scenarios. Passive FTP mode requires the FTP client to initiate a connection to the server on a specified port range. Passive FTP is the recommended approach for East-West (E-W) scenarios. In Active FTP mode, the server initiates the connection to the client. This approach is typically deployed to support internet clients connecting to the FTP server running behind Azure Firewall and requires more than 250 DNAT ports (Azure Firewall DNAT rule limits) to be opened, hitting load balancer limits. By default, Passive FTP is enabled, and Active FTP support is disabled to protect against FTP bounce attacks using the FTP PORT command.

Read the blog: Validating FTP traffic scenarios with Azure Firewall - Microsoft Community Hub

Not able to see Diagnostic Setting option under monitoring for Load balancer to collect log data
Hi all, I am not seeing that option to collect and ingest data into log analytic workspace. Please help. Diagnostic settings option is not there, how to ingest data in that case? Like I was able to see that option in Application Gateway, but not in load balancer.

Solved

I don't understand the two WAF Modes
I have read the documentation on the two types of WAF (Detection and Prevention).

Detection mode: Monitor and log all threat alerts. Enable logging diagnostics for Application Gateway in the Diagnostics section. You must also ensure that WAF logging is selected and enabled. The Web Application Firewall does not block incoming requests when operating in Detect mode.

Prevention mode: Blocks intrusions and attacks that are detected by the rules. The attacker receives a "403 unauthorized access" exception and the connection is closed. Prevention mode logs these attacks in the WAF logs.

But then in OWASP Rules we have the ability to assign WAF actions that Allow, Block, Log, Anomaly Score. I don't understand, because if I create a WAF policy in prevention mode, I think it is not necessary to change the WAF actions, right? How do you see when an anomaly score is detected and where do you see this internal score, is this seen in the logs? This for me is very confusing, and I need help. Thanks!

New Azure Network Security and Azure Sentinel Blog Posts | Integrating Azure Sentinel/Azure Firewall
We’re excited to announce a seamless integration between Azure Firewall and Azure Sentinel. Now, you can get detection, prevention and response automation in the form of an easy-to-deploy Azure Firewall solution for Azure Sentinel. Combining these capabilities allows you to ensure that you both prevent sophisticated threats when you can, while also maintaining an “assume breach mentality” to detect and quickly/automatically respond to cyberattacks.

The Azure Firewall Solution for Azure Sentinel is now available. Please see the security community blog to learn about the new threat detections, hunting queries and automation for Azure Firewall that are included in this new solution <Optimize security with Azure Firewall solution for Azure Sentinel - Microsoft Security>.

The automation capability for Azure Firewall with Azure Sentinel is provided with the new Logic App Connector and Playbook Templates. With this integration, you can automate response to Azure Sentinel incidents which contain IP addresses (IP entity), in Azure Firewall. The new Connector and Playbook templates allow security teams to get threat detection alerts directly in a Microsoft Teams Channel when one of the Playbooks attached to an Automation Rule triggers based on a Sentinel detection rule. Security incident response teams can then triage, perform one-click response and remediation in Azure Firewall to block or allow IP address sources and destinations based on these alerts.

To learn more about deploying, configuring and using the automation for Azure Firewall with the new Custom Logic App connector and Playbooks, please review the instructions in the blog here <Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks (microsoft.com)>.

Original Post: New Azure Network Security and Azure Sentinel Blog Posts | Integrating Azure Sentinel/Azure Firewall - Microsoft Tech Community