What are Azure Firewalls?
Microsoft Azure is a public cloud service platform that supports a broad selection of operating systems, programming languages, frameworks, tools, databases, and devices. Like other cloud deployments, Azure uses a shared security model, which is best explained in Microsoft's Shared Responsibilities for Cloud Computing white paper. In short, Microsoft is responsible for the security of the infrastructure that runs the cloud, while customers are responsible for their own data and the applications that use that infrastructure. Being responsible for their own digital property means that customers must take additional steps to protect their data, applications and networks.
To protect against growing cyber threats, Azure customers are advised to deploy some type of firewall. While different types of Azure firewalls perform different functions within the Microsoft cloud, they predominantly act as monitors for interactions between a given section of the public cloud and the rest of the internet. By filtering packets and requests, these firewalls can block malicious traffic from reaching applications, data, or even the network itself. The Microsoft Azure Marketplace sells firewalls that generally fall into two categories: Web Application Firewalls and Network Firewalls.
Azure Web Application Firewalls
Installing a web application firewall is an important measure -- for any company or even an individual -- to protect applications on Azure. Cloud WAFs are placed in front of a web application and monitor all of its interactions with the internet. As requests arrive from users, or even from other applications, they are filtered so that no malicious input reaches the application itself. Currently, Microsoft Azure has its own native firewall, but most companies turn to third-party web application firewalls, which offer features better tailored to their needs.
A powerful and robust web application firewall should have the following capabilities:
- Traffic Filtering: Traffic filtering is one of the most practical and important operations performed by a web application firewall. By filtering traffic based on factors such as HTTP headers, keywords, IP addresses, and even URI strings, the web application firewall can stop harmful requests before they reach an application.
- Script Protection: As more applications are being moved to the public cloud, cybercriminals are finding easier ways to automate their attacks against a wider range of targets. By generating tools or scripts that can continuously probe and attack vulnerable applications, they can cast a wider net among the thousands of applications running on the Azure public cloud. While attacks like SQL injection or cross-site scripting can become personalized once vulnerabilities are found, often they are randomly sent across the internet looking for unprotected applications. At the very least, a web application firewall should easily protect against these non-personalized attack scripts.
- API Protection and Security: Cloud-based applications are the default nowadays, which means almost every application exposes APIs to facilitate interactions. A capable WAF should be able to protect your Azure application's APIs against all types of API-based attacks, such as API farming or scraping.
- Secure Delivery: Modern WAF solutions can ensure that your application is delivered securely over HTTPS. It’s mandatory to provide an HTTPS application for most modern services – no one wants their data exposed if it can be avoided.
- Customized Rule Sets: WAFs start out using what's called a CRS, or Core Rule Set. While a CRS (and there are several versions) will protect against most OWASP Top 10 attacks and other threats, many companies find they need (or have already developed) specific customized rules on top of the CRS, generally tailored to particular applications and user groups. When they move these applications to the cloud, these companies will want to replicate their custom rule sets, something that WAFs offering only the CRS cannot accommodate.
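The Traffic Filtering and Customized Rule Sets items above describe the same mechanism from two angles: a base rule set inspects headers, keywords, client IPs and URI strings, and customer rules are layered on top of it. The following Python sketch is an added example, not code from the original article or from any WAF product; it uses constructed patterns as a stand-in for a real CRS, a constructed custom policy (the `X-API-Key` header, the `/api/export` path and the blocked CIDR are hypothetical), and constructed sample requests, and records every rule that matched so a blocked request can be explained in the logs.

```python
"""Toy WAF-style request filter: base rules plus customer rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request is a plain dict with keys: ip, method, path, query, headers, body.
Request = Dict[str, object]

@dataclass
class Rule:
    rule_id: str
    description: str
    matches: Callable[[Request], bool]   # True means "this rule fires, block the request"

@dataclass
class Decision:
    allowed: bool
    matched: List[str] = field(default_factory=list)   # ids of every rule that fired

def _inspected_text(req: Request) -> str:
    """Concatenate the request parts that keyword rules inspect."""
    return " ".join(str(req.get(k, "")) for k in ("path", "query", "body"))

def _headers(req: Request) -> Dict[str, str]:
    """Header names lower-cased so lookups are case-insensitive, as HTTP requires."""
    return {k.lower(): v for k, v in dict(req.get("headers", {})).items()}

# Base rule set: constructed patterns standing in for a CRS, not the real OWASP CRS.
SQLI_RE = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'1'\s*=\s*'1)")
XSS_RE = re.compile(r"(?i)(<script\b|javascript:|\bonerror\s*=)")
TRAVERSAL_RE = re.compile(r"(?i)(\.\./|%2e%2e%2f)")

BASE_RULES: List[Rule] = [
    Rule("base-001", "SQL injection pattern in request",
         lambda r: bool(SQLI_RE.search(_inspected_text(r)))),
    Rule("base-002", "Cross-site scripting pattern in request",
         lambda r: bool(XSS_RE.search(_inspected_text(r)))),
    Rule("base-003", "Directory traversal in URI",
         lambda r: bool(TRAVERSAL_RE.search(str(r.get("path", ""))))),
    Rule("base-004", "Missing Host header", lambda r: "host" not in _headers(r)),
]

def block_cidrs(rule_id: str, cidrs: List[str]) -> Rule:
    """Custom rule factory: fire when the client IP falls inside any listed CIDR."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    def matches(r: Request) -> bool:
        return any(ipaddress.ip_address(str(r.get("ip"))) in n for n in nets)
    return Rule(rule_id, f"Client IP in blocked ranges {cidrs}", matches)

def require_header(rule_id: str, name: str, pattern: str) -> Rule:
    """Custom rule factory: fire when header `name` is missing or fails `pattern`."""
    rx = re.compile(pattern)
    def matches(r: Request) -> bool:
        value = _headers(r).get(name.lower())
        return value is None or not rx.fullmatch(value)
    return Rule(rule_id, f"Header {name} missing or not matching {pattern}", matches)

def restrict_path_methods(rule_id: str, path_prefix: str, allowed: List[str]) -> Rule:
    """Custom rule factory: only the listed methods may reach paths under `path_prefix`."""
    def matches(r: Request) -> bool:
        under = str(r.get("path", "")).startswith(path_prefix)
        return under and str(r.get("method", "")).upper() not in allowed
    return Rule(rule_id, f"Method not allowed under {path_prefix}", matches)

def evaluate(req: Request, rules: List[Rule]) -> Decision:
    """Run every rule (no early exit) so the decision lists all reasons for a block."""
    hits = [rule.rule_id for rule in rules if rule.matches(req)]
    return Decision(allowed=not hits, matched=hits)

# Customer-specific rules layered on top of the base set (constructed, hypothetical policy).
CUSTOM_RULES: List[Rule] = [
    block_cidrs("cust-100", ["198.51.100.0/24"]),                  # documentation range
    require_header("cust-101", "X-API-Key", r"[A-Za-z0-9]{32}"),   # hypothetical header
    restrict_path_methods("cust-102", "/api/export", ["GET"]),     # hypothetical path
]
ALL_RULES = BASE_RULES + CUSTOM_RULES

# Constructed sample traffic; the API key value is a dummy.
_OK_HEADERS = {"Host": "shop.example", "X-API-Key": "A" * 32}
SAMPLE_REQUESTS: Dict[str, Request] = {
    "clean": {"ip": "203.0.113.10", "method": "GET", "path": "/api/items",
              "query": "page=2", "headers": _OK_HEADERS, "body": ""},
    "sqli": {"ip": "203.0.113.10", "method": "GET", "path": "/api/items",
             "query": "id=1' OR '1'='1", "headers": _OK_HEADERS, "body": ""},
    "blocked_ip": {"ip": "198.51.100.7", "method": "GET", "path": "/api/items",
                   "query": "", "headers": _OK_HEADERS, "body": ""},
    "bad_method": {"ip": "203.0.113.10", "method": "POST", "path": "/api/export/all",
                   "query": "", "headers": _OK_HEADERS, "body": "{}"},
}

def run_samples() -> Dict[str, Decision]:
    """Evaluate every sample request against the combined rule set."""
    return {name: evaluate(req, ALL_RULES) for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:>11}: {'ALLOW' if d.allowed else 'BLOCK'} {d.matched}")
```

Two design points carry over to real deployments: custom rules are plain data appended to the base list, so a rule set developed on-premises can be replicated in the cloud without touching the base set, and every rule is evaluated rather than stopping at the first hit, which makes the block log far more useful when tuning false positives.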
Azure Network Firewalls
Network firewalls on Azure are the network-centric equivalent of the application awareness and protection that web application firewalls provide. Companies leveraging Azure for mission-critical applications, or to provide secure remote access to those applications for their users, will deploy a network firewall. A true Azure network firewall should leverage all built-in Azure features and provide a licensing model that works for any organization, so you are not overcharged for protection you do not need. In addition, it should integrate with the full suite of management, monitoring, and automation capabilities built into the Azure public cloud infrastructure.
A standard Azure network firewall should have the following capabilities:
- Identity and Access Management: As with any cloud security system, strong authentication and access management is vital to restrict access to the network. Without identity management, cyber criminals could impersonate valid users and gain access to sensitive data or applications.
- Entry Point Protection: Using the public cloud means that there are often many access points for users to interact with the network. Because of this, it is important to have a secure network perimeter that monitors the traffic attempting to enter the network. Without adequate protection, these entry points can be breached, many times without you even knowing.
- Modular Economic Model: Like most modern SaaS products, it’s important that there are several available licensing options that allow flexibility for different organizations with different needs. Scaling based on network traffic allows you to only pay for the traffic you use – this level of payment granularity means small businesses can rely on the same features as large enterprises.
- High Availability: The firewall you pick should be able to deploy large numbers of server instances, across multiple regions, while still maintaining a high standard of performance. One of the benefits of using a cloud service like Azure is that you have access to data centers all over the world. But if network security is compromised or overloaded, that geographic advantage is no longer relevant.
- VPN Support: One of the benefits of cloud platforms is that employees can access data from a number of devices, both on-premises, but more importantly, when working remotely. An effective Azure network firewall should be capable of integrating directly with VPNs and offer optimized and secure access to cloud resources for users using any type of device.
- SD-WAN Capabilities: SD-WAN has become a must-have among organizations due to its massive cost-savings when used properly instead of traditional MPLS infrastructure. Many modern network firewalls offer built-in SD-WAN capabilities so you can have the network security of traditional network firewalls with the ability to economically route traffic across an extended network.
- Virtual WAN Support: Microsoft Azure has data centers in many locations across the globe, and offers a compelling capability to leverage these data centers as a virtual WAN. This becomes an extended network, much like SD-WAN, and it needs similar network firewall protection. An effective Azure network firewall should be Virtual WAN-aware and integrate with it in a streamlined way.