We’ll continue the conversation about what else to make sure you have on your radar after you moved resources to Azure. In part 1, we talked about AD Sites & Services and Backup & DR planning. In this part, we’ll touch on protecting resources in Azure.
If you deploy a virtual machine in Azure using the defaults the provisioning wizard sets up, you’ll have RDP access to your machine from anywhere in the world. And so will everyone else! Most administrators would never knowingly allow something like that to happen to an on-premises resource.
A few strategies can be implemented. Common ones we’ve worked with are:
- Not allowing any access from the outside (rely on VPN tunnel to get to the resources)
- Restricting access to only the on-premises public IPs of your corporate office using network security groups
- Leveraging a 3rd party firewall (such as Barracuda’s NextGen Firewall) to protect all the resources
There are factors to consider in each approach such as cost, logging, management, redundancy capabilities, VPN capabilities, consistency & familiarity with a similar on-premises solution, etc.
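To check for the world-open RDP default described above, the following added example (not part of the original article) audits network security group rules for TCP 3389 reachable from any source. It assumes rules in the JSON shape that `az network nsg list` prints; the NSG names, rule names and addresses are constructed, and destination addresses and other service tags are not evaluated.

```python
import json

# Constructed sample in the shape of `az network nsg list` output (trimmed).
SAMPLE = json.loads("""[
 {"name": "vm1-nsg", "securityRules": [
   {"name": "allow-rdp-any", "priority": 1000, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]},
 {"name": "vm2-nsg", "securityRules": [
   {"name": "allow-rdp-office", "priority": 300, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.10/32"],
    "destinationPortRanges": ["3389", "5986"]}]},
 {"name": "vm3-nsg", "securityRules": [
   {"name": "deny-mgmt", "priority": 100, "direction": "Inbound", "access": "Deny",
    "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-4000"},
   {"name": "allow-all", "priority": 200, "direction": "Inbound", "access": "Allow",
    "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"}]}
]""")

WORLD = {"*", "internet", "0.0.0.0/0"}  # source values that mean "anyone"

def _values(rule, single, plural):
    """A rule carries either one value or a list; return both as one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def world_exposed(nsg, port=3389):
    """Name of the Allow rule opening TCP `port` to any source, else None."""
    inbound = [r for r in nsg.get("securityRules", []) if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):  # lowest number wins
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in WORLD for s in sources):
            continue  # narrower rules do not decide what "anyone" can reach
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if any(_covers_port(p, port) for p in ports):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None  # no custom rule matched: the default inbound deny applies

def audit(nsgs, port=3389):
    return {n["name"]: hit for n in nsgs if (hit := world_exposed(n, port))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the first NSG is reported: the second limits RDP to a single office address, and the third has a higher-priority deny that covers 3389 ahead of its allow-all rule.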
Web Application Firewalls (WAF)
When you expose a web server to the Internet, it is going to get scanned and attacked. The ‘bad guys’ are constantly scanning and trying to break into systems that are exposed on the Internet. A basic firewall only sees traffic as ports, such as TCP 80 or TCP 443. It doesn’t understand that an HTTP request may have malicious code embedded in the request. A basic firewall does little to protect a web server from these sorts of attacks.
A web application firewall helps defend your server. Microsoft now has an offering available in Azure. However, similar to the network firewall, your requirements or familiarity with other solutions may lead you to look at other options, such as Citrix Netscaler or Barracuda WAF, to meet your security and administrative goals.
Hopefully you’re already periodically checking your on-premises resources for exposures. Don’t forget to check your Azure resources as well for any exposures that need to be secured, either by closing holes or by implementing some of the options mentioned above. Things change over time. You may have left something open that should have been closed down when a service or offering in your environment changed or was removed. Or, by the nature of security, something that was secure may now have a newly discovered weakness (such as a vulnerable cipher) that should be remediated.
Again, hopefully you’re already patching your on-premises resources periodically. Microsoft is responsible for patching the hosts in an IaaS world, but you’re responsible for your own guests. That’s the same as your on-premises world. So whether you leverage WSUS or SCCM or just do updates manually, you need to stay in the habit of patching your servers regularly. Many of the security breaches mentioned in the news are preventable with just basic patch management.
Hopefully this will help raise some awareness of gaps you may have, or things that you need to consider or explore. If you have any questions on improving your security posture, email firstname.lastname@example.org. We are happy to help.