Do I need a WAF if I have a VPN? - azure

Do I really need a layer 7 Firewall if I change the architecture to use a VPN? If our clients connect to our services via a VPN, surely that would save costs of a WAF? Or am I missing something?

A WAF protects your web services and the services behind your web.
If you believe in zero trust then people logging into your VPN should not be trusted.
Many believe VPN is a dying tool since it's often configured with poor segmentation.
It's argued that a better alternative to VPN is to use cloud based apps that allow SAML or other methods of authentication/authorization along with two-factor capabilities.
Hope this helps.

Related

Is there any need for a firewall for an Azure Web App?

I understand that Azure Web Apps as a PaaS offering are inherently more secure than if hosting on your own VM ... but does that mean a firewall solution is not required at all?
Azure offers a few solutions, but anything acting as a firewall seems expensive - so we are wondering if we can just do without one.
Not required as long as you have secured login for sensitive data and enabled CORS rules. For other protections you can definitely add to your subscription, like firewall and DDoS protection.
It is not required; however, depending on the type of application you are building it is greatly encouraged, if not required by specific industries.
Depending on your architecture and/or approach, and if cost is a concern, I'd recommend Azure Front Door with Web Application Firewall (WAF) enabled. This will cover additional security for your application at a reasonable cost, as well as potentially serve as a Traffic Manager/load balancer.

Azure App Gateway SSL Offloading to a Datacentre server?

So I am looking at using Azure App Gateway to overcome a set of legacy servers (Win2003) that will not support TLS 1.2 and therefore come March+ 2020 the client browsers will not be able to access the site.
So my question is can I use AZ App Gateway to terminate the SSL and route traffic onto a set of Windows Load Balanced servers in our datacentres?
Has anyone done this before?
You can certainly do this, but Azure Front Door would be a better option, I believe (if you trust IP restrictions, I think that would be the only way to secure endpoints). They would allow you to offload SSL and offer some other nice features. And you don't have to create a site-to-site VPN and maintain it.

DDoS attack mitigation on Azure infrastructure

I have a Django based web application hosted on Azure provisioned virtual machines (Ubuntu OS). My application recently experienced a DDoS attack and we were helpless against it.
The problem is that once traffic hits the server - even if it's blocked at a firewall or throttled in my webserver - the traffic is already consuming my network bandwidth. I can do nothing about it. This needs to be blocked "upstream", in the routing gear servicing my server.
Is there any DDoS protection Azure can offer me? Or at the very least, make recommendations as to how I might deploy my application so that it's more resistant to these attacks? Please advise.
Currently, Azure provides DDoS protection at the network level, but not at the application level. So, if you are receiving a bunch of ACK requests, for example, this should be blocked by the platform itself.
For app level DDoS protection, you need to consider an upstream provider such as Incapsula or Silverline. Integrating them is quite easy. See https://www.incapsula.com/blog/how-to-add-incapsula-to-your-microsoft-azure-instance.html for an example.
Essentially, you will set up Incapsula and configure it with the DNS label of the web app (something.azurewebsites.net). Your DNS (www.domain.com) will then point to the Incapsula service and they will handle the rest.
Please note that separating the DDoS protection from the service still allows for an attack against the service itself (i.e. if someone hits something.azurewebsites.net directly then Incapsula will not protect this traffic).
Hope that helps!
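The caveat in the answer above is that the origin hostname stays reachable around the upstream provider. A way to notice that from the defender's side is to check the origin's own access log for requests that did not arrive from the provider's proxy ranges. This is an added example, not code from the answer or from Incapsula; the proxy ranges, log format and log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges standing in for the upstream WAF/CDN provider's
# proxy addresses (not any provider's real ranges; look those up from your provider).
WAF_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed origin access-log lines: client IP, timestamp, request, status, bytes, Host header.
SAMPLE_LOG = """\
198.51.100.17 - - [10/Mar/2020:10:00:01 +0000] "GET /api/orders HTTP/1.1" 200 512 "something.azurewebsites.net"
203.0.113.5 - - [10/Mar/2020:10:00:02 +0000] "POST /login HTTP/1.1" 200 88 "www.example.com"
192.0.2.44 - - [10/Mar/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "something.azurewebsites.net"
192.0.2.44 - - [10/Mar/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "something.azurewebsites.net"
198.51.100.9 - - [10/Mar/2020:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 304 0 "www.example.com"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)


def is_from_waf(ip):
    """True if the client address falls inside one of the provider's proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never trusted as the proxy
    return any(addr in net for net in WAF_PROXY_RANGES)


def find_bypass_hits(log_text):
    """Return parsed requests that reached the origin without passing through the WAF proxy."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        rec = m.groupdict()
        if not is_from_waf(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(log_text):
    """Aggregate bypass hits per source IP and list which hostnames were reached directly."""
    hits = find_bypass_hits(log_text)
    return {
        "bypass_requests": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "hosts": sorted({h["host"] for h in hits}),
    }
```

Any hit reported here is a request the provider never saw, which is the gap to close with origin-side source restrictions or a shared secret header the proxy adds.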
First: Azure allows for IP-whitelisting (or blacklisting), so you can add malicious IP addresses to your block-list on incoming traffic (port 80/443 for instance). And you can modify IP addresses / ranges programmatically. This should prevent traffic from hitting your web app. Note: This is specific to Azure Virtual Machines, which you're using.
Second: Azure provides the Azure Security Center, which is designed to detect such things as DoS attacks, intrusion attacks, etc. Not that it solves your problem, but it can be used for alerting you to issues.
Using Incapsula will be the right answer for you, since Incapsula hides your origin IP and mitigates the attack before it even reaches Azure.
In addition, it provides CDN and cache, which helped us save on bandwidth costs on AWS and make our application work faster.

What is the best practice for ddos protection on Windows Azure virtual machine?

I have multiple domains connected to my VM and a static IP.
Azure provides DDoS protection on all their services, but they do this in a selfish manner, i.e. they are protecting their service, not necessarily yours.
I think when trying to enable DDoS protection you have the following options:
Use VMs from the Azure Marketplace. There are leading security solutions for sale, and you can put those in-line with your VMs.
Use an upstream service such as Incapsula, Cloudflare, or Silverline.
There really is no one single best practice solution, you need to balance cost vs risk to determine the best solution for you or your client.
Azure officially partners with Imperva Incapsula to provide WAF and DDoS Mitigation:
https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/
https://www.incapsula.com/ddos-protection-for-microsoft-azure.html
If you want a hint, look at who protects Microsoft's own blog...
http://blogs.microsoft.com/blog/2016/02/25/enterprise-security-for-our-mobile-first-cloud-first-world-2/
Using Incapsula is the correct way to go; it will mitigate all of the DDoS attacks and provide CDN and cache for your app, which will speed it up.
Today we use Incapsula to mitigate attacks and as a CDN + cache, and it actually saved us on AWS traffic and sped up the application.
There is a lot happening around making Azure more secure. Most of that is described in the Azure Trust Center. You can request penetration testing as well if you want.
And, if you want some additional features, there is a partner offerings marketplace called Azure Marketplace where you can find a lot of manageable solutions.

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either:
Set up a VPN - which is problematic because we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good, and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet: if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only does it defeat most of the benefits of the cloud (been there, done that and suffered a lot), but it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that looks like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time; Microsoft will probably provide it at some point, but it might still take many months.
