Webhook listener/receiver security - security

We are looking at using webhooks from various vendors outside our network. They would publish the event to us. We would be the webhook listener/receiver, not pushing the events. We have done proof of concept of creating an Azure Function to receive the event. From the research we have done most have the security of passing a sha1/sha256/sha512 hash for us to verify they are who we want to receive the events. This all worked as expected with the POC Azure Function.
From a enterprise network security standpoint is there anything else available? The process above puts the security in the function. I'm sure our Network Security group would not want us to have 10 functions, one for each vendor to worry about the security. I've read about whitelisting of IP's that would be sending the events but most of our vendors are Cloud based so I'm not sure how readily that would be available. Maybe one function to validate all events that come in then let pass through? Would that be an acceptable solution? Azure API Gateway or API Management able to address somehow? Any other network type of product that handles webhook security specifically?
Any insight or link to information most appreciated.
Thanks.

Wow, that's really really so open conversation.
You can use Azure Front Door with the Web Application Firewall attached to it. So any SQL injection, DDoS or similar attacks can be prevented by AFD and WAF.
However, I would say the securest way is to put IP restriction as well. So you need to force your vendor to get their IP address. That can be multiple maybe hundreds. But that doesn't matter. You can implement CIDR IP address format so you can cover all network. And you can easily set these IP address restriction during the CI/CD pipeline with Azure PowerShell script.
You can also useAPI Management in front of Azure Functions and you can create access restriction policies. You can either restrict IP based or JWT based. APIM might be a little bit pricey tho.
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
You can also create advanced policies with APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies
Apart from that, the AFD & WAF and IP restriction are on the network layer. But you can also implement token-based authentication on your code side.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
You can either you Azure Active Directory, IdentityServer or JWT for this.
Good luck!

Related

How to implement service discovery in nodejs?

Can somebody please explain how to implement service discovery with nodejs without any frameworks. only with nodejs and express.
All I can found it how to implement this with frameworks like sprint boot (which i don't want to use) on youtube.
What Steps I need to do to implement this. it very will help if example of the implementation.
A service discovery service is a service that provides endpoints to manage URLs or IPs of other services in the same environment. It's good practice because it allows to decouple services from each other. Reason is that with a service discovery system, services do not need to store each other's URLs or IPs. These values can simple be fetched from the discovery service. URLs or IPs can then also be updated at runtime (still with a grace period of course).
A very basic service discovery service would provide endpoints to
register a service instance,
to unregister a service instance, and
to lookup registered instances.
Translated to HTTP verbs:
POST /service/:name
DELETE /service/:name/:id
GET /service/:name
This of course does not take into account,
authentication and authorization to prevent unwanted manipulation
health checks to make sure that all registered services are actually alive and healthy
and how to set up storage so that the service is fast and scalable.
Though, it should give an idea on where to start. Generally i'd advise to use a proven solution like i.e. https://www.consul.io/

Azure App Service access restrictions with service tag not working

I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.

Azure as a proxy for application

We need to develop integration between ERP (Dynamics Nav) and cloud-based telephony provider.
The provider needs to have an endpoint published and accessible from internet but for security reasons it is not possible for us to allow inbound connections to our network. I think it should be possible to solve this by hosting small application in Azure which will serve as endpoint for telephony provider and to which ERP will connect as outbound persistent connection. The app will just forward requests to ERP.
Since I'm new to Azure the question is what of azure capabilities I could use to solve the task aside from hosting actual VM with application there?
I've just implemented the same using Azure Service Bus.
The VOIP system is putting a small JSON with call details after the end of the call and I'll get the messages from the Service Bus Queue from NAV.
The code is not complicated at all the whole solution is simple and cheap!
Let me know if you want to know more (= you need the code).
Cheers!
Azure AD has the concept of an "application proxy" that will open internal applications up using a connector that runs on prem. This doesn't require inbound ports and is protected by Azure AD authentication.
It's intended more as a user-facing way to get access to Legacy applications, although I don't see why it couldn't be used for integration as well.
https://learn.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal
Otherwise, you could link an Azure Site to Site VPN up and use a service like API gateway to manage connections though this is more complicated.

Transactional Email Service on Azure

Does azure not have a native transactional email service which we can make use of? Currently all aspects of my platform are hosted within azure. Just feels silly going off to a 3rd party for such a simple task.
The problem with the email software in the cloud that it there can be the sitation when the Azure security perimeter will block the traffic or mark it as a spam or many other situations. Especially when you do not have the dedicated IP address (in Azure, btw, you can).
I know about three options - i tested first two, and it works:
1) SendGrid partner offering has 25 000 free emails/month. Tutorial. Simplest way.
2) Less simple is to use external SMTP provider and something like System.Net.Mail. It works, but again, should be tested. It is not guaranteed that your server will not be blocked.
3) Set up the mail server and set up the reverse DNS.
I heard that some folks set up the IIS SMTP service. Did not do it by myself, but i expect that it will involve some extra infrastructure efforts.
I would highly recommend you to not place SMTP server inside of the cloud, but instead of that use some external one. But it can be set up and should work.

Mobile Application Revese Gateway recomendation

I have a mobile application that communicates with a REST based web-service. The web-service lives behind the firewall and talks to other systems. Currently this web-service requires a firewall port to be opened and a SSL cert generated for each installation. Mobile apps sends login credentials so web-services can login to custom back-end systems.
Recently a customer approached us asking how could we deploy this to 50 offices. As we don't want to say modify every firewall in every office, we're looking for options.. This is a list of possible solutions and my thoughts on each one:
Open firewall port and expose https webservice - This is our current
solution but we dont want to have to contact 50 network admins and explain why we need to do this.
VPN - Too heavy weight, complex and expensive, we only need access
to one server. Does not solve problem as firewall needs to be
modified.
Microsoft Azure Hybrid Connection Manager - This provides a managed
service where the Azure cloud will expose an end point. Azure will
also expect connections from a easy to install application that
lives behind the firewall. When a REST call is made to the cloud
end-point, the request is forward down socket that was initiated by
the software behind the firewall. This does what we want but as its
a Microsoft Solution there might impose other requirements that our
customers might not want. Currently the simple Hybrid Connection Manager is free. But for how long?
Jscape MFT Gateway - Similar to Azure but you can host their server anywhere. Not that expensive but is not opensource.
Netty - A async java library/toolkit where this type of application could easily be build. Client and server apps would need to be build and deployed. Dont know what we dont know about Netty.
MDM, AirWatch, BlackBerry BES - A MDM based solution would work expect that MDM's are centrally managed and are not often in every office where the backend services are located. Airwatch has an AppTunnle but im not sure about the specifics.
At this point the Microsoft and Jscape systems are possible solutions.
But most likely these solutions will require us to modify the mobile software to work around issues such as:
How does the user know which server to login to? A locator service
needs to be built such that, an email address is used to lookup their
office, or they need to select their office location from a list.
While the connection is SSL many company might want some additional protection since network login information will be send down the pipe.
How is load balancing and fail-over managed?
So, at this point i'm looking for more options. The best option would be a commercial product that offers some level of customization. Second, would like a well used open-source product that could be installed in Aws and customized.
Thanks
The best approach we found was to use the PUTTY API and setup a reverse proxy.

Resources