Azure Firewall - Detailed Overview

Azure Firewall is a cloud-native, fully stateful network firewall delivered as a managed service for workloads running in Azure. It ships with built-in high availability and scales with traffic without capacity planning on your side, and it can inspect both east-west traffic (spoke-to-spoke and VNet-to-on-premises through a hub) and north-south traffic (internet-bound and inbound).

Azure Firewall Premium builds on the Standard SKU with features aimed at sensitive and regulated environments. The list below mixes Premium-only capabilities (TLS inspection, IDPS, URL filtering and full-URL web categories) with capabilities that the Standard SKU also has (FQDN tags, FQDN filtering in network rules, custom DNS, DNS proxy and threat intelligence); each item says which. Here are the key features along with examples to illustrate each one:

1. TLS Inspection

  • TLS inspection, also called SSL inspection, decrypts encrypted traffic, inspects it for threats or policy violations, and re-encrypts it before forwarding it to its destination. Without it, encrypted traffic is a blind spot for every control that looks at content, so malware, command-and-control and exfiltration can pass unnoticed. Azure Firewall Premium performs this for outbound and east-west traffic: it acts as a man-in-the-middle, issuing a leaf certificate for each visited host from an intermediate CA that you store in Azure Key Vault and that the firewall reads through a user-assigned managed identity. Two practical consequences follow: every client behind the firewall must trust that intermediate CA, and inbound TLS inspection is not provided here (use Application Gateway with WAF in front of published services instead).

EXAMPLE: Consider a scenario where an employee downloads a file from a seemingly reputable website while connected to the corporate network. Unknown to the employee, the file is infected with malware. With TLS inspection enabled on the matching application rule, the encrypted session between the employee's computer and the website is terminated at the firewall, the decrypted content is passed to IDPS, the malware signature matches, the download is blocked and the verdict is logged so the security team can alert on it. Without TLS inspection, the encrypted download would proceed unchecked.

2. IDPS (Intrusion Detection and Prevention System)

  • Feature: IDPS combines intrusion detection (monitoring traffic for known-malicious patterns or policy violations) with intrusion prevention (blocking the traffic that matches). In Azure Firewall Premium it is signature-based: Microsoft maintains and updates the signature set, and the engine runs in one of three modes, Off, Alert (log only) or Alert and deny. Individual signatures can be overridden to a different mode, and specific flows can be bypassed, which is the right fix for a noisy signature instead of downgrading the whole engine to Alert.
  • In simple terms, it monitors network traffic for malicious activity or policy violations, logs what it finds, and in deny mode drops it.
  • Caveat: IDPS only sees cleartext. For HTTPS it can inspect payloads only on connections that TLS inspection has decrypted; on everything else it is limited to unencrypted protocols and connection metadata.

  • Example: Suppose there's an attempt to exploit a known vulnerability in a web application hosted in Azure. The IDPS feature of Azure Firewall Premium can detect this attempt using known signatures or anomalies and take action to block the traffic, preventing the exploit from reaching the application.

3. Web Categories

  • Feature: Web Categories use a continuously updated classification database that assigns websites to categories such as social networking, gambling or games. Administrators write application rules that allow or deny whole categories instead of maintaining lists of individual sites, so the policy keeps working as new sites appear or existing sites change. The Standard SKU classifies on the FQDN only; the Premium SKU, with TLS inspection enabled on the rule, classifies on the full URL, so a host that serves both permitted and blocked content can be handled correctly.
  • In simple terms, it lets administrators allow or deny access by website category (social media, gambling and so on), simplifying the management of web filtering rules.

  • Example: A school can configure Azure Firewall Premium with a deny rule for the gaming and adult-content categories so that students reach only educational content. Note that Azure Firewall rules carry no time window, so a "school hours only" variant of this policy would have to be implemented by automation that swaps the rule collection on a schedule.

4. URL Filtering

  • URL Filtering specifies allow or deny rules for individual URLs, including the path, rather than for whole hosts or categories. This gives precise control over which pages users can reach. For HTTPS the path is only visible after decryption, so path-level rules require TLS inspection to be enabled on the rule; without it the firewall matches only on the host name taken from the TLS handshake.
  • In simple terms, it allows or denies access to specific URLs, not just entire domains, giving more granular control over web access.
  • Example: A company can allow access to "github.com" but deny "github.com/malicious_repo", so developers reach GitHub for legitimate work while a specific known-bad repository is blocked. In practice the allow-list form scales better: allowing only "github.com/contoso-org/*" (wildcards are supported in target URLs) denies every other path without having to enumerate bad repositories.

5. FQDN Tags in Network Rules

  • Feature: Two related capabilities are easily confused here. FQDN Tags are Microsoft-maintained names (for example WindowsUpdate or AzureBackup) that each expand to the set of domains a well-known service needs; they are used in application rules, so the administrator does not have to discover or track the individual FQDNs, and Microsoft keeps the list current. FQDN filtering in network rules lets a network rule name its destination by FQDN instead of IP address, for any protocol and port; the firewall resolves the name itself, which is why this requires DNS proxy to be enabled on the policy. Both capabilities are available in the Standard SKU as well as Premium.
  • In simple terms, FQDN tags describe a service by name in an application rule, and FQDNs in network rules let you write a non-HTTP rule without hard-coding IP addresses.
  • Example: An organization can allow Azure Backup with an application rule that uses the AzureBackup FQDN tag, without knowing the addresses behind the service, and can allow SQL traffic on TCP 1433 to its own server by FQDN in a network rule.
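As an added example, not from the original page, the following Bicep rule collection group expresses the three rule features just described (web categories, path-level URL filtering, FQDN tags) together with a network rule that uses an FQDN. The policy name, the client address range, the FQDNs and the GitHub organization path are placeholders; the Premium policy is assumed to exist already with TLS inspection configured and DNS proxy enabled, which the FQDN network rule requires.

```bicep
// Added example, not from the original page. Policy name, ranges, FQDNs and paths are placeholders.
param policyName string = 'fwpol-premium-example'
param clientRange string = '10.1.0.0/16'   // subnets whose outbound traffic the firewall filters

// The Premium policy is assumed to exist with transportSecurity (TLS inspection) set up and
// dnsSettings.enableProxy = true; without DNS proxy the FQDN network rule is rejected on deploy.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: policyName
}

resource webRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'web-access-rcg'
  properties: {
    priority: 300
    // Network rule collections are always evaluated before application rule collections,
    // whatever their group or collection priority. Within a type, lower number = evaluated first.
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-sql-by-fqdn'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'sql-1433'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ clientRange ]
            destinationFqdns: [ 'contoso-sql.database.windows.net' ]   // resolved via the DNS proxy
            destinationPorts: [ '1433' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-web-categories'
        priority: 200   // denies sit above the allow collection so they win on overlap
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-gambling-games-nudity'
            sourceAddresses: [ clientRange ]
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            // Names are taken from the Azure Firewall web categories list.
            webCategories: [ 'Gambling', 'Games', 'Nudity' ]
            terminateTLS: true   // Premium: categorize on the full URL, not only the host name
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web'
        priority: 300
        action: { type: 'Allow' }
        rules: [
          {
            // URL filtering: only the organization's own GitHub path. Path matching on HTTPS
            // needs TLS inspection; without terminateTLS the firewall only sees "github.com".
            ruleType: 'ApplicationRule'
            name: 'github-org-only'
            sourceAddresses: [ clientRange ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetUrls: [ 'github.com/contoso-org/*' ]
            terminateTLS: true
          }
          {
            // FQDN tag: Microsoft maintains the set of FQDNs behind 'AzureBackup'.
            ruleType: 'ApplicationRule'
            name: 'azure-backup'
            sourceAddresses: [ clientRange ]
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            fqdnTags: [ 'AzureBackup' ]
          }
        ]
      }
    ]
  }
}
```

Deploy it with `az deployment group create` against the resource group that holds the policy. Because rules are terminating, order matters: a request to a site in the Games category from the client range hits the deny collection first and never reaches the allow collection, while a request to github.com/contoso-org/ falls through the deny and matches the URL rule.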

6. Custom DNS

  • Feature: Custom DNS lets the policy name one or more DNS servers that the firewall uses for its own resolution (application rules, FQDN network rules and threat intelligence lookups) instead of the Azure-provided resolver at 168.63.129.16. This is what you need when names exist only on internal or on-premises resolvers, or when a third-party DNS service is the organization's policy enforcement point. The servers must be reachable from AzureFirewallSubnet, and the feature is available in the Standard SKU as well.
  • In simple terms, it lets Azure Firewall use your own DNS servers for name resolution.
  • Example: A company can configure Azure Firewall Premium to use their internal DNS servers for name resolution, ensuring that access to internal applications via their domain names is resolved correctly within their network.

7. DNS Proxy

  • Feature: DNS Proxy turns the firewall into a DNS forwarder. Virtual machines in the spoke VNets send their queries to the firewall's private IP (configured as the VNet's DNS server), and the firewall forwards them to the configured custom DNS servers and caches the responses. Because the firewall then sees the same answers its clients see, FQDN-based network rules match the address the client actually connects to; this is why FQDN filtering in network rules requires DNS proxy. The feature is available in the Standard SKU as well.
  • In simple terms, it acts as a DNS server in front of your real DNS servers, forwarding requests and caching responses.
  • Example: With DNS proxy enabled and the spoke VNets pointed at the firewall, a network rule for "contoso-sql.database.windows.net" on TCP 1433 resolves consistently for the firewall and the client, and the firewall's cache reduces load and latency on the upstream resolvers.

8. Transport Layer Security (TLS) 1.3 Support

  • Feature: TLS 1.3 support means that when the firewall terminates and re-establishes a session for TLS inspection, it can do so for connections negotiated with the current TLS version rather than only TLS 1.2. This matters wherever deep inspection of encrypted traffic is a security or compliance requirement and the endpoints already speak TLS 1.3.
  • In simple terms, it supports the latest TLS 1.3 protocol, with its shorter handshake and stronger cipher suites.
  • Example: When an organization's services call external APIs over HTTPS through the firewall, the inspected connections can still use TLS 1.3 for stronger encryption and faster handshakes.

Two platform properties apply to every SKU rather than to Premium specifically:

  • Built-in High Availability: the service is highly available at no additional cost and can be deployed across availability zones, so there is no active/passive pair or load-balancer sandwich to build and maintain.
  • Scalability: the firewall scales out automatically with traffic, so the security control does not become the bottleneck as deployments grow.

 9.  Threat Intelligence: Integrated with the Microsoft Threat Intelligence feed, the firewall can alert on or block traffic to and from known-malicious IP addresses and domains. It runs in one of three modes, Off, Alert only, or Alert and deny, and has an allow-list for reviewed exceptions. The feature is available in the Standard SKU as well as Premium.

 

Concept

Threat intelligence in Azure Firewall is powered by the Microsoft Threat Intelligence feed, compiled from telemetry across Microsoft products and services, Microsoft security research, and security partners.

This database includes information on IP addresses and domains associated with malware, phishing, botnets, and other cyber threats. By integrating this intelligence, Azure Firewall can proactively prevent communication with these known malicious entities, thereby adding an additional layer of security to protect Azure resources.

Example Scenario

Consider a scenario where an employee clicks a phishing link in an email that attempts to connect to a known malicious server. Azure Firewall, with threat intelligence enabled, evaluates this outbound connection before any rule collection is processed. Recognizing the server's IP address or domain in the Microsoft Threat Intelligence feed, the firewall blocks the connection in Alert and deny mode (in Alert only mode it is logged but allowed), preventing the employee's device from communicating with the attacker's server. The event is logged, and security administrators can review the attempt and use it to reinforce ongoing security awareness training.

Conclusion

Azure Firewall's threat intelligence feature is a powerful tool for automatically identifying and blocking traffic to and from known malicious entities. By leveraging Microsoft's extensive threat intelligence data, Azure Firewall helps secure Azure environments against a wide range of cyber threats, reducing the risk of security breaches and enhancing overall network security.
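As an added example, not from the original page, the following Bicep firewall policy turns on the inspection features covered above (TLS inspection, IDPS, custom DNS with DNS proxy, and threat intelligence) with deny rather than alert semantics. The identity, Key Vault secret ID, DNS server addresses and the bypass ranges are placeholders; the user-assigned identity is assumed to have been granted secret read access on the Key Vault that holds the intermediate CA.

```bicep
// Added example, not from the original page. All names, IDs and addresses are placeholders.
param location string = resourceGroup().location
param policyName string = 'fwpol-premium-example'
param identityId string   // resource ID of a user-assigned identity with Key Vault secret read access
param caSecretId string   // versionless Key Vault secret ID holding the intermediate CA (password-less PFX)
param onPremDns array = [ '10.0.0.4', '10.0.0.5' ]   // internal resolvers reachable from AzureFirewallSubnet

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: policyName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${identityId}': {} }
  }
  properties: {
    sku: { tier: 'Premium' }

    // 9. Threat intelligence: 'Deny' blocks and logs, 'Alert' only logs, 'Off' disables.
    // It is evaluated before IDPS and before any rule collection.
    threatIntelMode: 'Deny'
    threatIntelWhitelist: {
      fqdns: []        // reviewed exceptions only; empty is the safe default
      ipAddresses: []
    }

    // 2. IDPS: 'Deny' drops on signature match. Tune a single noisy signature with an
    // override, or bypass a known bulk flow, rather than dropping the whole engine to 'Alert'.
    intrusionDetection: {
      mode: 'Deny'
      configuration: {
        signatureOverrides: []   // e.g. { id: '<signature id>', mode: 'Alert' } once a signature is triaged
        bypassTrafficSettings: [
          {
            name: 'backup-replication'
            description: 'Bulk replication already constrained by network rules'
            protocol: 'TCP'
            sourceAddresses: [ '10.1.5.0/24' ]
            destinationAddresses: [ '10.2.5.0/24' ]
            destinationPorts: [ '10000-10010' ]
          }
        ]
      }
    }

    // 1. TLS inspection: the firewall mints leaf certificates under this intermediate CA,
    // so every client behind it must trust the CA or all inspected HTTPS sessions fail validation.
    // Inspection itself is switched on per application rule with terminateTLS: true.
    transportSecurity: {
      certificateAuthority: {
        name: 'fw-intermediate-ca'
        keyVaultSecretId: caSecretId
      }
    }

    // 6/7. Custom DNS + DNS proxy: spoke VNets set their DNS server to the firewall's private IP;
    // the proxy forwards to these resolvers and is required for FQDNs in network rules.
    dnsSettings: {
      servers: onPremDns
      enableProxy: true
    }
  }
}
```

The policy is attached to a Premium firewall through the firewall's `firewallPolicy` property; a Premium policy cannot be attached to a Standard firewall. Start with `threatIntelMode` and IDPS in `Alert` on a new environment, review the logs for a few days, and only then move to `Deny`, adding signature overrides for the false positives you found rather than leaving the engine in alert mode.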


Benefits of Using Azure Firewall

  • Enhanced Security: Protects your Azure resources from unauthorized access and attacks.

  • Simplified Management: Simplifies network security management through centralized policies and rules.
  • Compliance and Data Protection: Helps meet regulatory requirements by providing threat protection, TLS inspection and detailed logging of allowed and denied traffic that auditors can review.
  • Reduced Complexity: Eliminates the need to manage traditional hardware-based firewalls or deal with complex HA configurations.
  • Cost Efficiency: Offers a cost-effective solution with its pay-as-you-go pricing model, allowing you to pay only for what you use.

In summary, Azure Firewall secures Azure environments by providing stateful network filtering, centralized policy management, and native integration with other Azure services. Without a control of this kind at the hub, outbound and lateral traffic is effectively unfiltered, which widens the attack surface and makes compliance requirements harder to demonstrate.



Azure Landing Zone: Identity Subscription

 In an Azure enterprise landing zone, having a separate Identity subscription is a strategic approach to centralizing and securing identity management infrastructure and services. This separation aligns with best practices for organizational security, scalability, and management. Here’s why it’s necessary and what it entails:


Why We Need a Separate Identity Subscription

Centralized Identity Management:

Centralizing identity infrastructure in a dedicated subscription allows for better management and monitoring of the resources that the whole estate authenticates against, such as Active Directory domain controllers and directory synchronization servers. Microsoft Entra ID itself (formerly Azure Active Directory, Azure AD) is tenant-scoped and is not deployed into any subscription, but the subscription gives its supporting infrastructure one place where identity and access management (IAM) policies are applied consistently.

Enhanced Security:

Identity and access control are fundamental to the security posture of any organization. A dedicated subscription for identity services enables focused security controls, auditing, and compliance efforts on these critical components, minimizing the risk of unauthorized access and breaches.

Isolation of Critical Resources:

Separating identity resources from operational and workload-specific subscriptions reduces the risk of accidental changes or deletions that could impact the entire organization. It also helps in isolating the identity management plane from potential breaches in other parts of the environment.

Scalability and Flexibility:

As organizations grow, their identity management needs evolve. A dedicated identity subscription allows for the scalability of identity services without impacting or being constrained by other operational aspects of the Azure environment.

Compliance and Regulatory Requirements:

Many industries have stringent regulations regarding data access and user authentication. A separate identity subscription simplifies compliance with these regulations by providing a clear boundary and control over identity-related resources and activities.


Resources to Deploy in the Identity Subscription

The tenant-level services are configured at the Microsoft Entra tenant, not deployed into the subscription, but the subscription and the workloads in it are governed by them:

Microsoft Entra ID (formerly Azure Active Directory, Azure AD): The primary service for managing identities, user authentication, and authorization across Azure and integrated applications.

Privileged Identity Management (PIM): Provides just-in-time, approval-gated activation of privileged roles, including the Owner and Contributor roles on the identity subscription itself.

Identity Protection: Detects risky sign-ins and risky users from sign-in telemetry and can trigger automated responses such as forced password reset or blocked access.

Conditional Access Policies: Define and enforce policies that react to specific conditions (user, device, location, risk) during authentication or access attempts.

The resources that are actually deployed into the identity subscription are the infrastructure pieces:

Active Directory Domain Services domain controllers: Virtual machines (spread across availability zones) in a dedicated subnet, with a network security group that exposes only the AD ports, peered to the hub so that spokes can reach them.

Microsoft Entra Connect (formerly Azure AD Connect) or cloud sync agents: Synchronize on-premises directories with Microsoft Entra ID, enabling hybrid identity scenarios.

Microsoft Entra Domain Services, where managed domain services are used instead of self-hosted domain controllers.

Supporting services: private DNS for the domain, a Key Vault for certificates and service-account secrets, and backup of the domain controllers.


Objectives Achieved with a Separate Identity Subscription

Robust Security Posture: By centralizing and isolating identity management, organizations can implement stronger security measures specifically tailored for protecting identity resources.

Compliance Assurance: Easier to demonstrate compliance with various regulatory standards by having a focused area for identity management that adheres to required controls and audits.

Operational Efficiency: Streamlines the management of identity services by segregating them from workload-specific resources, leading to improved operational clarity and efficiency.

Disaster Recovery Readiness: Facilitates the implementation of specific backup and recovery strategies for critical identity resources, ensuring business continuity in the face of disruptions.


In summary, a separate Identity subscription in an Azure enterprise landing zone provides a focused and secure environment for managing an organization’s identity and access management infrastructure. This strategic separation enhances security, compliance, and operational management, thereby supporting the overall integrity and resilience of the organization's cloud environment.


MS Defenders

 Microsoft Defender offers a wide range of security solutions, similar to the ones we've discussed (Defender for Containers, Defender fo...