Azure : Basic Network Hardening between a Webapp & the SQL Database

A quick tip on hardening your SQL database in combination with an Azure Webapp. Browse to the properties of your webapp. Copy the “outbound ip addresses” to your text editor.

2016-03-16 08_38_56-Properties - Microsoft Azure

Now browse to the “SQL Server” you have provisioned in Azure. Click on “Show firewall settings” and enter the IP addresses you just noted down.

2016-03-16 08_38_13-Firewall settings - Microsoft Azure

A small pointer ; You have to enter this an address at the time and save after each entry… Annoying as hell, though this is how the UI works.

Anyhow, let’s see how our webapp behaves…

2016-03-16 08_43_42-Welcome to CodeIgniter

As you probably do not believe my right off the bat. So let’s clear up the firewall rules…

2016-03-16 08_44_52-Firewall settings - Microsoft Azure

and test again! 2016-03-16 08_45_35-Database Error

Now we notice that the access to the database was denied. The address listed there is the one that was present in the outbound ip addresses listing from earlier on.

Have fun hardening!

Azure Networking : Do not forget the impact of Network Security Groups!

Introduction

In my last post I mentioned that the NSGs (Network Security Groups) had a serious impact on your deployment. So today I’ll be doing a quick demo a possible annoyance you might encounter.

The demo environment

About the same setup as the last time… One VNET, three subnets ; firewall in subnet 10.0.0.0/24, one server in 10.0.1.0/24 and another server in 10.0.2.0/24.

2016-03-14 20_08_17-Settings - Microsoft Azure

Continue reading “Azure Networking : Do not forget the impact of Network Security Groups!”

Azure Networking : Building a DMZ and adding Packet Inspection to all Traffic

Introduction

The last week I’ve been putting down a sweat on getting the following “basic” design working.

Azure-DMZ-kvaes-packet-inspection

What do we see here? A virtual network with three subnets. The subnet “SUBNET000” will act as our “External DMZ”. We’ll put the Firewall (and other security related appliances) in here. The other subnets can fulfil different roles, as you want… Let’s imagine that the “SUBNET001” is our “Internal DMZ” and the “SUBNET002” is our “Server Network”.

And what do I want to achieve today? I want all traffic to flow through the firewall. This so I can control / inspect all flows and act accordingly. As a basic test, I want to be able to ping from 10.0.1.4 (subnet001) to 10.0.2.4 (subnet002) and I want to be able to browse to “www.kvaes.be” (internet) from 10.0.1.4 (subnet001). Both tests need to be performed with the firewall als virtual network appliance routing all traffic. This is needed, as otherwise the whole test is useless from a security perspective. 🙂 If I can do those two things, then I can prove that the you can control / inspect all traffic from your Azure network.

Continue reading “Azure Networking : Building a DMZ and adding Packet Inspection to all Traffic”

Setting up a DMZ in Azure? Firewall or Network Security Groups?

A question that often pops up is ; “How can I configure secure network zones in Azure?”

There are two ways towards tackling that question ;

  • Traditional implementation with Firewall appliances
  • Azure’s “Network Security Groups”

Both deployment models have their advantages and disadvantages…

Traditional Firewall
A traditional firewall deployment will act as central gateway through which all traffic needs to flow. This implies that the firewall is directly connected to all network zones. In the drawing below, we can see that the firewall is connected to three network zones; “Internet”, “Web Servers” & “Database Servers”. So from a physical networking point-of-view, the firewall has a seperate network connection to each of the three network zones.
Cc700820.fire16_big(l=en-us)
When we would translate this model to Azure, then we would need to have a virtual machine with three network interfaces, where each network interface would provide a link to a seperate virtual network. In addition, the default gateway for each virtual network would need to be overriden to point to the firewall.

So far so good? Now be aware that the amount of network interfaces is limited by the size of your virtual machine. By default you will only get one network connection. The cheapest virtual machine to get two network connections is the “A3” (200€/month), four interfaces will need at lest the “A4” (400€/month), where for eight interfaces you will need to look towards the “D4” (811€/month) and for the maximum of sixteen you will need a “D14” (1,512€/month). So this isn’t cheap…

Now bear in mind, that you will only have paid for the machine itself… When we look towards the marketplace in the new portal, then we see appliances that can be purchased in a “pay-as-you-go”-manner. If we pick CheckPoint here, we can see that the list price here varies from ;

  • A3 : 1665,10€ => 2 NICs
  • A4 : 2892,45€ => 4 NICs
  • D4 : 3003,26€ => 8 NICs
  • D14 : 5489,08€ => 16 NICs

When looking towards such an outcome, most customers will say “Thank you very much, but no thank you!” in those sessions. And in all honesty, I fully comprehend the reaction, where I would say the same thing in their situation. Though, that does not solve their initial puzzle…

Network Security Groups
The alternative is setting up NSGs (Network Security Groups). Consider these a basic firewall implementation like the Windows Firewall or IPTables in *nix. How is it positioned by Azure?

A Network Security Group consists of a set of access control rules that describe traffic filters. These can be associated with a virtual machine or a subnet in the same region. The rules defined in the Network Security Group act as filters. On the ingress path they are applied before traffic enters the VM. On the egress path, they are applied after traffic leaves the VM. In short these rules are applied at the infrastructure level which can’t be altered by user processes or even the OS running in the VM. When the Network Security Group is associated with a subnet it applies to all the VMs in the subnet. Any change made on the Network Security Group is immediately is applied to all VMs in the subnet. Source

DMZ_thumb

So with NSGs, you are capable of configuring a DMZ alike situation… What are the limitations?

  • Maximum 100 NSGs per subscription. Maximum 200 rules per NSG.
  • It only covers VM in a virtual network. So when you select “West Europe” instead of “MyPrivateVirtualNetwork”, then you cannot apply them.
  • The configuration can only be done via PowerShell at the moment. But as we all know, the pace of Azure travels at Warp9, so a UI will come…)

So what Can I configure?
NSGRules_thumb
Some important aspects of the Network Security groups include:

  • The rules contain a 5 tuple (Source IP, Source port, Destination IP, Destination port, protocol).
  • The rules are stateful. This means if there is an inbound rule that allow traffic on a port (e.g. port 80), a matching rule on the outbound side is not required for the packets to flow on the same port.
  • Every Network Security Group contains default rules that allow connectivity within the Virtual Network and Outbound access to Internet . These default rules can be overridden by the user rules.
  • The rules are processed based on priority. Rules with small (meaning higher priority) values are processed before rules with larger (meaning lower priority) values.
  • Azure provides defaults tags such as INTERNET and VIRTUAL_NETWORK that refers to the Public IP Address space outside the Virtual Network and customer’s entire network address space respectively. The tags can be used as part of an access control rule.

Comparing both
So when do I choose one over the other? It basically comes down to this…

  • When you only need basic features, want to restrict your budget and you are not afraid of powershell… Go for Network Security Groups.
  • When you need a lot of Enterprise features (deep packet inspection, central management, …) or pass beyond the basic featurs towards the things a “Next Generation Firewall” offers, then you need to go for a full blown firewall implementation.

Microsoft Azure : How to create a virtual machine with multiple network interfaces

When you are designing a network, the ability to have a secure gateway between subnets is vital. Therefor we’ll be looking into the possibility to create a virtual machine with multiple network interfaces.

What is possible?

Be aware that the size of your virtual machine will influence the amount of NICs you can create / configure ;

2015-02-02 09_52_25-Create a VM with Multiple NICs

It was also a surprise for me that it is (currently) not possible to add/remove NICs after the creation of the virtual machine. Trust me, I’ve tried and a nice warning tells me that this is not supported.

2015-02-02 09_52_36-Create a VM with Multiple NICsMore details can be found on the Azure documentation page “Create a VM with Multiple NICs“.

 Let’s try this one out!

 

Our Test Environment

We’ll have a virtual network with three subnet and we’ll create a machine that is linked to two of them.

kvaes-azure-multiple-nics-topology

Possible use cases?

  • Firewall
  • Load Balancer
  • Back-Up System
  • Management System

 

Step One ; Configure your Azure PowerShell to use your Azure Account

  • Open an Azure PowerShell.
  • To download your publishsettingsfile, enter:
    Get-AzurePublishSettingsFile
  • The download pop-up of your browser opens. Save the file.
  • Import the publishsettingsfile by entering:
    Import-AzurePublishSettingsFile PATH_TO_FILE

 

Step Two ; Setup the basics

  • Via the portal, create a virtual network “MULTIPLENICS” with three subnets ;
    2015-02-02 11_28_36-Networks - Windows Azure
  • Configure a storage account “multiplenicskvaes” ;2015-02-02 11_30_11-Storage - Windows Azure
  • Link the storage account to your subscription in Azure Powershell ;

    PS C:\> Get-AzureStorageAccount "multiplenicskvaes"2015-02-02 11_36_58-Microsoft Azure PowerShell
    PS C:\> Set-AzureSubscription -SubscriptionName "Gratis proefversie" -CurrentStorageAccount multiplenicskvaes
    PS C:\> Get-AzureSubscription

    2015-02-02 11_37_15-Microsoft Azure PowerShell

  • Get the image we want to use for our deployment. In this example, we’ll take the most recent Windows image ;

    PS C:\> $image = Get-AzureVMImage | where { $_.ImageFamily -Match "Windows*"} | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1

    2015-02-02 11_40_15-Microsoft Azure PowerShell

 

Step 3 ; Let’s create some VMs!

  • Create a basic configuration (plus account to login)
    PS C:\> $vm01 = New-AzureVMConfig -Name "KVAES01" -InstanceSize ExtraLarge -Image $image -AvailabilitySetName "KVAESNICSCLUSTER"
    PS C:\> Add-AzureProvisioningConfig -Windows -AdminUsername "demouser" -Password "Demo1234?" -VM $vm01

2015-02-02 11_53_15-Microsoft Azure PowerShell

  • Let’s add the machine to a given subnet

    PS C:\> Set-AzureSubnet -SubnetName "TIER000" -VM $vm01

    2015-02-02 11_53_24-Microsoft Azure PowerShell

  • Now let’s add an additional NIC from another subnet

    PS C:\> Add-AzureNetworkInterfaceConfig -Name "NIC1" -SubnetName "TIER001" -StaticVNetIPAddress "192.168.1.100" -VM $vm01

    2015-02-02 11_54_19-Microsoft Azure PowerShell

  • And finally, let’s press “create” 🙂

    PS C:\> New-AzureVM -ServiceName "KVAES01" -VM $vm01 -Location "West Europe" -VNetName "MULTIPLENICS"

    2015-02-02 11_58_36-Microsoft Azure PowerShell
    2015-02-02 12_00_50-Virtual machines - Windows Azure

Step 4 ; Verify that everything went according to plan!

  • Wait for the machine to leave the “Provisioning” state
    (good time to get some coffee/tea/… whatever)
  • Let’s note down the public ip & port which we’ll need to use for the “Remote Desktop Connection” .
    2015-02-02 12_12_06-Virtual machines - Windows Azure 2015-02-02 12_12_22-Virtual machines - Windows Azure
  • And let’s connect to it…
    2015-02-02 12_13_29-Remote Desktop Connection
  • Startup the console and type “ipconfig” to see what network interfaces are available
    2015-02-02 12_15_21-104.40.221.90_64205 - Remote Desktop Connection

Import things to remember

  • (Currently) you can only add/remove network interfaces upon creation.
  • Despite that the feature is not visible via the GUI, you are able to use multiple NICs in different subnets.
  • The limitation in regards to the number of NICs is related to the machine type.