Security Control v3: Network security

Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

NS-1: Establish network segmentation boundaries

CIS Controls v8 ID(s): 3.12, 13.4, 4.4
NIST SP 800-53 r4 ID(s): AC-4, SC-2, SC-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3

Security Principle: Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in an isolated virtual network. Examples of high-risk workloads include:

  • An application storing or processing highly sensitive data.
  • An external network-facing application accessible by the public or users outside of your organization.
  • An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.

To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), you can take a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, and source and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.

Azure Guidance: Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so that resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside the VNet for smaller sub-networks.

Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address.

You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
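The following is an added example, not Microsoft's code: an offline model of how an NSG evaluates the "deny by default, permit by exception" rule set for a 3-tier app expressed with ASGs. The ASG names and 10.0.0.0/16 addresses are constructed; it shows that the non-removable default rule AllowVnetInBound (priority 65000) still permits web-to-database traffic unless an explicit deny is added below the allow rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed ASG membership and address space (illustrative, not a real deployment).
ASG = {"asg-web": {"10.0.1.4"}, "asg-app": {"10.0.2.4"}, "asg-db": {"10.0.3.4"}}
VNET = ip_network("10.0.0.0/16")  # stands in for the VirtualNetwork service tag

@dataclass(frozen=True)
class Rule:
    priority: int
    src: str     # ASG name, CIDR, "VirtualNetwork", "Internet" or "*"
    dst: str
    port: str    # destination port or "*"
    proto: str   # "Tcp", "Udp" or "*"
    access: str  # "Allow" or "Deny"

def _match(sel, ip):
    if sel == "*":
        return True
    if sel in ASG:
        return ip in ASG[sel]
    if sel == "VirtualNetwork":
        return ip_address(ip) in VNET
    if sel == "Internet":
        return ip_address(ip) not in VNET
    return ip_address(ip) in ip_network(sel)

def evaluate(rules, src_ip, dst_ip, port, proto="Tcp"):
    """Lowest priority number first, first match wins, as an NSG evaluates."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_match(r.src, src_ip) and _match(r.dst, dst_ip)
                and r.port in ("*", str(port)) and r.proto in ("*", proto)):
            return r.access, r.priority
    raise RuntimeError("no rule matched; NSG default rules are missing")

# Two of the three non-removable default inbound rules (AllowAzureLoadBalancerInBound omitted).
DEFAULTS = [Rule(65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
            Rule(65500, "*", "*", "*", "*", "Deny")]
# Permit-by-exception rules for a 3-tier app, written against ASGs rather than IPs.
TIERED = [Rule(100, "Internet", "asg-web", "443", "Tcp", "Allow"),
          Rule(110, "asg-web", "asg-app", "8080", "Tcp", "Allow"),
          Rule(120, "asg-app", "asg-db", "1433", "Tcp", "Allow")]

# Without this explicit deny, AllowVnetInBound (65000) still permits any intra-VNet flow;
# 4096 is the last custom priority, so it sits below every allow rule above.
DENY_VNET = Rule(4096, "VirtualNetwork", "VirtualNetwork", "*", "*", "Deny")

def web_to_db_allowed(with_explicit_deny):
    rules = TIERED + DEFAULTS + ([DENY_VNET] if with_explicit_deny else [])
    return evaluate(rules, "10.0.1.4", "10.0.3.4", 1433)[0] == "Allow"
```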

NS-2: Secure cloud services with network controls

CIS Controls v8 ID(s): 3.12, 4.4
NIST SP 800-53 r4 ID(s): AC-4, SC-2, SC-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3

Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks when possible.

Azure Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible.

For certain services, you also have the option to deploy VNet integration for the service, where you can restrict access to the VNet to establish a private access point for the service.

NS-3: Deploy firewall at the edge of enterprise network

CIS Controls v8 ID(s): 4.4, 4.8, 13.10
NIST SP 800-53 r4 ID(s): AC-4, SC-7, CM-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3

Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purposes.

At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).

Azure Guidance: Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).

If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDRs) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.

NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

CIS Controls v8 ID(s): 13.2, 13.3, 13.7, 13.8
NIST SP 800-53 r4 ID(s): SC-7, SI-4
PCI-DSS v3.2.1 ID(s): 11.4

Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution.

For more in-depth host-level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.

Azure Guidance: Use Azure Firewall’s IDPS capability on your network to alert on and/or block traffic to and from known malicious IP addresses and domains.

For more in-depth host-level detection and prevention capability, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.

NS-5: Deploy DDoS protection

CIS Controls v8 ID(s): 13.10
NIST SP 800-53 r4 ID(s): SC-5, SC-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 6.6

Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.

Azure Guidance: Enable a DDoS Protection Standard plan on your VNet to protect resources that are exposed to public networks.

NS-6: Deploy web application firewall

CIS Controls v8 ID(s): 13.10
NIST SP 800-53 r4 ID(s): SC-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3

Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.

Azure Guidance: Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application-layer attacks at the edge of your network. Set your WAF to "detection" or "prevention" mode, depending on your needs and threat landscape. Choose a built-in ruleset, such as the OWASP Top 10 vulnerabilities, and tune it to your application.

NS-7: Simplify network security configuration

CIS Controls v8 ID(s): 4.4, 4.8
NIST SP 800-53 r4 ID(s): AC-4, SC-2, SC-7
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3

Security Principle: When managing a complex network environment, use tools to simplify, centralize, and enhance network security management.

Azure Guidance: Use the following features to simplify the implementation and management of the NSG and Azure Firewall rules:

  • Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols, and source IPs based on threat intelligence and traffic analysis results.
  • Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the implementation of firewall rules and network security groups, you can also use the Azure Firewall Manager ARM (Azure Resource Manager) template.

NS-8: Detect and disable insecure services and protocols

CIS Controls v8 ID(s): 4.4, 4.8
NIST SP 800-53 r4 ID(s): CM-2, CM-6, CM-7
PCI-DSS v3.2.1 ID(s): 4.1, A2.1, A2.2, A2.3

Security Principle: Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols is not possible.

Azure Guidance: Use Azure Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. Disable insecure services and protocols that do not meet the appropriate security standard.

Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.

NS-9: Connect on-premises or cloud network privately

CIS Controls v8 ID(s): 12.7
NIST SP 800-53 r4 ID(s): CA-3, AC-17, AC-4
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.

Azure Guidance: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.

For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network.

For an enterprise-level, high-performance connection, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment.

When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

NS-10: Ensure Domain Name System (DNS) security

CIS Controls v8 ID(s): 4.9, 9.2
NIST SP 800-53 r4 ID(s): SC-20, SC-21
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Ensure that Domain Name System (DNS) security configuration protects against known risks:

  • Use trusted authoritative and recursive DNS services across your cloud environment to ensure that clients (such as operating systems and applications) receive the correct resolution result.
  • Separate public and private DNS resolution so that the DNS resolution process for the private network can be isolated from the public network.
  • Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, and so on.

Azure Guidance: Use Azure recursive DNS or a trusted external DNS server in your workload's recursive DNS setup, such as in a VM's operating system or in the application.

Use Azure Private DNS for private DNS zone setup, where the DNS resolution process does not leave the virtual network. Use a custom DNS configuration to restrict DNS resolution so that your clients receive only trusted resolution results.

Use Azure Defender for DNS for the advanced protection against the following security threats to your workload or your DNS service:

  • Data exfiltration from your Azure resources using DNS tunneling
  • Malware communicating with command-and-control servers
  • Communication with malicious domains used for phishing and crypto mining
  • DNS attacks in communication with malicious DNS resolvers

You can also use Azure Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar.
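As an added example (not part of the original page or Microsoft's tooling), the dangling-DNS condition described above can also be checked from your own records: compare every CNAME in a zone that points at an App Service hostname against the inventory of App Service apps that still exist. The zone lines and inventory below are constructed; the azurewebsites.net suffix is the App Service default domain.

```python
import re

# Suffix where deleting the resource frees the hostname for someone else to claim.
MANAGED_SUFFIXES = (".azurewebsites.net",)

# Constructed zone-file excerpt: one CNAME still backed by a live app, one left behind
# after its site was decommissioned, and an A record that is not in scope.
ZONE = """\
www.contoso.example.   3600 IN CNAME contoso-prod.azurewebsites.net.
shop.contoso.example.  3600 IN CNAME old-shop.azurewebsites.net.
api.contoso.example.   3600 IN A     203.0.113.10
"""
# Constructed inventory of App Service default hostnames that currently exist.
INVENTORY = {"contoso-prod.azurewebsites.net"}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)", re.IGNORECASE)

def dangling_cnames(zone_text, live_hosts, suffixes=MANAGED_SUFFIXES):
    """Return (record name, target) pairs whose target is a managed hostname no longer owned."""
    live = {h.lower().rstrip(".") for h in live_hosts}
    findings = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line)
        if not m:
            continue  # only CNAMEs can dangle onto a reusable provider hostname
        name = m.group(1).lower().rstrip(".")
        target = m.group(2).lower().rstrip(".")
        if target.endswith(suffixes) and target not in live:
            findings.append((name, target))
    return findings
```

Records flagged here should be deleted or repointed before the custom domain is re-registered by anyone else.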
