Zero Trust for Network & Infrastructure – Essentials Series – Episode 4

QUICK LINKS:

00:42 — Network: Verify explicitly

02:21 — Network: Least privileged access and assume breach

04:20 — Infrastructure: Verify explicitly

05:56 — Infrastructure: Least privileged access and assume breach

08:48 — Wrap up

Link References:

Check out our other shows on Zero Trust Essentials at https://aka.ms/zerotrustmechanics

Use Azure resource manager templates to deploy hands-on experiences in your Azure subscription at https://aka.ms/AZNetSec

Learn more at https://aka.ms/zerotrust

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

• Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1
• Join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
• Watch or listen via podcast here: https://microsoftmechanics.libsyn.com/website

Keep getting this insider knowledge, join us on social:

• Follow us on Twitter: https://twitter.com/MSFTMechanics
• Follow us on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
• Follow us on Facebook: https://facebook.com/microsoftmechanics/

Video Transcript:

-Welcome back to our series on Zero Trust on Microsoft Mechanics. In our Essentials episode, we gave you a high-level overview of the principles of the Zero Trust security model, spanning identity, endpoints, applications, networks, infrastructure, and data. In this episode, we’ll take a look at how you can apply Zero Trust principles and policies to your network and also your infrastructure. Now we’ll walk you through how to think about the core Zero Trust tenets of verify explicitly, apply least privileged access, and assume breach for each of these layers, along with your options. By the way, if you’ve missed our previous shows on Zero Trust Essentials, identity, endpoints, and devices, you can check those out at aka.ms/zerotrustmechanics.

-So let’s start with your network. So your network and its underlying configuration provides secure access to your resources. So beginning with the concept of verifying explicitly each interaction with resources on your network, whether that’s on-premises or on the cloud, should be verified. Now here, context-driven access controls can help you assess connections to the network and take action to grant or deny access. With Azure Front Door, our Layer 7 entry point to Microsoft cloud services, along with Application Gateway, our web traffic load balancer, and web application firewall, you can use policies to control unwanted traffic. Now here in the Azure portal, we’ve set up manage rules using an OWASP 3.1 standards along with custom rules. Now the first one you see here is an automated integration with Azure Sentinel, which uses information from attack logs to block suspicious IPs.

-There’s another one here to block inbound traffic based on geolocation, and a third to block traffic from IE 11. Now, switching to the experience that a hacker might attempt, I’m going to show you an example SQL injection attack in this case, which is looking for the first user in the database, often the admin account. So I’ll enter a password, it could be anything. And then this logs me in as the admin at full privilege, and I own the site. Now I’m going to show you the same experience, but using Azure Front Door with our WAF Application Gateway policies enabled. And I’ll enter the same SQL injection string and a password. And you’ll see that I get a 403 error that forbids access based on our policies. So with these controls, we’ve verified the user’s identity and we’ve prevented a SQL injection attacks.

-So now let’s switch gears though, to the principles of least privilege access and assume breach, and how those apply to networking controls as well. And this is where our network segmentation should be used to prevent lateral movement in case of breach, or if an account has been compromised. So here, I’m looking at Azure firewall. In this case, you can see that we’ve set network rules. And as you can see here, these are like any firewall rules using source and destination IP ranges, ports and protocols. And with application roles, you can apply intelligence from the service, allowing certain web categories and also inspecting the TLS traffic through your firewall. Now here, you can see that the client can hit news and search engine sites. And there’s a list of curated and managed trusted sites here, as well as services that we’ve defined here, like Windows Update. Now, if I click into edit, you can see the types web categories with the things that you might allow or deny, such as categories that can lead to productivity loss, sites that are associated with liabilities or high bandwidth. Equally, for services like Windows Update or Azure Virtual Desktop, you can allow traffic based on fully qualified domain names, or FQDN, tags.

-Now this means that you don’t need to continually update your firewalls manually when IP ranges or addresses change to access these services. On top of that, the Azure Firewall Intrusion Detection and Prevention system, or IDPS, and threat intelligence detects and protects communication that passes through the firewall. And you can protect all of your public IPs from DDoS attacks using the Azure DDoS standard service. Of course, as part of the Zero Trust implementation, you’ll want to secure your networking protocols, deprecate outdated protocols, and use end-to-end encryption for data at rest and in transit for all of your internal, inbound and outbound traffic. And by the way, you can try most of this out by going to aka.ms/AZNetSec, and using the Azure Resource Manager templates to deploy hands-on experiences in your Azure subscription.

-Next, infrastructure, whether on-premises servers, other hardware devices, local, or cloud-hosted VMs, containers, storage, PaaS databases, and other services, these all represent a critical threat vector. Now here, you’re going to need to you ensure that there are adequate protections from the silicon all the way to the firmware and operating system platforms and their connectivity.

-Going back towards Zero Trust principles, let’s start with verify explicitly and how that relates to infrastructure. Now, this requires going beyond simple checks, for example, of computer name and IP address, both of which can be easily spoofed. In this case, access should be gated to unique immutable identifiers for your infrastructure resources, and these should be aligned to role-based access controls or RBAC. Also on your attribute-based access control, which is an extension of RBAC, allows you to authorize access at a more granular attribute level. Once you’ve defined a name or a tag on a resource, you can grant a user or a security principle access to resources based on their role and the attribute.

-Next, related to RBAC, is the practice of using just enough access, or JEA. And this can be used to limit what people can do when using a resource. For example, here, I’m managing a virtual machine running in Azure. In the Access Control tab, it will allow me to grant viewer deny access to the resource. If I click into add role assignment, I can reduce the number of administrators with owner or contributor roles who can perform privileged actions on behalf of regular users. Now if I view the details of a role, say for example, here, like dev test labs user, you can see that I can limit what users can do with that virtual machine running. Next, continuing on the themes of least privilege access and assume breach, the Azure Security Center provides a centralized monitoring and control of resources on-prem, in the Azure cloud, or across cloud providers.

-Now Azure Security Center is a unified infrastructure security management system that continually assesses and strengthens the security posture of your environment. By enabling Azure Defender, it then provides advanced threat protection across your hybrid workloads in the cloud, whether they’re an Azure or not. Brute force attacks of remote virtual machine connections are common. And using Azure Security Center, you can use just-in-time access controls to avoid extended RDP or SSH connection periods. Let me show you how this works. So here, I’m in a virtual machine in Azure. In the Configuration tab, I’ll enable just-in-time, also known as JIT. And with that set, all inbound connection requests over RDP port 3389 for Windows, or port 22 for Linux, will be rejected. Now in the Connect tab, I’ll click on Request Access. And by default, this will open up the connection for me for three hours. So I’ll connect over standard RDP and I’m in my VM.

-Now, once I’ve ended my session and three hours of time have elapsed, just-in-time will close port 3389 and block all other access requests. And for resources that can’t use JIT, you can use adaptive network hardening as part of Azure Defender. Now here, as you can see, it analyzes internet traffic communication patterns of your virtual machines, and will determine whether the existing rules in the network security groups that are associated with them are too permissive, so that you can proactively minimize your attack surface. This can occur when an IP address doesn’t communicate regularly with a resource, or if the IP has been flagged as malicious by the Security Center’s threat intelligence. Also adaptive application controls help you deal with malicious and unauthorized software by allowing only specific applications to run. Here, the security center will analyze data from applications to find machines with a consistent set of running applications to create a list of known, safe software.

-Then if an application runs that’s not on the known safe list, it will trigger an alert. Resolving identified vulnerabilities can also improve the security posture of your containerized environments and protect them from future attacks. Container image vulnerability assessment helps you by scanning your registry for security vulnerabilities and exposes detailed findings for each image. For example, if I click into a finding, I can see a detailed description along with remediation steps. And Azure Sentinel, Microsoft’s cloud native SIM gives you a bird’s-eye view across all of your infrastructure, apps and services used. You can collect data at cloud scale, use intelligence to detect uncovered threats, investigate and hunt down suspicious activities, all assisted by AI, and respond to incidents rapidly with built-in orchestration and automation.

-So that was a tour of the highlights for how the Zero Trust security model applies to protecting your network and infrastructure. Next in our series, we’ll be covering data, the core of what you’ll want to protect with the Zero Trust security model. And if you’ve missed any of our previous shows on the series, be sure to check out aka.ms/ZeroTrustMechanics, and you can also learn more at aka.ms/zerotrust. Thanks for watching.