Monday, 17 June 2024

Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall


Written in collaboration between @andrewmathu and @gusmodena

 

Introduction

 

In today's ever-evolving realm of the present IT infrastructure, where virtualization and cloud computing have become standard practices, the orchestration of firewall rules has evolved into a delicate balancing act between security and adaptability. Traditionally, firewall rules have relied heavily on the use of IP addresses to control access, which, while effective, often proves to be a complex and labor-intensive approach. The moment has arrived to adopt a more streamlined and effective approach that not only bolsters security but also streamlines the management procedure. This entails employing predefined tags that are assigned to virtual machines, aligning with the applications they run or the specific environment they are a part of, including Development (Dev), Production (Prod), and Quality Assurance (QA).

 

This is the 1st of a 2-part blog series where we will explore the complexities associated with managing firewall rules using IP addresses and explore the advantages of transitioning to a tag-based approach. We'll discover how this shift can not only make your infrastructure more secure but also significantly reduce the burden on your IT teams, allowing them to focus on what truly matters: safeguarding your digital assets in an ever-evolving threat landscape.

 

Illumio for Microsoft Azure Firewall

 

In collaboration with Illumio, the leader in Zero Trust Segmentation, Microsoft has built Illumio for Microsoft Azure Firewall - an integrated solution that extends the advantages of Zero Trust Segmentation into the Azure environment.

 

Illumio's integration with Microsoft Azure Firewall was released in General Availability in August 2023, empowering Azure users to implement Zero Trust Segmentation, extending their capabilities beyond traditional network and application filtering. This collaboration equips firewall operations teams with enhanced insights into rule management by providing comprehensive context about the resources under protection. This enriched context allows administrators to effortlessly identify the resources covered by each rule, ascertain ownership, and execute rule lifecycle management tasks with increased confidence and efficiency.

 

Leveraging the Azure platform, this solution protects your assets within Azure Virtual Networks and at the Azure perimeter. It empowers organizations to comprehensively analyze application traffic and dependencies, enforcing consistent protection throughout the environment. As a result, this approach minimizes vulnerabilities, mitigates breaches, and enhances operational efficiency.

 

Key benefits of using Illumio for Microsoft Azure Firewall include:

  • Reduce security risks with a single view of your east-west and north-south traffic based on Azure Firewall flow data within your Azure subscriptions.
  • Provides a full view of your application traffic with real-time visibility of interactions and dependencies across your environment.
  • Easily deploy and configure Azure application-based policies within the Illumio platform.
  • Deploy Azure Firewall policies confidently with policies that automatically scale along with your applications.
  • Avoid application downtime by understanding the impact of Azure Firewall policies before they are enforced.
  • It works with all 3 SKUs of Azure Firewall – Basic, Standard, and Premium - to meet the needs of any organization.

 

Connecting Illumio for Microsoft Azure Firewall to Azure subscription

 

First, we need to have access to Illumio for Microsoft Azure Firewall which is available by registering directly with Illumio or by deploying the solution from Azure’s Marketplace. In this blog, we are using a Tenant which has been registered directly with Illumio. To login into Illumio’s portal we are using the URL https://lumos1.illum.io/login.

 

Next, we have to add a new cloud credential, which will connect Illumio for Microsoft Azure Firewall to our Azure Subscription.

 

thumbnail image 1 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

The easiest way to add a new credential is by downloading and running an Illumio-created script, which automates the process of creating an App Registration on Azure, assigning the required roles for the newly created credential at subscription level. The roles assigned are Reader, Storage Blob Data Reader and a custom role called Illumio Firewall Administrator-“SubId”. The PowerShell script can be found here or can be downloaded from the Illumio portal. Click on “Cloud Credentials” then “Create” and follow the wizard.

 

thumbnail image 2 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

We are running the script via Azure Cloud Shell, so before running the command below, we need to upload the script to our account.

 

thumbnail image 3 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

To run the script, we are using the following command line:

Once the script is completed, we will see the following output with the Client ID, Tenant ID, Subscription ID, and Client Secret, that will be used on the Illumio for Microsoft Azure Firewall portal.

 

thumbnail image 4 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

This output data will be added to the form below as part of adding a new credential.

 

thumbnail image 5 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

Creating Label Mappings

 

Once we have the credentials added, we can navigate through the Firewalls and Firewall Policies tab to find the resources identified by Illumio for Microsoft Azure Firewall and then start creating the label mappings and choosing the policies that we want to manage.

 

In the image below, we are seeing multiple Firewall Policies, but for this blog we are only going to enable the management by Illumio for Microsoft Azure Firewall for the policy “azfw-pol-prem-1”.

 

thumbnail image 6 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

After enabling the management option, the mode will be automatically changed from “Visibility Only” to "Simulation". There are two modes for policy enforcement: Simulation and Enforcement. The Simulation mode allows security teams to test and validate the outcome and impact of their security policies before fully enforcing them. This mode helps protect applications and workloads by containing cyber-attacks and reducing risk.

 

In contrast, the "Enforcement" mode is used to enforce the security policies on managed workloads. The Illumio policy model follows an allowlist model, meaning all communication between workloads is denied unless explicitly allowed by Illumio security policy. Users create segmentation rules to allow traffic between their workloads.

 

Now that we have enabled the management of the Firewall Policy, we will create label mappings. To create label mappings, we can use specific Cloud Metadata or Cloud Tags. If you use Cloud Tags, ensure that you have a definition for your Tags. In this blog we are using a tag called “environment” with the values “clients” and “webservers”.

 

thumbnail image 7 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

To create the mappings, click on “Label Mapping” located on the left side and then click on “Add Rule”.

 

thumbnail image 8 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

When creating a label mapping, we must define the “match criteria” and the “assign a label”. For the “match criteria” we can have multiple criteria using the operators “AND” or “OR”. This is how our label mapping looks like:

 

thumbnail image 9 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

For Label Type we have 4 options:

  • Application
  • Environment
  • Location
  • Role

 

And for the “Value of “, we can use:

  • Custom Value
  • Cloud Metadata
  • Cloud Tag

 

After creating the Label Mapping, we must wait for Illumio for Microsoft Azure Firewall to scan our Azure Subscription to find resources matching what we just defined. Once the scan is done, we can find the resources under “Labeled Objects”.

 

thumbnail image 10 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

Creating Rule Writings

 

Now it’s time to create Rule Writings which will be provisioned and deployed into our Firewall Policy. Click on “Rule Writing” on the left side and then on “Add”. We can create 3 types of rules:

  • Add Override Deny Rule
  • Add Allow Rule
  • Add Deny Rule

 

thumbnail image 11 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

For this demonstration we are creating 1 “Allow” rule, allowing traffic from “Clients” to “Webservers” on ports 443 (HTTPS), 445 (SMB), 80 (HTTP), 21 and 22 (FTP).  The Destination Services are predefined, but we can also create new services or even use Port/Port Ranges.

 

thumbnail image 12 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

thumbnail image 13 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

Now that the rule is created, we must wait for the provisioning of the rule. This is an automatic process that runs periodically. In the case the provisioning takes too long it’s recommended to check the Event Logs to ensure that there is no unexpected error occurring, like for example, “AuthorizationFailed”.

 

Moving to Azure Portal, we will check our Firewall Policy “azfw-pol-prem-1” to see the details of the new rule created, and this is what the Azure Policy looks like.

 

thumbnail image 14 of blog post titled 
	
	
	 
	
	
	
				
		
			
				
						
							Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

 

We can see that Illumio for Microsoft Azure Firewall has created a Resource Collection Group called “ICSNRCG1” with priority 101 and a Rule Collection called “ICSRC1-allow”. The Rule Collection contains 6 rules, one corresponding to each unique combination of Source IP, Destination IP, Port and Protocol, as it is defined in our Rule Writing previously. Within the source and destination fields, two distinct IP groups are used, “ICSIPG1-48608dac*” for the Cloud Tag value clients and “ICSIPG1-f1b8b8d4*” for the Cloud Tag value webservers.

No comments:

Post a Comment