Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode number 19 and welcome to 2021. This week, we have Mark, and Gladys, and myself. We also have a special guest, Suren Jamiyanna, who will talk to us this week about Azure Firewall. But before we get to Suren, let's talk to Mark about what's new in the news this week.
For those in the InfoSec world, this won't be news that it exists, but the SolarWinds attack, or Solorigate as Microsoft calls it, is definitely something that is top of mind for a lot of security teams at the company.
Microsoft has put out a Solorigate Resource Center with all sorts of threat hunting guidance, links to blogs on the geopolitical nation-state aspects of the concerns that we have with the attacks on the supply chain of so many governments and organizations, and commercial enterprises. Pretty much everything Microsoft has on that particular topic is there. So highly recommend you check that out. We'll put the URL in the notes, it's just aka.ms/solorigate.
So quite a bit going on there, definitely taking up a lot of attention and a lot of oxygen in the room with regards to information security right now. The other one that we're still monitoring very closely, that we don't expect to go away even though we might be distracted from it for a little bit with the Solorigate piece, is the human operated ransomware threat. We are continuing to see the economic indicators on this show no sign of the growth of this particular attack stopping.
So that is definitely an area that we're keeping in our sights and something that we're concerned about. We will have some further information coming out on that very shortly, targeting mid-month, hoping it stays on track. The one thing that a lot of these attacks of significant impact do have in common is that they are going after privileged access. So accounts, credentials, keys, and in the case of the SAML stuff, the signing key within a SAML authority. So that's definitely very top of mind for us.
We actually just released some updated guidance on privileged access, but the approach of taking zero trust to defend against these is definitely covered in there. That is heavily part of the ransomware piece. So that will be coming quite shortly. That's been what I've been monitoring top of mind. Hi everyone. Actually, I wanted to comment a little bit about Solorigate. I cannot pronounce it. I was really surprised by the speed and the actions that were done in a quick manner.
It actually brought into perspective some compromise because it's a matter of how fast we respond to the problem. The speed and scope of the actions that were taken in basically a week, two weeks can be seen under that aka.ms/solorigate article, where we are discussing all the actions that we have done, including updating our services, legal taking control of the DNS domain used for the malware. There were a lot of things done.
So what I wanted to bring up is that purchasing all these cloud services is more than just gaining a technology capability. It's a partnership with Microsoft and all the capabilities and the power of Microsoft resources available. So I was really, really surprised about all this. Now for my news, I took a nice break for the holidays a couple of weeks. So I haven't been keeping up as much as I would otherwise have.
However, I got really excited about the continuous export of regulatory compliance data that was added to Azure Security Center. The reason that I was really excited about this is because I have been working with several customers that wanted to have all the compliance handled by different groups other than security. Usually compliance is done by information assurance.
So now we have the capability of exporting that data into a SIEM or other third party tools and provide more information to the customer. And it's in real time. So I was really excited about that. In other news, I wanted to mention the upcoming webinars that the Microsoft Security Community will be publishing in the next two months. Basically on January 7th, there's one on Azure Security Center, and one basically talking about the service ledger protection on the 12th.
On the 19th, there will be one about Azure Sentinel. And on the 20th, it's Azure Defender for IoT, which was formerly known as CyberX, a company that we purchased. So there's a lot of awesome and free webinars that are coming up. You can see more information by going to aka.ms/securitywebinars. So I have a few things that sort of piqued my interest the last couple of weeks. The first one is Power BI has now added support for service principals and new admin APIs.
Essentially what this lets you do is create applications that can be, say, a read-only scanner against the administration interfaces into Power BI. This is something that customers often do. They often build their own little admin tools. In this case, it's a read-only API. And again, using service principals means you don't have to embed user principals for that particular application in code or any kind of configuration information. Don't go embedding them in code, whatever you do.
Next one is Google has deprecated the WebView sign-in support, which means that if you're using Azure Active Directory, you may have an issue here with B2B collaboration with Google accounts. There's going to be a link in the show notes that gives you some ideas about how you can essentially work around this or change your application so that it continues to work correctly for your customers. We've also added support for managed identities in Azure Stream Analytics.
That is now in public preview. This is actually pretty cool. Again, I think, you know, I've mentioned this a few times, sort of some waves of technologies that are coming to multiple platform as a service offerings across Azure. Things like Private Link, Private Endpoint, which we've talked about at length. The other one is customer managed keys for persistent data. Well, another one that we're seeing a lot of traction on is the use of managed identities for PaaS offerings as well.
The nice thing about this is that it allows you to execute that particular application or that offering under a specific identity, and then you can provide access control to that specific identity. Again, this is nice to see another PaaS offering supporting managed identities. If you're confused about managed identities, a managed identity is essentially a service principal, but it's managed by Azure. The lifetime is managed by Azure.
The last one I want to bring up really quickly, we've made some announcements around the border gateway protocol in Azure and how it's used. Basically, Microsoft back in 2019 joined a group called the Mutually Agreed Norms for Routing Security. And this is essentially a group of people trying to solve this problem of improving routing security. There's a lot to go through. There is a blog post on this.
If you're interested in BGP and its impact on cloud security and networking security in general, then take a look. That happens to be a somewhat beautiful segue into talking about networking with our guest this week, most notably Azure Firewall. This week our special guest is Suren Jamiyanna. She's going to talk to us this week about Azure Firewall. First of all, Suren, thank you so much for joining us this week.
Would you care to give us a quick background: how long have you been at Microsoft and what do you do? Yes, thanks, Michael, for having me on the podcast. Hi, everyone, listening to the podcast. My name is Suren Jamiyanna and I am a program manager on the Azure Firewall team. And before the Azure Firewall team, I also interned on the Azure Stack team. So that's also a neat product that can help extend your Azure services to the environment of your choice.
So first question and possibly the most obvious question is what is Azure Firewall, essentially what are the moving parts, what are its benefits, why would people use this? Yes, so great question. So Azure Firewall is a cloud native, fully managed firewall as a service. And so at the core of Azure Firewall is that it is built on Azure, meaning that you can take advantage of the cloud technology and the fact that you can autoscale Azure Firewall based on CPU and throughput.
And it is fully and highly available so that in any case, if Azure Firewall goes down in a region, there will always be a backup with zero downtime. Now with Azure Firewall, the core function of it is to really help you protect your virtual networks with the ability to govern the traffic that is going in and out of your network. So we support layer three to layer seven traffic filtering. In other words, we support filtering on the network, NAT and application layers.
So for example, on the network layer, you can add and manage rules using IP addresses. And another example for the application layer, you can allow traffic that is going outbound based on the protocols of HTTP, HTTPS and MSSQL traffic. And ultimately, Azure Firewall could be used as a central place to provide complete virtual network protection for traffic that is going in and out of your network to the internet, between Azure and between your on-premises traffic. Nice. So I have a question for you.
So if you look at most cloud environments, you really have one of three possible common architectures or designs. So you have platform as a service, you have infrastructure as a service and software as a service. Actually, they really should be the other way around. Infrastructure as a service, platform as a service and software as a service.
One of the beauties of IaaS, where you're running essentially a virtual machine or VM, is you can have your own IP addresses, you can determine how traffic goes to that particular IP address, both in and out. PaaS services have historically not done that, right? Because it's a shared resource, they normally have public endpoints. We over time in Azure have been adding support for things like private link, private endpoints to specific PaaS offerings.
So with Azure Firewall, does that mean that I can put like a real bona fide packet filtering stateful firewall in front of say Azure SQL and storage accounts? Yes, absolutely. In fact, we see that as a common scenario and benefit. So we see customers, as we see a growing trend toward moving your applications or standing up Azure SQL server in the cloud. We really see Azure Firewall as a great tool to lock down and protect your PaaS services in the cloud.
And so you can place your PaaS services in a virtual network and you can filter traffic that is going to that virtual network using Azure Firewall. So we see that as a common scenario. Does that include egress as well, so ingress and egress? Yes, that's right. Nice. So all channel, my favorite customer questions. What's new? What are you all working on that recently released or is stuff that's getting ready to go in preview and preview? What kind of stuff is the team focusing on now?
With our most recent set of new features back in November, I want to say, we recently released custom DNS and DNS proxy. So what this allows you to do with Azure Firewall is Azure Firewall historically uses Azure DNS to resolve domain names. But now with custom DNS, you can use any DNS server that you want to use for your DNS resolution and have Azure Firewall resolve to that instead of using the default provided Azure DNS, if that is your security need.
And then DNS proxy, which essentially allows you to lock down: Azure Firewall can now serve as a DNS proxy between your client all the way to your specified DNS server. So Azure Firewall can also perform the call to that DNS server that you need. And what DNS proxy actually also opens up for you to do with Azure Firewall is now on the network layer, we have a new feature or a new traffic filtering capability using FQDNs on the network layer. So what does that mean?
Instead of typing individual IP addresses on the network layer, you can now specify FQDNs there based on DNS resolution. So let's say you might have a server that you want to allow access to on the network layer; if that server has a domain name, and it can resolve to a DNS or, excuse me, that server has a domain name, and it has a resolvable IP address, you can now have Azure Firewall perform that DNS resolution and allow that traffic if needed.
In addition, Azure Firewall also added a capability where we can protect your Windows Virtual Desktop deployments using our new FQDN tag. So this is also really helpful for your work from home scenarios. So not only can you use Azure Firewall as a way to protect your servers, you can also use it to protect your end users on the network. So that's really helpful, especially if you find that as a greater need in your organization.
What are the common architectures that you have seen these apply to? Yes, so we see two common architectures using Azure Firewall. So the first one I want to say is Azure Firewall, you can utilize and place an Azure Firewall for protecting your virtual networks, either a single virtual network or a hub and spoke model that we see customers tend to use.
So that means you can have Firewall be placed in a hub, a central hub, and that can be used to protect multiple spokes or in other words, multiple virtual networks that might represent a different part of your organization. Maybe for example, your IT department is one spoke, your marketing department is another spoke and your sales department is another spoke. So that's a very common architecture that we see.
And then also a second architecture that we're noticing an increase in is deploying an Azure Firewall within a virtual wide area network. So this is also helpful if you see your organization really growing and you have more departments, you have more of an expanded network, Azure Firewall can be deployed in a VWAN or virtual wide area network. And that can be done automatically through our new service called Azure Firewall Manager.
And to also kind of share more on the direction of Azure Firewall Manager, we see a lot of benefits and kind of the future direction of Azure Firewall is this new concept that we recently released called the Firewall Policy. So now let's say that your organization is growing even more and you want to maybe add additional firewalls so that you can provide better protection in different regions.
And instead of manually going and updating all the same rules and configurations in each individual firewall, well, you can now create a firewall policy one time and simply attach it to each of those firewalls. So that really simplifies your firewall configuration. And let's say that one region maybe in New York, your firewall is a little different than your firewall in LA. So we also have the support for a parent policy and a child policy for additional granularity.
One of the issues that I have seen with customers is the ability to integrate with security tools. Does Azure Firewall have the capability to integrate with Azure Sentinel? Yes. So Azure Sentinel has a connector that can now ingest Azure Firewall logs. So this enables you to view log data in the Azure Sentinel workbooks. You can now create custom alerts and incorporate it to improve your investigation.
So you can see new logs and trends with Azure Firewall, including your throughput utilization, your network and application hit count, your SNAT port utilization, and even specific or top allowed and denied FQDNs by count and much more. So that's a recent integration that we have with the Azure Sentinel team on top of our existing Azure monitoring and logging tools with Azure Firewall. So from a customer perspective, what does the cost look like of Azure Firewall? Are customers seeing cost savings?
Are they using this in place of existing next gen firewalls? Where are you seeing customers approaching this from a cost perspective? Yeah. From a cost perspective, with Azure Firewall, we have a fixed cost when you deploy a firewall, and we also have a variable cost. So that's based on your traffic patterns of processing by the firewall. And typically we see the variable cost is kind of negligible for our larger customers.
And so with the upfront costs, it might be a bigger number than people might expect, but I also want to encourage listeners when they're looking at deploying an Azure Firewall in the cloud. Most customers, what we see, tend to save about 30 to 50% in terms of cost savings compared to NVAs.
And the benefit, and kind of why that is, is actually instead of having to traditionally stand up your own VMs, invest in licensing, standing up standard load balancers and maintaining it, the Azure Firewall service does that for you. So it really abstracts away from it. And I also want to highlight the fact that it is, once again, based on the cloud. So we support a great throughput limit of 30 Gbps.
And you can also reliably count on our high availability so that you don't have to worry about scaling the virtual machine instances on your own. We do that for you based on your traffic patterns and your throughput. So something just dawned on me about this hub and spoke model and cost. Is this the prime or one of the prime reasons why people go for the hub and spoke model? Because now I can have one hub with an Azure Firewall and that can take all the traffic in and all the traffic out.
And I can scale it essentially infinitely, right? Because you know, cloud scale. And then all the individual spokes don't have to worry about having to deploy their own private version of Azure Firewall. Everything's essentially amortized by having this one firewall in the hub. Is that a fair comment? And then obviously the cost savings that come with that. Yeah, that's a totally fair comment. Azure Firewall, we see customers use that hub and spoke model for that reason.
It really makes things easier by having a central place to manage and secure your traffic patterns going into individual virtual networks or individual spokes. So, and it's also an additional added layer of security. So let's say that you do have a network security group, an NSG, in each spoke that can be more granular traffic management that is going between subnets or maybe in your local databases.
You might have a local firewall or excuse me, in your local virtual machines, you might have a local firewall. But with Azure Firewall, as you pointed out and noticed, Michael, yeah, you can really put that outside of that virtual network and protect multiple virtual networks with only a single firewall. So it really makes things much more simple and easier to manage. Yeah, that sounds kind of silly, but it just kind of dawned on me just as you guys are talking about it.
Anyway, I think again, I'm an application security guy, so don't go really cool on me. Anyway, with that, one thing we'd like to ask our guests is, do you have a final thought, something you'd like to leave our listeners with? Yeah, so some final takeaways that I would love to share to our listeners are that, so Azure Firewall, I want to go back and kind of go back to the beauty of Azure Firewall, which is the fact that it is a cloud native, fully managed firewall as a service.
So it has really deep functionalities and filtering traffic, really neat features to help you lock down your traffic patterns. And that really helps you take less focus on the manual upkeep and setting up your own infrastructure with network security, and we do that for you in a kind of a fully managed sense, and so that you can ultimately focus on what's most important, which is securing your applications, securing your workloads and your network.
And Azure Firewall, we have a lot of new features and announcements coming up, so it's an awesome high technology that I encourage you to stay tuned and check out. Well, thank you so much for joining us this week, Suren. I really appreciate it, and I learned a few things. Azure Firewall has been one of those features I've been meaning to sort of kick the tires on for some time now, so you've certainly filled in some of the gaps. Thank you to everyone out there for listening.
We really appreciate you taking the time. If you haven't done it already, please feel free to go ahead and subscribe to this podcast in all the usual places. And with that, everyone out there, stay safe, and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresecpod.
Music is from ccmixter.com, and licensed under the Creative Commons license.