Azure Bastion – Jump Box as a Service

Traditional management of jump servers in the cloud is painful: it takes a lot of work to set up and a lot of ongoing maintenance afterwards.

To keep external attackers out, a jump server has to be completely locked down and hardened: aggressive block-lists of applications and IPs, 2FA, no standing admin rights, auditing and, where possible, an automated rebuild of the jump server every other day so that nothing an attacker manages to plant survives for long.

I know a lot of you out there rely on “jump servers” and are not very serious about the day-to-day operational management of them. Many companies in the SMB segment have been attacked through exploits of poorly managed jump servers. To address these problems and make the security more controlled, Microsoft introduced Azure Bastion last year as a replacement for the traditional jump server architecture.

Azure Bastion is a fully managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS, so the VMs' RDP and SSH ports never have to be exposed to the internet. Since the initial release the service has been adopted by many Azure customers and has received great feedback.

Moreover, a Bastion host is very easy to set up with a few clicks, and the service is ready within a few minutes of deployment. Bastion-type services are also available in other clouds with different feature sets.

Azure Bastion key characteristics and what it offers Azure customers:

  • No public IP address required on the VMs in Azure.
  • Remote sessions over TLS on port 443, which also traverses firewalls that block RDP/SSH.
  • Agentless: no additional software is required on the VMs.
  • Internally it is a VM scale set and can expand with connection demand.
  • Hardened in one place, so it protects against port scanning, zero-day exploits and malware.
  • An additional security layer can be added with NSGs on top of the Bastion host, for example by allowing RDP/SSH to the VMs only from the AzureBastionSubnet.
  • Access to Windows Server VMs through Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
  • As the name implies, a bastion is a fortified point of entry: it is the single hardened door into your Azure VM estate.
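The NSG layering point above is easy to get wrong: a rule that admits the Bastion subnet is not enough on its own, because Azure's default AllowVnetInBound rule still lets every other host in the VNet reach 3389/22. The following is an added example (not code from the original post or from Azure) that models how Azure evaluates inbound NSG rules, lowest priority number first, first match wins, with the platform's default rules appended at 65000 and above, and uses it to compare the "RDP open to the Internet" anti-pattern with a Bastion-only rule set. The rule dicts imitate the securityRules of `az network nsg show` but only model inbound rules and the protocol, destinationPortRanges and sourceAddressPrefix fields; the VNet space 10.0.0.0/16, the Bastion subnet 10.0.1.0/26 and the probe IP addresses are assumptions.

```python
"""Model Azure NSG inbound evaluation and verify that a VM accepts RDP/SSH only
from the AzureBastionSubnet. Added example; the rule sets and addresses are
constructed and the model covers inbound rules only."""
import ipaddress

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VNet address space
BASTION_SUBNET = "10.0.1.0/26"                           # assumed AzureBastionSubnet

# Azure's default inbound rules; every NSG evaluates these after the custom ones.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": ["*"]},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRanges": ["*"]},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["*"]},
]

# "Before": the classic jump-server anti-pattern, RDP open to the whole Internet.
BEFORE_RULES = [
    {"name": "Allow-RDP-Internet", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3389"]},
]

# "After": RDP/SSH only from the Bastion subnet. The explicit deny at 110 matters:
# without it AllowVnetInBound (65000) would still let any VNet host reach 3389/22.
AFTER_RULES = [
    {"name": "Allow-Bastion-RDP-SSH", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": BASTION_SUBNET, "destinationPortRanges": ["22", "3389"]},
    {"name": "Deny-Other-RDP-SSH", "priority": 110, "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
]


def port_matches(port_ranges, port):
    """Entries are '*', a single port, or a range 'lo-hi'."""
    for spec in port_ranges:
        if spec == "*":
            return True
        if "-" in spec:
            lo, hi = (int(p) for p in spec.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(spec) == port:
            return True
    return False


def source_matches(prefix, src_ip):
    """Match a source address against a CIDR or one of the service tags used above."""
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":            # Azure defines this as everything outside the VNet
        return not in_vnet
    if prefix == "AzureLoadBalancer":   # the platform health-probe source address
        return str(ip) == "168.63.129.16"
    return ip in ipaddress.ip_network(prefix, strict=False)


def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches, in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not port_matches(rule["destinationPortRanges"], dst_port):
            continue
        if not source_matches(rule["sourceAddressPrefix"], src_ip):
            continue
        return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound guarantees a match")


def audit_admin_exposure(rules):
    """The flows that matter once Bastion is the only intended path to 22/3389."""
    probes = {"internet": "203.0.113.5", "bastion": "10.0.1.10", "other-vnet-host": "10.0.3.7"}
    return {"{}->{}".format(who, port): evaluate_inbound(rules, ip, port)[0]
            for who, ip in probes.items() for port in (22, 3389)}


if __name__ == "__main__":
    for label, rules in (("before", BEFORE_RULES), ("after", AFTER_RULES)):
        print(label, audit_admin_exposure(rules))
```

Running it shows the "before" set allowing 3389 from the Internet and 22/3389 from every VNet host, while the "after" set allows both ports only from 10.0.1.0/26 and denies the Internet and other VNet hosts at rule 110, before the default allow-from-VNet rule is ever reached.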

High-level architecture:

This figure shows the architecture of an Azure Bastion deployment, reflecting the characteristics listed above.

[Figure: Azure Bastion high-level architecture diagram]

What is planned next – feature updates (no dates yet, but these are in the pipeline):

  • A Bastion host currently has to be deployed in each VNet, as VNet peering is not yet supported. Upcoming product updates should add support for peered VNets.
  • Azure AD SSO integration.
  • Currently Bastion can only be accessed through the Azure portal (via an HTML5 browser); support for native RDP/SSH clients is expected soon.
  • Full RDP session recording for auditing.


Sources:

Bastion overview – https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Bastion pricing – https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

Create a Bastion host – https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal


Azure Sentinel – The Mutant Hunter

Being a big fan of both the X-Men series and security products, I couldn’t resist researching the new SecOps offering from Microsoft called “Azure Sentinel”. For those not familiar with the X-Men comics, Sentinels are mutant-hunting robots that monitor, detect and kill mutants 😛

Azure Sentinel is a great SIEM and SOAR offering from Microsoft, combining SecOps and AI in a cloud-native solution.


The great advantage and differentiator of this offering over other SIEM solutions is that it is backed by Microsoft, which is turning into one of the biggest security companies in the world, with huge investment going into security research. It is clearly going to disrupt the SOC as a cloud security solution.

Since it is cloud native, there is no capacity planning to worry about and none of the other on-prem bottlenecks.

Alright, after some research and lab time with Azure Sentinel, below is a high-level list of the characteristics and features of this service offering.

Azure Sentinel SecOps flow:

Azure Sentinel aggregates the security data generated by endpoint devices, network infrastructure and other security systems, then uses it to detect and respond to threats in your environment.

Collect / Visibility

Collect security data at cloud scale from almost any source: on-premises, cloud (including other clouds such as AWS) and SaaS apps.

Data collection options, on-prem and cloud:

  • Agent-based collection for Linux and Windows devices (OS events, OS firewall, DNS, DHCP, etc.)
  • Syslog-based collection using the Syslog/CEF connector; the forwarder can be deployed on-premises or in the cloud and ships events over TLS
  • REST API-based collection for F5, Barracuda, Symantec and other similar products.
  • Custom connectors using Azure Functions for log stores such as S3.
  • Data already in the Azure Log Analytics workspace is also available to Sentinel analytics.

Visualise:

Workbooks – interactive dashboards on top of the analysis. There is a good number of built-in workbook templates in Azure Sentinel, such as Azure Activity, Azure AD audit logs, Azure AD sign-in logs and a variety of other products (AWS network activity, AWS user activity). Custom workbooks can be created as needed.
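A custom connector of the kind mentioned above (an Azure Function pulling logs out of an S3 bucket) ultimately has to land its records in the Log Analytics workspace behind Sentinel, and the piece people get wrong is the request signing. The following is an added example, not code from the original post or from Microsoft, that implements the signing scheme documented for the Azure Monitor HTTP Data Collector API (HMAC-SHA256 over method, body length, content type, the x-ms-date header and the resource path, sent as `SharedKey <workspaceId>:<signature>`) and posts a batch. The workspace ID, shared key, log type and the S3-style records are constructed placeholders, and the S3 fetch itself is left out.

```python
"""Sign and post a batch of records to the Azure Monitor HTTP Data Collector API,
the write path behind a custom Sentinel connector. Added example; all identifiers
and records below are constructed placeholders."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
CONTENT_TYPE = "application/json"

# Constructed placeholders. In a real Function read these from app settings or
# Key Vault, never from source: the shared key is the workspace primary key.
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
SHARED_KEY_B64 = base64.b64encode(b"constructed-example-key-not-a-real-one!!").decode()
LOG_TYPE = "S3AccessLog"  # becomes the custom table S3AccessLog_CL in the workspace

SAMPLE_RECORDS = [  # constructed: what an S3 access-log reader might hand over
    {"eventTime": "2020-03-01T10:15:02Z", "bucket": "corp-backups",
     "requester": "arn:aws:iam::123456789012:user/alice",
     "operation": "REST.GET.OBJECT", "httpStatus": 200, "remoteIp": "198.51.100.7"},
    {"eventTime": "2020-03-01T10:15:09Z", "bucket": "corp-backups",
     "requester": "-", "operation": "REST.GET.OBJECT", "httpStatus": 403,
     "remoteIp": "203.0.113.5"},
]


def string_to_sign(method, content_length, rfc1123_date):
    """Canonical string the API signs: method, body length, content type,
    the x-ms-date header and the resource path, newline separated."""
    return "\n".join([method, str(content_length), CONTENT_TYPE,
                      "x-ms-date:" + rfc1123_date, RESOURCE])


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date,
                        method="POST"):
    """Authorization header value: 'SharedKey <workspaceId>:<base64(HMAC-SHA256)>'."""
    key = base64.b64decode(shared_key_b64)  # the shared key is itself base64
    msg = string_to_sign(method, content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode())


def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Serialise the batch and assemble URL, headers and body without sending."""
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_authorization(workspace_id, shared_key_b64,
                                            len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "eventTime",  # use each record's own timestamp
    }
    url = "https://{}.ods.opinsights.azure.com{}?api-version={}".format(
        workspace_id, RESOURCE, API_VERSION)
    return url, headers, body


def post_records(workspace_id, shared_key_b64, log_type, records):
    """Send one batch; raises urllib.error.HTTPError on any non-2xx reply."""
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 200 means the batch was accepted


if __name__ == "__main__":
    print(post_records(WORKSPACE_ID, SHARED_KEY_B64, LOG_TYPE, SAMPLE_RECORDS))
```

Two things worth noting: the signature covers the exact byte length of the body, so serialise once and sign the bytes you actually send; and because `time-generated-field` points at the record's own timestamp, a backlog of S3 logs lands in the workspace with the times the events happened rather than the time the Function ran, which is what the analytics rules in the next section need.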

Detect – Analytics / Hunting

  • There is a good number of built-in analytics rules in Azure Sentinel to choose from for detecting threats.
  • Custom analytics rules can be written as KQL queries.
  • Automated playbooks can be triggered to tackle detected threats.
  • Machine learning can be leveraged to increase the catch rate without increasing the noise.

Investigate – Incidents

  • Track an investigation from the Sentinel security incident, which is raised with a priority.
  • Bring your own ITSM framework by integrating a ticketing tool for incident tracking and resolution.
  • Visualise the entire attack to determine scope and impact by navigating the relationships between alerts.

Respond – Automation

  • Automate and orchestrate responses using integrated Azure Logic Apps. Logic Apps help build automated and scalable playbooks that integrate across tools, so the complete workflow from alert trigger to resolution can be set up.
  • As in the other sections, there is a good library of sample playbooks to configure and test.

Learn more?

Complete docs on Sentinel – https://docs.microsoft.com/en-us/azure/sentinel/

Free trial – Azure Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days. Usage beyond the first 31 days is charged per the published Azure Sentinel pricing. Azure Monitor Log Analytics charges for data ingestion, and charges for the additional automation and bring-your-own-machine-learning capabilities, still apply during the free trial.