Loading...

Taking Azure Firewall Premium IDPS Functionality

Taking Azure Firewall Premium IDPS Functionality

Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)

 

Intrusion detection and prevention (IDPS) is an advanced threat prevention mechanism supported by the Azure Firewall Premium SKU. Unlike simple network filtering, IDPS matches traffic patterns to a set of known malicious signatures. Azure Firewall supports more than 60,000 malicious signatures which are updated in real time. These signatures apply when malicious patterns are detected under the right conditions.  The conditions include traffic direction (inbound or outbound) and network scope (private network or public network). Below are examples to validate IDPS configuration in your environment.

 

Test Setup

 

Client VM is running in AppSubnet and will connect to the Internet via Azure Firewall. TLS inspection is enabled to deeply inspect HTTPS traffic. IDPS is configured to Alert and Deny suspicious traffic.

 

gusmodena_0-1689185809830.png

 

For the demonstration, I have configured two rules to allow encrypted traffic to example.com and another rule to TLS inspect traffic to showmyip.com.

 

gusmodena_1-1689185904726.png

 

Validating HTTP Traffic

 

We will validate IDPS by injecting malicious User-Agent HaxerMen in the outbound curl request. Below is the output showing the connection is blocked.


Running the below command in AppSubnet shows no result.

 

 

curl -A "HaxerMen" http://example.com -v

 

 

gusmodena_2-1689186342703.png

 

Reviewing the IDPS logs shows traffic is blocked by Signature ID 2032081.

 

gusmodena_3-1689186416105.png

 

Notice that the source IP is Firewall IP and not the actual client IP. This is a known gap with IDPS logging HTTP traffic.

 

 Signature ID 2032081

 

A closer look at signature ID 2032081shows this signature applies to http traffic in ANY (both inbound & outbound) direction. It’s also configured as “Alert and Deny” by policy.

 

gusmodena_4-1689186745766.png

 

Validating HTTPs traffic


Next, we will test HTTPS connectivity to example.com while injecting user agent HaxerMen. Interestingly, the traffic was allowed and not blocked by IDPS. This is because the agent was undetected as the traffic was encrypted traffic.

 

gusmodena_5-1689186797194.png

 

So, let’s now run the https connection to showmyip.com which has been configured to be TLS inspected.

 

Now, let’s browse to www.showmyip.com website by injecting a new agent “HaxerMen”. Notice the traffic is blocked as expected thanks to TLS inspection and IDPS in action.

 

gusmodena_6-1689186930004.png

 

Inspecting the logs shows the matching malicious signature is 2032081. Note the SourceIp logged is the original client. Unlike the HTTP traffic scenario, IDPS logs the correct source IP.

 

gusmodena_7-1689186964803.png

 

Conclusion

 

That’s it! You just finished validating IDPS in a lab. To recap, it’s best practice to enable IDS/IPS with TLS inspection. Depending on your corporate security needs, you can configure IDS/IPS in either Alert mode or Alert & Deny mode. The IDS/IPS signatures are based on emerging threats and automatically pushed to the Firewall at regular intervals (multiple times/hour). It’s the best approach to keep your Azure environments secure. Happy validation!!

 

If you want to learn more about adopting Zero Trust with Azure Network Security ensuring that organizations’ digital assets are secured from attacks and there is visibility into the network traffic, check out this blog post.

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Final Days for the MSOnline and AzureAD PowerShell Modules

After many twists and turns since August 2021, the MSOnline module retirement will happen in April 2025. The AzureAD module will then retire i...

8 hours ago

Join the Conversation: Call for Proposals for Azure Cosmos DB Conf 2025!

Are you passionate about Azure Cosmos DB? Do you have insights, experiences, or innovations that the developer community would love to hear? N...

1 day ago

High Performance Computing in Azure - with Mark Russinovich

See the latest innovations in silicon design from AMD with new system-on-a-chip high bandwidth memory breakthroughs with up to 7 terabytes of ...

1 day ago

Power Pages | Azure AD B2C | Confirm Email message on Profile

If you are unfamiliar with configuring Azure AD B2C as a Power Pages Identity Provider, refer to this post: Power Pages : Set up Azure AD B2C ...

5 days ago

Building a RAG-Based Smart Memory Application with Azure SQL Database

Project Mission The way people work and manage information is changing rapidly in our digital age. More and more people are struggling to keep...

6 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy