Adaptive Network Hardening in Azure Security Center
Learn how to configure Adaptive Network Hardening in Azure Security Center.
What is Adaptive Network Hardening?
Applying network security groups (NSG) to filter traffic to and from resources, improves your network security posture. However, there can still be some cases in which the actual traffic flowing through the NSG is a subset of the NSG rules defined. In these cases, further improving the security posture can be achieved by hardening the NSG rules, based on the actual traffic patterns.
Adaptive Network Hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.
For example, let’s say the existing NSG rule is to allow traffic from 22.214.171.124/24 on port 22. The Adaptive Network Hardening’s recommendation, based on the analysis, would be to narrow the range and allow traffic from 126.96.36.199/29 – which is a narrower IP range, and deny all other traffic to that port.
Adaptive Network Hardening recommendations are supported on the following ports: 22, 3389, 21, 23, 445, 4333, 3306, 1433, 1434, 53, 20, 5985, 5986, 5432, 139, 66, 1128
View Adaptive Network Hardening alerts and rules
In Security Center, select Networking -> Adaptive Network Hardening. The network VMs are listed under three separate tabs:
Unhealthy resources: VMs that currently have recommendations and alerts that were triggered by running the Adaptive Network Hardening algorithm.
Healthy resources: VMs without alerts and recommendations.
Unscanned resources: VMs that the Adaptive Network Hardening algorithm cannot be run on because of one of the following reasons:
- VMs are Classic VMs: Only Azure Resource Manager VMs are supported.
- Not enough data is available: In order to generate accurate traffic hardening recommendations, Security Center requires at least 30 days of traffic data.
- VM is not protected by ASC standard: Only VMs that are set to Security Center’s Standard pricing tier are eligible for this feature.
From the Unhealthy resources tab, select a VM to view its alerts and the recommended hardening rules to apply.
Review and apply Adaptive Network Hardening recommended rules
From the Unhealthy resources tab, select a VM. The alerts and recommended hardening rules are listed.
The Rules tab lists the rules that Adaptive Network Hardening recommends you add. The Alerts tab lists the alerts that were generated due to traffic, flowing to the resource, which is not within the IP range allowed in the recommended rules.
If you want to change some of the parameters of a rule, you can modify it, as explained in Modify a rule.
Select the rules that you want to apply on the NSG, and click Enforce.
The enforced rules are added to the NSG(s) protecting the VM. (A VM could be protected by an NSG that is associated to its NIC, or the subnet in which the VM resides, or both)
You may want to modify the parameters of a rule that has been recommended. For example, you may want to change the recommended IP ranges.
Some important guidelines for modifying an Adaptive Network Hardening rule:
You can modify the parameters of “allow” rules only.
You cannot change “allow” rules to become “deny” rules.
Creating and modifying “deny” rules is done directly on the NSG. For more information, see Create, change, or delete a network security group.
A Deny all traffic rule is the only type of “deny” rule that would be listed here, and it cannot be modified. You can, however, delete it (see Delete a rule).
A Deny all traffic rule is recommended when, as a result of running the algorithm, Security Center does not identify traffic that should be allowed, based on the existing NSG configuration. Therefore, the recommended rule is to deny all traffic to the specified port. The name of this type of rule is displayed as “System Generated”. After enforcing this rule, its actual name in the NSG will be a string comprised of the protocol, traffic direction, “DENY”, and a random number.
To modify an Adaptive Network Hardening rule:
To modify some of the parameters of a rule, in the Rules tab, click on the three dots (...) at the end of the rule’s row, and click Edit.
In the Edit rule window, update the details that you want to change, and click Save.
After clicking Save, you have successfully changed the rule. However, you have not applied it to the NSG. To apply it, you must select the rule in the list, and click Enforce (as explained in the next step).
To apply the updated rule, from the list, select the updated rule and click Enforce.
You can add an “allow” rule that was not recommended by Security Center.
Only “allow” rules can be added here. If you want to add “deny” rules, you can do so directly on the NSG. For more information, see Create, change, or delete a network security group.
To add an Adaptive Network Hardening rule:
Click Add rule (located in the top-left corner).
In the New rule window, enter the details and click Add.
After clicking Add, you have successfully added the rule, and it is listed with the other recommended rules. However, you have not applied it on the NSG. To activate it, you must select the rule in the list, and click Enforce (as explained in the next step).
To apply the new rule, from the list, select the new rule and click Enforce.
When necessary, you can delete a recommended rule for the current session. For example, you may determine that applying a suggested rule could block legitimate traffic.
To delete an Adaptive Network Hardening rule for your current session:
In the Rules tab, click on the three dots (...) at the end of the rule’s row, and click Delete.