Azure security baseline for Azure Firewall
This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Firewall. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Firewall.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.
When a section has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note
Controls not applicable to Azure Firewall, or for which the responsibility is Microsoft's, have been excluded. To see how Azure Firewall completely maps to the Azure Security Benchmark, see the full Azure Firewall security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces
Guidance: Azure Firewall is integrated with Azure Monitor for logging of traffic processed by the firewall.
Additionally, use Microsoft Defender for Cloud and follow network protection recommendations to help secure your network resources related to Azure Firewall.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.Network:
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
1.4: Deny communications with known-malicious IP addresses
Guidance: Enable Threat intelligence-based filtering to alert and deny traffic from/to known malicious IP addresses and domains. Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to-known malicious IP addresses and domains.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.Network:
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All Internet traffic should be routed via your deployed Azure Firewall | Microsoft Defender for Cloud has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0 |
1.8: Minimize complexity and administrative overhead of network security rules
Guidance: In an Azure Firewall, a service tag represents a group of IP address prefixes to help minimize complexity for security rule creation.
Azure Firewall service tags can be used in the network rules destination field and define network access controls on Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules.
Additionally, customer-defined tags such as IP groups are also supported and can be used in a network rule or an application rule. FQDN tags in application rules are supported to allow the required outbound network traffic through your firewall.
Note that you cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.
Responsibility: Customer
1.9: Maintain standard security configurations for network devices
Guidance: Azure policy is not yet fully supported for Azure Firewall. Azure Firewall Manager can be used to achieve standardization of security configurations.
You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resources Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. You can apply the blueprint to new subscriptions, and fine-tune control and management through versioning.
Responsibility: Customer
1.11: Use automated tools to monitor network resource configurations and detect changes
Guidance: Use Azure Activity Log to monitor resource configurations and detect changes to your Azure Firewall resources. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.
Responsibility: Customer
Logging and Monitoring
For more information, see the Azure Security Benchmark: Logging and Monitoring.
2.1: Use approved time synchronization sources
Guidance: Microsoft maintains time sources for Azure resources for Azure Firewall. Customers need to create a network rule to allow this access, or for a time server that you use in their environment.
Responsibility: Shared
2.2: Configure central security log management
Guidance: You can enable and on-board log data to Microsoft Sentinel or a third-party SIEM for central security log management of various logs.
Activity logs can be used to audit operations on Azure Firewall to and monitor actions on resources. The activity log contains all write operations (PUT, POST, DELETE) for your resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
Azure Firewall also provides the following diagnostic logs to provide information on customer applications and network rules.
Application rule log: Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.
Network rule log: Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection
Note: Both logs can be saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs only if enabled for each Azure Firewall in an environment.
List of resource actions in activity logs: Azure Resource Manager Resource Provider operations
Responsibility: Customer
2.3: Enable audit logging for Azure resources
Guidance: Activity logs can be used to audit operations on Azure Firewall and monitor actions on resources. The activity log contains all write operations (PUT, POST, DELETE) for Azure resources except read operations (GET). Azure Firewall also provides the following diagnostic logs to provide information on customer applications and network rules.
Application rule log: Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.
Network rule log: Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection
Note that both logs can be saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs but only if enabled for each Azure Firewall in an environment.
Responsibility: Customer
2.5: Configure security log storage retention
Guidance: Log Analytics Workspace retention period can be set according to an organization's compliance regulations within Azure Monitor. Data retention can be configured from 30 to 730 days (2 years) for all workspaces depending upon the chosen pricing tier.
There are 3 options for storing log storage retention:
Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
Event hubs are a great option for integrating with other security information and event management (SEIM) tools to get alerts on your resources.
Azure Monitor logs is best used for general real-time monitoring of your application or looking at trends.
For more information, see the reference links below.
Responsibility: Customer
2.6: Monitor and review logs
Guidance: Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs. Logs can be sent to Log Analytics, Azure Storage, or Event Hubs. They can be analyzed in Log Analytics or by different tools such as Excel and Power BI. There are a few different types of Azure Firewall logs.
Activity logs can be used to audit operations on Azure Firewall to and monitor actions on resources. The activity log contains all write operations (PUT, POST, DELETE) for resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
Azure Firewall also provides diagnostic logs to provide information on customer applications and network rules.
Application rule logs are created when each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.
Network rule logs are created when each new connection that matches one of your configured network rules results in a log for the accepted/denied connection
Note that both logs can be saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs but only if enabled it for each Azure Firewall in an environment.
Azure Monitor logs can be used for general real-time monitoring of your application or looking at trends.
Responsibility: Customer
2.7: Enable alerts for anomalous activities
Guidance: Use Microsoft Defender for Cloud with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.
Alternatively, you may enable and on-board data to Microsoft Sentinel.
Responsibility: Customer
Identity and Access Control
For more information, see the Azure Security Benchmark: Identity and Access Control.
3.1: Maintain an inventory of administrative accounts
Guidance: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
Responsibility: Customer
3.3: Use dedicated administrative accounts
Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Microsoft Defender for Cloud Identity and Access Management to monitor the number of administrative accounts.
You can also enable a Just-In-Time / Just-Enough-Access by using Azure Active Directory (Azure AD) Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Responsibility: Customer
3.4: Use Azure Active Directory single sign-on (SSO)
Guidance: Wherever possible, use Azure Active Directory (Azure AD) SSO instead of configuring individual stand-alone credentials per-service. Use Microsoft Defender for Cloud Identity and Access Management recommendations.
Responsibility: Customer
3.5: Use multi-factor authentication for all Azure Active Directory-based access
Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication and follow Microsoft Defender for Cloud Identity and Access Management recommendations.
Responsibility: Customer
3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks
Guidance: Use PAWs (privileged access workstations) with multifactor authentication configured to log into and configure Azure Firewall and related resources.
Responsibility: Customer
3.7: Log and alert on suspicious activities from administrative accounts
Guidance: Use Azure Active Directory (Azure AD) security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Microsoft Defender for Cloud to monitor identity and access activity.
Responsibility: Customer
3.8: Manage Azure resources from only approved locations
Guidance: Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.
Responsibility: Customer
3.9: Use Azure Active Directory
Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
Responsibility: Customer
3.10: Regularly review and reconcile user access
Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access.
Responsibility: Customer
3.11: Monitor attempts to access deactivated credentials
Guidance: You have access to Azure Active Directory (Azure AD) Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool.
You can streamline this process by creating Diagnostic Settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure desired Alerts within Log Analytics workspace.
Responsibility: Customer
3.12: Alert on account sign-in behavior deviation
Guidance: Use Azure Active Directory (Azure AD) Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Microsoft Sentinel for further investigation.
Responsibility: Customer
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
4.1: Maintain an inventory of sensitive Information
Guidance: Use tags to assist in tracking Azure Firewall and related resources that store or process sensitive information.
Responsibility: Customer
4.2: Isolate systems storing or processing sensitive information
Guidance: Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure Firewall resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure role-based access control.
Responsibility: Customer
4.3: Monitor and block unauthorized transfer of sensitive information
Guidance: Leverage a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Shared
4.4: Encrypt all sensitive information in transit
Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure Firewall and related resources are able to negotiate TLS 1.2 or greater.
Follow Microsoft Defender for Cloud recommendations for encryption at rest and encryption in transit, where applicable.
Responsibility: Shared
4.5: Use an active discovery tool to identify sensitive data
Guidance: Use a third-party active discovery tool to identify all sensitive information stored in Azure resource using Azure Firewall and related resources and update the organization's sensitive information inventory.
Responsibility: Shared
4.6: Use Azure RBAC to control access to resources
Guidance: Use Azure role-based access control (Azure RBAC) to control access to Azure Firewall and related resources.
Responsibility: Customer
4.8: Encrypt sensitive information at rest
Guidance: Use encryption at rest on all Azure resources using Azure Firewall and related resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances.
Responsibility: Customer
4.9: Log and alert on changes to critical Azure resources
Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place in Azure Firewall.
Responsibility: Customer
Inventory and Asset Management
For more information, see the Azure Security Benchmark: Inventory and Asset Management.
6.2: Maintain asset metadata
Guidance: Apply tags to Azure Firewall and related resources giving metadata to logically organize them into a taxonomy.
Responsibility: Customer
6.3: Delete unauthorized Azure resources
Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Firewall and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.
Responsibility: Customer
6.4: Define and maintain inventory of approved Azure resources
Guidance: Create an inventory of approved Azure Firewall resources including configuration as per your organizational needs.
Responsibility: Customer
6.5: Monitor for unapproved Azure resources
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).
Use Azure Resource Graph to query/discover Azure Firewall resources within their subscription(s). Ensure that all Azure Firewall and related resources present in the environment are approved.
Responsibility: Customer
6.7: Remove unapproved Azure resources and software applications
Guidance: Implement your own process for removing unauthorized Azure Firewall and related resources. You can also use a third-party solution to identify unapproved Azure Firewall and related resources
Responsibility: Customer
6.9: Use only approved Azure services
Guidance: Use Azure Policy to restrict which services you can provision in your environment.
Responsibility: Customer
6.11: Limit users' ability to interact with Azure Resource Manager
Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resources Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Responsibility: Customer
6.13: Physically or logically segregate high risk applications
Guidance: Applications which may be required for business operations, or environments with differing risk profiles for the organization, should be isolated and separated with separate Azure Firewall instances.
Responsibility: Customer
Secure Configuration
For more information, see the Azure Security Benchmark: Secure Configuration.
7.1: Establish secure configurations for all Azure resources
Guidance: Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet / exceed the security requirements for your organization.
You can also use recommendations from Microsoft Defender for Cloud as a secure configuration baseline for your Azure resources.
Azure policy is not fully supported for Azure Firewall at this time.
Responsibility: Customer
7.3: Maintain secure Azure resource configurations
Guidance: Use Azure policy [deny] and [deploy if not exist] to enforce secure settings across your Azure Firewall and related resources. In addition, you may use Azure Resource Manager templates to maintain the security configuration of your Azure Firewall and related resources required by your organization.
Responsibility: Customer
7.5: Securely store configuration of Azure resources
Guidance: Use Azure DevOps to securely store and manage your code like custom Azure policies and Azure Resource Manager templates. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.
Responsibility: Customer
7.7: Deploy configuration management tools for Azure resources
Guidance: Define and implement standard security configurations for Azure Firewall and related resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure Firewall resources. You may also make use of built-in policy definitions related to your specific resources.
Responsibility: Customer
7.12: Manage identities securely and automatically
Guidance: Use Managed Identities to provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities allows you to authenticate to any service that supports Azure AD authentication to Azure Resource Manager and can be used with API/Azure Portal/CLI/PowerShell.
Responsibility: Customer
7.13: Eliminate unintended credential exposure
Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Responsibility: Customer
Data Recovery
For more information, see the Azure Security Benchmark: Data Recovery.
9.1: Ensure regular automated back-ups
Guidance: Use Azure Resource Manager to export the Azure Firewall and related resources in a JavaScript Object Notation (JSON) template which can be used as backup for Azure Firewall and related configurations. You can also export Azure Firewall configuration using Export template feature of Azure Firewall from Azure portal. Use Azure Automation to run the backup scripts automatically.
Responsibility: Customer
9.2: Perform complete system backups and backup any customer-managed keys
Guidance: Use Azure Resource Manager to export the Azure Firewall and related resources in a JavaScript Object Notation (JSON) template which can be used as backup for Azure Firewall and related configurations. You can also export Azure Firewall configuration using Export template feature of Azure Firewall from Azure portal.
Responsibility: Customer
9.3: Validate all backups including customer-managed keys
Guidance: Ensure ability to periodically perform restoration using Azure Resource Manager template backed files.
Responsibility: Customer
9.4: Ensure protection of backups and customer-managed keys
Guidance: Use Azure DevOps to securely store and manage your code like custom Azure policies, Azure Resource Manager templates. To protect resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.
Responsibility: Customer
Incident Response
For more information, see the Azure Security Benchmark: Incident Response.
10.1: Create an incident response guide
Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.
Responsibility: Customer
10.2: Create an incident scoring and prioritization procedure
Guidance: Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, clearly mark subscriptions (for ex. production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Responsibility: Customer
10.3: Test security response procedures
Guidance: Conduct exercises to test your systems’ incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise plan as needed.
Responsibility: Customer
10.4: Provide security incident contact details and configure alert notifications for security incidents
Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
Responsibility: Customer
10.5: Incorporate security alerts into your incident response system
Guidance: Export your Microsoft Defender for Cloud alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources.
Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel.
Responsibility: Customer
10.6: Automate the response to security alerts
Guidance: Use the Workflow Automation feature in Microsoft Defender for Cloud to automatically trigger responses via "Logic Apps" on security alerts and recommendations to protect your Azure resources.
Responsibility: Customer
Penetration Tests and Red Team Exercises
For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.
11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
Guidance: Follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies. Use Microsoft’s strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines
Feedback
Submit and view feedback for