Microsoft AZ-700: Deploy Azure DDoS Protection by Using the Azure Portal

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 3: Deploy Azure DDoS Protection by Using the Azure Portal

  • Distributed Denial of Service (DDoS)
    • A DoS attack aims to prevent access to services/systems and originates from a single source
    • A DDoS attack has the same goal but originates from many networks and systems at once
    • DDoS attacks are among the biggest availability and security concerns facing customers moving apps to the cloud
    • DDoS tries to exhaust an API's or app's resources, making it unavailable
    • Any endpoint that is publicly reachable via the internet can be targeted
  • DDoS Implementation
    • Azure DDoS Protection, combined with app design best practices, aids in defending against DDoS attacks
    • Multiple service tiers available
      • Network Protection
        • Provides mitigation capabilities beyond the default DDoS infrastructure protection
        • Tuned specifically to Azure VNet resources
        • Simple to enable and requires no app modification
        • Policies applied to public IPs associated with resources in the VNet
        • Real-time telemetry through Azure Monitor views during an attack, and historically
        • Rich mitigation analytics via diagnostic settings
        • App-layer protection available via Azure App Gateway WAF
        • Protection for IPv4 and IPv6 public addresses
      • IP Protection
        • DDoS IP Protection is a pay-per-protected-IP model
        • Contains the same core engineering features as DDoS Network Protection
        • Differs in that it does not include the value-added services of Network Protection:
          • DDoS rapid response support
          • Cost protection
          • Discounts on WAF
    • Protects resources in VNets
    • Protection includes:
      • VM Public IP Addresses
      • Load Balancers
      • App Gateways
    • When coupled with App Gateway WAF, can provide full L3-L7 mitigation capabilities
  • Types of DDoS Attacks
    • Can mitigate the following types of attacks
      • Volumetric attacks
        • Flood the network layer with large amounts of seemingly legitimate traffic
        • Include UDP floods, amplification floods, and other spoofed-packet floods
      • Protocol attacks
        • Render the target inaccessible by exploiting weaknesses in the L3 and L4 protocol stack
        • Include SYN floods, reflection attacks, and other protocol attacks
      • Resource (app) layer attacks
        • Target web application packets to disrupt the transmission of data between hosts
        • Include HTTP protocol violations, SQL injection, cross-site scripting, and other L7 attacks
  • Azure DDoS protection features
    • Examples include
      • Native platform integration
        • Native integration into Azure and configured via portal
      • Turnkey protection
        • Simplified configuration protects all resources on a VNet right away
      • Always-on traffic monitoring
        • App traffic patterns monitored 24/7
      • Adaptive tuning
        • Profiling and adjusting to service traffic
      • Attack analytics
        • Detailed reports every 5 mins during attack
        • Complete summary after attack ends
      • Attack metrics and alerts
        • Summary metrics from each attack are available through Azure Monitor
        • Alerts can be configured at the start/stop of an attack, and over its duration
        • Uses built-in attack metrics
      • Multi-layered protection
        • When deployed with a WAF, DDoS Protection protects both the network and app layers
  • More details about some of the above DDoS Protection Features
  • Always-on traffic monitoring
    • Monitors actual traffic utilization
    • Constantly compares against defined thresholds
    • When threshold exceeded, mitigation initiated automatically
    • When back below threshold, mitigation stopped
    • During mitigation, traffic towards the protected resource is redirected and checks are performed to:
      • Ensure packets conform to internet specs and aren't malformed
      • Interact with the client to determine if traffic is potentially spoofed (e.g. SYN auth or SYN cookie, or dropping a packet to force a retransmit)
      • Rate-limit packets if no other enforcement can be performed
    • DDoS Protection drops attack traffic and forwards the remaining traffic to its destination
    • Within a few minutes of detection you are notified via Azure Monitor metrics
    • Configure logging on DDoS Protection telemetry for future analysis
    • Metric data is retained for 30 days
  • Adaptive real-time tuning
    • DDoS Protection learns each protected resource's normal traffic so it protects the customer while preventing impacts to other customers
  • Attack metrics, alerts, logs
    • DDoS Protection exposes rich telemetry via Azure Monitor
    • Configure alerts for any of the metrics DDoS Protection uses
    • Integrate logging with Splunk (via Azure Event Hubs), Azure Monitor Logs, and Azure Storage for advanced analysis using Azure Monitor Diagnostics
    • Steps
      • In Portal
        • Monitor > Metrics
          • Select Resource group
          • Select resource type of Public IP Address
          • Select the Azure Public IP Address
        • DDoS metrics visible in the Available metrics pane
    • DDoS Protection applies three auto-tuned mitigation policies to each public IP of a protected resource in a VNet with DDoS Protection enabled
      • SYN
      • TCP
      • UDP
    • View policy thresholds via the Inbound [SYN/TCP/UDP] packets to trigger DDoS mitigation metrics
    • Policy thresholds are auto-configured via machine-learning-based network traffic profiling
    • DDoS mitigation occurs for an IP under attack only when the policy threshold is exceeded
    • If a public IP is under attack, the value of the Under DDoS attack or not metric changes to 1 while mitigation is being performed
  • Multi-layered Protection
    • For attacks against specific resources at the app layer, configuring a WAF is recommended
    • A WAF inspects inbound web traffic to block SQL injection, cross-site scripting, DDoS, and other L7 attacks
    • Azure provides a WAF as a feature of App Gateway for centralized protection of web apps
    • Other WAF offerings are available from partners in the Azure Marketplace
    • Even web application firewalls are susceptible to volumetric and state-exhaustion attacks
      • Enable DDoS Protection on the WAF's VNet to help protect against these
  • Deploying DDoS Protection Plan
    • Key stages of deploying DDoS Protection:
      • Create Resource Group
      • Create DDoS Protection Plan
      • Enable DDoS Protection on new/existing VNet or IP addr
      • Configure DDoS telemetry
      • Configure DDoS diagnostic logs
      • Configure DDoS alerts
      • Run a test DDoS attack to verify results
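The deployment stages above as one Azure CLI script, added here as a worked example; it is not from the MS Learn unit and not Microsoft's code. The resource names, region, address space, subscription ID, Log Analytics workspace and alert e-mail are assumptions. The last stage (a test attack) is left out because DDoS simulations against Azure must go through a Microsoft-approved testing partner.

```shell
#!/bin/sh
# Added example (not from the MS Learn unit): deploy Azure DDoS Network Protection
# with the Azure CLI. All names below are assumptions; set SUB to your subscription ID.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # assumed subscription ID
RG="${RG:-rg-ddos-demo}"
LOC="${LOC:-eastus}"
PLAN="${PLAN:-ddos-plan-demo}"
VNET="${VNET:-vnet-ddos-demo}"
PIP="${PIP:-pip-ddos-demo}"
WORKSPACE="${WORKSPACE:-law-ddos-demo}"
ACTION_GROUP="${ACTION_GROUP:-ag-ddos-oncall}"
ALERT_EMAIL="${ALERT_EMAIL:-soc@example.com}"       # assumed on-call mailbox

# run: print the az command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

deploy_ddos_protection() {
  # Stage 1: resource group
  run group create --name "$RG" --location "$LOC" --output none

  # Stage 2: DDoS Network Protection plan (can be shared by VNets across subscriptions)
  run network ddos-protection create --name "$PLAN" --resource-group "$RG" \
    --location "$LOC" --output none

  # Stage 3: new VNet with the plan enabled; every public IP attached to a resource
  # in this VNet now gets the auto-tuned SYN/TCP/UDP mitigation policies
  run network vnet create --name "$VNET" --resource-group "$RG" --location "$LOC" \
    --address-prefix 10.0.0.0/16 --subnet-name default --subnet-prefix 10.0.0.0/24 \
    --ddos-protection true --ddos-protection-plan "$PLAN" --output none
  run network public-ip create --name "$PIP" --resource-group "$RG" --location "$LOC" \
    --sku Standard --allocation-method Static --output none

  # Stages 4 and 5: telemetry and diagnostic logs. Metric data alone is kept for only
  # 30 days, so ship it and the three DDoS log categories to Log Analytics.
  run monitor log-analytics workspace create --workspace-name "$WORKSPACE" \
    --resource-group "$RG" --location "$LOC" --output none
  run monitor diagnostic-settings create --name ddos-diag --resource "$PIP" \
    --resource-group "$RG" --resource-type Microsoft.Network/publicIPAddresses \
    --workspace "$WORKSPACE" \
    --logs '[{"category":"DDoSProtectionNotifications","enabled":true},{"category":"DDoSMitigationFlowLogs","enabled":true},{"category":"DDoSMitigationReports","enabled":true}]' \
    --metrics '[{"category":"AllMetrics","enabled":true}]' --output none

  # Stage 6: alert when the "Under DDoS attack or not" metric (IfUnderDDoSAttack)
  # of the public IP flips to 1, i.e. while mitigation is active
  PIP_ID="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/publicIPAddresses/$PIP"
  run monitor action-group create --name "$ACTION_GROUP" --resource-group "$RG" \
    --short-name ddosoncall --action email oncall "$ALERT_EMAIL" --output none
  run monitor metrics alert create --name ddos-under-attack --resource-group "$RG" \
    --scopes "$PIP_ID" --condition "max IfUnderDDoSAttack > 0" \
    --window-size 5m --evaluation-frequency 1m --severity 1 \
    --action "$ACTION_GROUP" --description "Public IP is under DDoS mitigation" \
    --output none
  # Stage 7 (test attack) is deliberately not scripted: simulations must go
  # through a Microsoft-approved DDoS testing partner.
}

# Preview the commands with: DRY_RUN=1 DEPLOY=1 sh deploy-ddos.sh
if [ "${DEPLOY:-0}" = "1" ]; then deploy_ddos_protection; fi
```

Run it once with `DRY_RUN=1` to review the exact commands before letting it touch the subscription; the alert fires on the same `IfUnderDDoSAttack` metric the notes describe, so it will also trigger during a sanctioned test attack, which is how you verify the last stage.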

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-deploy-azure-ddos-protection-by-using-the-azure-portal/

Microsoft AZ-700: Get Network Security Recommendations with Microsoft Defender for Cloud

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 2: Get Network Security Recommendations with Microsoft Defender for Cloud

Network security is the set of technologies, devices, processes, rules and configurations that protect the confidentiality, integrity and availability of networks and data. Every organization has some form of network security.

  • NS-1: Establish network segmentation boundaries
    • Security Principle to ensure that VNet deployment aligns with segmentation strategy
    • Any workload that incurs high risk should be isolated in VNets
  • NS-2: Secure cloud services with network controls
    • Security principle to secure cloud services by establishing a private access point to the resource(s)
    • Should also disable/restrict public access if you can
  • NS-3: Deploy firewall at edge of enterprise network
    • Security Principle to perform advanced filtering on net traffic to/from external networks
    • Can also use firewalls between internal segments
    • If needed, custom routes for a subnet can override the system routes
    • This forces network traffic through the network appliance for inspection
  • NS-4: Deploy IDS/IPS
    • Security Principle to inspect network and payload to/from workloads
    • Ensure IDS/IPS always tuned for high-quality alerts
  • NS-5: Deploy DDOS Protection
    • Security Principle to protect network/apps from attacks
  • NS-6: Deploy web app firewall
    • Security principle to deploy a WAF and configure rules to protect web apps/APIs from app-specific attacks
  • NS-7: Simplify net security config
    • Security Principle to use tools to simplify, centralize, enhance network security management
  • NS-8: Detect & Disable insecure services/protocols
    • Security Principle to protect from insecure services/protocols at OS/App/Software package
    • Deploy controls if disabling isn’t possible
  • NS-9: Connect on-prem or cloud privately
    • Security Principle to use private connection between networks
  • NS-10: Ensure DNS security
    • Security Principle to ensure DNS security config against known risks
  • Using Microsoft Defender for Cloud for Regulatory Compliance
    • Defender for Cloud streamlines meeting regulatory compliance requirements via the Regulatory Compliance dashboard
    • It shows the status of all assessments in your environment for the standards and regulations you have chosen
    • As you act on the recommendations and reduce risk, your compliance posture improves
  • Regulatory Compliance Dashboard
    • Shows overview of status with set of supported compliance regulations
    • View overall score, number of pass/fail assessments within each standard
  • Compliance Controls
    • Contains
      • Subscriptions the standard is applied on
      • List of all controls for said standard
      • View details of passing/failing assessments associated with each control
      • Number of affected resources
      • Severity of the alert
    • Some controls are grayed out because they have no MS Defender for Cloud assessments associated with them
    • Check their requirements and assess them yourself
    • Some controls may be process-related rather than technical
  • Exploring details of compliance with a specific standard
    • To generate PDF report with a summary of status choose Download Report
    • Provides high-level summary of compliance status for standard based on MS Defender for Cloud assessment data
    • Organized according to controls of said standard
    • Can be share with stakeholders and aid in providing evidence to internal/external auditors
  • Alerts in MS Defender for Cloud
    • Automatically collects/analyzes/integrates log data from Azure resources
    • A prioritized list of security alerts is shown along with the information needed to investigate and the remediation steps
  • Manage security alerts
    • Defender for Cloud overview page shows Security Alerts tile at top and a link in the left panel
    • Security alerts page shows active alerts
    • Sort by severity, title, affected resource, activity start time, MITRE ATT&CK tactics, and status
    • To filter select any of the relevant filters
  • Respond to security alerts
    • From Security alerts list click an alert
    • Another panel opens with description of alert and affected resources
    • View full details to display more info
    • Left pane shows high-level info regarding alert
      • Title
      • Severity
      • Status
      • Activity time
      • Description
      • Affected Resource
    • Right Pane includes
      • Alert details tab with more details
        • IP address
        • Files
        • Processes
        • Etc
      • Take Action Tab with Actions like
        • Mitigate the threat
          • Provides manual remediation steps
        • Prevent Future Attacks
          • Provides security recommendations to help reduce the attack surface and improve security posture
        • Trigger Automated Response
          • Provides option to trigger logic app as response
        • Suppress similar alerts
          • Provides option to suppress further alerts with similar characteristics

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-get-network-security-recommendations-with-microsoft-defender-for-cloud/

FCA – FortiGate 7.4 Operator Self-Paced: Notes

I didn’t take the greatest of notes for this free self-paced course (FCA – FortiGate 7.4 Operator Self-Paced) and free exam but I’ll share the shorthand notes that I did take down below:

  • Overview
    • NGFW features: antivirus, web filter, IPS
    • FortiOS
    • Security Processing Units (SPUs)
  • Models:
    • FortiGate VM
    • Entry level – FG-80F, FWF-80F
    • Mid-range – FG-100F, FG-1000F, FG-4200F
    • High-end – FG-4800F, FG-7081F, FG-7121F, FG-5114C
  • Features:
    • Firewall Auth, local and remote
    • VPN
    • Security Scanning: antivirus, web filtering, app control
    • Monitoring and logging
    • Fortinet Security Fabric
    • FortiGuard Labs – threat intelligence and security research
    • Trusted machine learning and AI
    • Real-time threat intelligence
    • Threat hunting and outbreak alerts
  • Configuring Interfaces and Routing
    • Alias – friendly name for reference
    • IP address
    • Administrative access (HTTPS, PING, SSH, etc.)
    • DHCP servers
  • DHCP Server
    • Address range
    • Mask
    • Default gateway
    • DNS server (by default the same as used by FortiGate)
  • Static Routing:
    • Default route to the gateway for internet access
    • Destination – used to match traffic to the correct route
    • Gateway – IP address FortiGate forwards traffic to
    • Interface – interface FortiGate uses to forward traffic towards the destination
    • Distance, priority – tie-breakers when several routes to the same destination exist
    • Default route – used when no more specific destination matches
  • Monitoring Static Routes:
    • Network > Static Routes
    • Reasons a route may not be added to the routing table:
      • Misconfigured route
      • Port associated with the route is down or disabled
      • A better route exists for the destination
    • To check the routing table:
      • Dashboard > Network > Static & Dynamic Routing
  • Firewall Policies
    • Sets of rules that control whether traffic is accepted by FortiGate and how it is processed
    • Match based on:
      • Incoming and outgoing interfaces
      • Source: IP or user
      • Destination: IP or internet service
      • Service: destination port
      • Schedule
    • Action:
      • Accept
      • Deny
    • IP subnet:
      • Create a firewall address that corresponds to the IP subnet
      • Can also create a firewall address for a specific device
    • Source/destination:
      • Default "all" option available for both to match any IP address
    • Internet service:
      • Select from the ISDB (Internet Service Database)
    • Policy table:
      • Contains all rules, evaluated top-down
      • First match wins, so place the most specific policies at the top
      • If nothing matches, the implicit policy denies the traffic
    • Accepted traffic:
      • Next passes through other features such as antivirus and web filtering
      • NAT and logging are applied based on the policy settings
    • Inspection modes:
      • Flow-based – examines the file as it passes through, without buffering
      • Proxy-based – buffers the file and examines it as a whole; more thorough but slower
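A FortiOS configuration putting the policy-table rules above into practice, added here as an example; it is not from the Fortinet course. The interface names (internal, wan1), the management address and the subnets are assumptions. Policies are matched top-down, so the narrow deny for one host sits above the broad accept for the LAN; the script checks that order before pushing anything, and it pushes the batch over SSH the same way you would paste it into the CLI.

```shell
#!/bin/sh
# Added example (not from the Fortinet course): push a minimal FortiGate policy set
# over SSH. Management IP, interface names and subnets are assumptions.
set -eu

FGT_HOST="${FGT_HOST:-192.0.2.1}"   # assumed management IP
FGT_USER="${FGT_USER:-admin}"

# Build the FortiOS CLI batch. The policy table is evaluated top-down and the
# first match wins; anything unmatched hits the implicit deny, so the specific
# block rule (policy 1) must come before the general accept (policy 2).
build_fortigate_config() {
  cat <<'EOF'
config firewall address
    edit "LAN_SUBNET"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "BLOCKED_HOST"
        set subnet 10.10.0.50 255.255.255.255
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
end
config firewall policy
    edit 1
        set name "Block_Host_To_Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "BLOCKED_HOST"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "LAN_To_Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
EOF
}

# Guard against the classic mistake: a broad accept placed above the deny would
# shadow it, because FortiGate stops at the first matching policy.
policy_order_ok() {
  build_fortigate_config | awk '
    /set action deny/   { if (!deny)   deny = NR }
    /set action accept/ { if (!accept) accept = NR }
    END { exit !(deny && accept && deny < accept) }'
}

# With DRY_RUN=1 the batch is printed instead of being sent to the firewall.
push_config() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    build_fortigate_config
  else
    build_fortigate_config | ssh "${FGT_USER}@${FGT_HOST}"
  fi
}

# Usage: PUSH=1 sh fgt-policy.sh        (add DRY_RUN=1 to preview)
if [ "${PUSH:-0}" = "1" ]; then
  policy_order_ok && push_config
fi
```

Policy 2 carries the security profiles the notes describe (antivirus, web filter, certificate inspection) in flow mode; switching `inspection-mode` to `proxy` and the SSL profile to `deep-inspection` is what turns on the more thorough but slower path.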
  • Authenticating Network Users
    • Require users to authenticate to access network resources
  • Add source user or user group to policy
  • Methods:
    • Local password (individuals and groups)
      • Guest accounts expire after a set time, including auto-generated accounts
    • Remote password authentication
    • Local Authentication Steps:
      • Create user account
      • Create user group
      • Add user group as source to policy
      • Verify and monitor
  • Remote Authentication Steps:
    • Connect FortiGate to remote server
    • Create user group and map remote auth users to group
    • Add group as source to policy
    • Verify and monitor
  • Inspect SSL Traffic
    • Certificate inspection:
      • Inspects only the SSL/TLS handshake
      • Verifies the identity of the web server
      • Web filtering is the only security feature that can use it
      • Causes a certificate warning only when FortiGate displays a replacement message for blocked encrypted traffic
    • Deep inspection:
      • Works like a man-in-the-middle, so it also causes certificate errors in the browser unless the CA is trusted
      • Decrypts traffic to inspect it
      • Re-encrypts and forwards it if safe
      • Used with all types of security scanning
      • Can be used with SMTPS, POP3S, IMAPS, FTPS, etc.
    • Preloaded SSL inspection profiles (read-only):
      • certificate-inspection
      • deep-inspection
      • no-inspection
    • Edit custom-deep-inspection, clone a profile, or create your own
  • Certificate Warnings
    • Occur because FortiGate re-encrypts traffic using its own CA certificate, which is self-signed by default
    • To avoid them:
      • Download the FortiGate CA certificate and install it on clients
      • Or import that CA certificate directly into browsers that keep their own trust store
  • Blocking Malware
    • FortiGuard Labs provides database of signatures
      • Schedules for updates
    • Antivirus scan
      • Detects known malware – first, fastest and simplest: an exact match in the signature database
    • Grayware scan
      • Detects unsolicited programs installed without the user's knowledge or consent – uses the FortiGuard grayware signatures
    • Machine learning/AI scan
      • Used to detect zero-day attacks for which there is no signature yet
      • Logs by default but doesn't block by default
  • Configured as part of an antivirus profile
    • Block or monitor
    • Flow- or proxy-based
    • Applied to a firewall policy after creation
  • Antivirus profile:
    • How Windows executables are handled
    • Destination of detected files: FortiSandbox, file quarantine, or discard
    • Use FortiGuard Outbreak Prevention database
    • Use external malware block list
  • Configure Antivirus Protection
    • Create Antivirus Profile (or use default)
    • Enable Antivirus profile on FW policy
    • Verify configuration
    • Monitor via logs
  • Web Filtering
    • Limit access
    • Prevent Network Congestion
    • Limit exposure to harmful website
    • Limit liability
    • No inappropriate material
    • FortiGuard categories
      • URL categories database
        • Enterprises
        • Schools
        • Personal
        • General Interest Personal category
        • Bandwidth Consuming category
      • Can be further divided
        • e.g. General Interest Personal can be broken down into
          • Social Networking
          • News
    • Actions per category:
      • Allow
      • Block
      • Monitor
        • Allows but logs data (URL, destination IP)
      • Warning
        • Informs the user the site is blocked but offers the option to continue or go back; the interval between warnings is configurable
      • Authenticate
        • Permits access if the user can authenticate
        • Customizable interval of time to allow access (once authenticated, it covers the entire category)
    • Configure:
      • Ensure a valid FortiGuard subscription license
      • Identify how FortiGuard categorizes the website
      • Configure a web filter security profile
      • Apply the web filter profile to a firewall policy
      • Test
  • IPS
    • Detects and blocks malicious activity by analyzing traffic and blocking potential threats
    • IPS engine and sensor
      • Sensor
        • Signatures and filters
        • Block malicious URLs
      • Engine
        • Protocol decoders
          • Identify traffic that does not conform to protocol standards (malformed packets)
        • Signatures
          • Entries in a database containing information about known threats
        • Daily updates
        • Log or block
    • Configuring:
      • Select an IPS sensor
      • Review or edit the filters for the sensor
      • Apply the sensor to a firewall policy
    • Actions:
      • Default – use the action received from FortiGuard updates
      • Allow
      • Monitor – allow but log
      • Block
      • Reset – reset the session when the signature triggers
      • Quarantine – block, enable logging, and quarantine the attacker
    • Monitoring
      • Log & Report > Security Events > Intrusion Prevention
      • The Logs tab has full details
    • Best practices
      • Verify the IPS database is up to date
      • Consider using the provided sensors as templates for custom ones
      • Consider using IPS both inbound and outbound
      • Ensure SSL inspection is in place so all traffic is checked
      • Evaluate whether to tune the IPS sensors
  • Controlling Application Access
    • Improve security and meet compliance standards in traffic flow of applications
  • Identify network traffic generated by specific applications
    • Monitor
    • Block
    • Traffic Shape
  • Fortiguard labs provides database
  • IPS engine used for flow-based inspection
  • Signatures
    • Monitor
    • Allow
    • Block
    • Quarantine
  • Application and filter overrides
    • An override lets a child signature override its parent's setting
      • e.g. Facebook = block, Facebook Chat = allow
  • Configuring:
    • Create Application Control Profile
    • Modify Action or configure app override
    • Add app control profile to FW policy
    • Verify
    • Monitor via logs
  • IPSEC VPN
    • Remote offices and Mobile workers
  • Features:
    • Data Authentication
    • Data Integrity
    • Data Confidentiality
    • Anti-Replay Protection
  • Remote Access VPN:
    • Client device to remote network – teleworkers
    • Client always initiates
    • Passwords and MFA (FortiClient and other vendors)
  • Site-to-Site VPN:
    • Branch to HQ
    • Branch to Branch
    • Either site can establish
    • Hub and spoke
    • Partial mesh
    • Full mesh
    • (Azure, AWS, etc)
  • IKE Protocol
    • Used to create dynamically
    • V1 and v2
    • V1:
      • Two phases; still widely used
        • Phase 1:
          • IKE mode (main or aggressive)
          • Authentication
          • Encryption algorithm
          • Hash algorithm
          • Diffie-Hellman group
        • Phase 2:
          • Encryption algorithm
          • Hash algorithm
          • Diffie-Hellman group (use PFS)
        • Configuring Phase 2:
          • Remote access – both subnets are configured on the server side
          • Site-to-site – the subnets on each peer must mirror each other
    • V2 includes improvements (the course presents these as a table)
      • Recommended
      • Does not use two phases
      • Not compatible with v1
      • Reduced latency
      • Better reliability
      • Support for EAP
      • Support for PPK (postquantum preshared keys)
      • Support for asymmetric authentication
      • Support for strong security algorithms
      • Better resilience against DoS
  • Best Practices:
    • Ensure firewalls are up to date
    • Use encryption levels that meet your requirements
    • Verify both peers support the same features
    • Ensure the needed ports are open
    • Select the proper mode when using IKEv1
  • IKE uses UDP 500, and UDP 4500 (NAT-T) when a peer is behind NAT
  • Main mode is the default for site-to-site
  • Aggressive mode is the default for remote access
  • Configuring – a wizard with templates is available
  • Monitoring
  • Monitoring
  • SSL VPN
    • Use of common  protocol HTTP/HTTPS
    • Flexibility for client access
    • Granular access to resources
    • Integrity checks for Windows clients
    • Cost Effective
  • Web Mode:
    • Web based access via portal
    • Reverse proxy
  • Tunnel Mode:
    • Full access
    • Requires FortiClient
  • Configuration:
    • Create users and groups, or remote auth servers
    • Review/edit/create SSL VPN portals
      • full-access
      • tunnel-access
      • web-access
      • Custom
    • Configure SSL VPN settings
    • Create a firewall policy to allow VPN traffic
  • Best Practices
    • Select appropriate SSL VPN mode
    • Reduce admin effort using remote auth servers
    • Use valid SSL cert
    • Use principle of least priv
    • Use client integrity check
    • If possible, do not allow connections from all locations
  • System Maintenance and Monitoring
    • Prevent security breaches
    • Optimize performance
    • Meet compliance
    • Ensure business continuity
  • Back up the configuration
  • Firmware upgrades
  • Monitor system performance
  • Examine licenses (System > FortiGuard, Licenses widget)
  • Monitor event logs
  • Configuring Security Fabric
    • Integrated
    • Automated
    • Coordinated
      • Benefits:
        • Unified view of network
        • Object sync across devices
        • Security rating
        • Integration
        • Automatic detection of end devices
        • Centralized management
        • Automation
  • Implementation requirements
    • Minimum of two FortiGates in NAT mode
    • One FortiAnalyzer or a cloud logging solution
  • Configuring:
    • Configure FortiAnalyzer or supported cloud logging
    • Configure FortiGate device acting as root
    • Configure downstream devices
    • Authorize downstream devices

Permanent link to this article: https://www.packetpilot.com/fca-fortigate-7-4-operator-self-paced-notes/

Fortinet Certified Associate in Cybersecurity Review

Well at the end of 2024 I was on a contract job that didn’t get renewed in 2025 so since the New Year rolled over I’ve had time on my hands during the day. I figured I should do something productive. Aside from the staples of cleaning up around the house I thought I’d start heading down paths to help my career. So I did a little digging and came across this certification.

While looking into it I found out it was a free self paced training course with a free exam. Considering I have no income at the moment and need to keep my savings for the keys like mortgage, bills, loan payments, groceries, etc so this was a great find.

To add to the benefits of this I’m admittedly not a firewall guy. When I was working at the healthcare system we had our “Network Engineer 1-3” team, and then we had a “Security team”. The security team handled all the web filtering and most of the firewall maintenance, with us Network Engineers doing minimal configuration changes as needed.

When working at the various VAR’s (Value Added Resellers) I’ve worked with it was a similar situation. We had our network infrastructure engineers that handled the route/switch and data center networking projects and consulting. Then we had the security engineers that handled all the various firewall vendor consulting and dedicated wireless engineers.

The Fortinet Certified Associate in Cybersecurity certification runs off of a self-paced course as I mentioned above. This course was perfect for me. It focuses on basic configurations and information around the FortiGate firewall. It was a great intro to understanding the fundamentals of the FortiGate firewall to better understand at a high level what others are talking about. The course is: FCA – FortiGate 7.4 Operator Self-Paced

As quoted from Fortinet themselves the description of the course is:
“In this course, you will learn how to harden the security of your network by using the most common FortiGate features. Through demos and interactive simulations, you will learn how to perform basic operation tasks on FortiGate. You can then build on this knowledge by exploring more advanced topics related to these features.”

It goes over topics at a high level such as Interfaces and Routing, Firewall Policies, Authentication, SSL Inspection, Web Filtering, and more. It takes about a day to get through all the videos and take the exam.

I found it a good starting point for someone that hasn’t really had much experience with firewalls and a great way to start 2025 off with a pick-me-up motivator. It’s kicked me in the pants to start looking back at everything else I started in the last half of 2024 to get going again. I highly recommend it for anyone wanting to get their hands wet with Fortinet/FortiGate and have an achievable win to start out 2025 on a positive note. Here is to the new year and let’s all make it a good one!


Permanent link to this article: https://www.packetpilot.com/fortinet-certified-associate-in-cybersecurity-review/
