Securing your azure virtual network with a next generation firewall
Part 4: Routing, Firewall Policies, and Security Profiles
User Defined Routes (UDR)
By default, Azure networks automatically generate system routes for connectivity between subnets within a VNET. A default route of 0.0.0.0/0 also exists to forward traffic out to the internet for VM’s residing in that VNET. With that said, introducing an NGFW virtual appliance to the environment will require that these routes be updated to utilize the NGFW as its next hop. If not, Azure traffic will continue to route through the transparent system routes and will never touch the NGFW virtual appliance.
System routes can be overridden using User Defined Routes (UDR). The UDR can be deployed via the Azure Marketplace (known as Route Table). Within the Route Table object, new routes can be specified to route subnet and internet bound traffic through the NGFW. The Route Table object will also need to be associated to each subnet that require the use of UDR’s. If different subnets require different UDR’s, multiple Route Tables can be implemented to achieve this.
Firewall Policies and NGFW UTM Features
Once Azure traffic is routed through the NGFW virtual appliance, firewall policies must be in place to allow both subnet to subnet and inside to outside communication. The benefit now is that these policies can be built out and managed using a familiar NGFW GUI, and traffic can be inspected using UTM (Unified Threat Management) features such as Antivirus (AV), Intrusion Prevention System (IPS), Web and Application content filtering.
The FortiGate virtual appliance, for example, provides Botnet C&C blocking to known malicious IP’s and domains. Sandbox cloud AV detection can be enabled to provide protection against zero-day virus’, and advanced logging and traffic analytics will be available to assist with both traffic monitoring and troubleshooting.
Full SSL inspection (deep packet inspection) should also be implemented since it provides the highest accuracy when it comes to content filtering, IPS and AV. Considering that roughly 97% of all traffic is now encrypted, full SSL inspection is a must to ensure that your environment is secure. With full SSL inspection, the NGFW acts as a MITM (man in the middle) to decrypt encrypted traffic, inspect it, then re-encrypt it for transmission to its destination.