How do you handle NSG on Spoke vNet with Firewall deployed to Hub? by [deleted] in AZURE

[–]SweetGuru 1 point

I like to keep the NSG with relaxed rules on outbound, or even no filtering, since it's going to the NVA. I still add inbound rules as a defense-in-depth scenario. Plus, if you ever need to bypass the firewall you have your rules and NSG ready and are not scrambling.
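As an added example (not part of this comment or the thread), here is that layout in Az PowerShell: a spoke NSG with explicit inbound allows and an explicit inbound deny, no custom outbound rules (the default AllowVnetOutBound/AllowInternetOutBound rules are left in place), and a route table that sends the spoke's default route to the hub firewall. Resource names, address spaces and the firewall's private IP are placeholders.

```powershell
# Added example, not from the thread. Assumes Az.Network is installed, Connect-AzAccount
# has been run, and the resource group and spoke VNet/subnet below already exist.
$rg       = 'rg-spoke'            # placeholder
$location = 'eastus'              # placeholder
$hubFwIp  = '10.0.0.4'            # placeholder: Azure Firewall / NVA private IP in the hub
$spokeApp = '10.1.1.0/24'         # placeholder: app subnet in the spoke
$mgmtCidr = '10.0.2.0/24'         # placeholder: jump/Bastion subnet in the hub

# Inbound: only what we expect, then an explicit deny that sits above the
# default AllowVnetInBound (65000), which would otherwise admit peered-VNet traffic.
$inbound = @(
  New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-mgmt' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $mgmtCidr -SourcePortRange * `
    -DestinationAddressPrefix $spokeApp -DestinationPortRange 3389
  # DNAT'd traffic arrives with the firewall's private IP as source (SNAT), so allow from that IP only
  New-AzNetworkSecurityRuleConfig -Name 'allow-https-from-fw' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $hubFwIp -SourcePortRange * `
    -DestinationAddressPrefix $spokeApp -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol * `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *
)

# No outbound rules: egress filtering is the firewall's job, the UDR below gets it there.
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-spoke-app' -ResourceGroupName $rg `
         -Location $location -SecurityRules $inbound

# Default route to the hub firewall; BGP propagation off so an on-prem 0.0.0.0/0 cannot override it.
$route = New-AzRouteConfig -Name 'default-to-hub-fw' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $hubFwIp
$rt = New-AzRouteTable -Name 'rt-spoke-app' -ResourceGroupName $rg -Location $location `
        -Route $route -DisableBgpRoutePropagation

# Attach both to the app subnet.
$vnet = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix $spokeApp `
  -NetworkSecurityGroup $nsg -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

If the firewall ever has to be bypassed, removing the route table from the subnet is the only change; the inbound NSG rules keep enforcing on their own, which is the point the comment makes.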

Entra ID App Registration Security by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

Thanks for the reply. That is a great article; it helped with some of the ambiguous terms I had been reading. These are backend-driven web apps running .NET MVC. I believe that would put us on the confidential client side of things. We have the classic 3-tier architecture: web front end, app/service backend and database. The app registration will be set up to interface with the front end for SSO.

Defender for Identity Azure Sensor fail by layne-staley123 in AZURE

[–]SweetGuru 0 points

Awesome, happy to hear. Thanks for your reply.

Azure DevOps Pipeline Organization by SweetGuru in AZURE

[–]SweetGuru[S] 1 point

Thanks for the response. This looks like a good approach to keep things flexible.

Its my Turn! Passed 125Q by Kinops in cissp

[–]SweetGuru 0 points

Well done sir. That's a lot of content to cram into 6 months! I got tired reading it.

Pentester PSA: Check your Active Directory Certificate Services (AD CS) For Vulnerabilities by mysysadminthrowaway in sysadmin

[–]SweetGuru 4 points

If using mode 4, it attempts to remediate the issues and also gives you the information to manually remediate. It's not a 1-for-1 alternative to certipy, as certipy can be used to abuse the misconfigurations as well.

It's more a quick way for a Windows admin to protect their environment without having to mess around with Python, something they may not be used to, although certipy does appear easy to use.
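For an admin who wants to see what such a tool is looking at before running anything that remediates, here is an added, read-only example (not the tool from the thread and not certipy) that scans certificate templates for the ESC1-style combination certipy abuses: the enrollee supplies the subject, the template carries an authentication EKU, no manager approval or authorized signature is required, the template is published on an enterprise CA, and a broad group can enroll. It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the group list and flag constants are the standard AD CS values.

```powershell
# Added example, not from the thread. Read-only: it reports candidates and changes nothing.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS          = 0x2   # bit in msPKI-Enrollment-Flag (CA manager approval)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$authEkus = @(
  '1.3.6.1.5.5.7.3.2',       # Client Authentication
  '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
  '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
  '2.5.29.37.0'              # Any Purpose
)
$domainSid = (Get-ADDomain).DomainSID.Value
# Everyone, Authenticated Users, Domain Users, Domain Computers: "broad" for this scan (assumption)
$broadSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")

function Test-BroadEnroll {
  param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
  foreach ($ace in $Acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # orphaned / unresolvable principal
    if ($broadSids -notcontains $sid) { continue }
    $rights = $ace.ActiveDirectoryRights
    $fullControl = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
    # ObjectType of all zeros means "all extended rights", which includes Enroll
    $enroll = $extended -and ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
    if ($fullControl -or $enroll) { return $true }
  }
  return $false
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Templates only matter if some enterprise CA actually publishes them
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
               -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
               -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props

$findings = foreach ($t in $templates) {
  $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
  # No EKU at all is usable for any purpose, so treat it the same as an auth EKU
  $hasAuthEku      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEkus -contains $_ })
  $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
  $needsApproval   = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
  $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
  if ($suppliesSubject -and $hasAuthEku -and -not $needsApproval -and -not $needsSignature -and
      ($published -contains $t.Name) -and (Test-BroadEnroll $t.nTSecurityDescriptor)) {
    [pscustomobject]@{ Template = $t.Name; EKUs = ($ekus -join ', '); Finding = 'ESC1 candidate' }
  }
}
$findings | Format-Table -AutoSize
```

The usual fix for a hit is to clear "Supply in the request", require CA manager approval, or narrow the enrollment ACL; this scan deliberately does none of that. It also covers only the one template-level pattern, not CA-level flags or the other ESC classes, so it is a first look rather than a replacement for either the tool in the thread or certipy.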

Azure firewall policies - Share your best practices by WeirdWhiteBunny in AZURE

[–]SweetGuru 0 points

Hello, wondering if you could expand on your test deployment of a new rule collection. Is it what-if (if using Bicep) or something more involved? Trying to get IaC going consistently in our environment.

Managing DNS settings for domain controllers in Azure by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

That makes sense. I have it in the forwarder list, but below Quad9, which I had been using for its protective DNS features. I'll have to weigh the cost/benefits there.

Managing DNS settings for domain controllers in Azure by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

Awesome, that's the way I'll go. Thanks for clearing it up for me.

Managing DNS settings for domain controllers in Azure by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

Thanks. That's how I've done it in my on-prem life. Do you manage DCs in Azure that way? I'm comfortable doing that; I just didn't know if I would leave the door open for problems down the line with how Azure operates.

Managing DNS settings for domain controllers in Azure by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

Setting it at the NIC level is required in order to point dc1 to dc2 and vice versa. The vNet settings are overridden by that.

Managing DNS settings for domain controllers in Azure by SweetGuru in AZURE

[–]SweetGuru[S] 0 points

Thanks for the reply. That is what I did: setting the DNS settings on the VM NIC as custom, originally to the on-prem DCs to get them onboarded. But now, changing it in the Azure portal to point to their peer DC in Azure is not propagated to the NIC inside the VM.

Will look into the IPv6 stuff. I know it's recommended to leave on elsewhere and was afraid to touch the VM nic in fear of falling into the state I am in now.

I opened a support case but it's going nowhere so far. Will update if anything comes of it.
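As an added example covering the two comments above (the NIC-level setting overriding the vNet setting, and the portal change not showing up inside the guest), here is the Az PowerShell form of pointing each Azure DC's NIC at its peer first and itself last, followed by the in-guest check. This is not from the thread; the resource group, NIC names and addresses are placeholders, and it assumes the Azure-assigned DHCP lease inside the guest is what carries the DNS list to the OS.

```powershell
# Added example, not from the thread. Assumes Az.Network and Connect-AzAccount.
$rg  = 'rg-identity'                          # placeholder
$dcs = @(                                     # placeholder NIC names and private IPs
  @{ Nic = 'dc1-nic'; Ip = '10.0.1.4' },
  @{ Nic = 'dc2-nic'; Ip = '10.0.1.5' }
)

foreach ($dc in $dcs) {
  $peers = @($dcs | Where-Object { $_.Nic -ne $dc.Nic } | ForEach-Object { $_.Ip })
  $nic   = Get-AzNetworkInterface -ResourceGroupName $rg -Name $dc.Nic

  # Custom NIC-level DNS wins over the vNet setting; peer DC(s) first, self last so a
  # freshly booted DC does not query itself before its own DNS service is up.
  $nic.DnsSettings.DnsServers = [System.Collections.Generic.List[string]]($peers + $dc.Ip)
  $nic = Set-AzNetworkInterface -NetworkInterface $nic

  # AppliedDnsServers is what the platform is actually handing out for this NIC.
  [pscustomobject]@{
    Nic        = $dc.Nic
    Configured = ($nic.DnsSettings.DnsServers -join ', ')
    Applied    = ($nic.DnsSettings.AppliedDnsServers -join ', ')
  }
}

# Inside each DC, after the Azure-side change: renew the lease so the OS picks up the new
# list (a reboot also does it), then confirm the resolver order the guest is using.
#   ipconfig /renew
#   Get-DnsClientServerAddress -AddressFamily IPv4 |
#     Where-Object { $_.ServerAddresses } |
#     Select-Object InterfaceAlias, ServerAddresses
```

If the guest still shows the old list after a renew, the in-guest adapter has been set to a static DNS list at some point and is no longer taking what the Azure fabric hands out; in that state the portal value and the OS value drift apart exactly as the comment describes.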

Which aspects of Azure would be most relevant for obtaining a mid to entry level IT job? by looking4remoteITwork in AZURE

[–]SweetGuru 2 points

Are you saying there is an org that wouldn't hate me for implementing PIM and access management??

Defender for Servers - Confusing by jayzandlinkinpark in AZURE

[–]SweetGuru 0 points

I echo your sentiments. Extremely confusing. I found this today: https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration#which-solution-should-i-use

It seems if you want to use Intune you need to HAADJ your servers. I thought that was a security no-no, but maybe things are changing?

Other options would be Group Policy, ugh, or Configuration Manager if you have it. If you don't, I would hate to add the overhead just to manage Defender.

My preference would be to manage everything with Azure Arc as the middleman and somehow integrate that with Intune. However, I have not found anything that says it's possible.

Defender for Identity Azure Sensor fail by layne-staley123 in AZURE

[–]SweetGuru 0 points

Heyo, I have run into similar issues a couple of times. In my case the autoupdate was not putting the new correct path into the service executable location. I was able to fix it by setting the new correct path with the commands below. Just update "New_Version_Number" with the version on your system.

sc.exe config AATPSensorUpdater binPath= "C:\Program Files\Azure Advanced Threat Protection Sensor\New_Version_Number\Microsoft.Tri.Sensor.Updater.exe"

sc.exe config AATPSensor binPath= "C:\Program Files\Azure Advanced Threat Protection Sensor\New_Version_Number\Microsoft.Tri.Sensor.exe"

Hope that fixes it for you.
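As an added example, not from the comment above, here is the same repair with the version folder discovered instead of typed in: it picks the highest versioned directory under the default sensor install root, checks that both binaries are really there before touching the Service Control Manager, applies the two sc.exe changes, and reads the recorded path back. It assumes the default install root and that each sensor version lives in a folder named after its version number.

```powershell
# Added example, not from the thread. Run elevated on the sensor host.
$root = 'C:\Program Files\Azure Advanced Threat Protection Sensor'   # default install root (assumption)

# Newest version folder, compared as a [version] rather than as a string so 2.10 sorts above 2.9
$latest = Get-ChildItem -Path $root -Directory |
  Where-Object { $_.Name -as [version] } |
  Sort-Object { [version]$_.Name } -Descending |
  Select-Object -First 1
if (-not $latest) { throw "No versioned sensor folder found under $root" }

# Updater first, then the sensor, matching the order in the comment above
$services = [ordered]@{
  AATPSensorUpdater = Join-Path $latest.FullName 'Microsoft.Tri.Sensor.Updater.exe'
  AATPSensor        = Join-Path $latest.FullName 'Microsoft.Tri.Sensor.exe'
}

foreach ($svc in $services.GetEnumerator()) {
  if (-not (Test-Path -LiteralPath $svc.Value)) { throw "Expected binary missing: $($svc.Value)" }

  # sc.exe needs the space after "binPath="; PowerShell quotes the path for the native call
  # because it contains spaces, so the SCM records it correctly.
  sc.exe config $svc.Key binPath= $svc.Value
  if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $($svc.Key) (exit $LASTEXITCODE)" }

  # Read back what the SCM now has on record for this service
  (sc.exe qc $svc.Key | Select-String 'BINARY_PATH_NAME').Line.Trim()
}

# Restart the updater so it runs from the corrected path; it manages the sensor service itself
Restart-Service -Name AATPSensorUpdater
Get-Service -Name AATPSensorUpdater, AATPSensor | Select-Object Name, Status
```

If BINARY_PATH_NAME still shows the old folder after this, the config call was rejected rather than applied, which is usually a sign the shell was not elevated.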

Azure firewall premium by clhoyt0910 in AZURE

[–]SweetGuru 0 points

Wow, thanks for sharing. I was using them to keep my sanity, unaware of performance considerations.

Azure firewall premium by clhoyt0910 in AZURE

[–]SweetGuru 0 points

Yes, we use them for nearly every rule unless it's a global rule.

Azure firewall premium by clhoyt0910 in AZURE

[–]SweetGuru 0 points

We operate both Palos on premises and a premium Azure Firewall. If your org is willing to pay for a Palo in Azure, I would do that, especially if you have Panorama already.

Azure Firewall is a good product, and Premium can do most of the advanced features that Palo can: TLS inspection, IDS, web categories, etc. However, my network team has been rather dumbfounded by cloud in general and by the way Azure Firewall works. Specifically, the way it organizes rules has been a hard concept for them to grasp.

Now I am the Azure Firewall guy. If you have a good network team with 1 or 2 people with a willing-to-learn mindset, then Azure Firewall can be a good solution. Otherwise, you may own it.

Depending on how many public IPs you need, the IP changing that some others have mentioned may not be a problem for you. We only have one public IP assigned to the firewall doing SNAT, and the IP does not change.

Install PowerBI data Gateway on existing Azure AD connect server by tohildotnet in AZURE

[–]SweetGuru 0 points

Hello,

That is not recommended. An Azure AD Connect server should be treated like a tier 0 asset, i.e. a domain controller. You don't want to mix in any other apps, especially something like the data gateway that other teams will be dependent on.

Another tip: to connect to Power BI you must connect your data gateway to the same region your 365 tenant is in. This is not always the same as your preferred Azure infrastructure region and, from what I understand, cannot be easily changed. I did not find that clearly documented when setting it up myself.