Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.
NS-1: Establish network segmentation boundaries
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 3.12, 13.4, 4.4 | AC-4, SC-2, SC-7 | 1.1, 1.2, 1.3 |
Security Principle: Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Examples of high-risk workload include:
- An application storing or processing highly sensitive data.
- An external network-facing application accessible by the public or users outside of your organization.
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.
Azure Guidance: Create a virtual network (VNet) as the fundamental segmentation approach in your Azure network, so that resources such as VMs are deployed into the VNet within a network boundary. To segment the network further, you can create subnets inside the VNet for smaller sub-networks.
Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address.
You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
Implementation and additional context:
- Azure Virtual Network concepts and best practices
- Add, change, or delete a virtual network subnet
- How to create a network security group with security rules
- Understand and use application security groups
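The following Bicep template is an added example, not part of the benchmark page, of the "deny by default, permit by exception" NSG described above for a 3-tier application, using ASGs instead of explicit IP addresses. The resource names, ports and API version are assumptions.

```bicep
// Added example: NSG with ASG-based rules (names, ports and API version are assumptions).
param location string = resourceGroup().location
// ASGs group VMs by role, so rules reference roles rather than IP addresses.
resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = { name: 'asg-web', location: location }
resource asgDb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = { name: 'asg-db', location: location }
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-tier'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Internet-HTTPS-to-Web' // public HTTPS may reach only members of asg-web
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgWeb.id } ]
          destinationPortRange: '443'
        }
      }
      {
        name: 'Allow-Web-to-Db-SQL' // only the web tier may open SQL connections to the db tier
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: asgWeb.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgDb.id } ]
          destinationPortRange: '1433'
        }
      }
      {
        name: 'Deny-All-Inbound' // overrides the default AllowVnetInBound rule (priority 65000)
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The NSG still has to be associated with the subnet or NICs of the tiers, and each VM's NIC added to the matching ASG; traffic that matches none of the Allow rules, including east-west traffic between VMs in the same subnet, is then dropped by the explicit Deny rule.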
NS-2: Secure cloud services with network controls
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 3.12, 4.4 | AC-4, SC-2, SC-7 | 1.1, 1.2, 1.3 |
Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks when possible.
Azure Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible.
For certain services, you also have the option to deploy VNet integration for the service, which restricts access to the VNet and establishes a private access point for the service.
NS-3: Deploy firewall at the edge of enterprise network
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 4.4, 4.8, 13.10 | AC-4, SC-7, CM-7 | 1.1, 1.2, 1.3 |
Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic through a network appliance for security control purposes.
At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).
Azure Guidance: Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).
If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic takes the desired route. For example, you can use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.
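The following Bicep template is an added example, not part of the benchmark page, of the UDR described above: a route table that overrides the system default route so that all egress traffic from a spoke subnet is forced through Azure Firewall in the hub. The firewall's private IP, the VNet and subnet names, the address prefix and the API version are assumptions.

```bicep
// Added example: force egress through Azure Firewall with a UDR (all names and addresses are assumptions).
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.0.4' // private IP of the Azure Firewall in the hub VNet (assumed)

resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-workload'
  location: location
  properties: {
    // Stop BGP-learned routes (e.g. from ExpressRoute/VPN) from silently bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0' // more specific UDR wins over the system route to the Internet
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Associate the route table with the workload subnet of an existing spoke VNet (assumed names).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-spoke'
}
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-workload'
  properties: {
    addressPrefix: '10.1.1.0/24'
    routeTable: { id: rt.id }
  }
}
```

After deployment, the effective routes of a NIC in `snet-workload` should show `0.0.0.0/0` with next hop type VirtualAppliance pointing at the firewall IP; if the firewall has no rule permitting the flow, the traffic is dropped there rather than leaving the VNet directly.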
NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 13.2, 13.3, 13.7, 13.8 | SC-7, SI-4 | 11.4 |
Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution.
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
Azure Guidance: Use Azure Firewall’s IDPS capability on your network to alert on and/or block traffic to and from known malicious IP addresses and domains.
For more in-depth host level detection and prevention capability, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.
NS-5: Deploy DDoS protection
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 13.10 | SC-5, SC-7 | 1.1, 1.2, 1.3, 6.6 |
Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.
Azure Guidance: Enable a DDoS Protection Standard plan on your VNet to protect resources that are exposed to public networks.
NS-6: Deploy web application firewall
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 13.10 | SC-7 | 1.1, 1.2, 1.3 |
Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.
Azure Guidance: Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF to "detection" or "prevention" mode, depending on your needs and threat landscape. Choose a built-in ruleset, such as the OWASP Top 10 vulnerabilities ruleset, and tune it to your application.
NS-7: Simplify network security configuration
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 4.4, 4.8 | AC-4, SC-2, SC-7 | 1.1, 1.2, 1.3 |
Security Principle: When managing a complex network environment, use tools to simplify, centralize and enhance the network security management.
Azure Guidance: Use the following features to simplify the implementation and management of the NSG and Azure Firewall rules:
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis results.
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the implementation of firewall rules and network security groups, you can also use the Azure Firewall Manager ARM (Azure Resource Manager) template.