5nine AzSec - Azure Security Getting Started Guide - Acronis

Upload by : Bria Koontz

5nine AzSec - Azure Security Getting Started Guide

2017 5nine Software Inc. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means, without written permission from 5nine Software Inc. (5nine).

The information contained in this document represents the current view of 5nine on the issue discussed as of the date of publication and is subject to change without notice. 5nine shall not be liable for technical or editorial errors or omissions contained herein. 5nine makes no warranties, expressed or implied, in this document. 5nine may have patents, patent applications, trademark, copyright or other intellectual property rights covering the subject matter of this document. All other trademarks mentioned herein are the property of their respective owners. Except as expressly provided in any written license agreement from 5nine, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

Important! Please read the Software License Agreement before using the accompanying software program(s). Using any part of the software indicates that you accept the terms of the Software License Agreement. https://www.5nine.com/Docs/5nine SLA.pdf

2009-2017 5nine Software, Inc. All rights reserved.

Table of Contents

- Summary
- System Requirements
  o Supported Operating Systems
  o Software Prerequisites
  o Communications
- Installation
- Configuring Firewall Rules
- Security Templates
- Azure Firewall Logs
- Azure Billing
- OMS Alerts

Summary

VMs in public clouds should be isolated by a firewall to protect them from hacker attacks and other network threats. 5nine AzSec is an intuitive application that creates, maintains and manages inbound/outbound traffic rules for virtual machines in Azure. Firewall log data is collected, displayed and managed in a central console.

5nine AzSec is offered as a standalone application or bundled as an integrated solution with 5nine Cloud Security. The bundled offering enables hybrid cloud administrators to manage firewall rules and logs across Azure and Hyper-V from a single access point. These events can also be forwarded to SIEM and UEBA systems, including Splunk and Microsoft Operations Management Suite (OMS).

System Requirements

Supported Operating Systems:

- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2008 R2
- Microsoft Windows 7 64-bit Editions
- Microsoft Windows 8 64-bit Editions
- Microsoft Windows 10 64-bit Editions

Software Prerequisites:

- .NET Framework 4.5 or higher

Note: Log Forwarding to Microsoft Operations Management Suite (OMS) from 5nine Cloud Security

  o Requires setting Syslog server name or IP Address in Cloud Security
  o Target Syslog server requires OMS agent configured to forward syslog messages to the OMS Log Analytics platform
  o See the following link for more information: Syslog Collection in Operations Management Suite

Communications

5nine AzSec requires communication outbound on ports 80 and 13 to Azure in order to function.

Installation

1. Run Installer – Launch 5nine AzSec setup from standalone AzSec MSI setup:

2. Destination Folder – Click Next and specify the Destination Folder for the AzSec Application:

3. License File – Click Next and, when prompted, specify the location of the AzSec license file that you received from 5nine Software via email. If you are installing AzSec as a part of 5nine Cloud Security, you will need to input licenses for both Cloud Security and the AzSec Addon:

4. After the license is entered, proceed with installation. You can choose to launch AzSec after installation, or launch it later from the status bar or application list.

Configuring Firewall Rules

Configuring a firewall rule is as simple as setting the desired options in a single popup window.

1. Launch the 5nine AzSec executable from the desktop icon or from 5nine Cloud Security 10. You will see your subscriptions and resources in Azure after you log in with your Live ID:

If you are launching AzSec for the first time, or have not saved the credentials previously, you will be asked to enter your Azure profile Tenant ID, User ID and password. Your profile resources will then load in the AzSec Console.

2. Select the desired virtual machine and click ‘Add Rule’:

- Adapter – The rule will be bound to the selected adapter for the VM.
- Priority – Azure firewall rules are processed in order of priority. Rules with a higher priority (lower number) take precedence over rules with a lower priority (higher number).
- Rule Name – A descriptive name of your choice for the rule.
- Description – A field for additional details to further describe the rule.
- Action – Choose to allow or deny traffic that matches the criteria defined in the rule.
- Direction – Specify the direction of traffic, inbound or outbound, that the rule applies to.
- Source Port Range – One or more source ports the rule will apply to. Single port number from 1 to 65535, port range (example: 1-65635), or * (for all ports).
- Destination Port Range – One or more destination ports the rule will apply to. Single port number from 1 to 65535, port range (example: 1-65635), or * (for all ports).
- Protocol – The protocol TCP, UDP or both (*) that the rule applies to.
- RemoteIPs – Single IP address (example: 10.10.10.10), IP subnet (example: 192.168.1.0/24), default tag, or * (for all addresses).

Default tags are system-provided identifiers to address a category of IP addresses. You can use default tags in the source address prefix and destination address prefix properties of any rule. There are three default tags you can use:

  o VirtualNetwork (Resource Manager) (VIRTUAL NETWORK for classic): This tag includes the virtual network address space (CIDR ranges defined in Azure), all connected on-premises address spaces, and connected Azure VNets (local networks).
  o AzureLoadBalancer (Resource Manager) (AZURE LOADBALANCER for classic): This tag denotes Azure’s infrastructure load balancer. The tag translates to an Azure datacenter IP where Azure’s health probes originate.
  o Internet (Resource Manager) (INTERNET for classic): This tag denotes the IP address space that is outside the virtual network and reachable by the public Internet. The range includes the Azure-owned public IP space.

- Set template button – See the next section for a description of its use.

Once the desired configurations are set, select OK to finish creating the rule. This is as simple as it is in the 5nine Cloud Security standalone version. The above example was to enable web server traffic (port 80).
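Because rules are processed in order of priority, a broad rule with a lower priority number can hide a narrower rule placed after it. The following Python sketch is an added example, not part of the 5nine guide or the AzSec product: it models rules with the fields from the rule dialog, evaluates traffic in priority order, and lists rules that an earlier rule fully covers. The Rule tuple, the function names and the sample rules are constructed for illustration; default tags and Azure's built-in default rules are not modeled, and only IPv4 addresses are handled.

```python
import ipaddress
from collections import namedtuple

# Fields follow the rule dialog. Lower priority number = evaluated first.
# remote_ips: single address, CIDR subnet or "*" (default tags are not modeled).
Rule = namedtuple("Rule", "name priority action direction protocol dest_ports remote_ips")

def port_span(spec):
    """Turn "80", "8000-8100" or "*" into an inclusive (low, high) pair."""
    low, _, high = ("1-65535" if spec == "*" else spec).partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return low, high

def network(spec):
    # strict=False lets a single address stand for a /32 network
    return ipaddress.ip_network("0.0.0.0/0" if spec == "*" else spec, strict=False)

def covers(a, b):
    """True if everything rule b matches is also matched by rule a."""
    (a_lo, a_hi), (b_lo, b_hi) = port_span(a.dest_ports), port_span(b.dest_ports)
    return (a.direction == b.direction
            and a.protocol in ("*", b.protocol)
            and a_lo <= b_lo and b_hi <= a_hi
            and network(b.remote_ips).subnet_of(network(a.remote_ips)))

def evaluate(rules, direction, protocol, remote_ip, dest_port):
    """Return (action, rule name) of the first match in priority order."""
    packet = Rule("packet", 0, None, direction, protocol, str(dest_port), remote_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if covers(rule, packet):
            return rule.action, rule.name
    return "Deny", None  # simplification: nothing matched

def shadowed(rules):
    """Return (hidden, hiding) name pairs where an earlier rule covers a later one."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [(later.name, earlier.name)
            for i, later in enumerate(ordered)
            for earlier in ordered[:i] if covers(earlier, later)]

# Constructed sample rules: the deny at priority 300 can never take effect.
RULES = [
    Rule("allow-web", 100, "Allow", "Inbound", "TCP", "80", "*"),
    Rule("allow-any-from-lan", 200, "Allow", "Inbound", "*", "*", "192.168.1.0/24"),
    Rule("deny-rdp-from-host", 300, "Deny", "Inbound", "TCP", "3389", "192.168.1.50"),
]
```

Running shadowed(RULES) before saving a new rule shows whether the rule would ever be reached; moving the deny rule to a priority number below 200 makes it effective.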

Security Templates

Templates are provided to simplify rule creation for common workloads and network traffic scenarios.

1. Set template – Select the Set template button in the bottom left side of the rule window:

2. Select template – Choose the desired template and traffic direction:

3. Rule settings – The rule is prepopulated with the appropriate settings. Review and modify any of the settings such as name or description and select OK to save and implement the rule.

Azure Firewall Logs

To examine an attack or identify suspicious activities in the Azure environment, you need to analyze the Azure firewall log events. By collecting and analyzing the logs, you can understand what transpires within your VMs in Azure.

On the first launch of the program, the user will be prompted to configure logging. You can also open this dialog manually through the Settings menu of 5nine AzSec.

1. Enable Logging – The Settings / Set resource settings menu item is used to configure logging. Select the subscription and resources to enable logging:

Note that the log data retention configured here is subject to log availability in Azure. Select OK to enable logging. AzSec will register the providers for the selected resources.

2. View Logs – Logs are now viewable in the bottom panel of the console. Select the VM’s adapter to see the associated logs:

3. Save Logs – Logs can be saved in several different formats by selecting the menu item.

Azure Billing

The Azure Billing feature provides you with a convenient way to review your Azure subscription usage.

1. Select the Azure Billing / View Bill menu item:

2. Select the desired date range from the drop-down menus and then click the View bill button to see an itemized list of resources and their associated costs:

OMS Alerts

Microsoft Operations Management Suite (OMS) alerts can be configured from within the 5nine AzSec console. Open the OMS Alerts / Alert settings menu item:

1. Create Search – In the Search field specify the desired name for the search. In the Query field enter the query to be associated with the search. More information regarding the OMS query syntax can be found here: cs/log-analytics-search-reference

2. Save the configured search, which will then appear in the list on the left side of the window.

3. Add alert – With the appropriate search highlighted, select the menu item to configure email alert settings.

4. Alert Properties

   a. Name – Specify a name for the alert.
   b. Query results amount – Set the threshold for an alert to be triggered.
   c. Check interval – Configure the number of minutes between checks of whether the alert criteria are met.
   d. Email subject – The subject line for the email generated by the alert.
   e. Recipients – Recipient email address that will receive the alert email (separate multiple email addresses with a semicolon).
   f. Save alert – Select OK to save the configured alert.

You can create more than one alert for a search so that they can be triggered when different conditions are met in the search. The alerts can be edited or deleted, as can the searches.
