Steef-Jan Wiggers
Microsoft Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Microsoft recently announced a preview release of a Premium tier of the service.
Azure Firewall became generally available at Ignite 2018 and has since received several updates, such as Threat Intelligence and Service Tags filters, Custom DNS and IP Groups; it now gains an additional Premium tier. According to the Azure documentation, the Premium tier includes the following features:
- TLS inspection – decrypts outbound traffic, processes the data, encrypts the data, and sends it to the destination.
- IDPS – a network intrusion detection and prevention system (IDPS), which allows users to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it.
- URL filtering – extends Azure Firewall’s FQDN filtering capability to consider an entire URL. For example, www.contoso.com/a/c instead of www.contoso.com.
- Web categories – administrators can allow or deny user access to website categories such as gambling websites, social media websites, etc.
Eliran Azulai, Principal Program Manager, Azure Networking, told InfoQ:
When it comes to network security, the key is to use cloud-native services to secure the network infrastructure and application delivery. To minimize attack surface, customers need network segmentation, threat protection, and encryption. Network segmentation helps prevent lateral movement and data exfiltration. Our customers can use Virtual Networks and Azure Firewall to perform network segmentation effectively. When it comes to threat protection, the most basic protection they must turn on is DDoS protection on all public IPs. We have added our unique intelligent threat protection to Azure Firewall to stay ahead of the attacks. Customers can also use IDPS to identify, alert and block malicious traffic. Finally, customers can encrypt communication channels across the cloud and hybrid networks with industry-leading encryption such as TLS.
The Premium release also introduces a Premium firewall policy tier for configuring Firewall Premium. Firewall Policy already existed for the Standard tier, and Premium policies can inherit from Standard-tier policies. Moreover, Azure Firewalls configured with classic rules created before the Premium release can be migrated to Firewall Policy with the Migrate to Firewall Policy option on the Azure Firewall resource page; the migration incurs no downtime.
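As an added illustration (not code from the article or from Microsoft's documentation), the Bicep below declares a Premium-tier firewall policy that enables the features listed above, TLS inspection, IDPS and threat intelligence, and attaches one rule collection that uses URL filtering and web categories. The resource names, the 10.0.0.0/24 source range, the two parameters and the web category identifiers are assumptions; the user-assigned identity must already be able to read the Key Vault secret holding the intermediate CA.

```bicep
param identityId string  // assumed: resource ID of a user-assigned identity with Key Vault read access
param caSecretId string  // assumed: Key Vault secret ID of the intermediate CA used for TLS inspection

resource fwPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: 'fwpol-premium'
  location: resourceGroup().location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { tier: 'Premium' }               // Premium unlocks TLS inspection, IDPS, URL filtering, web categories
    threatIntelMode: 'Alert'
    intrusionDetection: { mode: 'Alert' }  // observe first; switch to 'Deny' once alerts have been reviewed
    transportSecurity: { certificateAuthority: { name: 'inter-ca', keyVaultSecretId: caSecretId } }
  }
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
  parent: fwPolicy
  name: 'app-rules'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-web'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-gambling-social'
            sourceAddresses: [ '10.0.0.0/24' ]                  // constructed sample client subnet
            protocols: [ { protocolType: 'Https', port: 443 } ]
            webCategories: [ 'Gambling', 'SocialNetworking' ]   // assumed category identifiers
            terminateTLS: true                                  // decrypt so HTTPS requests can be categorised
          }
          {
            ruleType: 'ApplicationRule'
            name: 'block-contoso-path'
            sourceAddresses: [ '10.0.0.0/24' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetUrls: [ 'www.contoso.com/a/c' ]               // full URL match; the rest of the site is unaffected
            terminateTLS: true                                  // URL filtering on HTTPS requires TLS inspection
          }
        ]
      }
    ]
  }
}
```

Without `terminateTLS`, HTTPS traffic is matched only on the FQDN from the SNI, so the path in `targetUrls` and per-URL categorisation would not apply.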
Azure Firewall is not the only firewall offering available to Microsoft Azure customers, who can also provision third-party solutions such as Barracuda, Palo Alto, Fortinet, and Check Point through the Azure Marketplace. Marius Sandbu, a guild lead for Public Cloud at TietoEVRY, compared Azure Firewall Premium to the third-party offerings from Check Point, Palo Alto, and Cisco in a blog post:
- Azure Firewall is a managed service that runs as active/active and scales automatically depending on traffic flow, while a 3rd party NVA requires complex IaaS deployment and throughput is dependent on the size of virtual machines.
- Azure Firewall is fully managed through Azure Resource Manager. If your environment has adopted a cloud-based operating model and automated the environment, Azure Firewall changes and updates the environment using the same code structure/framework. This also means that deployment is simplistic compared to 3rd parties.
- Much of the logic from different firewall vendors is the rule engines and built-in threat intelligence. However, Microsoft can provide somewhat of an equal threat database using the Intelligent Security API.
- If the organization uses other supporting services such as Azure Monitor and Sentinel for SIEM/SOC, Azure Firewall makes more sense since you can continue to build on existing knowledge to build dashboards and monitoring points.
In addition, Azulai told InfoQ:
Azure Firewall Premium is a next-generation firewall with capabilities that are required for highly sensitive and regulated environments. As the world increasingly shifts toward digitization, it’s imperative that our customers are able to protect and rely on their virtual network infrastructures using products like Azure Firewall Premium from trusted companies like Microsoft.