Check for Network Security Groups with Port Ranges

Risk level: Medium

Microsoft Azure network security groups (NSGs) filter network traffic to and from resources deployed inside an Azure virtual network, such as virtual machine instances. An NSG contains security rules that allow or deny inbound and outbound traffic; for each rule you specify a source, a destination, a destination port (a single port, a list of ports, or a range), a network protocol, a direction and a priority. Opening a range of ports in an inbound Allow rule is not a good practice: it exposes every service listening anywhere within that range, lets attackers use port scanners and other probing techniques to enumerate the services running on your instances, and gives them more targets whose vulnerabilities they can exploit. Allow inbound traffic only on the specific ports the workload actually needs.


01 Sign in to the Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to examine.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, check the value in the Port column for each inbound/ingress rule whose Action is Allow. If one or more Allow rules have the Port attribute set to a range of ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800) or to Any, the selected Azure network security group (NSG) allows inbound traffic on a range of ports, and inbound access to the associated Microsoft Azure virtual machine(s) is not adequately restricted. The default rules (priority 65000 and above, e.g. AllowVnetInBound) always use Any and cannot be edited or removed, so evaluate only the custom rules; a Deny rule with a port range is not a finding.

08 Repeat steps no. 5 – 7 for each network security group available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the names of their associated resource groups) available in the selected Azure subscription:

az network nsg list --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return a table with requested information:

Name                   ResourceGroup
---------------------  ------------------------------
cc-prod-endpoint-nsg   cloud-shell-storage-westeurope
cc-dev-web-server-nsg  cloud-shell-storage-westeurope

05 Run the network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters, together with a JMESPath query that keeps only the Allow rules for the Inbound direction, to describe the NSG rules that allow inbound/ingress traffic to the virtual machines associated with the selected network security group:

az network nsg rule list --nsg-name cc-prod-endpoint-nsg --resource-group cloud-shell-storage-westeurope --query "[?direction=='Inbound' && access=='Allow']"

06 The command output should return the requested network security group rule(s) metadata:

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "0-65535",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
    "name": "cc-web-inbound-access",
    "priority": 100,
    "protocol": "TCP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

If the "destinationPortRange" attribute, or any entry in the "destinationPortRanges" list, is set to a range of ports such as 0-65535, 80-8080 or 111-32800, or to "*" (any port), the selected Azure network security group (NSG) allows inbound traffic on a range of ports, and inbound/ingress access to the associated Microsoft Azure virtual machine(s) is not adequately restricted. Only one of the two attributes is populated for a given rule: "destinationPortRange" holds a single value, while "destinationPortRanges" holds a list when several values were configured. Ignore the default rules (priority 65000 and above), which always use "*" and cannot be changed.

07 Repeat steps no. 5 and 6 for each Azure network security group created within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to the Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the non-compliant rule that you want to reconfigure (see Audit section part I to identify the right rule).

08 On the selected security group rule configuration panel, perform the following:

  1. For Destination port ranges, enter a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80,443 (HTTP and HTTPS). This specifies the destination port(s) on which inbound traffic will be allowed or denied by the selected NSG rule.
  2. From Protocol, select the appropriate network protocol (e.g. TCP) rather than Any, so the rule matches only the protocol the service actually uses.
  3. Make sure that Action is set to Allow and leave the rest of the NSG rule settings unchanged. Note that narrowing the destination port does not narrow the Source; if Source is Any, consider restricting it separately to the address ranges that need access.
  4. Click Save to apply the changes.

09 Repeat steps no. 7 and 8 for each NSG rule that allows inbound traffic on a wide range of ports, created for the selected security group.

10 Repeat steps no. 5 – 9 for each non-compliant network security group available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

01 Run the network nsg rule update command (Windows/macOS/Linux) using the name of the network security group (NSG) rule that you want to reconfigure, its NSG and its resource group as identifier parameters (see Audit section part II to identify the right rule), to restrict inbound access to specific ports only by setting the --destination-port-ranges parameter to the port(s) on which inbound traffic will be allowed by the selected NSG rule. You can specify a single value or a space-separated list of values, as shown in the example below; the other rule attributes (source, destination, priority) are left unchanged unless you pass them explicitly:

az network nsg rule update --name cc-web-inbound-access --nsg-name cc-prod-endpoint-nsg --resource-group cloud-shell-storage-westeurope --access Allow --protocol Tcp --destination-port-ranges 80 443 --description "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)"

02 The command output should return the metadata for the reconfigured Azure NSG rule:

{
  "access": "Allow",
  "description": "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)",
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": null,
  "destinationPortRanges": [
    "80",
    "443"
  ],
  "direction": "Inbound",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
  "name": "cc-web-inbound-access",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat steps no. 1 and 2 for each NSG rule that allows inbound traffic on a wide range of ports, defined for the selected security group.

04 Repeat steps no. 1 – 3 for each non-compliant network security group (NSG) available in the selected Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created within your Microsoft Azure cloud account.
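The manual check in Audit part II and the rule update in Remediation part II can be scripted over the JSON that az network nsg rule list returns. The following Python is an added example written for this page, not Conformity's own code or anything from the Azure CLI. It runs on a constructed, trimmed sample of rule output (not real CLI output); the NSG name, resource group and the port set (80 and 443) passed to the remediation helper are assumptions for illustration. It applies the same criteria as the audit text: only custom (priority below 65000) inbound Allow rules count, a spec is a range when it is "*" or "low-high" with low below high, and both destinationPortRange and destinationPortRanges are inspected.

```python
import json
import re
import shlex

# Constructed sample, not real CLI output: a trimmed `az network nsg rule list`
# result for a hypothetical NSG. Only the fields the check needs are kept.
SAMPLE_RULES_JSON = """
[
  {"name": "cc-web-inbound-access", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "0-65535",
   "destinationPortRanges": []},
  {"name": "cc-ssh-from-bastion", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22",
   "destinationPortRanges": []},
  {"name": "cc-app-ports", "priority": 120, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": null,
   "destinationPortRanges": ["443", "8000-8999"]},
  {"name": "cc-deny-db-range", "priority": 200, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "1433-3306",
   "destinationPortRanges": []},
  {"name": "cc-egress-any", "priority": 130, "direction": "Outbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*",
   "destinationPortRanges": []},
  {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*",
   "destinationPortRanges": []}
]
"""

PORT_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def port_specs(rule):
    """Collect a rule's destination port specs. The CLI populates either
    destinationPortRange (one string) or destinationPortRanges (a list)."""
    single = rule.get("destinationPortRange")
    multi = rule.get("destinationPortRanges") or []
    return ([single] if single else []) + list(multi)


def is_port_range(spec):
    """True if the spec opens more than one port: '*' (any port) or 'low-high'
    with low < high. A single port, or a degenerate 'n-n', is not a range."""
    spec = spec.strip()
    if spec == "*":
        return True
    match = PORT_RANGE_RE.match(spec)
    if not match:
        return False
    low, high = int(match.group(1)), int(match.group(2))
    return low < high


def find_wide_allow_rules(rules):
    """Return [(rule name, offending specs)] for custom inbound Allow rules that
    open a port range. Deny and outbound rules are out of scope, and the default
    rules (priority 65000 and above) are skipped because they cannot be edited."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if int(rule.get("priority", 0)) >= 65000:
            continue
        offending = [spec for spec in port_specs(rule) if is_port_range(spec)]
        if offending:
            findings.append((rule["name"], offending))
    return findings


def remediation_command(nsg_name, resource_group, rule_name, allowed_ports):
    """Build the `az network nsg rule update` invocation that narrows the rule
    to the given single ports. Which ports a workload needs is an input here;
    it cannot be inferred from the rule itself."""
    ports = [int(p) for p in allowed_ports]
    if not ports or any(p < 0 or p > 65535 for p in ports):
        raise ValueError(f"invalid port list: {allowed_ports}")
    args = ["az", "network", "nsg", "rule", "update",
            "--name", rule_name, "--nsg-name", nsg_name,
            "--resource-group", resource_group,
            "--destination-port-ranges", *[str(p) for p in ports]]
    return " ".join(shlex.quote(a) for a in args)


def audit(rules_json):
    """Parse the JSON returned by `az network nsg rule list -o json` and audit it."""
    return find_wide_allow_rules(json.loads(rules_json))


if __name__ == "__main__":
    # Hypothetical NSG and resource group names, and an assumed web-server port set.
    for name, specs in audit(SAMPLE_RULES_JSON):
        print(f"{name}: allows inbound traffic on port range(s) {specs}")
        print("  " + remediation_command("cc-prod-endpoint-nsg",
                                         "cloud-shell-storage-westeurope",
                                         name, [80, 443]))
```

Run against the sample it reports cc-web-inbound-access (0-65535) and cc-app-ports (8000-8999) and prints the update command for each; cc-ssh-from-bastion, the Deny rule, the outbound rule and the default AllowVnetInBound rule are not flagged. To use it on a real subscription, feed it the output of the step 5 command without the JMESPath filter (the script applies the same Inbound/Allow filter itself) and replace the assumed port list with the ports each workload actually serves.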


Publication date Jul 8, 2020
