Exercise 4: Securing the network
In this exercise, attendees will utilize Network Security Groups to ensure that virtual machines are segregated from other Azure hosted services and then explore the usage of the Network Packet Capture feature of Azure to actively monitor traffic between networks.
- In the Azure Portal, select Virtual Machines.
- Select paw-1, then select Connect. In the dialog, select Download RDP file Anyway. Open the downloaded RDP file and connect to the Virtual Machine.Note: Default username is wsadmin with p@ssword1rocks as password and you may need to request JIT Access if you have taken a break between exercises.
- In the PAW-1 virtual machine, open PowerShell ISE as administrator.
- Run the following command:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
- In the popup, click Yes.
- Select File->Open, browse to the extracted GitHub directory and open the \Hands-on lab\Scripts \PortScanner.ps1.Note: You would have downloaded the GitHub repo and extracted this in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.
- Review the script. It does the following:a. Installs NotePad++b. Adds hosts entries for DNSNote: When using multiple virtual networks, you must setup a DNS server in the Azure tenant.c. Executes port scans
- Run the script, and press F5. You should see the following (the Azure ARM Template created a default rule to block all traffic):a. Port scan for port 3389 (RDP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine.b. The information above for port 3389 (RDP) is visible after running the script and pressing F5.c. Port scan for port 1433 (SQL) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine. DB-1 is running SQL Server but traffic is blocked at NSG and via the Windows Firewall.d. Port scan for port 80 (HTTP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine, if traffic was allowed, it would always fail to DB-1 because it is not running IIS or any other web server.
- Switch to the Azure Portal.
- Configure the database server to only allow SQL Connections from the web server:a. Select Network Security Groups.b. Select DbTrafficOnly.c. Select Inbound Security Rules.d. Select +Add.e. For the Source, select IP Addresses.f. For the Source IP address, enter 10.2.0.4.g. For the Destination port range, enter 1433.h. For the Priority, enter 100.i. For the Name, enter Port_1433.g. Select Add.
- Configure the web server to allow all HTTP and HTTPS connections:a. Select Network Security Groups.b. Select WebTrafficOnly.c. Select Inbound Security Rules.d. Select +Add.e. For the Destination port range, enter 80,443.f. For the Priority, enter 100.g. Change the Name to Port_80_443.h. Select Add.Note: In some rare cases it may take up to 15 minutes for your Network Security Group to change is status from Updating. You won’t be able to add any other rules until it completes.
- Configure both the database and web server to only allow RDP connections from the PAW machine:a. Select Network Security Groups. For both the DbTrafficOnly and WebTrafficOnly, do the following:
- Select Inbound Security Rules.
- Select +Add.
- For the Source, select IP Addresses.
- For the Source IP address, enter 10.0.0.4.
- For the Destination port range, enter 3389.
- For the Priority, enter 101.
- For the Name, enter Port_3389.
- Select Add.
- Configure all NSGs to have Diagnostic logs enabled.a. Select Network security groups. For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:
- In the content menu, select Diagnostic logs, and then select Turn on diagnostics.
- For the name, enter the NSG name and then add Logging to the end.
- Check the Send to Log Analytics checkbox, in the Log Analytics box, select Configure.
- Select the azsecuritylogging workspace.
- Select both LOG checkboxes.
- Select Save.
- Repeat for all remaining Network Security Groups
- Switch back to the PAW-1 virtual machine.
- Run the script, press F5, and you should see the following:a. Port scan for port 3389 (RDP) to DB-1 and WEB-1 is successful from the PAW-1 machine.b. Port scan for port 1433 (SQL) to DB-1 is successful, and WEB-1 is unsuccessful from the PAW-1 machine.
Note: You may need to disable the windows firewall on the DB-1 server to achieve this result.
c. If IIS has been setup on WEB-1, the port scan for port 80 (HTTP) to DB-1 is unsuccessful and WEB-1 is successful from the PAW-1 machine
- Switch to the Azure Portal.
- Select Virtual Machines.
- Select db-1.
- In the blade menu, select Extensions, then select +Add.
- Browse to the Network Watcher Agent for Windows, and select it.
- Select Create.
- In the next Install extension dialog window (note that it could be blank) select OK. You should see a toast notification about the script extension being installed into the Virtual Machine.
- In the main Azure Portal menu, select Monitor.
- In the context menu, select Network.
- Select the Overview link.
- Expand the subscription region item.
- For the East US region (or whatever region you deployed your VMs too), select the ellipses, then select Enable Network Watcher.
- In the new context menu, select Packet capture.
- Select +Add.
- For the target virtual machine, ensure that db-1 is selected.
- For the capture name, enter databasetraffic.
- Notice the ability to save the capture file to the local machine or an Azure storage account. Ensure that the resource group storage account is selected.
- For the values, enter the following:
- Maximum bytes per packet: 0
- Maximum bytes per session: 1073741824
- Time limit: 600
- Select OK.
- Switch your Remote Desktop connection to the PAW-1 virtual machine.
- Uncomment the last line of the script, and press F5.
Note: You should see the basic ports scanned, and then a port scan from 80 to 443. This will generate many security center logs for the Network Security Group which will be used in the Custom Alert in the next exercise.