If you price the Firewall service with the Azure pricing calculator,

it is very expensive.

It seems to be in the class that should be reviewed the same way an on-premises firewall appliance purchase would be reviewed.

When starting Azure services small,

the basic inbound/outbound deny/allow functions can probably be covered with NSG alone.

NSG vs. Firewall

|             | NSG                                                 | Firewall                                                         |
|-------------|-----------------------------------------------------|------------------------------------------------------------------|
| Usage       | Required                                            | Optional                                                         |
| Control     | Inbound and outbound control at the IP/port level   | Outbound control of traffic by port, protocol and FQDN           |
| Stateful    |                                                     | Stateful firewall                                                |
| Operations  |                                                     | High-availability support, integration with Azure Monitor        |
| Billing     |                                                     | Instance-based billing, plus bandwidth                           |

In addition, the Firewall offers:

1) Threat-intelligence-based filtering

2) Service tag filtering

Pricing from the Azure calculator:

Service charge: ₩32,614.85/month

Data processing charge: ₩33.74/GB

99.95% SLA

Billing is per hour, but since switching the firewall on and off makes no sense, just assume 744 hours (a full month).

Where Azure Firewall falls short of a next-generation firewall (see the feature comparison below):

URL filtering: based on whitelisted FQDN only

Policy-based identification and control over thousands of applications: web apps only, based on whitelisted FQDN

VM-Series on Azure

A third-party vendor firewall product such as Palo Alto's, deployed as an Azure VM.

https://docs.paloaltonetworks.com/vm-series/8-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/about-the-vm-series-firewall-on-azure/vm-series-firewall-templates-on-azure.html#

| Feature | VM-Series on Azure | Azure Network Security Groups | Azure Firewall |
|---------|--------------------|-------------------------------|----------------|
| General Features | | | |
| IP/Port/Protocol-based security | X | X | X |
| Port ranges used within policy | X | X | X |
| Source and/or destination within policy | X | X | X |
| CIDR-based rules | X | X | X |
| ACL-like features within a policy | X | X | X |
| Security applied after traffic enters Resource Group | X | X | X |
| Drop vs. deny distinction within a policy | X | | |
| Next-Generation Firewall Features | | | |
| Policy-based identification and control over thousands of applications; create custom applications; manage unknown traffic based on policy | X | | Web apps only, based on whitelisted FQDN |
| Policy-based, bi-directional SSL decryption and inspection; per-policy SSH control | X | | |
| Bi-directional control of traffic based on country or geographic region | X | | |
| QoS: policy-based traffic shaping (priority, guaranteed, maximum) per application, per user, per tunnel, based on DSCP classification | X | | |
| Zone-based network segmentation and protection | X | | |
| TCP protocol validation, ensuring that the standard three-way handshake is valid | X | | |
| Additional Features | | | |
| Threat Prevention: prevent known threats (vulnerability exploits, malware and botnets), block polymorphic malware | X | | |
| Advanced Malware Protection (WildFire®): detect potential malware, detonate, analyze and automatically deliver protections | X | | |
| URL Filtering: control access to web resources based on category and/or specific URL; prevent access to known malicious sites and credential phishing sites | X | | Based on whitelisted FQDN only |
| File and Data Filtering: bi-directional control over unauthorized file and data transfer | X | | |
| Contextual Threat Intelligence (AutoFocus™): context around attacks, adversaries and campaigns, including targeted industries | X | | |
| Policy Automation: tagging to automate policy updates, ingest third-party data directly into policy | X | | |
| Centralized Management and Visibility: single pane of glass delivers aggregated logging and event correlation; actionable insight into traffic and threats | X | | |
| Mobile Security (GlobalProtect™): extend policy to remote users and devices | X | | |
| Integration with Azure Security Command Center: gain more complete visibility into Azure account security status | X | X | X |
| Scale Out Architectures: integration with load balancing for scalability and availability | X | X | X |

Configuration details

1. Network rules

Policies can be created per source IP/port, protocol and destination IP/port.
DNS requests (port 53) and the like can also be blocked or allowed.

2. Application rules

Block outbound access to specific websites

(e.g. GitHub, Twitter)

Blocks access from a subnet to the FQDN.

Outbound blocking at layer 7 is possible, as shown below.
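The two choices discussed on this page, an NSG for the "start small" case and an Azure Firewall with a layer-4 network rule (DNS on port 53) plus a layer-7 application rule (outbound block of GitHub/Twitter by FQDN), written out as one Bicep template. This is an added example, not a template from the original post or from Microsoft; the resource names, the workload CIDR, the subnet and public IP parameters and the FQDN list are assumed placeholders.

```bicep
// Added example (not from the original post). NSG for basic 5-tuple
// allow/deny, then Azure Firewall with one network rule collection (L4)
// and one application rule collection (L7). Names/CIDRs are assumed.

param location string = resourceGroup().location
param workloadSubnetCidr string = '10.0.1.0/24' // assumed workload subnet
param firewallSubnetId string                     // subnet must be named 'AzureFirewallSubnet'
param firewallPublicIpId string                   // Standard-SKU static public IP

// NSG: inbound/outbound control at IP/port/protocol level (the "start small" option).
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-workload'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-in'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: workloadSubnetCidr
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-mgmt-in' // explicit deny of SSH/RDP from the Internet
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: workloadSubnetCidr
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}

// Azure Firewall: network rules (L4) and application rules (L7, FQDN-based).
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny' // threat-intelligence-based filtering, block mode
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: firewallSubnetId }
          publicIPAddress: { id: firewallPublicIpId }
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'net-allow-dns' // 1. network rule: source/protocol/destination/port
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            {
              name: 'dns-to-azure-resolver'
              protocols: [ 'UDP', 'TCP' ]
              sourceAddresses: [ workloadSubnetCidr ]
              destinationAddresses: [ '168.63.129.16' ] // Azure-provided DNS
              destinationPorts: [ '53' ]
            }
          ]
        }
      }
    ]
    applicationRuleCollections: [
      {
        name: 'app-deny-social' // 2. application rule: block outbound by FQDN
        properties: {
          priority: 100
          action: { type: 'Deny' }
          rules: [
            {
              name: 'block-github-twitter'
              sourceAddresses: [ workloadSubnetCidr ]
              protocols: [
                { protocolType: 'Https', port: 443 }
                { protocolType: 'Http', port: 80 }
              ]
              targetFqdns: [ 'github.com', '*.github.com', 'twitter.com', '*.twitter.com' ]
            }
          ]
        }
      }
    ]
  }
}
```

Two things to keep in mind when reading the firewall part: Azure Firewall denies any traffic that no rule explicitly allows, so the Deny collection above documents intent but only matters once an Allow collection exists for the FQDNs the subnet is permitted to reach; and network rule collections are evaluated before application rule collections, so the DNS traffic matched at layer 4 never reaches the FQDN logic.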
