Yesterday Microsoft released into public preview the Premium SKU of Azure Firewall, its managed PaaS-based firewall service in Azure. Since I first wrote about Azure Firewall and some of the features I found lacking, there have been a lot of enhancements (here is the original article –> Current limitations with Azure Firewall | Marius Sandbu (msandbu.org)).
As part of the Premium SKU, Microsoft introduced some new capabilities which have not been part of the Standard SKU:
NOTE: During the preview, Premium is billed at 50% of what it will normally cost. That means that Azure Firewall Premium is roughly 40% more expensive than the Standard SKU. More info and pricing here –> Pricing – Azure Firewall | Microsoft Azure
- Transport Layer Security (TLS) Inspection: Azure Firewall Premium decrypts outbound traffic, performs the required value-added security functions and re-encrypts the traffic before sending it on to the original destination. It does this with an intermediate CA certificate stored in Azure Key Vault, which the firewall reads using a Managed Identity; for each inspected destination the firewall generates a server certificate signed by that CA, so the CA must be trusted by the clients behind the firewall or they will get certificate errors. It should be noted that this does not support QUIC (which is UDP based) and only applies to HTTPS on TCP port 443. There is still no clear indication of whether this also covers TLS 1.3.
- Intrusion Detection and Prevention System (IDPS): Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. The documentation is currently lacking in terms of which signatures are available (I have asked for more feedback on the documentation page). One thing to note is that IDPS can detect attacks on all ports and protocols for unencrypted traffic. For HTTPS traffic, Azure Firewall relies on the TLS inspection capability to decrypt the traffic first; without it the IDPS engine only sees the encrypted payload.
- Web Categories: Allows administrators to allow or deny user access to the Internet based on categories (e.g. social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs. Azure Firewall Standard also has this capability, but categorizes on FQDN only; Premium can categorize on the full URL once the traffic is decrypted.
- URL Filtering: Allows you to allow or deny access to specific URLs, not just FQDNs, for both plain-text and encrypted traffic, typically used in conjunction with web categories. For encrypted traffic this depends on TLS inspection, since without decryption the firewall only sees the hostname and not the URL path.
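To show how these Premium features fit together as code, here is a Bicep firewall policy that enables TLS inspection (CA certificate from Key Vault, read via a user-assigned identity), IDPS in alert mode, and an application rule that denies a web category over decrypted HTTPS. This is an added example written for this post, not code from Microsoft or from the original article. The property names follow the Microsoft.Network/firewallPolicies ARM schema; the API version, resource names, the identity resource ID, the Key Vault secret ID and the source address range are all placeholders and assumptions.

```bicep
// Added example: Azure Firewall Premium policy with TLS inspection, IDPS and
// a web-category deny rule. Names, IDs and address ranges are placeholders.
param location string = resourceGroup().location

// Resource ID of a user-assigned managed identity that has been granted
// 'get' on secrets in the Key Vault holding the intermediate CA (assumption).
param identityId string

// Key Vault secret ID of the intermediate CA certificate (PFX) used to
// sign the per-destination certificates the firewall presents to clients.
param caSecretId string

// Address range of the clients whose traffic is inspected (placeholder).
param clientRange string = '10.0.0.0/16'

resource policy 'Microsoft.Network/firewallPolicies@2020-11-01' = {
  name: 'fwpolicy-premium-example'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}
    }
  }
  properties: {
    // TLS inspection and IDPS are Premium-only; a Premium policy can only be
    // attached to a firewall deployed with the Premium SKU.
    sku: {
      tier: 'Premium'
    }
    transportSecurity: {
      certificateAuthority: {
        name: 'tls-inspection-ca'
        keyVaultSecretId: caSecretId
      }
    }
    intrusionDetection: {
      // 'Alert' logs signature hits; switch to 'Deny' to block them.
      mode: 'Alert'
    }
  }
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2020-11-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-web-categories'
        priority: 100
        action: {
          type: 'Deny'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-gambling'
            sourceAddresses: [
              clientRange
            ]
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            // Premium categorizes on the full URL only when the HTTPS session
            // is decrypted, hence terminateTLS on the rule.
            webCategories: [
              'Gambling'
            ]
            terminateTLS: true
          }
        ]
      }
    ]
  }
}

output policyId string = policy.id
```

The policy is deployed with `az deployment group create --template-file` (or any ARM pipeline) and then referenced from a Premium-tier `Microsoft.Network/azureFirewalls` resource, which is omitted here because it also needs the virtual network, the AzureFirewallSubnet and a public IP. Before enabling `terminateTLS` on production rules, distribute the intermediate CA to the client trust stores; a quick check from a client is to connect to any external HTTPS site and confirm the presented certificate chains to your Key Vault CA rather than to the site's public CA.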
Another big aspect that makes this even more attractive is that it is pre-certified for PCI DSS, which means we can also offer this service to customers handling credit card transactions.
How well does this compare with third-party firewall appliances?
Since my in-depth knowledge of firewall vendors such as Check Point/Palo Alto/Cisco and the like is limited, I just want to highlight some high-level impressions.
- Azure Firewall is a managed service which runs active/active and scales automatically depending on traffic flow, while a third-party NVA requires a more complex IaaS deployment and its throughput depends on the size of the virtual machines.
- Azure Firewall is fully managed through Azure Resource Manager. If your environment has adopted a cloud-based operating model and is automated, Azure Firewall lets you make changes and updates using the same code structure/framework. This also means that deployment is simpler compared to third-party appliances.
- Azure Firewall provides managed service tags for different Azure services, making it easy to update rules to allow/deny traffic to native Azure services.
- Much of the logic from the different firewall vendors is in the rule engines and the threat intelligence that is built in. However, I feel that Microsoft can provide a somewhat equal threat database using the Intelligent Security API.
- If the organization is using other supporting services such as Azure Monitor and Sentinel for SIEM/SOC, Azure Firewall makes more sense, since you can continue to build on existing knowledge to build dashboards and monitoring points.
However, if you have a hybrid environment with existing firewall vendors, where you have built up an existing set of rules across the environment, then I would highly recommend that you reuse the same firewall vendor in Azure, since it can make network and security operations easier if the intention is to keep that type of hybrid deployment for a while. Having multiple firewall providers makes it difficult to troubleshoot, and you would need to update rule sets in different places.
Still, it will be interesting to see when Microsoft updates the limits on Azure Firewall in terms of how much bandwidth the appliance can handle once TLS decryption and IDPS are enabled as well.