WEBVTT

00:00:02.680 --> 00:00:07.900
When it comes to security, obviously network security is a key component

00:00:07.900 --> 00:00:13.480
of that. As it turns out, an awful lot of organizations happen to already

00:00:13.480 --> 00:00:16.640
have some investment in network security.

00:00:16.640 --> 00:00:20.840
They've got firewalls, you've got firewalls, you've got all kinds of network

00:00:20.840 --> 00:00:24.740
appliances. Well, in this video, we're going to take a look at how you

00:00:24.740 --> 00:00:29.560
can integrate many of those network appliances into the Azure environment,

00:00:29.560 --> 00:00:33.360
and I'm going to demonstrate one of them, which is pfSense.

00:00:33.360 --> 00:00:37.980
Now, in this video, we're going to take a look at some of the vendor firewalls

00:00:37.980 --> 00:00:38.780
that are available.

00:00:38.780 --> 00:00:43.280
We'll take a quick look and think about secure network topologies, and

00:00:43.280 --> 00:00:48.640
then I'm just going to demonstrate the implementation of a firewall, in

00:00:48.640 --> 00:00:50.960
this case, a pfSense firewall.

00:00:50.960 --> 00:00:54.220
The story on firewalls is really pretty simple.

00:00:54.220 --> 00:01:00.380
That if you are using a firewall from a major security vendor, there's

00:01:00.380 --> 00:01:05.800
a really good chance that that firewall is going to exist in Azure as

00:01:05.800 --> 00:01:07.520
a network virtual appliance.

00:01:07.520 --> 00:01:13.320
Now, I say firewall, but the truth is, it's beyond firewalls; there are many different

00:01:13.320 --> 00:01:17.800
types of network appliances, for example, gateway appliances.

00:01:17.800 --> 00:01:19.900
You can install those as well.

00:01:19.900 --> 00:01:23.860
And here you can see just a smattering, I don't think I've ever used

00:01:23.860 --> 00:01:28.400
that word in a video before, but a smattering of the different firewalls

00:01:28.400 --> 00:01:30.560
that are available to you.

00:01:30.560 --> 00:01:35.640
And I literally kind of put that together from the marketplace to just

00:01:35.640 --> 00:01:42.360
give a feel. We've got Fortinet, we've got ThreatSTOP, FortiWeb, CloudGuard,

00:01:42.360 --> 00:01:46.440
Sophos, FortiGate, and Palo Alto.

00:01:46.440 --> 00:01:52.120
And there's many more: Cisco, F5, tons of different vendors that are out

00:01:52.120 --> 00:01:55.500
there that provide firewall solutions.

00:01:55.500 --> 00:02:00.380
In fact, there's over 20 templates and 45 specific virtual machine images

00:02:00.380 --> 00:02:03.580
that are vendor-supplied firewalls.

00:02:03.580 --> 00:02:08.760
Now, when you think about a vendor-supplied firewall, think about the

00:02:08.760 --> 00:02:11.580
idea of a secured network topology.

00:02:11.580 --> 00:02:15.180
So let's say you've got a virtual network and you've got an internal subnet

00:02:15.180 --> 00:02:17.880
and you've got some virtual machines on the internal subnet, but you want

00:02:17.880 --> 00:02:24.380
to set up a firewall or a reverse proxy, right?

00:02:24.380 --> 00:02:26.880
Well, you can really pretty easily do that.

00:02:26.880 --> 00:02:31.980
You just add an edge subnet, you put in a virtual machine that's running

00:02:31.980 --> 00:02:36.680
your virtual appliance, typically installed from the marketplace, and

00:02:36.680 --> 00:02:40.500
then you just set it up and let it run.

00:02:40.500 --> 00:02:42.880
It's really a fairly simple process.

00:02:42.880 --> 00:02:46.140
You can set these up with single network interfaces.

00:02:46.140 --> 00:02:48.580
You can set them up with dual network interfaces.

00:02:48.580 --> 00:02:53.920
Configuration thereof will really depend on the actual virtual machine,

00:02:53.920 --> 00:02:58.300
the virtual appliance that you are, in fact, setting up.

00:02:58.300 --> 00:03:02.260
Now, one thing to keep in mind is that when you're doing this, even if

00:03:02.260 --> 00:03:07.880
you don't have public endpoints for your back-end virtual machines, you

00:03:07.880 --> 00:03:12.780
still want to set up NSGs, network security groups, and really control

00:03:12.780 --> 00:03:16.760
the access to those virtual machines.

00:03:16.760 --> 00:03:20.400
You should also never rely on a single layer of protection.

00:03:20.400 --> 00:03:24.360
You should also set up the guest OS firewall within those virtual machines.

00:03:24.360 --> 00:03:31.700
So you have a multi-layered defense-in-depth architecture for your solution,

00:03:31.700 --> 00:03:36.800
but really the overall network architecture is pretty simple.

00:03:36.800 --> 00:03:38.140
And typically that's what you'll have.

00:03:38.140 --> 00:03:44.240
You'll have a couple of, at least a couple of subnets, different NSGs,

00:03:44.240 --> 00:03:48.520
no external direct access to the internal subnet, and controlled access

00:03:48.520 --> 00:03:52.520
to the subnet where you've got your appliance, your firewall, your reverse

00:03:52.520 --> 00:03:56.000
proxy, or frankly, whatever else you're going to use it for.

00:03:56.000 --> 00:04:00.620
And what I want to do is I want to demonstrate this using pfSense.

00:04:00.620 --> 00:04:07.460
pfSense is a fairly common open source firewall solution, and there is

00:04:07.460 --> 00:04:13.340
a solution that is in the Azure marketplace that will let you deploy this

00:04:13.340 --> 00:04:17.900
firewall. And I've already got the system completely set up because it

00:04:17.900 --> 00:04:22.220
takes a while to actually configure the entire process, and that would

00:04:22.220 --> 00:04:23.820
be a really boring demonstration.

00:04:23.820 --> 00:04:27.400
But I'm going to walk through all of the steps that I went through to

00:04:27.400 --> 00:04:31.020
get to the final demonstration of this.

00:04:31.020 --> 00:04:40.080
So let's go ahead and let's take a look at setting up a vendor network

00:04:40.080 --> 00:04:42.140
virtual appliance.

00:04:42.140 --> 00:04:50.820
Okay, so I've got my Azure dashboard here, and I've already deployed this

00:04:50.820 --> 00:04:59.980
topology. Now, I actually deployed this topology using a template so I

00:04:59.980 --> 00:05:01.080
could deploy it again.

00:05:01.080 --> 00:05:04.840
One thing: if you are going to deploy via a template and you're going

00:05:04.840 --> 00:05:10.640
to deploy one of these virtual network appliances, I have to say it the

00:05:10.640 --> 00:05:12.560
way that Microsoft tends to say it.

00:05:12.560 --> 00:05:17.120
But if you're going to deploy one of them from a vendor, then it's almost

00:05:17.120 --> 00:05:18.440
certainly a marketplace image.

00:05:18.440 --> 00:05:23.300
And if you want to do it via a template, or if you want to do it via other

00:05:23.300 --> 00:05:26.080
programmatic means, you have to take a few extra steps.

00:05:26.080 --> 00:05:31.280
You have to allow programmatic access from your subscription to that particular

00:05:31.280 --> 00:05:35.060
marketplace solution.

00:05:35.060 --> 00:05:40.360
And if you're deploying via a template, you actually have to add some

00:05:40.360 --> 00:05:44.060
additional configuration to your template itself.

00:05:44.060 --> 00:05:47.500
There's a plan element that needs to be added to your template.

00:05:47.500 --> 00:05:53.880
That is, I will tell you, not terribly well documented, but even though

00:05:53.880 --> 00:05:58.480
I did deploy this via a template, with the arrangement I ended up going

00:05:58.480 --> 00:06:00.280
with, I didn't really need to.

00:06:00.280 --> 00:06:07.400
I could have deployed the whole thing from the portal.

00:06:07.400 --> 00:06:10.300
All right. So let's see what we have here.

00:06:10.300 --> 00:06:12.960
All right, you notice we've got three subnets.

00:06:12.960 --> 00:06:14.980
I've got a private subnet, a public subnet.

00:06:14.980 --> 00:06:19.140
I have a bastion subnet because I needed to go in and do some things.

00:06:19.140 --> 00:06:26.420
On the private subnet, I've got a machine, one machine here, my web server.

00:06:26.420 --> 00:06:29.400
It has a NIC and there is an NSG.

00:06:29.400 --> 00:06:33.920
On the public subnet, there is a different NSG.

00:06:33.920 --> 00:06:39.920
And I have my vendor firewall, which is again a pfSense firewall, Netgate

00:06:39.920 --> 00:06:43.200
pfSense. And I do have a public IP address.

00:06:43.200 --> 00:06:45.020
I have no public IP address on my web server.

00:06:45.020 --> 00:06:48.280
The web server is just running a very simple web service that just returns

00:06:48.280 --> 00:06:53.260
the name of the web server itself, just to make sure that we have connectivity.

00:06:53.260 --> 00:06:56.840
All right. This is the overall architecture.

00:06:56.840 --> 00:07:02.940
Let's take a look at my actual network security groups.

00:07:02.940 --> 00:07:04.760
So here I've got a network security group.

00:07:04.760 --> 00:07:07.240
This is my public network security group.

00:07:07.240 --> 00:07:11.940
And the outbound is the same as it would be.

00:07:11.940 --> 00:07:14.520
All right. The inbound.

00:07:14.520 --> 00:07:18.940
I've got, really, in addition to the standard rules, the built-in system

00:07:18.940 --> 00:07:20.120
rules, I've got three.

00:07:20.120 --> 00:07:23.520
I'm allowing port 8080 because that is actually the port I'm going to

00:07:23.520 --> 00:07:25.240
use for my reverse proxy.

00:07:25.240 --> 00:07:28.480
And I'm also allowing HTTPS and HTTP.

00:07:28.480 --> 00:07:35.600
Now, normally I would not allow these into my firewall unless I was, you

00:07:35.600 --> 00:07:38.620
know, you really needed external connectivity to that.

00:07:38.620 --> 00:07:42.840
But in this case, it just made it easier because the interface for configuring

00:07:42.840 --> 00:07:45.400
the firewall is on 443.

00:07:45.400 --> 00:07:50.020
And if I forgot and I just typed it in without putting in HTTPS, it would

00:07:50.020 --> 00:07:53.300
automatically redirect me to the HTTPS.

00:07:53.300 --> 00:07:57.860
So those two are simply me being lazy for configuration.

00:07:57.860 --> 00:08:01.820
I could take them out, but I thought, full disclosure, I'd leave them there.

00:08:01.820 --> 00:08:06.540
All right. So that is the public NSG.

00:08:06.540 --> 00:08:14.320
And if I look at the private NSG, this is a standard NSG, right?

00:08:14.320 --> 00:08:17.740
These are the rules that come, essentially.

00:08:17.740 --> 00:08:22.740
There's no direct external access to anything on this subnet.

00:08:22.740 --> 00:08:27.140
And the virtual machine itself also doesn't have a public IP address.

00:08:27.140 --> 00:08:30.540
So I've got the virtual machine, really the network connectivity to that

00:08:30.540 --> 00:08:34.100
virtual machine, fairly well locked down.

00:08:34.100 --> 00:08:44.660
All right. Now, if I go back here and if I go to my firewall, I'm going

00:08:44.660 --> 00:08:48.500
to go to my firewall and I'm going to go to the public IP address of my

00:08:48.500 --> 00:08:58.260
firewall. Now, this firewall, as I mentioned, is a pfSense firewall.

00:08:58.260 --> 00:09:02.540
I have already configured the pfSense firewall.

00:09:02.540 --> 00:09:08.220
This, in this case, only has one NIC, one network interface.

00:09:08.220 --> 00:09:10.080
And I've got everything going through that.

00:09:10.080 --> 00:09:14.800
If this were production, I would likely have a WAN and a LAN, two different

00:09:14.800 --> 00:09:16.800
network interfaces.

00:09:16.800 --> 00:09:19.900
And by the way, if you are going to install it with multiple interfaces,

00:09:19.900 --> 00:09:22.460
you should do that from a template.

00:09:22.460 --> 00:09:24.920
And then I've got my firewall.

00:09:24.920 --> 00:09:30.780
And if I look at my firewall rules, I've got fairly standard firewall

00:09:30.780 --> 00:09:35.340
rules. Really, the big one here is I've got 8080 added in.

00:09:35.340 --> 00:09:38.900
Okay. So any traffic, I'm just letting it straight through.

00:09:38.900 --> 00:09:43.340
Now, I will also tell you I could have locked this down further, but wanted

00:09:43.340 --> 00:09:46.360
to make my life as easy as possible.

00:09:46.360 --> 00:09:50.840
So I've got this port 8080 that I'm allowing in here.

00:09:50.840 --> 00:09:57.760
And I also installed a reverse proxy server for this pfSense firewall

00:09:57.760 --> 00:10:01.400
called HAProxy. And I have it set up.

00:10:01.400 --> 00:10:05.960
So I've got a front end that is listening for port 8080 and it sends any

00:10:05.960 --> 00:10:11.060
traffic on port 8080 over to a back end, the web server.

00:10:11.060 --> 00:10:18.860
And my back end web server is actually 10.10.0.5.

00:10:18.860 --> 00:10:23.360
That's the local IP address of that web server.

00:10:23.360 --> 00:10:25.200
All right. So that's all cool.

00:10:25.200 --> 00:10:26.440
What does this do for me?

00:10:26.440 --> 00:10:32.020
Well, if I go back, and this is going to be anti-climactic, but I have

00:10:32.020 --> 00:10:34.780
that entire architecture set up.

00:10:34.780 --> 00:10:36.160
I've got a single virtual network.

00:10:36.160 --> 00:10:41.420
I've got two different subnets with different NSGs.

00:10:41.420 --> 00:10:49.720
My router, my firewall, pfSense, is in the public subnet.

00:10:49.720 --> 00:10:54.100
So it's going to allow traffic coming in on port 8080 particularly.

00:10:54.100 --> 00:10:58.440
And I've got a reverse proxy set up on there, that HAProxy.

00:10:58.440 --> 00:11:05.320
So that anything coming on 8080 into the firewall is actually going to

00:11:05.320 --> 00:11:09.960
be proxied back to the virtual machine on port 80, to the web server virtual

00:11:09.960 --> 00:11:12.620
machine. So how does all this go?

00:11:12.620 --> 00:11:16.940
Again, this will be a little bit anti-climactic, hopefully.

00:11:16.940 --> 00:11:29.960
I'm going to go HTTP, put in that IP address, and go to 8080.

00:11:29.960 --> 00:11:36.180
And I get a service unavailable. Outstanding.

00:11:36.180 --> 00:11:39.320
All right. Let's try this one more time.

00:11:39.320 --> 00:11:49.160
All right. Most likely what has happened is my web server went down.

00:11:49.160 --> 00:11:57.080
So I am going to come back here.

00:11:57.080 --> 00:12:00.060
And go back to my diagram.

00:12:00.060 --> 00:12:03.820
All right. And when I come back, that web server will be working.

00:12:03.820 --> 00:12:11.100
Okay. We're back. That little bit of magical delay that you won't really

00:12:11.100 --> 00:12:14.760
see is brought to you by the fact that the web server itself is a very

00:12:14.760 --> 00:12:19.600
simple Python web server that doesn't have a whole lot of stability, and

00:12:19.600 --> 00:12:25.660
it crashed. Nothing to do with the actual firewall itself.

00:12:25.660 --> 00:12:26.780
So let's try this again.

00:12:26.780 --> 00:12:30.600
We got a copy of that public address again.

00:12:30.600 --> 00:12:39.380
And there we go.

00:12:39.380 --> 00:12:42.840
Very not exciting, except for the fact that you saw the one that didn't

00:12:42.840 --> 00:12:46.780
work before. And now it's working, which is great.

00:12:46.780 --> 00:12:48.540
Okay. And that is it.

00:12:48.540 --> 00:12:50.460
That's the full payout for that.

00:12:50.460 --> 00:12:54.960
What you're doing, what I'm doing, is I'm going through the firewall, right?

00:12:54.960 --> 00:12:58.140
I'm connecting to the public IP address of the firewall.

00:12:58.140 --> 00:13:02.680
It is reverse proxying that request over to the web server, and then the

00:13:02.680 --> 00:13:07.140
web server is sending the response back to the firewall, which is then sending

00:13:07.140 --> 00:13:09.980
that very complex response back to me.

00:13:09.980 --> 00:13:15.420
All right. So really the takeaway from this video is that, you know,

00:13:15.420 --> 00:13:19.880
if you're using an appliance, whether it's a virtual appliance or a physical

00:13:19.880 --> 00:13:20.440
appliance, you know, you're using an appliance

00:13:20.440 --> 00:13:23.620
from a major vendor on-premises right now,

00:13:23.620 --> 00:13:26.200
and that's where you have your security geared towards,

00:13:26.200 --> 00:13:31.340
there's a really good chance that you can find a virtual version of that

00:13:31.340 --> 00:13:36.880
in the Azure environment and continue to secure your Azure network the

00:13:36.880 --> 00:13:38.680
same way you secure your on-premises network.