Workloads and applications are moving from a traditional data center to the public cloud as the public cloud provides an app-centric environment. Microsoft Azure offers critical features for application agility, faster deployment, scalability, and high availability using native cloud features. Microsoft Azure recommends tiered architecture for web applications, as this architecture separates various functions. There is the flexibility to make changes to each tier independent of another tier.
Figure1 shows a three-tier architecture for web applications. This architecture has a presentation layer (web tier), an application layer (app tier), and a database layer (database tier). Azure has a shared security model, i.e., the customers are still responsible for protecting workloads, applications, and data.
In addition to the native cloud security controls, Cisco recommends using security controls for visibility, segmentation, and threat protection.
Cisco recommends protecting workloads and applications using Cisco Validated Design (CVD) shown in figure 3. We focused on three-essential pillars (visibility, segmentation, and threat protection) of security validating this cloud security architecture.
This solution brings together a Cisco, Radware, and Azure to extend unmatched security for workloads hosted in the Azure environment.
- Visibility: Cisco Tetration, Cisco Stealthwatch Cloud, Cisco AMP for Endpoints, Cisco SecureX Threat Response, and Azure Network Security Group flow logs.
- Segmentation: Cisco Firepower Next-Generation Virtual Firewall (NGFWv), Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Tetration, Azure Network Security Group
- Threat Protection: Cisco Firepower Next-Generation Virtual Firewall (NGFWv), Cisco Tetration, Cisco AMP for Endpoints, Cisco Umbrella, Cisco SecureX Threat Response, Azure WAF, Azure DDoS, Radware WAF, and Radware DDoS.
In addition to visibility, segmentation, and threat protection, we also focused on Identity and Access Management using Cisco Duo.
Cisco security controls used in the Cisco Validated Design (Figure 3):
- Workload level
- Cisco Tetration: Cisco Tetration agent on Azure instances forwards “network flow and process information” this information essential for getting visibility and policy enforcement.
- Cisco AMP for Endpoints: Cisco AMP for Endpoints offers protection against Malware.
- VNet level
- Cisco Umbrella (VNet DNS settings): Cisco Umbrella cloud offers a way to configure and enforce DNS layer security and IP enforcement to workloads in the VNet.
- Cisco Stealthwatch Cloud (NSG flow logs): SWC consumes Azure NSG flow logs to provided unmatched cloud visibility. SWC includes compliance-related observations, and it provides visibility into your Azure VNet cloud infrastructure.
- Cisco Next-Generation Firewall Virtual (NGFWv): Cisco NGFWv provides capabilities like a stateful firewall, “application visibility and control”, next-generation IPS, URL-filtering, and network AMP in Azure.
- Cisco Adaptative Security Appliance Virtual (ASAv): Cisco ASAv provides a stateful firewall, network segmentation, and VPN capabilities in Azure VNet.
- Cisco Defense Orchestrator (CDO): CDO manages Cisco NGFWv and enables segmentation and threat protection.
- Cisco Duo: Cisco Duo provides MFA service for Azure console and applications running on the workloads.
- Unify Security View
- Cisco SecureX Threat Response: Cisco SecureX Threat Response has API driven integration with Umbrella, AMP for Endpoints, and SWC (coming soon). Using these integrations security ops team can get visibility and perform threat hunting.
Azure controls used in the Cisco Validated Design (Figure 3):
- Azure Network Security Groups (NSGs): Azure NSG provides micro-segmentation capability by adding firewalls rules directly on the instance virtual interfaces. NSGs can also be applied at the network level for network segmentation.
- Azure Web Application Firewall (WAF): Azure WAF protects against web exploits.
- Azure DDoS (Basic and Standard): Azure DDoS service protects against DDoS.
- Azure Internal and External Load Balancers (ILB and ELB): Azure ILB and ELB provide load balancing for inbound and outbound traffic.
Radware controls used in the Cisco Validated Design (Figure 3):
- Radware (WAF and DDoS): Radware provides WAF and DDoS capabilities as a service.
Cisco recommends enabling the following key capabilities on Cisco security controls. These controls provide unmatched visibility, segmentation, and threat protection and help in adhering security compliances.
In addition to the above Cisco security control, Cisco recommends using the following native Azure security components to protect workloads and applications.
Secure Cloud for Azure – Cisco Validated Design Guide (July 2020)
For detailed information on Secure Cloud Architecture for Azure, refer to our recently published Cisco Validated Design Guide. This design guide is based on the Secure Cloud Architecture Guide. The Secure Cloud Architecture Guide explains cloud services, critical business flows, and security controls required for the cloud environment to protect workloads. This guide covers the Cisco Validated Designs for workload protection in Azure three-tiered architecture. This also includes cloud-native security controls and Radware WAF/DDoS for workload protection in the cloud.
Anubhav Swami (CCIEx2: 21208)
Security Solutions Architect
Cisco Systems Inc.
- Cisco SAFE design guide for Azure
- Cisco SAFE Cloud Architecture Guide
- Cisco SAFE secure remote worker
- Cisco Tetration
- Cisco Stealthwatch Cloud
- Cisco AMP for Endpoints
- Cisco Duo
- Cisco Umbrella
- Deploy Umbrella VA in Azure
- Cisco Defense Orchestrator
- Cisco ASA
- Cisco Next-Generation Firewall
- Microsoft Azure
- Azure Network Security Group
- Azure Load Balancers
- Azure WAF
- Azure DDoS
- Radware WAF and DDoS (SaaS)
Cisco Live Sessions
- NGFWv and ASAv in AWS and Azure (BRKSEC-2064)
- Deploy ASAv and NGFWv in AWS and Azure (LTRSEC-3052)
- ARM yourself using NGFWv and ASAv in Azure (BRKSEC-3093)