You don’t have clearance for that: Microsoft ups the paranoia with a preview of Azure Firewall Premium

Microsoft has unveiled a preview of Azure Firewall Premium, aimed at highly sensitive and regulated environments.

Azure Firewall was Microsoft’s attempt to sling a virtual arm over the shoulders of harassed administrators while whispering “there now, don’t worry about all that pesky firewall configuration stuff, let us take care of it” in its most seductive tone.

The result was a managed network security service, based in Microsoft’s cloud, built to protect Azure Virtual Network resources from miscreants. Azure to on-premises traffic filtering was also supported.

The Premium version, which is very much a preview and thus not recommended for production workloads, ups the ante with extra features.

Alongside improvements in URL filtering (it is now possible to look at an entire URL rather than just the host and domain name as in the standard Firewall service) it is also possible to deny or allow user access by website category (eg, social networking, gambling).

While the standard Firewall service will categorise by fully qualified domain name (FQDN), it once again requires the premium version to be a little more granular and delve down into a complete URL.

More interesting is the intrusion detection and prevention system (IDPS), which will look for malicious network activity, report it and optionally try to block it. The service is signature-based and hunts for the patterns of known malware.

Finally, the service will terminate outbound and east-west TLS connections to permit inspection before the traffic is re-encrypted and sent on its way. Those still clinging to old versions of TLS and wishing to make use of the feature will need to upgrade to TLS 1.2 since Microsoft is serious about deprecating TLS 1.0 and 1.1.

In terms of management, a new Firewall policy tier has been added, comprising Standard and Premium policies. Although Firewall Classic rules remain supported, Microsoft is keen that customers use the Migrate to Firewall policy option to shift rules to the new tier.

“Migrating to Firewall Policy does not incur any downtime,” said the company before sounding a cautious note with “but it is recommended that you migrate during maintenance hours.”

Although the Firewall Policy Standard tier is Generally Available and provides a full SLA, the additional Premium toys remain in preview. There are also some known issues with Azure Firewall that merit consideration. These include the fact that rules are IPv4-address-only for the time being (IPv6 support “is under investigation”) and the fact that configuration updates can take a leisurely five minutes on average. ®

READ MORE HERE