Azure Policy - Subnets should have an Network Security Group

 I often find it useful to create a proof for a security control and demonstrate how it works and pick up some useful techniques on the way.  Download the Postman export here. The issue with this fine policy is in the way the latest Terraform works. It creates the subnet prior to associating the NSG which means it is blocked from creating the subnet. Use the Terraform in the initial_env directory to create the starting point for the lab work.

Attach the Policy to the Resource Group

Obtain the 'Subnets should have a Network Security Group' policy definition from here and add to your subscription. The name may conflict with a built-in policy so add something to the end - I added Andy on the end to differentiate it. 



Attach the policy to a resource group. In this example the resource group 'az-900'.
Azure Policy Definition

Assigned to the Resource Group az-900
Azure Policy Assignment

Postman Create Subnet

Use the HTTP API to create a subnet and associate an NSG in a single step.
Details here for the create subnet and here for the association of an NSG.
Using Try It:
API Try it


First get the Subscription ID.

Outputs the Subscription ID.

Next, create a service principal (SP).

This provides the necessary credentials for use in postman.

Create a new Collection in Postman called Azure API.

From the right-hand side Postman toolbar select Environment and click add.

Add Environment variables

At the  Environment level add a variable for the Tenant ID. This is used in the get-token request.
This can be obtained by using this command:

Create Environment variables in Postman with the values as shown below as shown and click save.
Variable NameOutput Label
ClientID = AppID
tenantID = tenant
clientSecret = Password
resource = https://management.azure.com/
resourceGroup = [Resource Group]
subscriptionID = [Subscription ID]
bearerToken = "leave it blank, we will programmatically fill the field later"
test_number =1
Environment Variables in Postman.
Environment Variables


Set the Authorisation method in the Azure API Collection.
Authorisation Method in the Collection
All the Folders and Requests can then be set to Inherit from Parent.
Inherit from parent
Create a new post request called get-token to the oauth endpoint:

with the form as shown below:

Add a test in the tests tab store the bearer token to an environment variable called bearerToken that will be sent with all requests.

In Postman select the Tests tab and paste the JavaScript in.
Get-Token JS to store bearer token
For this request the Authorisation method should be left set to No Auth, as this will be used to obtain the bearer token.

Create Folder in the Azure API Collection called Create Subnets
Add this short script to increment an Environment variable called test_number under pre-request script.

Create a new PUT request under the folder called 'Create Subnet without NSG'.

Create a JSON body for the request (ensure the AddressPrefix aligns with the VNET, in this case the VNET vent1 10.0.0.0/16). Each test will increment the value of test_number.

It should look like this in Postman
Create a second request by duplicating the first, and rename it in to 'Create Subnet with NSG Associated in existing VNET' with a JSON body as shown.

Make sure the NSG you want to associate with has already been created.

Run Tests:

That's it, just run the get-token request and then the two tests:
  1. Create Subnet without NSG
  2. Create Subnet with NSG Associated the existing VNET vent1

Results:

  1. Fails with a "403 Forbidden" error code. Disallowed by Policy with the message set in the policy.


  1. Success with "201 Created" response code.

Clean-up

This will delete ALL of the subnets in the resource group VNET used (change names as needed).

Terraform

 In this post I looked at how the Azure Policy prevents the creation of a subnet without an associated Network Security Group.  I have created two Terraform scripts showing terraform for the first test this script will fail with Policy effect set to Deny.  The second script creates another resource group and assigns the same policy but with it set Audit only which works as Terraform can create the subnet without being blocked. 



Comments

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Home service I inst
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv
Read more

Password Cracking with CUDA 2 ways

Image
A few weeks ago I decided to generate Rainbow Tables for LM hash password cracking. The Rainbowcrack project provides Windows and Linux software that can be used to generate the tables and do the actual cracking. I also wanted to leverage the CUDA GPU support to make the cracking as fast as possible. The first thing I needed to do was to generate the actual rainbow tables. In my lab I have two Proliant ML350 servers running ESXi 5.1 (dual Xeon E5645 in each) so rather than running the table generation on my laptop I created a Windows VM on one of the servers gave it 8 vcpu's and cut 'n' paste the commands for the table generation into a batch file. I set the batch file running and went to bed. The next morning I checked on progress and calculated how long it was going to take to complete. With a bit of rough math I reckoned about six weeks! Six Weeks Later... After running at a near constant 100% CPU utilisation for the full six weeks my rainbow tables were finally re
Read more