Tuesday, 22 September 2020

Threat Landscape Trends: Endpoint Security, Part 1

Part 1: Critical severity threats and MITRE ATT&CK tactics

In the ongoing battle to defend your organization, deciding where to dedicate resources is vital. To do so efficiently, you need to have a solid understanding of your local network topology, cloud implementations, software and hardware assets, and the security policies in place. On top of that, you need to have an understanding of what’s traveling through and residing in your environment, and how to respond when something is found that shouldn’t be there.

This is why threat intelligence is so vital. Not only can threat intelligence help to defend what you have, it can tell you where you’re potentially vulnerable, as well as where you’ve been attacked in the past. It can ultimately help inform where to dedicate your security resources.

What threat intelligence can’t tell you is exactly where you’ll be attacked next. The fact is that there’s no perfect way to predict an attacker’s next move. The closest you can come is knowing what’s happening out in the larger threat landscape—how attackers are targeting organizations across the board. From there it’s possible to make those critical, informed decisions based on the data at hand.

This is the purpose of this new blog series, Threat Landscape Trends. In it, we’ll be taking a look at activity in the threat landscape and sharing the latest trends we see. By doing so, we hope to shed light on areas where you can quickly have an impact defending your assets, especially if dealing with limited security resources.

To do this, we’ll dive into various Cisco Security technologies that monitor, alert, and block suspected malicious activity. Each release will focus on a different product, given the unique view of activity each can provide, informing you on different aspects of the threat landscape.

Beginning at the endpoint

To kick off the series, we’ll begin with Cisco’s Endpoint Security solution. Over the course of two blog posts we’ll examine what sort of activity we’ve seen on the endpoint in the first half of 2020. In the first, we’ll look at critical severity threats and the MITRE ATT&CK framework. In part two, to be published in the coming weeks, we’ll dive deeper into the data, providing more technical detail on threat types and the tools used by attackers.

To protect an endpoint, Cisco’s Endpoint Security solution leverages a protection lattice comprised of several technologies that work together. We’ll drill down into telemetry from one of these technologies here: the Cloud Indication of Compromise (IoC) feature, which can detect suspicious behaviors observed on endpoints and look for patterns related to malicious activity.

In terms of methodology for the analysis that follows, the data is similar to alerts you would see within the dashboard of Cisco’s Endpoint Security solution, only aggregated across organizations to get the percentage of organizations that have encountered particular IoCs as a baseline. The data set covers the first half of 2020, from January 1st through June 30th. We’ll cover this in more detail in the Methodology section at the end of this post, but for now, let’s dive into the data.

Threat severity

When using Cisco’s Endpoint Security solution, one of the first things you’ll notice in the dashboards is that alerts are sorted into four threat severity categories: low, medium, high, and critical. Here is a breakdown of these severity categories in terms of the frequency that organizations encountered IoC alerts:

Percentage of low, medium, high, and critical severity IoCs

As you might expect, the vast majority of alerts fall into the low and medium categories. There’s a wide variety of IoCs within these severities. How serious a threat the activity leading to these alerts poses depends on a number of factors, which we’ll look at more broadly in part two of this blog series.

For now, let’s start with the most serious IoCs that Cisco’s Endpoint Security solution will alert on: the critical severity IoCs. While these make up a small portion of the overall IoC alerts, they’re arguably the most destructive, requiring immediate attention if seen.

Critical severity IoCs

Sorting the critical IoCs into similar groups, the most common threat category seen was fileless malware. These IoCs indicate the presence of fileless threats—malicious code that runs in memory after initial infection, rather than through files stored on the hard drive. Here, Cisco’s Endpoint Security solution detects activity such as suspicious process injections and registry activity. Some threats often seen here include Kovter, Poweliks, Divergent, and LemonDuck.

Coming in second are dual-use tools leveraged for both exploitation and post-exploitation tasks. PowerShell Empire, CobaltStrike, Powersploit, and Metasploit are four such tools currently seen here. While these tools can very well be used for non-malicious activity, such as penetration testing, bad actors frequently utilize them. If you receive such an alert, and do not have any such active cybersecurity exercises in play, an immediate investigation is in order.

The third-most frequently seen IoC group is another category of dual-use tools. Credential dumping is the process used by malicious actors to scrape login credentials from a compromised computer. The most commonly seen of these tools in the first half of 2020 is Mimikatz, which Cisco’s Endpoint Security solution caught dumping credentials from memory.

All told, these first three categories comprise 75 percent of the critical severity IoCs seen. The remaining 25 percent contains a mix of behaviors known to be carried out by well-known threat types:
  • Ransomware threats like Ryuk, Maze, BitPaymer, and others
  • Worms such as Ramnit and Qakbot
  • Remote access trojans like Corebot and Glupteba
  • Banking trojans like Cridex, Dyre, Astaroth, and Azorult
  • …and finally, a mix of downloaders, wipers, and rootkits

MITRE ATT&CK tactics


Another way to look at the IoC data is by using the tactic categories laid out in the MITRE ATT&CK framework. Within Cisco’s Endpoint Security solution, each IoC includes information about the MITRE ATT&CK tactics employed. These tactics can provide context on the objectives of different parts of an attack, such as moving laterally through a network or exfiltrating confidential information.

Multiple tactics can also apply to a single IoC. For example, an IoC that covers a dual-use tool such as PowerShell Empire covers three tactics:
  • Defense Evasion: It can hide its activities from being detected.
  • Execution: It can run further modules to carry out malicious tasks.
  • Credential Access: It can load modules that steal credentials.
With this overlap in mind, let’s look at each tactic as a percentage of all IoCs seen:

IoCs grouped by MITRE ATT&CK tactics

By far the most common tactic, Defense Evasion appears in 57 percent of IoC alerts seen. This isn’t surprising, as actively attempting to avoid detection is a key component of most modern attacks.

Execution also appears frequently, at 41 percent, as bad actors often launch further malicious code during multi-stage attacks. For example, an attacker that has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer.

Two tactics commonly used to gain a foothold, Initial Access and Persistence, come in third and fourth, showing up 11 and 12 percent of the time, respectively. Communication through Command and Control rounds out the top 5 tactics, appearing in 10 percent of the IoCs seen.

Critical tactics

While this paints an interesting picture of the threat landscape, things become even more interesting when combining MITRE ATT&CK tactics with IoCs of a critical severity.

Critical severity IoCs grouped by MITRE ATT&CK tactics

For starters, two of the tactics were not seen in the critical severity IoCs at all, and two more registered less than one percent. This effectively removes a third of the tactics from focus.

What’s also interesting is how the frequency has been shuffled around. The top three remain the same, but Execution is more common among critical severity IoCs than Defense Evasion. Other significant moves when filtering by critical severity include:

  • Persistence appears in 38 percent of critical IoCs, as opposed to 12 percent of IoCs overall.
  • Lateral Movement jumps from 4 percent of IoCs seen to 22 percent.
  • Credential Access moves up three spots, increasing from 4 percent to 21 percent.
  • The Impact and Collection tactics both see modest increases.
  • Privilege Escalation plummets from 8 percent to 0.3 percent.
  • Initial Access drops off the list entirely, previously appearing fourth.
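The shift between the two charts comes from counting the same multi-tactic alerts twice: once across all severities and once after filtering to critical. The script below is an added example (not Cisco’s code) that reproduces that method over a small set of constructed alert records, each carrying one or more tactics as in the PowerShell Empire case above; the records, organization names and resulting percentages are constructed and are not the post’s data.

```python
"""Tactic-frequency aggregation over endpoint IoC alerts.

Added example, not Cisco's code. The alert records below are constructed;
they stand in for the aggregated alert feed described in the post and their
percentages are not the post's figures.
"""
from collections import Counter

# Constructed alerts: one or more MITRE ATT&CK tactics per IoC, as in the
# PowerShell Empire example (Defense Evasion + Execution + Credential Access).
SAMPLE_ALERTS = [
    {"org": "org-a", "ioc": "Dual-use tool: PowerShell Empire", "severity": "critical",
     "tactics": ["Defense Evasion", "Execution", "Credential Access"]},
    {"org": "org-a", "ioc": "Credential dumping: Mimikatz", "severity": "critical",
     "tactics": ["Credential Access"]},
    {"org": "org-b", "ioc": "Fileless: Kovter", "severity": "critical",
     "tactics": ["Defense Evasion", "Execution", "Persistence"]},
    {"org": "org-b", "ioc": "Generic downloader", "severity": "low",
     "tactics": ["Execution"]},
    {"org": "org-c", "ioc": "Suspicious Run key", "severity": "medium",
     "tactics": ["Persistence"]},
    {"org": "org-c", "ioc": "Dual-use tool: PowerShell Empire", "severity": "critical",
     "tactics": ["Defense Evasion", "Execution", "Credential Access"]},
    {"org": "org-d", "ioc": "Remote service execution", "severity": "high",
     "tactics": ["Lateral Movement", "Execution"]},
    {"org": "org-d", "ioc": "Macro dropper", "severity": "low",
     "tactics": ["Initial Access", "Execution"]},
]


def tactic_share(alerts, severity=None):
    """Percentage of alerts carrying each tactic, optionally filtered by severity.

    Because one alert can carry several tactics, the percentages overlap and
    do not sum to 100, exactly as in the post's charts.
    """
    selected = [a for a in alerts if severity is None or a["severity"] == severity]
    if not selected:
        return {}
    counts = Counter(t for a in selected for t in a["tactics"])
    return {t: round(100.0 * n / len(selected), 1) for t, n in counts.items()}


def org_share(alerts, ioc):
    """Percentage of organizations that saw a given IoC at least once (the post's baseline)."""
    orgs = {a["org"] for a in alerts}
    hit = {a["org"] for a in alerts if a["ioc"] == ioc}
    return round(100.0 * len(hit) / len(orgs), 1)


def ranked(share):
    """Tactics ordered from most to least frequent, ties broken alphabetically."""
    return [t for t, _ in sorted(share.items(), key=lambda kv: (-kv[1], kv[0]))]


def dropped_when_critical(alerts):
    """Tactics present overall but absent from critical-severity alerts."""
    return sorted(set(tactic_share(alerts)) - set(tactic_share(alerts, "critical")))


if __name__ == "__main__":
    print("overall :", ranked(tactic_share(SAMPLE_ALERTS)))
    print("critical:", ranked(tactic_share(SAMPLE_ALERTS, "critical")))
    print("dropped :", dropped_when_critical(SAMPLE_ALERTS))
```

Running it shows the same two effects the post describes: tactics carried only by low- and medium-severity alerts (here Initial Access and Lateral Movement) vanish from the critical view, and the ranking of the remaining tactics shifts.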

Defending against the critical


This wraps up our high-level rundown of the IoC data. So armed with this information about the common threat categories and tactics, what can you do to defend your endpoints? Here are a few suggestions about things to look at:

Limit execution of unknown files

If malicious files can’t be executed, they can’t carry out malicious activity. Use group policies and/or “allow lists” for applications that are permitted to run on endpoints in your environment. That’s not to say that every control available should be leveraged in order to completely lock an endpoint down—limiting end-user permissions too severely can create entirely different usability problems.

If your organization utilizes dual-use tools for activities like remote management, severely limit the number of accounts that are permitted to run the tools, granting only temporary access when the tools are needed.

Monitor processes and the registry

Registry modification and process injection are two primary techniques used by fileless malware to hide its activity. Monitoring the registry for unusual changes and looking for strange process injection attempts will go a long way towards preventing such threats from gaining a foothold.

Monitor connections between endpoints

Keep an eye on the connections between different endpoints, as well as connections to servers within the environment. Investigate if two machines are connecting that shouldn’t, or an endpoint is talking to a server in a way that it doesn’t normally. This could be a sign that bad actors are attempting to move laterally across a network.
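The three suggestions above (autostart registry changes, process injection, and connections between endpoints that fall outside normal patterns) are easy to express as rules over endpoint telemetry. The script below is an added example, not Cisco’s code: it runs such rules over constructed Sysmon-style events. The host role map, the connection baseline and the two allow lists are site-specific assumptions that you would replace with your own.

```python
"""Triage of endpoint telemetry for the three behaviours suggested above:
registry autostart changes, process injection, and unusual endpoint-to-endpoint
connections. Added example, not Cisco's code. The events, role map and allow
lists are constructed; the allow lists are site-specific assumptions.
"""

# Autostart registry paths that fileless threats commonly modify for persistence.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumed allow lists: installers expected to write autostart entries, and
# processes for which cross-process thread creation is routine in this estate.
ALLOWED_AUTOSTART_WRITERS = {"msiexec.exe", "setup.exe"}
ALLOWED_INJECTORS = {"csrss.exe", "msmpeng.exe"}

# Assumed host roles and a connection baseline of (source role, destination role, port).
HOST_ROLES = {"ws-101": "workstation", "ws-102": "workstation",
              "fs-01": "server", "dc-01": "server"}
CONNECTION_BASELINE = {
    ("workstation", "server", 445), ("workstation", "server", 443),
    ("workstation", "server", 389), ("server", "server", 445),
}

# Constructed Sysmon-style events (normalised to plain dicts).
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "ws-101", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\Public\update.js"},
    {"type": "registry_set", "host": "ws-102", "image": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "create_remote_thread", "host": "ws-101",
     "source_image": "rundll32.exe", "target_image": "explorer.exe"},
    {"type": "create_remote_thread", "host": "ws-102",
     "source_image": "MsMpEng.exe", "target_image": "chrome.exe"},
    {"type": "network", "host": "ws-101", "dst": "ws-102", "port": 445},
    {"type": "network", "host": "ws-101", "dst": "fs-01", "port": 445},
    {"type": "network", "host": "ws-102", "dst": "dc-01", "port": 389},
]


def flag_registry(events):
    """Autostart writes by processes that are not expected installers."""
    findings = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        key = e["key"].lower()
        if any(k in key for k in AUTOSTART_KEYS) and e["image"].lower() not in ALLOWED_AUTOSTART_WRITERS:
            findings.append({"rule": "autostart-write", "host": e["host"],
                             "detail": f"{e['image']} wrote {e['key']}"})
    return findings


def flag_injection(events):
    """Remote thread creation from a source process outside the allow list."""
    return [{"rule": "process-injection", "host": e["host"],
             "detail": f"{e['source_image']} -> {e['target_image']}"}
            for e in events
            if e["type"] == "create_remote_thread"
            and e["source_image"].lower() not in ALLOWED_INJECTORS]


def flag_connections(events, roles=HOST_ROLES, baseline=CONNECTION_BASELINE):
    """Connections whose (source role, destination role, port) is not in the baseline;
    workstation-to-workstation traffic is the typical lateral-movement signal."""
    findings = []
    for e in events:
        if e["type"] != "network":
            continue
        triple = (roles.get(e["host"], "unknown"), roles.get(e["dst"], "unknown"), e["port"])
        if triple not in baseline:
            findings.append({"rule": "off-baseline-connection", "host": e["host"],
                             "detail": f"{e['host']} -> {e['dst']}:{e['port']} ({triple[0]} -> {triple[1]})"})
    return findings


def triage(events):
    """Run all three rules and return the combined findings."""
    return flag_registry(events) + flag_injection(events) + flag_connections(events)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

On the sample events the installer-driven Run key write, the anti-malware engine’s remote thread and the two workstation-to-server connections pass, while the PowerShell-driven Run key write, the rundll32-to-explorer thread and the workstation-to-workstation SMB connection are reported. A real deployment would key the baseline on observed history rather than a hand-written set.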

Monday, 21 September 2020

How to Prepare for Cisco CCNP Enterprise 350-401 Certification?


Cisco ENCOR Exam Description:

This exam tests a candidate's knowledge of implementing core enterprise network technologies including dual stack (IPv4 and IPv6) architecture, virtualization, infrastructure, network assurance, security and automation. The course, Implementing Cisco Enterprise Network Core Technologies, helps candidates to prepare for this exam.

Sunday, 20 September 2020

Extend secure, automated branch office networking to AWS with Cisco SD-WAN Cloud OnRamp

According to a Cisco study, by 2021, there will be 20 zettabytes of traffic between the DC/branch to the clouds, as companies use popular public cloud platforms like Amazon Web Services (AWS). Meanwhile, “IaaS is forecast to grow 24% year over year, which is the highest growth rate across all market segments,” according to Gartner.

However, while a cloud strategy creates more agility, it also presents challenges for IaaS deployments. Below are three primary concerns cloud users face regularly:

Inconsistent connectivity

Large-scale networks may traverse multiple slow public and/or expensive private connections to get to the cloud deployments, while smaller networks may need to battle out a slow, jittery internet to get to the clouds. In either case, customers will need to find the fastest and most reliable link while confirming a secure transport.

Complexity with governance

No real uniformity exists as to how different platforms handle their governance and compliance. This maze of rules and frameworks can create consistency problems with companies trying to utilize more than one cloud platform, especially with (but not exclusive to) IaaS. Finally, each cloud vendor has its own policy, security and segmentation process. These variances from vendor to vendor add another layer of complexity that must be managed.

Visibility problems

Different cloud platforms also use various protocols for analytics, metrics and insights. This variance can effectively reduce visibility for companies, making it more challenging to optimize usage across the network.

Cisco’s SD-WAN Cloud OnRamp automates and optimizes the enterprise SD-WAN to IaaS and SaaS

Cloud OnRamp is a cloud networking solution and a functionality of Cisco SD-WAN through which enterprises can network their branch sites to workloads deployed in cloud environments. Cloud OnRamp provides seamless, secure and automated networking for IaaS as well as an optimized experience for various SaaS applications.

One proven way to overcome the challenges of a cloud strategy is by implementing a consistent fabric across a company’s entire WAN network using Cisco SD-WAN Cloud OnRamp. Cisco SD-WAN provides a secure WAN architecture that can extend consistent policy enforcement, segmentation and security across both on-premises and cloud networks. Cloud OnRamp simplifies the experience further through the power of automation, using vManage as the single-pane-of-glass management platform to create an SD-WAN transit network in the cloud provider’s environment.

Advantages of Cisco SD-WAN Cloud OnRamp

◉ Greater automation – With Cloud OnRamp, users can expect to automate SD-WAN extension to the cloud in minutes with just a few clicks.

◉ Improved security – Cloud OnRamp reduces security risks by leveraging granular segmentation and streamlined policy enforcement that can control and segment the traffic that flows through the network, guarding against external and internal threats to the data.

◉ Ease of management – Cloud OnRamp provides end-to-end data sharing between cloud and branch and establishes inter-regional visibility across transit data and network telemetry.

Cisco SD-WAN Cloud OnRamp Integration with AWS Transit Gateway

Cisco has partnered with AWS to provide end-to-end solutions for joint customers to create the best possible user experience. Customers benefit from fully automated networking to workloads in AWS Cloud and native integration between Cisco SD-WAN and AWS Transit Gateway and Transit Gateway Network Manager.

Sneak peek of the new features and benefits:

◉ Fully automated Cisco SD-WAN fabric extension to AWS Cloud: instead of spending hours of time per region and going through error-prone manual processes, now enterprise customers can bridge their branches to AWS workloads through a fully secure Cisco SD-WAN network in just minutes.

◉ Single pane of glass management through Cloud OnRamp: jumping back and forth between different management consoles of Cisco and AWS to orchestrate networking resources can be challenging and ineffective. With this new integration, enterprise customers will be able to manage both the Cisco SD-WAN virtual router and AWS Transit Gateway through Cloud OnRamp.

◉ Extending enterprise segmentation to AWS Cloud: one important aspect of secure networking is to ensure consistent enterprise segmentation across the entire network. By using the GUI-based Intent Management feature in Cloud OnRamp, enterprise customers can easily manage VPN to VPC and VPC to VPC communications through simple clicks.

◉ End-to-end visibility: by populating elements of both the SD-WAN network and AWS cloud network into AWS Network Manager, enterprise customers will have a unified and visualized view of both branch and cloud sites.

Watch AWS, Cisco and joint customer ENGIE discuss the benefits of integrating Cisco SD-WAN with AWS Transit Gateway Network Manager in a recent webinar and learn how to get started.

With more than half of enterprise workloads expected to be deployed in public clouds within the next year, cloud computing is a growing opportunity and challenge for today’s enterprises. By deploying an integrated solution like Cisco’s Cloud OnRamp for IaaS, companies will stay competitive by making their cloud strategy more productive, consistent and secure.

Saturday, 19 September 2020

API-Based Tools Make Cisco Device Management and Monitoring Easier

Cisco’s Intent-Based Networking (IBNG) Innovation Team is responsible for providing training labs, bootcamps and demos for customers, partners, internal sales at individual and public events. After each training we have to reset hundreds of devices and multiple controllers like Cisco DNA Center, ISE, DHCP, WLC etc. This manual reset takes the team a lot of time. During some of our events, we are required to reset multiple times a week or daily. To minimize the manual work and be more efficient, we created some API based tools that can complete the whole process in less than 30 minutes.

If you have any requirement for similar use cases, you can try our API-based tools that can save you time and reduce the tedious work!

We have 20-30 pods in each training lab. A pod is an individual testbed that contains different devices, such as edge/access, distribution and core devices. These devices mimic a small customer enterprise environment, with Catalyst 3k and 9k switches, ASR and ISR routers and wireless controllers. During the lab, the devices are configured for various use cases. After each event, the devices need to be brought back to their starting state. With the help of the APIs and scripts, we automated this reset process.

API-based Tools


For resetting devices such as Cat9ks, Cat3ks, ASRs and ISRs we use the SecureCRT scripting APIs, which can reset a device to a default state or configure it to a base state. Whatever mode a switch is in (configuration mode, enable mode or any other), the scripts make the necessary configuration changes and perform the reset. Sometimes after a reset we want to apply additional configuration that is not part of the base; for that we use another script that can run on multiple devices simultaneously.

We also created a button bar in SecureCRT and mapped the script to a button. The button bar is a quick way to run scripts, send strings and issue protocol commands on multiple sessions simultaneously. Step-by-step instructions for configuring this button are available here. Whenever we want to execute a script on any number of sessions, clicking the button runs it on all open sessions. The following is an example of mapping a Python script to a button in the button bar. All the links to these scripts are listed in the What Next? section.

The next step is to reset Cisco DNA Center. For this we use Cisco DNA Center internal APIs to perform the backup and restore operations, and the same APIs to check the status of backup and restore jobs. Currently the backup/restore APIs are for internal use only; they will be published in the future. We also integrated these backup/restore scripts with Webex Teams, so whenever a backup or restore script runs it sends a notification to Webex Teams and everyone in that Webex space is aware of the change.

The next step is to reset the other controllers such as ISE, DHCP, DNS and the Catalyst 9800. We installed these controllers as VMs on ESXi hosts. To reset these VMs we use snapshots and non-persistent mode: with PowerCLI cmdlets we create new VMs from the snapshots and reset the VMs running in non-persistent mode. The following is an example of resetting the controllers and creating VMs from snapshots. All the links to these scripts are listed in the What Next? section.


Monitoring API-Based Tools


After the reset process has completed, we also monitor the devices using Python applications. If something happens to a device, such as a link or switch going down, we are notified in Webex Teams. We integrated Cisco DNA Center with Webex Teams and configured events on Cisco DNA Center to notify us of these alerts; when an issue occurs we get a notification in Webex Teams. The following is an example of the switch-unreachable notification in Webex Teams that DNA Center sent via the APIs.


The following is an example of subscribing to an event in Cisco DNA Center and providing receiver details for the alerts. You can subscribe to specific events that may occur in your network; once subscribed, you receive a notification through the REST API when the event occurs. You can refer here for more details on how to subscribe to events.
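The subscription step above and the Webex notification described earlier fit together in one small relay script. The code below is an added example, not the team’s published script. Assumptions not taken from the post: the DNA Center token and event-subscription endpoints and the payload shape follow the DNA Center intent API as I know it (check the API reference for your release), the Webex messages endpoint is the public Webex REST API, the hostnames and receiver URL are placeholders, and the sample notification is constructed.

```python
"""Subscribe to a Cisco DNA Center event and relay its notification to Webex.

Added example, not the team's published script. Assumptions not taken from the
post: the DNA Center token and event-subscription endpoints and the payload
shape follow the DNA Center intent API as I know it (check the API reference
for your release), the Webex messages endpoint is the public Webex REST API,
and the sample notification below is constructed.
"""
import base64
import json
import os
import urllib.request

DNAC_HOST = os.environ.get("DNAC_HOST", "dnac.example.invalid")  # placeholder host
RECEIVER_URL = os.environ.get("RECEIVER_URL", "https://receiver.example.invalid/dnac")
WEBEX_MESSAGES_URL = "https://webexapis.com/v1/messages"

# Constructed notification, shaped like a DNA Center REST (webhook) event.
SAMPLE_EVENT = {
    "eventId": "EXAMPLE-EVENT-0-000",  # placeholder, not a real DNA Center event id
    "name": "Device Unreachable",
    "severity": 1,
    "category": "ALERT",
    "timestamp": 1600000000000,
    "details": {"Type": "Network Device", "Device": "pod07-edge1",
                "Assurance Issue Details": "pod07-edge1 is unreachable from Cisco DNA Center"},
}


def build_subscription(name, event_ids, receiver_url):
    """Body for POST /dna/intent/api/v1/event/subscription with a REST receiver."""
    return [{
        "name": name,
        "description": "Relay lab events to the team's webhook receiver",
        "subscriptionEndpoints": [{"subscriptionDetails": {
            "connectorType": "REST", "name": "lab-receiver",
            "url": receiver_url, "method": "POST"}}],
        "filter": {"eventIds": list(event_ids)},
    }]


def format_webex_message(event):
    """Render a notification as Webex markdown: headline, detail bullets, event id."""
    lines = [f"**{event.get('name', 'DNA Center event')}** "
             f"(severity {event.get('severity', '?')}, {event.get('category', 'n/a')})"]
    lines += [f"- {k}: {v}" for k, v in sorted(event.get("details", {}).items())]
    lines.append(f"eventId: {event.get('eventId', 'unknown')}")
    return "\n".join(lines)


def _post_json(url, body, headers):
    """POST an optional JSON body and decode the JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    hdrs = dict(headers)
    if data is not None:
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method="POST", headers=hdrs)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dnac_token(host, user, password):
    """Obtain an X-Auth-Token from DNA Center using HTTP basic auth."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return _post_json(f"https://{host}/dna/system/api/v1/auth/token", None,
                      {"Authorization": f"Basic {creds}"})["Token"]


def subscribe(host, token, payload):
    """Create the event subscription on DNA Center."""
    return _post_json(f"https://{host}/dna/intent/api/v1/event/subscription", payload,
                      {"X-Auth-Token": token})


def send_webex(room_id, token, markdown):
    """Post a markdown message to a Webex room (bot or user token)."""
    return _post_json(WEBEX_MESSAGES_URL, {"roomId": room_id, "markdown": markdown},
                      {"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    # Offline path: show the payload and the rendered message for the sample event.
    payload = build_subscription("lab-alerts", ["EXAMPLE-EVENT-0-000"], RECEIVER_URL)
    print(json.dumps(payload, indent=2))
    print(format_webex_message(SAMPLE_EVENT))
    # Live path only when credentials are supplied through the environment.
    if all(os.environ.get(k) for k in ("DNAC_USER", "DNAC_PASS", "WEBEX_TOKEN", "WEBEX_ROOM_ID")):
        token = dnac_token(DNAC_HOST, os.environ["DNAC_USER"], os.environ["DNAC_PASS"])
        subscribe(DNAC_HOST, token, payload)
        send_webex(os.environ["WEBEX_ROOM_ID"], os.environ["WEBEX_TOKEN"],
                   format_webex_message(SAMPLE_EVENT))
```

The receiver that DNA Center calls back is whatever listens at `RECEIVER_URL`; it would pass each received body through `format_webex_message` and `send_webex`. Keep the Webex bot token and DNA Center credentials in the environment or a secret store rather than in the script.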

Friday, 18 September 2020

Cisco 500-440 Sample Questions | Syllabus | UCCED Practice Test


Cisco UCCED Exam Description:

This exam tests a candidate's knowledge of design considerations and guidelines for deploying Cisco Unified Contact Center Enterprise (Cisco Unified CCE) solutions. Cisco Unified CCE is part of Cisco Unified Communications application suite, which delivers intelligent call routing, network-to-desktop computer telephony integration (CTI), and multichannel contact management to contact center agents over an IP network.

Streamline NX-OS fabric deployments with Cisco DCNM and Red Hat Ansible

Today I will give an overview of our recent integration between Cisco Data Center Network Manager (DCNM) and Red Hat Ansible to streamline NX-OS fabric deployments.

Introduction

Traditionally in data center network management, configuration was often a manual, error-prone process: an operator went device by device to make changes, and every change required a deep understanding of both the OS-specific CLIs and of the technology and the implications of each CLI change in order to attain the desired outcome.

Cisco DCNM

Cisco DCNM is a turnkey solution for NX-OS network-wide workload orchestration and workflow automation, providing everything from Day 0 auto-provision, through Day N configuration changes. The solution is delivered through an easy to use UI for a single point of management for both network configuration and monitoring.

Additionally, operators have begun to understand and embrace the DevOps model to streamline network management. It is now widely accepted that network automation can be leveraged to accelerate network deployment and optimize network operations in a data center.

With the current global COVID-19 pandemic, network teams are being asked to do more with less, all while working remotely.

The importance of automation was highlighted even further in a recent IDC survey[1].

Among the survey responses:

1. 48% of respondents said they will increase investment in automation solutions to reduce manual management of the network.

2. 46% require an increased ability to remotely manage network operations.

Ansible and Cisco DCNM

Red Hat Ansible is an open-source solution that addresses challenges from network automation and application deployment, to managing a cloud infrastructure, in order to drive a more efficient IT environment with a simplified toolchain.

Ansible has emerged as one of the most popular platforms to automate and simplify network management tasks and boost cost savings and operational efficiency. Ansible works with many different operating systems that run on Cisco Networking platforms including ACI, IOS-XE and IOS-XR.

For several years now, Cisco has offered industry leading Ansible modules for NX-OS, which have been widely adopted and remain extremely popular to automate and streamline network deployments.

However, customers are increasingly looking to move towards a single point of management for their fabrics, rather than making changes at a device by device level.

Ansible, in conjunction with Cisco DCNM, provides a perfect combination for customers to embrace the DevOps model and accelerate NX-OS deployment, monitoring, day-to-day management, and more. Ansible achieves this goal by leveraging the open APIs of DCNM to automate the most common tasks.

Operational efficiencies made possible by Ansible and Cisco DCNM include the following:

◉ Addition or removal of NX-OS switches from a fabric

◉ Management of networks within a VXLAN fabric

◉ Addition or removal of VRFs from a VXLAN fabric

◉ Orchestration of switch interfaces within a DCNM managed fabric

Key Benefits of Cisco DCNM/Ansible solution


◉ Enables Admins to align on a unified approach to managing NX-OS fabrics with the same toolchain of their application deployments, enabling a tight coupling of application and network provisioning.

◉ Like all Ansible modules, the DCNM modules are idempotent ensuring that only necessary changes are made to the fabric. If the fabric is already in the desired state, no changes are made.

◉ Easy entry to leveraging Ansible, with all playbooks being written in human readable YAML.

Thursday, 17 September 2020

Cisco Secure Remote Worker Architecture for Azure

Today companies are investing in empowering their workforce to have a secure connection to the resources hosted in the Cloud. Cisco provides a secure remote worker solution that uses the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

◉ Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off-premises, without creating a headache for your IT teams. Simplify management with a single agent.

◉ Cisco Duo: Cisco Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Cisco Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administration, visibility, and monitoring.

◉ Cisco Umbrella Roaming Security Module: Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname both on and off your network or VPN.

◉ Cisco Advanced Malware Protection (AMP) Enabler: Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base. This approach provides AnyConnect user base administrators with an additional security agent that detects potential malware threats in the network, removes those threats, and protects the enterprise from compromise. It saves bandwidth and time taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the network or VPN.

Figure 1 – Components of the Cisco secure remote worker solution

Cisco Secure Remote Worker Architecture for Azure


Today organizations are consuming services, workloads, and applications hosted in Azure (Public Cloud). Azure provides a wide range of services that offer ease of usability, orchestration, and management. Customers are embracing these services, but this resource consumption model opens another attack surface. Using Cisco Security controls, customers can provide a secure connection to the Azure cloud infrastructure. This remote access VPN architecture protects multi-VNet, multi-AZ (availability zone) deployments by extending the Cisco Secure Remote Worker solution. This architecture brings together Cisco Security and Azure Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with Duo, Umbrella, and AMP Enabler.

Figure 2 – Secure Remote Worker architecture for multi-VNet, multi-AZ

The above network design has the following components and services:

◉ Cisco ASAv or Cisco NGFWv for Remote access VPN termination (TLS or DTLS)
◉ Cisco Secure AnyConnect Mobility Client on the endpoints
◉ Microsoft Windows 2019 Active Directory for LDAP
◉ Cisco Duo for Multi-Factor Authentication
◉ Umbrella Security Roaming Module for DNS Layer Security
◉ AMP Enabler for protection against Malware

This architecture is based on the hub-and-spoke model: the hub VNet has the firewalls for VPN termination. The hub VNet is connected to the spoke VNets using VNet peering, which runs over the Azure backbone network and therefore provides higher throughput.

◉ Remote Access VPN sessions are load balanced by Azure Traffic Manager
◉ Azure Internal Load Balancer (Standard) is used for non-VPN traffic load balancing (East/West)
◉ Azure External/Public Load Balancer is used for non-VPN traffic load balancing (North/South)

Traffic Flow 


Remote Access VPN: Azure blocks layer-2 visibility required for native HA and VPN load balancing to work. To enable resiliency and VPN load balancing, one must rely on the native cloud services such as Azure Traffic Manager (ATM), DNS, and UDR. In this architecture, VPN users send VPN traffic to the Azure Traffic Manager. ATM tracks all the firewalls using probes, and it load-balances VPN connection endpoints (Cisco Firewalls).

◉ Each Firewall has a separate VPN pool
◉ Azure User Defined Route (UDR) forwards traffic back to the correct firewall
◉ Azure Traffic Manager load balances the RAVPN traffic

Figure 3 – Secure Remote Worker architecture for multi-VNet, multi-AZ (RA VPN Traffic Flow)

Non-VPN (East/West): Firewalls in the hub VNet inspect east-west traffic. Each subnet in a spoke VNet has a route table with a user-defined route (UDR) pointing to the Azure ILB virtual IP address. Traffic lands on the ILB, which forwards it to a firewall. The firewall inspects the traffic; if it is allowed, it is sent to the destination VNet over the VNet peering. Return traffic is forwarded back to the ILB because a similar UDR is applied on the destination VNet as well. The ILB maintains state and sends the traffic back to the same firewall that processed the initial packet flow.

Figure 4 – Non-VPN East/West Traffic Flow

Non-VPN (North/South)

◉ Outbound Traffic Flow: Each spoke subnet has a route table associated with it. The UDR controls traffic routing and has a default route that points to the ILB’s virtual IP (VIP). The hub VNet has the ILB, and the ILB points to the firewalls for internet connectivity. Internet traffic is load-balanced across the perimeter firewalls, and traffic is SNATed to the outside interface IP address. Outbound traffic does not hit the external load balancer because a public IP is mapped to the outside interface of the firewall and the UDR on the outside subnet uses 10.82.1.1 as the default gateway. The Azure ILB used in this architecture is a Standard SKU, which requires an explicit Azure NSG to allow traffic to the firewalls (backend devices). An Azure NSG is applied to the inside and outside interfaces of the firewalls; this NSG has an allow-all rule applied, but you can restrict traffic according to your Infosec policy.

Figure 5 – Non-VPN North/South (Outbound Traffic Flow)

◉ Inbound Traffic Flow: External users access the frontend IP on the Azure public load balancer (ELB); the ELB has the firewalls’ external interfaces in its backend pool. The ELB is responsible for load balancing incoming non-VPN traffic and sends it to a firewall; if the traffic is allowed, it is SNATed to the inside interface to maintain traffic symmetry.

Figure 6 – Non-VPN North/South (Inbound Traffic Flow)
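The traffic flows above rest on three configuration invariants: every spoke subnet’s default route must hand traffic to the ILB VIP as a virtual-appliance hop (a spoke that defaults straight to the Internet bypasses the firewalls), the outside subnet must default to its gateway so egress does not loop through the external load balancer, and the Standard SKU ILB needs an NSG allow on the firewall NICs, which the design currently satisfies with an allow-all rule that the post itself says should be tightened. The script below is an added example, not Cisco’s code, that audits a constructed model of this design for those invariants; the ILB frontend address, subnet and NSG names are assumptions, while 10.82.1.1 is the outside-subnet gateway named in the post.

```python
"""Audit of the hub-and-spoke routing and NSG design described above.

Added example, not Cisco's code. The route tables and NSG rules are a
constructed model of the design (not exported from Azure); the ILB frontend
address is assumed, while 10.82.1.1 is the outside-subnet gateway named in the
post. The checks encode the post's invariants: every spoke subnet sends its
default route to the ILB VIP, the outside subnet defaults to the gateway, and
firewall NSGs that still carry an allow-all rule are reported for tightening.
"""

ILB_VIP = "10.82.10.4"         # assumed ILB frontend IP
OUTSIDE_GATEWAY = "10.82.1.1"  # default gateway on the outside subnet, from the post

# Constructed route tables: spoke2 is deliberately wrong (default route straight to Internet).
SPOKE_ROUTE_TABLES = {
    "spoke1-app-subnet": [
        {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance", "next_hop_ip": ILB_VIP}],
    "spoke2-db-subnet": [
        {"prefix": "10.82.0.0/16", "next_hop_type": "VirtualAppliance", "next_hop_ip": ILB_VIP},
        {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "next_hop_ip": None}],
}
OUTSIDE_ROUTE_TABLE = [
    {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance", "next_hop_ip": OUTSIDE_GATEWAY}]

# Constructed NSG rules on the firewall NICs; the inside NSG is the post's allow-all.
FIREWALL_NSGS = {
    "fw-inside-nsg": [
        {"name": "allow-all", "direction": "Inbound", "access": "Allow", "priority": 100,
         "source": "*", "dest_port": "*", "protocol": "*"}],
    "fw-outside-nsg": [
        {"name": "allow-lb-probes", "direction": "Inbound", "access": "Allow", "priority": 100,
         "source": "AzureLoadBalancer", "dest_port": "*", "protocol": "*"},
        {"name": "allow-ravpn", "direction": "Inbound", "access": "Allow", "priority": 110,
         "source": "Internet", "dest_port": "443", "protocol": "*"}],
}


def default_route(routes):
    """The 0.0.0.0/0 entry of a route table, or None if it has none."""
    return next((r for r in routes if r["prefix"] == "0.0.0.0/0"), None)


def check_spoke_routes(tables, ilb_vip=ILB_VIP):
    """Each spoke subnet must default-route to the ILB VIP as a virtual appliance hop."""
    findings = []
    for subnet, routes in tables.items():
        d = default_route(routes)
        if d is None or d["next_hop_type"] != "VirtualAppliance" or d["next_hop_ip"] != ilb_vip:
            findings.append({"check": "spoke-default-route", "object": subnet,
                             "detail": f"default route is {d}, expected VirtualAppliance via {ilb_vip}"})
    return findings


def check_outside_route(routes, gateway=OUTSIDE_GATEWAY):
    """Outside subnet must default to the gateway so egress bypasses the external LB."""
    d = default_route(routes)
    if d is None or d["next_hop_ip"] != gateway:
        return [{"check": "outside-default-route", "object": "fw-outside-subnet",
                 "detail": f"default route is {d}, expected via {gateway}"}]
    return []


def is_allow_all(rule):
    """True for an Allow rule with wildcard source, port and protocol."""
    return (rule["access"] == "Allow" and rule["source"] == "*"
            and rule["dest_port"] == "*" and rule["protocol"] == "*")


def check_nsgs(nsgs):
    """Report inbound allow-all rules; the ILB needs an NSG allow, not a blanket one."""
    return [{"check": "nsg-allow-all", "object": f"{nsg}/{rule['name']}",
             "detail": "inbound allow-all present; scope source/port/protocol to Infosec policy"}
            for nsg, rules in nsgs.items() for rule in rules
            if rule["direction"] == "Inbound" and is_allow_all(rule)]


def audit():
    """Run all checks against the constructed model and return the findings."""
    return (check_spoke_routes(SPOKE_ROUTE_TABLES) + check_outside_route(OUTSIDE_ROUTE_TABLE)
            + check_nsgs(FIREWALL_NSGS))


if __name__ == "__main__":
    for f in audit():
        print(f"[{f['check']}] {f['object']}: {f['detail']}")
```

Against the constructed model the audit reports the misrouted spoke2 subnet and the allow-all rule on the inside NSG and passes everything else. To run it against a live subscription, replace the constructed dictionaries with route tables and NSG rules exported from Azure (for instance via the CLI or SDK) and keep the check functions as they are.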