Adaptive Network Hardening in Azure Security Center

Learn how to configure Adaptive Network Hardening in Azure Security Center.

What is Adaptive Network Hardening?

Applying network security groups (NSGs) to filter traffic to and from resources improves your network security posture. However, there can still be cases in which the actual traffic flowing through the NSG is only a subset of what the defined NSG rules allow. In these cases, the security posture can be improved further by hardening the NSG rules based on the actual traffic patterns.

Adaptive Network Hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.

For example, let's say the existing NSG rule allows traffic from 140.20.30.10/24 on port 22. Based on its analysis, the Adaptive Network Hardening recommendation would be to narrow the range and allow traffic only from 140.23.30.10/29, a narrower IP range, and to deny all other traffic to that port.

Tip

Adaptive Network Hardening recommendations are only supported on the following specific ports (for both UDP and TCP): 13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5985, 5986, 6379, 7000, 7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215
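As an added illustration of the narrowing described above (this is example code, not code from the article or from Security Center; the real service uses a machine learning model, whereas this script uses the simplest possible rule of thumb), the following Python computes the smallest prefix that covers the source addresses actually observed on a supported port, emits the narrowed allow rule together with the deny-all rule for that port, and flags later traffic from outside the narrowed range the way the Alerts tab does. The `Rule` class, the `recommend` and `alerts` functions, and the sample addresses are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Ports on which the article says Adaptive Network Hardening recommendations are supported.
SUPPORTED_PORTS = {
    13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162,
    389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381,
    3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5985, 5986, 6379, 7000,
    7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215,
}


@dataclass
class Rule:
    name: str
    protocol: str                   # "Tcp" or "Udp"
    direction: str                  # "Inbound"
    access: str                     # "Allow" or "Deny"
    source: ipaddress.IPv4Network   # source prefix the rule applies to
    port: int                       # destination port


def smallest_covering_network(ips: List[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix that contains every observed source address."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()  # widen by one bit until the highest address fits
    return net


def recommend(existing: Rule, observed_sources: List[str]) -> List[Rule]:
    """Simplified model of the narrowing the article describes (an assumption, not the
    real machine-learning algorithm): keep only the sources actually seen, deny the rest."""
    if existing.port not in SUPPORTED_PORTS or existing.access != "Allow":
        return []
    # Only traffic the existing rule admits can have reached the VM through this NSG.
    seen = [ip for ip in observed_sources
            if ipaddress.ip_address(ip) in existing.source]
    deny_rest = Rule("System Generated", existing.protocol, existing.direction, "Deny",
                     ipaddress.ip_network("0.0.0.0/0"), existing.port)
    if not seen:
        # Nothing to keep: the article says a Deny all traffic rule is recommended then.
        return [deny_rest]
    narrowed = smallest_covering_network(seen)
    if narrowed.prefixlen <= existing.source.prefixlen:
        return []  # observed traffic already fills the existing range; nothing to harden
    return [Rule(existing.name + "-hardened", existing.protocol, existing.direction,
                 "Allow", narrowed, existing.port),
            deny_rest]


def alerts(observed_sources: List[str], recommended_allow: Rule) -> List[str]:
    """Sources of traffic outside the recommended allow range (what the Alerts tab lists)."""
    return [ip for ip in observed_sources
            if ipaddress.ip_address(ip) not in recommended_allow.source]


# Constructed sample: an existing NSG rule that admits a whole /24 on port 22, and the
# handful of source addresses actually observed during the traffic window.
EXISTING_RULE = Rule("allow-ssh", "Tcp", "Inbound", "Allow",
                     ipaddress.ip_network("140.20.30.0/24"), 22)
OBSERVED_SOURCES = ["140.20.30.10", "140.20.30.12", "140.20.30.14", "140.20.30.12"]


if __name__ == "__main__":
    recommended = recommend(EXISTING_RULE, OBSERVED_SOURCES)
    for rule in recommended:
        print(f"{rule.access:5} {rule.protocol}/{rule.port} from {rule.source}  ({rule.name})")
    # Later traffic from outside the narrowed range surfaces as an alert.
    print("alerts:", alerts(["140.20.30.12", "140.20.30.77"], recommended[0]))
```

With the constructed sample the /24 collapses to 140.20.30.8/29 and a deny-all rule for port 22 follows it, which mirrors the shape of the article's example. The window of observed traffic matters: the article states that Security Center needs at least 30 days of data before it will recommend anything, because a short window would narrow the prefix around whatever happened to connect that week.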

[Screenshot: Network Hardening view]

View Adaptive Network Hardening alerts and rules

  1. In Security Center, select Networking -> Adaptive Network Hardening. The network VMs are listed under three separate tabs:

    • Unhealthy resources: VMs that currently have recommendations and alerts that were triggered by running the Adaptive Network Hardening algorithm.

    • Healthy resources: VMs without alerts and recommendations.

    • Unscanned resources: VMs on which the Adaptive Network Hardening algorithm cannot be run, for one of the following reasons:

      • VMs are Classic VMs: only Azure Resource Manager VMs are supported.
      • Not enough data is available: in order to generate accurate traffic hardening recommendations, Security Center requires at least 30 days of traffic data.
      • VM is not protected by ASC standard: only VMs that are set to Security Center's Standard pricing tier are eligible for this feature.

      [Screenshot: Unhealthy resources]

  2. From the Unhealthy resources tab, select a VM to view its alerts and the recommended hardening rules to apply.

    [Screenshot: Hardening alerts]

  1. From the Unhealthy resources tab, select a VM. The alerts and recommended hardening rules are listed.

    [Screenshot: Hardening rules]

    Note

    The Rules tab lists the rules that Adaptive Network Hardening recommends you add. The Alerts tab lists the alerts that were generated by traffic flowing to the resource from outside the IP range allowed in the recommended rules.

  2. If you want to change some of the parameters of a rule, you can modify it, as explained in Modify a rule.

    Note

    You can also delete or add a rule.

  3. Select the rules that you want to apply on the NSG, and click Enforce.

    Note

    The enforced rules are added to the NSG(s) protecting the VM. (A VM can be protected by an NSG associated with its NIC, by an NSG on the subnet in which the VM resides, or by both.)

    [Screenshot: Enforce rules]
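Because the enforced rules land on whichever NSG(s) protect the VM, it is worth checking where a hardened rule actually takes effect. The following is an added example (not from the article or the product) that models Azure's inbound NSG evaluation: user rules plus the built-in default rules are walked in priority order with the first match winning, the subnet NSG is evaluated before the NIC NSG, and traffic must be allowed by both. The rule names, the `SERVICE_TAGS` address lists, and the two sample NSGs are constructed; the name `Tcp-Inbound-DENY-1234` only approximates the shape the article gives for a system-generated deny rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class NsgRule:
    name: str
    priority: int    # lower number is evaluated first; first match wins
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*" or a service tag name
    dest_port: str   # destination port or "*"


# Service tags modelled as address lists for this example (constructed: the VirtualNetwork
# space is a made-up 10.0.0.0/16; 168.63.129.16 is the Azure platform's load balancer/probe IP).
SERVICE_TAGS: Dict[str, List[str]] = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Default inbound rules every NSG carries; they can only be overridden by lower-numbered rules.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec: str, src: ipaddress.IPv4Address) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(src in ipaddress.ip_network(p) for p in prefixes)


def first_match(rules: List[NsgRule], src_ip: str, protocol: str, port: int) -> NsgRule:
    """Evaluate one NSG: walk user rules plus defaults in priority order, return the first hit."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(port)):
            continue
        if _source_matches(rule.source, src):
            return rule
    raise AssertionError("DenyAllInBound matches everything, so this is unreachable")


def inbound_allowed(subnet_rules: List[NsgRule], nic_rules: List[NsgRule],
                    src_ip: str, protocol: str, port: int) -> Tuple[bool, str, str]:
    """Inbound traffic is checked against the subnet NSG first, then the NIC NSG; both must allow.
    Returns (allowed, subnet rule hit, NIC rule hit)."""
    subnet_hit = first_match(subnet_rules, src_ip, protocol, port)
    if subnet_hit.access == "Deny":
        return False, subnet_hit.name, "(not evaluated)"
    nic_hit = first_match(nic_rules, src_ip, protocol, port)
    return nic_hit.access == "Allow", subnet_hit.name, nic_hit.name


# Constructed sample: the subnet NSG still holds the broad allow, while the hardened pair
# (narrowed allow plus the system-generated deny for the port) was enforced on the NIC NSG.
SUBNET_NSG = [NsgRule("allow-ssh", 100, "Allow", "Tcp", "140.20.30.0/24", "22")]
NIC_NSG = [
    NsgRule("allow-ssh-hardened", 100, "Allow", "Tcp", "140.20.30.8/29", "22"),
    NsgRule("Tcp-Inbound-DENY-1234", 110, "Deny", "Tcp", "*", "22"),  # name shape is an assumption
]


if __name__ == "__main__":
    for src in ("140.20.30.12", "140.20.30.77", "10.0.4.7", "203.0.113.5"):
        ok, subnet_hit, nic_hit = inbound_allowed(SUBNET_NSG, NIC_NSG, src, "Tcp", 22)
        print(f"{src:>14} -> {'ALLOWED' if ok else 'blocked':8} subnet:{subnet_hit} nic:{nic_hit}")
```

Two things the run makes visible: a deny enforced on the NIC NSG blocks traffic even though the subnet NSG still allows it, so hardening either layer is enough to close the gap; and the system-generated deny for port 22 also catches sources inside the virtual network (the `10.0.4.7` case) that the default AllowVnetInBound rule would otherwise admit, which is exactly the kind of legitimate traffic the Delete a rule section says you may need to exempt.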

Modify a rule

You may want to modify the parameters of a rule that has been recommended. For example, you may want to change the recommended IP ranges.

Some important guidelines for modifying an Adaptive Network Hardening rule:

  • You can modify the parameters of "allow" rules only.

  • You cannot change "allow" rules to become "deny" rules.

    Note

    Creating and modifying "deny" rules is done directly on the NSG. For more information, see Create, change, or delete a network security group.

  • A Deny all traffic rule is the only type of "deny" rule that is listed here, and it cannot be modified. You can, however, delete it (see Delete a rule).

    Note

    A Deny all traffic rule is recommended when, as a result of running the algorithm, Security Center does not identify any traffic that should be allowed based on the existing NSG configuration. The recommended rule is therefore to deny all traffic to the specified port. The name of this type of rule is displayed as "System Generated". After enforcing this rule, its actual name in the NSG will be a string made up of the protocol, the traffic direction, "DENY", and a random number.

To modify an Adaptive Network Hardening rule:

  1. To modify some of the parameters of a rule, in the Rules tab, click the three dots (...) at the end of the rule's row, and click Edit.

    [Screenshot: Edit rule]

  2. In the Edit rule window, update the details that you want to change, and click Save.

    Note

    After clicking Save, you have successfully changed the rule. However, you have not yet applied it to the NSG. To apply it, you must select the rule in the list and click Enforce (as explained in the next step).

    [Screenshot: Edit rule]

  3. To apply the updated rule, select the updated rule from the list and click Enforce.

    [Screenshot: Enforce rules]

Add a new rule

You can add an "allow" rule that was not recommended by Security Center.

Note

Only "allow" rules can be added here. If you want to add "deny" rules, you can do so directly on the NSG. For more information, see Create, change, or delete a network security group.

To add an Adaptive Network Hardening rule:

  1. Click Add rule (located in the top-left corner).

    [Screenshot: Add rule]

  2. In the New rule window, enter the details and click Add.

    Note

    After clicking Add, you have successfully added the rule, and it is listed with the other recommended rules. However, you have not yet applied it to the NSG. To activate it, you must select the rule in the list and click Enforce (as explained in the next step).

  3. To apply the new rule, select the new rule from the list and click Enforce.

    [Screenshot: Enforce rules]

Delete a rule

When necessary, you can delete a recommended rule for the current session. For example, you may determine that applying a suggested rule would block legitimate traffic.

To delete an Adaptive Network Hardening rule for your current session:

  1. In the Rules tab, click the three dots (...) at the end of the rule's row, and click Delete.

    [Screenshot: Hardening rules]