Security Control: Network Security

Network security recommendations focus on specifying which network protocols, TCP/UDP ports, and network-connected services are allowed or denied access to Azure services.

1.1: Protect Azure resources within virtual networks

Azure ID  CIS IDs  Responsibility
1.1  9.2, 9.4, 14.1, 14.2, 14.3  Customer

Ensure that all Virtual Network subnet deployments have a Network Security Group applied, with network access controls specific to your application's trusted ports and sources. When available, use Private Endpoints with Private Link to secure your Azure service resources to your virtual network by extending VNet identity to the service. When Private Endpoints and Private Link are not available, use Service Endpoints. Note the difference: a Private Endpoint gives the service a private IP address inside your VNet, whereas a Service Endpoint keeps traffic on the Azure backbone but leaves the service reachable on its public endpoint, so the service's own firewall must still be restricted to your VNet or subnet. For service-specific requirements, refer to the security recommendation for that specific service.

Alternatively, if you have a specific use case, the requirement may be met by implementing Azure Firewall.
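The following script is an added example, not tooling from Microsoft or code from this benchmark. It audits an NSG rule set offline for the two things 1.1 asks for, trusted sources and trusted ports, by reproducing the documented NSG evaluation order (ascending priority, first match wins, default rules at 65000 and above) and asking which management ports an arbitrary Internet host could reach. The input shape mirrors the securityRules and defaultSecurityRules objects returned by `az network nsg show -o json`, but SAMPLE_NSG, VNET_SPACE and PROBE_IP are constructed assumptions, and the service-tag handling is an approximation: Microsoft manages the real prefix lists, so only "*", "Internet" and "VirtualNetwork" are modelled.

```python
"""Offline audit of an Azure NSG rule set (added example; assumptions noted inline)."""
import ipaddress

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # assumption: the VNet address space
PROBE_IP = "1.2.3.4"                               # assumption: arbitrary globally routable host

# Constructed sample: one overly broad inbound rule among otherwise scoped rules.
SAMPLE_NSG = {
    "name": "app-subnet-nsg",
    "securityRules": [
        {"name": "allow-https-from-internet", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "443", "description": "Public web tier, change WEB-42"},
        {"name": "allow-any-mgmt", "priority": 200, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRanges": ["22", "3389"], "description": ""},
        {"name": "allow-bastion-ssh", "priority": 300, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
         "destinationPortRange": "22", "description": "SSH from the bastion subnet"},
    ],
    "defaultSecurityRules": [
        {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
         "destinationPortRange": "*"},
        {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
    ],
}


def _source_matches(prefix, src_ip):
    """Approximate the service tags; anything else is treated as a CIDR or IP literal."""
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_SPACE
    if prefix == "Internet":
        return ip.is_global and ip not in VNET_SPACE
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    """Port ranges are '*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _values(rule, single, plural):
    """A rule carries either the scalar field or its plural list form; normalise to a list."""
    return rule.get(plural) or [rule.get(single)]


def effective_access(nsg, src_ip, dst_port, protocol="Tcp", direction="Inbound"):
    """Return (decision, rule name) for a flow: first match in ascending priority wins."""
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"] not in ("*", protocol):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if (any(_source_matches(p, src_ip) for p in sources)
                and any(_port_matches(p, dst_port) for p in ports)):
            return rule["access"], rule["name"]
    return "Deny", "<no rule>"  # only reachable if the default rules were stripped


def internet_exposed_ports(nsg, ports=(22, 3389)):
    """Management ports an arbitrary Internet host is allowed to reach, with the rule to blame."""
    exposed = {}
    for port in ports:
        access, name = effective_access(nsg, PROBE_IP, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


def undocumented_allow_rules(nsg):
    """Allow rules with an empty Description field (the benchmark expects a business reason)."""
    return [r["name"] for r in nsg.get("securityRules", [])
            if r["access"] == "Allow" and not r.get("description")]


if __name__ == "__main__":
    print(internet_exposed_ports(SAMPLE_NSG))
    print(undocumented_allow_rules(SAMPLE_NSG))
```

Run against a real NSG by replacing SAMPLE_NSG with the parsed output of `az network nsg show`; the audit should report no Internet-exposed management ports, and any rule it names is the one to scope down to a bastion subnet, Just In Time access, or a service tag.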

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Azure ID  CIS IDs  Responsibility
1.2  9.3, 12.2, 12.8  Customer

Use Azure Security Center and follow its network protection recommendations to help secure your network resources in Azure. Enable NSG flow logs and send them to a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics Workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations. Keep in mind that flow logs record per-flow metadata (source, destination, ports, protocol, the matching rule and the allow/deny decision), not packet payloads; for payload-level evidence see 1.5.
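As an added example (not part of the Azure documentation and not Traffic Analytics), the script below reads NSG flow log version 2 records of the kind Network Watcher writes to the Storage Account and answers the questions an auditor asks first: which sources are being denied, which of them look like port scans, and how many bytes each allowing rule carried. The record layout follows the documented v2 format (records, per-rule flows, per-NIC flowTuples); the records, IP addresses and resource ID are constructed for this example.

```python
"""Summarise NSG flow log v2 records offline (added example; sample data is constructed).

Each flow tuple is one comma-separated string with the fields
  time,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),
  state(B/C/E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
where the four counters are only filled in for continuation (C) and end (E) records.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE_FLOW_LOG = json.dumps({"records": [
    {"time": "2023-05-01T10:00:00.0000000Z",
     "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-APP"
                   "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/APP-SUBNET-NSG",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1682935200,203.0.113.5,10.0.2.4,51234,22,T,I,D,B,,,,",
             "1682935201,203.0.113.5,10.0.2.4,51235,3389,T,I,D,B,,,,",
             "1682935202,203.0.113.5,10.0.2.4,51236,445,T,I,D,B,,,,",
             "1682935203,192.0.2.77,10.0.2.4,40001,22,T,I,D,B,,,,",
         ]}]},
         {"rule": "UserRule_allow-https-from-internet", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1682935210,198.51.100.8,10.0.2.4,60000,443,T,I,A,B,,,,",
             "1682935215,198.51.100.8,10.0.2.4,60000,443,T,I,A,E,12,2400,10,9000",
         ]}]},
     ]}},
]})


@dataclass
class Flow:
    time: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str   # I = inbound, O = outbound
    decision: str    # A = allowed, D = denied
    state: str       # B = begin, C = continuing, E = end
    bytes_to_dst: int
    bytes_to_src: int
    rule: str
    nsg: str


def parse_flow_log(raw):
    """Flatten records -> rules -> NICs -> tuples into Flow objects."""
    flows = []
    for record in json.loads(raw)["records"]:
        if record["properties"].get("Version") != 2:
            raise ValueError("only flow log version 2 tuples are handled")
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for by_rule in record["properties"]["flows"]:
            for nic in by_rule["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed tuple: {tup}")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6],
                                      f[7], f[8], int(f[10] or 0), int(f[12] or 0),
                                      by_rule["rule"], nsg))
    return flows


def denied_inbound_by_source(flows):
    """How many inbound connection attempts each source had denied (begin records only)."""
    return Counter(f.src_ip for f in flows
                   if f.direction == "I" and f.decision == "D" and f.state == "B")


def probable_scanners(flows, min_ports=3):
    """Sources denied on at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


def bytes_per_rule(flows):
    """Bytes in both directions attributed to each allowing rule (from C/E records)."""
    total = Counter()
    for f in flows:
        if f.decision == "A":
            total[f.rule] += f.bytes_to_dst + f.bytes_to_src
    return dict(total)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(denied_inbound_by_source(flows))
    print(probable_scanners(flows))
    print(bytes_per_rule(flows))
```

On real data, point parse_flow_log at the hourly PT1H.json blobs from the flow log container; a source that keeps appearing in probable_scanners is a candidate for the Azure Firewall deny list described in 1.4, and a rule with unexpectedly large bytes_per_rule is worth a second look against its stated business need.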

1.3: Protect critical web applications

Azure ID  CIS IDs  Responsibility
1.3  9.5  Customer

Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable the Diagnostic Setting for the WAF and ingest its logs into a Storage Account, Event Hub, or Log Analytics Workspace.

1.4: Deny communications with known malicious IP addresses

Azure ID  CIS IDs  Responsibility
1.4  12.3  Customer

Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.

Use Azure Security Center Just In Time (JIT) network access to configure NSGs so that endpoints are exposed only to approved IP addresses and only for a limited period.

Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence.

1.5: Record network packets

Azure ID  CIS IDs  Responsibility
1.5  12.5  Customer

Enable Network Watcher packet capture to investigate anomalous activities. Captures are started on demand (or triggered from an alert) and require the Network Watcher agent extension on the VM; scope them with filters and size and time limits so that a long-running capture does not fill the target storage.

1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)

Azure ID  CIS IDs  Responsibility
1.6  12.6, 12.7  Customer

Select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. If intrusion detection and/or prevention based on payload inspection is not a requirement, Azure Firewall with Threat Intelligence can be used. Azure Firewall threat intelligence-based filtering can alert on and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.

1.7: Manage traffic to web applications

Azure ID  CIS IDs  Responsibility
1.7  12.9, 12.10  Customer

Deploy Azure Application Gateway for web applications with HTTPS/TLS enabled, using certificates issued by a trusted certificate authority.

1.8: Minimize complexity and administrative overhead of network security rules

Azure ID  CIS IDs  Responsibility
1.8  1.5  Customer

Use Virtual Network Service Tags to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, ApiManagement) in the source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. Many tags also come in region-scoped forms (for example, Storage.WestUS), which let you keep a rule to the region you actually use rather than the service's global footprint.

You may also use Application Security Groups to help simplify complex security configuration. Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

1.9: Maintain standard security configurations for network devices

Azure ID  CIS IDs  Responsibility
1.9  11.1  Customer

Define and implement standard security configurations for network resources with Azure Policy.

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, RBAC controls, and policies, in a single blueprint definition. You can apply the blueprint to new subscriptions, and fine-tune control and management through versioning.

1.10: Document traffic configuration rules

Azure ID  CIS IDs  Responsibility
1.10  11.2  Customer

Use Tags for NSGs and other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to record the business need and, where applicable, the intended duration of any rule that allows traffic to or from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with Tags and to be notified of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up resources, or perform actions on them, based on their Tags.

1.11: Use automated tools to monitor network resource configurations and detect changes

Azure ID  CIS IDs  Responsibility
1.11  11.3  Customer

Use the Azure Activity Log to monitor network resource configurations and detect changes to your Azure resources. Create alerts within Azure Monitor that trigger when changes to critical resources take place; the Activity Log records every write as a Started event followed by a Succeeded or Failed event, so alert conditions should key on the operation name and the terminal status rather than on the Started event.
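The script below is an added example, not code from the Azure documentation: it applies the same condition an Azure Monitor activity log alert would use, offline, to an export of Activity Log events, so the detection logic can be checked before it is wired up as an alert. The event shape is an assumption based on the JSON returned by `az monitor activity-log list -o json` (operationName.value, status.value, caller, eventTimestamp, resourceId); the events, callers and resource IDs are constructed for this example.

```python
"""Detect network-control-plane changes in exported Azure Activity Log events
(added example; event layout assumed, sample events constructed)."""
from dataclasses import dataclass

# Resource provider operation names worth alerting on (compared case-insensitively).
WATCHED_OPERATIONS = (
    "microsoft.network/networksecuritygroups/write",
    "microsoft.network/networksecuritygroups/delete",
    "microsoft.network/networksecuritygroups/securityrules/write",
    "microsoft.network/networksecuritygroups/securityrules/delete",
    "microsoft.network/azurefirewalls/write",
    "microsoft.network/routetables/write",
)


def _event(op, status, caller, ts, resource):
    """Build one event in the assumed `az monitor activity-log list` shape."""
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": caller, "eventTimestamp": ts, "resourceId": resource}


NSG_RULE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
            "/providers/Microsoft.Network/networkSecurityGroups/app-subnet-nsg/securityRules/")
VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
      "/providers/Microsoft.Compute/virtualMachines/vm-web-01")

# Constructed sample: a Started/Succeeded pair, a pipeline change, noise, and a failed attempt.
SAMPLE_EVENTS = [
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Started",
           "alice@contoso.com", "2023-05-01T10:00:00Z", NSG_RULE + "allow-any-mgmt"),
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded",
           "alice@contoso.com", "2023-05-01T10:00:04Z", NSG_RULE + "allow-any-mgmt"),
    _event("Microsoft.Network/networkSecurityGroups/securityRules/delete", "Succeeded",
           "deploy-pipeline-sp", "2023-05-01T11:30:00Z", NSG_RULE + "allow-legacy-ftp"),
    _event("Microsoft.Compute/virtualMachines/start/action", "Succeeded",
           "alice@contoso.com", "2023-05-01T12:00:00Z", VM),
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Failed",
           "mallory@contoso.com", "2023-05-01T13:00:00Z", NSG_RULE + "allow-all"),
]


@dataclass
class Change:
    timestamp: str
    caller: str
    operation: str
    resource_id: str


def _watched(event):
    op = event["operationName"]["value"].lower()
    return op if op in WATCHED_OPERATIONS else None


def network_changes(events):
    """Succeeded operations on watched network resources, oldest first."""
    found = [Change(e["eventTimestamp"], e["caller"], _watched(e), e["resourceId"])
             for e in events if _watched(e) and e["status"]["value"] == "Succeeded"]
    return sorted(found, key=lambda c: c.timestamp)


def unexpected_changes(events, approved_callers):
    """Changes not made by an approved identity such as the deployment pipeline."""
    return [c for c in network_changes(events) if c.caller not in approved_callers]


def failed_attempts(events):
    """(caller, operation) pairs for watched operations that failed; useful as a tamper signal."""
    return [(e["caller"], _watched(e)) for e in events
            if _watched(e) and e["status"]["value"] == "Failed"]


if __name__ == "__main__":
    for change in unexpected_changes(SAMPLE_EVENTS, {"deploy-pipeline-sp"}):
        print(change)
    print(failed_attempts(SAMPLE_EVENTS))
```

The approved-callers set is where an organisation encodes its change process: if all NSG changes are supposed to flow through a pipeline identity, any Succeeded event from a human account is the finding, and a Failed event from an account that should not be touching NSGs at all is worth raising even though nothing changed.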
