Security Control V2: Network Security

Network Security covers controls to secure and protect Azure networks. This includes securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

NS-1: Implement security for internal traffic

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-1 | 9.2, 9.4, 14.1, 14.2, 14.3 | AC-4, CA-3, SC-7

Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG), Azure Firewall, or both.

Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources using network security group rules. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. It might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology).

Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based on observed external network traffic.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

NS-2: Connect private networks together

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-2 | N/A | CA-3, AC-17, MA-4

Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

NS-3: Establish private network access to Azure services

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-3 | 14.1 | AC-4, CA-3, SC-7

Use Azure Private Link to enable private access to Azure services from your virtual networks, without crossing the internet. In situations where Azure Private Link is not yet available, use Azure Virtual Network service endpoints. Azure Virtual Network service endpoints provide secure access to services via an optimized route over the Azure backbone network.

Private access is an additional defense-in-depth measure on top of the authentication and traffic security offered by Azure services.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

NS-4: Protect applications and services from external network attacks

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-4 | 9.5, 12.3, 12.9 | SC-5, SC-7

Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:

  • Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.

  • Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application-layer attacks.

  • Protect your assets against DDoS attacks by enabling DDoS Protection Standard on your Azure virtual networks.

  • Use Azure Security Center to detect misconfiguration risks related to the above.

  • Azure Firewall Documentation

Responsibility: Customer

Customer Security Stakeholders (Learn more):


NS-5: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-5 | 12.6, 12.7 | SI-4

Use Azure Firewall threat intelligence-based filtering to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection/intrusion prevention system (IDS/IPS) with payload inspection capabilities from Azure Marketplace. Alternatively, you can use a host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with, or instead of, a network-based IDS/IPS.

Note: If you have a regulatory or other requirement for IDS/IPS use, ensure that it is always tuned to provide high-quality alerts to your SIEM solution.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

NS-6: Simplify network security rules

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-6 | 1.5 | IA-4

Simplify network security rules by using service tags and application security groups (ASGs).

Use Virtual Network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

You can also use application security groups to help simplify complex security configuration. Instead of defining policy based on explicit IP addresses in network security groups, application security groups let you configure network security as a natural extension of an application's structure: you group virtual machines and define network security policies based on those groups.
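As an added example (not part of the Microsoft benchmark text), the following Python models how an NSG reaches the "deny by default, permit by exception" verdict described in NS-1 and how a service tag stands in for a set of address prefixes as described in NS-6: rules are walked in ascending priority, the first match wins, and Azure's built-in default rules close the set. The VirtualNetwork tag contents, the public test address and the sample rules are constructed; real tag prefixes are managed by Microsoft.

```python
import ipaddress

SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/8"]}  # constructed stand-in for the Microsoft-managed prefixes (assumption)

# Azure's built-in inbound default rules (AllowAzureLoadBalancerInBound at 65001 omitted); customer rules use priorities below 65000.
DEFAULT_INBOUND = [
    {"name": "AllowVNetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def prefix_matches(prefix, ip):
    """Match an NSG address field: '*', a service tag, a CIDR or a single address."""
    if prefix == "*":
        return True
    if prefix in SERVICE_TAGS:
        return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS[prefix])
    if prefix == "Internet":  # approximation: any globally routable address
        return ip.is_global
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(port_range, port):  # '*', a single port such as '22', or a range such as '1000-2000'
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Inbound verdict: ascending priority, first match wins, default rules close the set."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and prefix_matches(rule["sourceAddressPrefix"], ip)
                and port_matches(rule["destinationPortRange"], dst_port)):
            return rule["access"], rule["name"]

def internet_exposed_ports(rules, ports=(22, 3389)):
    """Management ports that a constructed public source address can reach."""
    return [p for p in ports if evaluate(rules, "1.2.3.4", p)[0] == "Allow"]

CUSTOMER_RULES = [  # constructed sample NSG; the last rule is the mistake an audit should catch
    {"name": "AllowHttpsIn", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowSshFromMgmt", "priority": 110, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.1.0.0/24", "destinationPortRange": "22"},
    {"name": "AllowRdpAny", "priority": 120, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
]
```

Running internet_exposed_ports(CUSTOMER_RULES) reports 3389, the port that the wildcard-source rule leaks past the deny-by-default baseline; the same walk explains why SSH from the management subnet is allowed while SSH from the public address falls through to DenyAllInBound.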

Responsibility: Customer

Customer Security Stakeholders (Learn more):

NS-7: Secure Domain Name Service (DNS)

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
NS-7 | N/A | SC-20, SC-21

Follow the best practices for DNS security to mitigate common attacks such as dangling DNS, DNS amplification attacks, and DNS poisoning and spoofing.

When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.

Responsibility: Customer

Customer Security Stakeholders (Learn more):