Azure security baseline for Virtual WAN

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Virtual WAN. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Virtual WAN. Controls not applicable to Virtual WAN have been excluded.

To see how Virtual WAN completely maps to the Azure Security Benchmark, see the full Virtual WAN security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: Azure Virtual WAN provides custom routing capabilities and offers encryption for your ExpressRoute traffic. All route management is provided by the virtual hub router, which also enables transit connectivity between virtual networks. Encrypting your ExpressRoute traffic with Virtual WAN provides an encrypted transit between the on-premises networks and Azure virtual networks over ExpressRoute, without going over the public internet or using public IP addresses.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-2: Connect private networks together

Guidance: Azure ExpressRoute offers private connectivity to Azure Virtual WAN. As ExpressRoute connections do not go over the public internet, ExpressRoute offers more reliability, faster speeds and lower latencies than typical internet connections. You can also use a virtual private network to connect to Azure China through either Site-to-site (S2S) VPN or Point-to-site (P2S) VPN.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

NS-4: Protect applications and services from external network attacks

Guidance: Virtual WAN does not expose any endpoints to external networks that would require them to be secured with conventional network protections. You are free to protect resources in spoke virtual networks (any virtual network connected to a virtual hub) using virtual network protection services.

Use Azure Firewall to protect applications and services against potentially malicious traffic from the Internet and other external locations.

Choose Azure-provided DDoS Protection to protect your assets against attacks on your Azure virtual networks. Use Azure Security Center to detect misconfiguration risks related to your network-related resources.

Azure Security Center monitoring: Yes

Responsibility: Shared

NS-5: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Virtual WAN is an Azure-managed service. It does not offer native intrusion detection or intrusion prevention capabilities. However, there are security capabilities provided to Virtual WAN through Azure Firewall to enable a unified point of policy control. You can create an Azure Firewall policy and link the policy to a Virtual WAN hub to allow the existing Virtual WAN hub to function as a secured virtual hub, with the required Azure Firewall resources deployed.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-6: Simplify network security rules

Guidance: Simplify network security rules by leveraging Virtual Network service tags to define network access controls on network security groups or Azure Firewall. Service tags can be used in place of specific IP addresses when creating security rules. By specifying the service tag name in the source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
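The following is an added example, not part of the baseline and not Microsoft's code, showing why a service-tag rule stays correct as Azure republishes prefixes: the rule names the tag, and the tag is expanded to its current prefix list only at evaluation time. The service-tag document, the NSG rules and the addresses are constructed (the prefixes are RFC 5737 documentation ranges, not Azure address space); the `values[].name` / `properties.addressPrefixes` layout mirrors the Service Tag Discovery API output, and source-side matching is left out to keep the destination logic in focus.

```python
"""Resolve NSG rules that use service tags against concrete destination addresses.

Added example, not from the Azure baseline: the service-tag list, NSG rules
and addresses below are constructed. Prefixes are RFC 5737 documentation
ranges, not real Azure address space.
"""
import ipaddress

# Constructed stand-in for the Service Tag Discovery API output
# (same "values[].name" / "properties.addressPrefixes" layout as
# `az network list-service-tags`).
SERVICE_TAGS = {
    "values": [
        {"name": "Storage",
         "properties": {"addressPrefixes": ["192.0.2.0/25", "198.51.100.0/24"]}},
        {"name": "AzureKeyVault",
         "properties": {"addressPrefixes": ["203.0.113.0/26"]}},
    ]
}

# Constructed NSG rules using the securityRules field names; source-side
# matching is omitted so the destination/service-tag logic stays in focus.
NSG_RULES = [
    {"name": "allow-storage-https", "priority": 100, "direction": "Outbound",
     "access": "Allow", "destinationAddressPrefix": "Storage",
     "destinationPortRange": "443"},
    {"name": "allow-keyvault-https", "priority": 110, "direction": "Outbound",
     "access": "Allow", "destinationAddressPrefix": "AzureKeyVault",
     "destinationPortRange": "443"},
    {"name": "deny-other-outbound", "priority": 4000, "direction": "Outbound",
     "access": "Deny", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def expand_prefix(prefix, tags=SERVICE_TAGS):
    """Return the networks a rule prefix stands for.

    A service-tag name expands to every prefix currently published for it;
    '*' is any address; anything else is parsed as a CIDR or single IP.
    """
    if prefix == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    for entry in tags["values"]:
        if entry["name"].lower() == prefix.lower():
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    return [ipaddress.ip_network(prefix, strict=False)]


def port_matches(rule_range, port):
    """Match a destinationPortRange value ('*', '443' or '1000-2000')."""
    if rule_range == "*":
        return True
    if "-" in rule_range:
        low, high = (int(x) for x in rule_range.split("-", 1))
        return low <= port <= high
    return int(rule_range) == port


def evaluate(rules, direction, dst_ip, dst_port, tags=SERVICE_TAGS):
    """Return (access, rule name) for the first matching rule in priority order,
    or ("NoMatch", None) when no custom rule applies (Azure's default rules
    would then decide)."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction:
            continue
        if not port_matches(rule["destinationPortRange"], dst_port):
            continue
        if any(addr in net for net in expand_prefix(rule["destinationAddressPrefix"], tags)):
            return rule["access"], rule["name"]
    return "NoMatch", None


if __name__ == "__main__":
    for ip, port in (("192.0.2.10", 443), ("203.0.113.5", 443),
                     ("192.0.2.200", 443), ("192.0.2.10", 80)):
        print(ip, port, evaluate(NSG_RULES, "Outbound", ip, port))
```

If the `Storage` entry in `SERVICE_TAGS` gains a prefix, the first rule covers the new address without any rule edit, which is the property the guidance relies on; a rule written with literal prefixes would silently stop matching.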

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-7: Secure Domain Name Service (DNS)

Guidance: Secure DNS capabilities are provided to Virtual WAN with Azure Firewall. Configure Azure Firewall to act as a DNS proxy, which becomes an intermediary for DNS requests from client virtual machines to a DNS server. For custom DNS server configurations, enable DNS proxy to avoid a DNS resolution mismatch, and enable fully qualified domain name filtering in the network rules.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Active Directory (Azure AD) is the default identity and access management service for Azure services, including Virtual WAN. Standardize Azure AD to govern your organization's identity and access management in:

  • Azure cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, platform as a service (PaaS), and software as a service (SaaS) applications.
  • Your organization's resources, such as applications on Azure or your corporate network resources.

Secure Azure AD as a high priority in your organization's cloud security practice. Assess your identity and security posture with the security score feature from Security Center to gauge how closely your configuration matches Azure's best practice recommendations. As necessary, implement Azure's best practice recommendations for improvements to your security posture.

Azure AD also supports external identities, which allow users without an Azure account to sign in to their applications and resources with their external identity.

Review information on using Azure AD in Point-to-site VPN scenarios at the referenced links.

Azure Security Center monitoring: Yes

Responsibility: Shared

IM-4: Use strong authentication controls for all Azure Active Directory based access

Guidance: Currently, Azure Active Directory (Azure AD) authentication is provided through integration with Virtual WAN Point-to-site VPN.

Azure Active Directory (Azure AD) is the default identity and access management service for Azure services. Azure AD supports strong authentication controls with multifactor authentication and strong passwordless methods.

Azure AD recommends the following for strong authentication controls:

  • Multifactor authentication - Enable Azure AD multifactor authentication and follow Identity and Access Management recommendations in Azure Security Center for security best practices. Enforce multifactor authentication on all users, on selected users, or at the per-user level based on sign-in conditions and risk factors.

  • Passwordless authentication - Three passwordless authentication options are available. These include Windows Hello for Business, the Azure Authenticator app, and on-premises authentication methods such as smart cards.

Ensure the highest level of strong authentication methods is used for administrator and privileged users, followed by a roll-out of a strong authentication policy to other users.

Azure Security Center monitoring: Yes

Responsibility: Shared

IM-6: Restrict Azure resource access based on conditions

Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication for VPN users (point-to-site) using Azure AD authentication. Configure multifactor authentication on a per-user basis, or leverage multifactor authentication with Conditional Access. Conditional Access allows for finer-grained control over how a second factor should be prompted. It can allow assignment of multifactor authentication to only the VPN, and exclude other applications tied to the Azure AD tenant.

Note that Azure AD authentication is only available for gateways using the OpenVPN protocol and clients running Windows.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-7: Eliminate unintended credential exposure

Guidance: Site-to-site VPN in Virtual WAN uses pre-shared keys (PSK), which are discovered, created and managed by the customer in their Azure Key Vault. Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure Virtual WAN uses Azure role-based access control (Azure RBAC) to isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in.

Also restrict access to the management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-4: Encrypt sensitive information in transit

Guidance: Use Point-to-site VPN, Site-to-site VPN and encrypted ExpressRoute with Virtual WAN for your connectivity requirements. VPN encryption protects data in transit from 'out of band' attacks (such as traffic capture) to ensure that attackers cannot read or modify the data.

Azure Security Center monitoring: Yes

Responsibility: Shared

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. With that, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (root management group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production. Azure Virtual WAN also supports Azure Resource Manager-based resource deployments, with which you can export asset templates.

Azure Security Center monitoring: Yes

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Virtual WAN brings together many networking, security, and routing functionalities to provide a single operational interface. Virtual WAN VPN gateways, ExpressRoute gateways, and Azure Firewall have logging and metrics available through Azure Monitor.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-5: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and Threat Detection

LT-1: Enable threat detection for Azure resources

Guidance: Point-to-site VPN with Virtual WAN is integrated with Azure Active Directory (Azure AD). Azure AD provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, SIEM or monitoring tools for more sophisticated threat monitoring and analytics use cases. These are:

  • Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.
  • Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Use Azure Security Center to create alerts on certain suspicious activities, such as an excessive number of failed authentication attempts, including by deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, use the Threat Protection module from Security Center to collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility into account anomalies inside the individual resources.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

LT-2: Enable threat detection for Azure identity and access management

Guidance: Point-to-site VPN with Virtual WAN is integrated with Azure Active Directory (Azure AD). Azure AD provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, SIEM or monitoring tools for more sophisticated threat monitoring and analytics use cases. These are:

  • Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.
  • Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Use Azure Security Center to create alerts on certain suspicious activities, such as an excessive number of failed authentication attempts, including by deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, use the Threat Protection module from Security Center to collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility into account anomalies inside the individual resources.
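The two suspicious activities named in LT-1 and LT-2 (an excessive number of failed authentication attempts, and any activity by accounts that should have been retired) can be expressed as plain detection logic over exported sign-in records. The following is an added example, not from the baseline and not Microsoft's code. The records are constructed in the shape of the SigninLogs table fields (TimeGenerated, UserPrincipalName, ResultType, AppDisplayName, IPAddress), where ResultType "0" is a successful sign-in and any other value is a failure code; the user names, addresses, threshold, window and deprecated-account list are all made up for the example.

```python
"""Find excessive failed sign-ins and deprecated-account use in Azure AD sign-in records.

Added example, not from the baseline: records are constructed in the
SigninLogs shape; ResultType "0" is success, any other value a failure code.
Users, IPs, threshold, window and the deprecated-account list are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN_LOGS = [
    # one old failure for bob, outside the window of the burst below
    {"TimeGenerated": "2021-03-01T07:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "50126", "AppDisplayName": "Azure VPN", "IPAddress": "198.51.100.7"},
    # alice mistypes once, then succeeds: no alert
    {"TimeGenerated": "2021-03-01T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "ResultType": "50126", "AppDisplayName": "Azure VPN", "IPAddress": "198.51.100.20"},
    {"TimeGenerated": "2021-03-01T08:01:00Z", "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "AppDisplayName": "Azure VPN", "IPAddress": "198.51.100.20"},
    # five failures for bob in five minutes from a different address
    *[{"TimeGenerated": f"2021-03-01T08:{m:02d}:00Z", "UserPrincipalName": "bob@contoso.example",
       "ResultType": "50126", "AppDisplayName": "Azure VPN", "IPAddress": "203.0.113.9"}
      for m in (10, 11, 12, 13, 14)],
    # a successful sign-in by an account that should have been retired
    {"TimeGenerated": "2021-03-01T09:30:00Z", "UserPrincipalName": "contractor-2019@contoso.example",
     "ResultType": "0", "AppDisplayName": "Azure VPN", "IPAddress": "198.51.100.40"},
]

# Constructed list of accounts that should no longer sign in at all.
DEPRECATED_ACCOUNTS = {"contractor-2019@contoso.example"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_excessive_failures(records, threshold=5, window=timedelta(minutes=10)):
    """Alert on any account with at least `threshold` failures inside a sliding window."""
    failures = defaultdict(list)
    for rec in records:
        if rec["ResultType"] != "0":
            failures[rec["UserPrincipalName"]].append(parse_ts(rec["TimeGenerated"]))
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "failures": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per account is enough for triage
    return alerts


def find_deprecated_account_use(records, deprecated=DEPRECATED_ACCOUNTS):
    """Any sign-in attempt, successful or not, by a deprecated account."""
    return [rec for rec in records if rec["UserPrincipalName"] in deprecated]


if __name__ == "__main__":
    for alert in find_excessive_failures(SIGNIN_LOGS):
        print("excessive failures:", alert)
    for rec in find_deprecated_account_use(SIGNIN_LOGS):
        print("deprecated account used:", rec["UserPrincipalName"], rec["TimeGenerated"])
```

The sliding window matters: bob's 07:00 failure is not counted toward the 08:10 burst, so the alert reports five failures, not six, and a single mistyped password does not page anyone. The same logic is what a Sentinel analytics rule would express in KQL over the SigninLogs table.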

Azure Security Center monitoring: Yes

Responsibility: Shared

LT-3: Enable logging for Azure network activities

Guidance: Monitor Azure Virtual WAN with Azure Monitor. Virtual WAN brings together many networking, security, and routing functionalities to provide a single operational interface. Virtual WAN VPN gateways, ExpressRoute gateways, and Azure Firewall have logging and metrics available through Azure Monitor. Activity log entries are collected by default and can be viewed in the Azure portal. You can use Azure activity logs (formerly known as operational logs and audit logs) to view all operations submitted to your Azure subscription.

A variety of diagnostic logs are also available for Virtual WAN, and can be configured for the Virtual WAN resource with the Azure portal. You can choose to send them to Log Analytics, stream them to an event hub, or simply archive them to a storage account.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-4: Enable logging for Azure resources

Guidance: Azure Activity logs, enabled automatically, contain all write operations (PUT, POST, DELETE) for your Azure Virtual WAN resources except read (GET) operations. Activity logs can be used to find an error during troubleshooting or to monitor how a user in your organization modified a resource.
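AM-3 asks for an alert when a non-approved service is detected, and LT-4 describes the activity log as the record of every write operation (PUT, POST, DELETE). Put together, the activity log is the feed such an alert rule reads. The following is an added example, not from the baseline and not Microsoft's code, that applies that check to a handful of constructed events: the event layout (operationName, resourceId, caller, httpRequest.method, status) is a simplified activity-log shape, and the subscription id, resource names, callers and the approved-type list are placeholders.

```python
"""Audit activity-log write operations and flag non-approved resource types.

Added example, not from the baseline: events are constructed in a
simplified activity-log shape; the subscription id, resource names,
callers and the approved list are placeholders.
"""
import re

# Constructed allow-list of resource types this environment has approved.
APPROVED_RESOURCE_TYPES = {t.lower() for t in (
    "Microsoft.Network/virtualWans",
    "Microsoft.Network/virtualHubs",
    "Microsoft.Network/vpnGateways",
    "Microsoft.Network/azureFirewalls",
    "Microsoft.Network/firewallPolicies",
)}

# Write operations as LT-4 describes them; GET is read-only and not audited here.
WRITE_METHODS = {"PUT", "POST", "DELETE"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-wan"
EVENTS = [
    {"operationName": "Microsoft.Network/virtualWans/write", "caller": "netops@contoso.example",
     "resourceId": f"{SUB}/providers/Microsoft.Network/virtualWans/vwan-prod",
     "httpRequest": {"method": "PUT"}, "status": "Succeeded"},
    {"operationName": "Microsoft.Network/virtualHubs/read", "caller": "auditor@contoso.example",
     "resourceId": f"{SUB}/providers/Microsoft.Network/virtualHubs/hub-east",
     "httpRequest": {"method": "GET"}, "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/write", "caller": "dev@contoso.example",
     "resourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/vm-test",
     "httpRequest": {"method": "PUT"}, "status": "Succeeded"},
    {"operationName": "Microsoft.Storage/storageAccounts/delete", "caller": "dev@contoso.example",
     "resourceId": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stlogs",
     "httpRequest": {"method": "DELETE"}, "status": "Succeeded"},
]

# Top-level "provider/type" in an ARM resource id; child resources resolve to their parent type.
_TYPE_RE = re.compile(r"/providers/([^/]+)/([^/]+)", re.IGNORECASE)


def resource_type(resource_id):
    """Lower-cased 'Provider/type' of the resource an event targets, or None."""
    match = _TYPE_RE.search(resource_id)
    return f"{match.group(1)}/{match.group(2)}".lower() if match else None


def audit_write_operations(events, approved=APPROVED_RESOURCE_TYPES):
    """Every write event, annotated with whether its resource type is approved."""
    findings = []
    for event in events:
        method = event.get("httpRequest", {}).get("method", "").upper()
        if method not in WRITE_METHODS:
            continue
        rtype = resource_type(event["resourceId"])
        findings.append({"operation": event["operationName"], "caller": event["caller"],
                         "method": method, "resourceType": rtype,
                         "approved": rtype in approved})
    return findings


def unapproved_services(events, approved=APPROVED_RESOURCE_TYPES):
    """Write events that touched a non-approved service: the ones an alert rule should fire on."""
    return [f for f in audit_write_operations(events, approved) if not f["approved"]]


if __name__ == "__main__":
    for finding in unapproved_services(EVENTS):
        print("non-approved service:", finding["resourceType"], "by", finding["caller"], finding["method"])
```

Comparing lower-cased types avoids false negatives, since ARM treats provider and type names case-insensitively. The GET on the hub is skipped, the virtual WAN write is approved, and the VM creation and storage account deletion are the two events the AM-3 alert should raise.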

Enable Azure resource logs for Virtual WAN. You can use Azure Security Center and Azure Policy to enable resource logs and log data collection. These logs can be critical for later investigating security incidents and performing forensic exercises.

Azure Security Center monitoring: Yes

Responsibility: Shared

LT-5: Centralize security log management and analysis

Guidance: Enable security logging for Virtual WAN with Azure Monitor. Virtual WAN brings together many networking, security, and routing functionalities to provide a single operational interface. Virtual WAN VPN gateways, ExpressRoute gateways, and Azure Firewall have logging and metrics available through Azure Monitor. Activity log entries are collected by default and can be viewed in the Azure portal. You can use Azure activity logs (formerly known as operational logs and audit logs) to view all operations submitted to your Azure subscription.

A variety of diagnostic logs are also available for Virtual WAN, and can be configured for the Virtual WAN resource with the Azure portal. Send them to Log Analytics, stream them to an event hub, or simply archive them to a storage account. In addition, enable and onboard data to Azure Sentinel or a third-party Security Information and Event Management solution.

Azure Virtual WAN security is provided through Azure Firewall.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

LT-6: Configure log storage retention

Guidance: Configure your log retention according to your compliance, regulation, and business requirements. In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage, Data Lake or Log Analytics workspace accounts for long-term and archival storage.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

IR-2: Preparation - setup incident notification

Guidance: Set up security incident contact information in Azure Security Center. This contact information is used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.

Azure Security Center monitoring: Yes

Responsibility: Customer

IR-3: Detection and analysis - create incidents based on high quality alerts

Guidance: Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-4: Detection and analysis - investigate an incident

Guidance: Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:

  • Network data - use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

  • Snapshots of running systems:

    • Use the Azure virtual machine's snapshot capability to create a snapshot of the running system's disk.

    • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-5: Detection and analysis - prioritize incidents

Guidance: Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
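IR-5 leaves the combination of alert severity and asset criticality to the customer, and AM-2 supplies the mechanism (resource tags). The following is an added example, not from the baseline and not Microsoft's code, of one way to do that combination: alerts carry the SecurityAlert field names AlertName, AlertSeverity, TimeGenerated and ResourceId, but the alerts themselves, the resource ids, the "Criticality" tag and its values, and the numeric weights are all constructed for the example.

```python
"""Rank Security Center alerts by severity and the criticality tag of the affected asset.

Added example, not from the baseline: alerts use SecurityAlert field names,
but the alerts, resource ids, the "Criticality" tag and the weights are constructed.
"""
SEVERITY_WEIGHT = {"High": 4, "Medium": 3, "Low": 2, "Informational": 1}
CRITICALITY_WEIGHT = {"business-critical": 3, "standard": 2, "dev-test": 1}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"

# Constructed tag inventory keyed by lower-cased resource id (ARM ids are case-insensitive).
RESOURCE_TAGS = {
    f"{SUB}/rg-wan/providers/Microsoft.Network/virtualHubs/hub-prod".lower():
        {"Environment": "Production", "Criticality": "business-critical"},
    f"{SUB}/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-sandbox".lower():
        {"Environment": "Dev", "Criticality": "dev-test"},
    # vm-legacy is deliberately absent: an untagged resource
}

ALERTS = [
    {"AlertName": "Suspicious outbound traffic from hub", "AlertSeverity": "Medium",
     "TimeGenerated": "2021-03-01T10:00:00Z",
     "ResourceId": f"{SUB}/rg-wan/providers/Microsoft.Network/virtualHubs/hub-prod"},
    {"AlertName": "Malware detected on VM", "AlertSeverity": "High",
     "TimeGenerated": "2021-03-01T10:05:00Z",
     "ResourceId": f"{SUB}/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-sandbox"},
    {"AlertName": "Failed RDP brute force attempts", "AlertSeverity": "High",
     "TimeGenerated": "2021-03-01T10:02:00Z",
     "ResourceId": f"{SUB}/rg-legacy/providers/Microsoft.Compute/virtualMachines/vm-legacy"},
]


def priority_score(alert, tags=RESOURCE_TAGS):
    """Return (severity x criticality, untagged) for one alert.

    An asset with no Criticality tag is scored as 'standard' rather than
    ignored, and flagged so the inventory gap (AM-2) gets fixed.
    """
    severity = SEVERITY_WEIGHT.get(alert["AlertSeverity"], 1)
    resource_tags = tags.get(alert["ResourceId"].lower(), {})
    label = resource_tags.get("Criticality", "").lower()
    untagged = label not in CRITICALITY_WEIGHT
    criticality = CRITICALITY_WEIGHT["standard"] if untagged else CRITICALITY_WEIGHT[label]
    return severity * criticality, untagged


def triage(alerts, tags=RESOURCE_TAGS):
    """Alerts in the order analysts should work them: highest score first, older first on ties."""
    scored = []
    for alert in alerts:
        score, untagged = priority_score(alert, tags)
        scored.append({**alert, "score": score, "untagged_resource": untagged})
    return sorted(scored, key=lambda a: (-a["score"], a["TimeGenerated"]))


if __name__ == "__main__":
    for item in triage(ALERTS):
        flag = " (resource has no Criticality tag)" if item["untagged_resource"] else ""
        print(item["score"], item["AlertSeverity"], item["AlertName"] + flag)
```

The point the ordering makes: a Medium alert on the production hub (3 x 3 = 9) outranks a High alert on a dev-test machine (4 x 1 = 4), which is exactly the asset-sensitivity context IR-5 asks you to give analysts. The untagged machine lands in between and is flagged so its owner can be found and the tag added.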

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

IR-6: Containment, eradication and recovery - automate the incident handling

Guidance: Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Posture and Vulnerability Management

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Azure policies. Use Azure's strategy and execution of Red Teaming and live site penetration testing against Azure-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-1: Use Endpoint Detection and Response (EDR)

Guidance: Customers are not explicitly allowed to configure Endpoint Detection and Response settings. However, the Virtual Machines used in the Azure Virtual WAN offering do use these capabilities. Learn more about these general capabilities at the referenced links.

Azure Security Center monitoring: Yes

Responsibility: Shared

Governance and Strategy

For more information, see the Azure Security Benchmark: Governance and Strategy.

GS-1: Define asset management and data protection strategy

Guidance: Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Data classification standard in accordance with the business risks

  • Security organization visibility into risks and asset inventory

  • Security organization approval of Azure services for use

  • Security of assets through their lifecycle

  • Required access control strategy in accordance with organizational data classification

  • Use of Azure native and third-party data protection capabilities

  • Data encryption requirements for in-transit and at-rest use cases

  • Appropriate cryptographic standards

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-5: Define network security strategy

Guidance: Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Centralized network management and security responsibility

  • Virtual network segmentation model aligned with the enterprise segmentation strategy

  • Remediation strategy in different threat and attack scenarios

  • Internet edge and ingress and egress strategy

  • Hybrid cloud and on-premises interconnectivity strategy

  • Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-6: Define identity and privileged access strategy

Guidance: Establish Azure identity and privileged access approaches as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized identity and authentication system and its interconnectivity with other internal and external identity systems

  • Strong authentication methods in different use cases and conditions

  • Protection of highly privileged users

  • Monitoring and handling of anomalous user activity

  • User identity and access review and reconciliation process

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-7: Define logging and threat response strategy

Guidance: Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

  • The security operations (SecOps) organization's role and responsibilities

  • A well-defined incident response process aligning with NIST or another industry framework

  • Log capture and retention to support threat detection, incident response, and compliance needs

  • Centralized visibility of, and correlation of, information about threats, using SIEM, native Azure capabilities, and other sources

  • Communication and notification plan with your customers, suppliers, and public parties of interest

  • Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication

  • Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

For more information, see the following references:

Next steps