Enhancing Microsoft’s security posture with Microsoft Azure Firewall Manager

Mar 4, 2024

Imagine an enterprise company with dozens or hundreds of firewalls, each with its own set of policies for keeping corporate networks secure.

That was the situation here at Microsoft until our IT teams started using Microsoft Azure Firewall Manager.

This platform helped streamline and centralize their control over our large firewall ecosystems. It also cleared the way for insights into the thousands of policies spread out across the company. We just needed the right tool to make it a reality.

To accomplish that goal, our Microsoft Azure Firewall product team developed the new Policy Analytics feature for Microsoft Azure Firewall Manager, now available to all customers in public preview. With Policy Analytics, cloud network engineers can identify and remedy rule-based vulnerabilities before they become liabilities.

Beth Garrison, a principal service engineer at Microsoft, uses Microsoft Azure Firewall Manager to configure and manage corporate firewalls, all while protecting company data.

Streamlining and consolidating with Microsoft Azure Firewall Manager

This journey began roughly five years ago. The Microsoft Azure team recognized that maintaining multiple firewalls in isolation can be a headache.

First, there’s the need to manually update numerous individual firewalls. At the same time, threat definitions and newly discovered software weak points demand constant attention. That kind of maintenance requires immense effort from engineers.

The solution?

Virtualizing traditional hardware firewalls into a SaaS environment with Microsoft Azure Firewall and consolidating control over the entire ecosystem with Microsoft Azure Firewall Manager.

Since going live in 2019, Microsoft Azure Firewall Manager has drastically improved corporate network management both internally at Microsoft and for our enterprise customers.

Beth Garrison works on the team that created the Policy Analytics feature for Microsoft Azure Firewall Manager.

There are several benefits for IT practitioners. First, it offers a central location where system engineers can update threat definitions and then rapidly deploy them across the cloud. At the same time, a unified ecosystem allows for mass creation and distribution of rules and policies.

“Being able to manage firewalls as a fleet and have the operational optics into the health and welfare of the firewalls, along with the ability to manage things from a holistic perspective, has tremendous benefits,” says Tom McCleery, principal engineering manager with Microsoft Digital Employee Experience (MDEE).

Teams can also customize firewall rules for specific regions by defining policies that inherit characteristics from a baseline. This helps enforce a centrally defined policy while providing flexibility for administrators to customize firewall rules.

“The main benefit for me as an engineer is time,” says Beth Garrison, principal cloud network engineer for MDEE. “I spend less time making these small changes and more time focusing on improving our network service. That’s more time focusing on complex network problems instead of managing individual firewall updates.”

The need for an all-up policy analytics solution

Microsoft Azure Firewall Manager’s successful internal implementation significantly improved day-to-day operations for our cloud network engineers. But an organization’s network security policies constantly evolve to keep pace with workloads. Over time, network and application rules change and can lose their efficacy, impacting the firewall’s performance and security.

For example, applications might migrate to a new network, but rules referencing the former network remain. Or teams could unknowingly duplicate rules throughout a policy hierarchy.

At an organization like Microsoft with more than 80 firewalls in operation, those kinds of problems can scale rapidly. As a result, MDEE engineers need to keep a close eye on policies.

“Policy management is a very process-heavy operation in general,” McCleery says. “Across the several thousand virtual networks we oversee, managing rules is our top volume.”

To streamline MDEE’s efforts and combat vulnerabilities, the logical next step was providing visibility into policy management over time to generate actionable insights.

“Policy analytics was one of the most sought-after features in Microsoft Azure Firewall Manager,” says Mark Gakman, senior product manager on the Azure Firewall product team. “What out-of-the-box experience could give us a sense of what happens with our policies or how we’re using rules? How can I improve my security posture or the performance of the firewall?”

A collaboration between Microsoft Azure engineers and MDEE led to Policy Analytics for Microsoft Azure Firewall Manager.

Policy Analytics with Microsoft Azure Firewall Manager

Our Policy Analytics feature focuses on providing oversight on all rules in operation across an enterprise’s entire firewall ecosystem.

The insights dashboard within Microsoft Azure Firewall Manager’s Policy Analytics feature.
The Policy Analytics feature for Microsoft Azure Firewall Manager provides insights into network rules across a consolidated firewall ecosystem.

Four key Policy Analytics features deliver insights for network engineers:

  • Firewall flow logs display the traffic flowing through Microsoft Azure Firewall, hit rates, and network and application rule matches. This view helps identify top flows across all rules, filtered by specific sources, destinations, ports, and protocols.
  • Rule analytics present traffic flows mapped to destination network address translation (DNAT), network, and application rules. This provides enhanced visibility into all flows matching a rule over time. As a result, users can analyze rules across both parent and child policies.
  • The policy insight panel aggregates insights and highlights recommendations to optimize Microsoft Azure Firewall policies.
  • Single-rule analysis analyzes traffic flows matching the selected rule, then recommends optimizations based on intelligent insights.

These features help MDEE cloud network engineers identify patterns associated with different kinds of vulnerabilities including fat flows, top talkers, underutilized rules, and duplicate policies.

For the MDEE engineers supporting our internal corporate network, the top priority was eliminating duplicate rules. These introduce risk into networks by creating backdoor entry points, which complicate rule management and slow firewall performance, among other problems.
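An added sketch, not code from Microsoft or from Azure Firewall Manager, of the kind of rule review described above: it flags exact duplicates across a parent and child policy, rules already covered by a broader rule (a generalization beyond the duplicates the article mentions), and rules with no hits. The rule fields, policy names, and hit counts are constructed for the example and are assumptions, not an Azure export format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a parent (baseline) policy and a regional child policy.
# Field names are assumptions for this sketch, not an Azure export schema.
RULES = [
    {"policy": "baseline", "name": "allow-dns", "src": ["10.0.0.0/8"],
     "dst": ["10.1.0.4/32"], "ports": [53], "proto": "UDP", "action": "Allow"},
    {"policy": "emea-child", "name": "dns-out", "src": ["10.0.0.0/8"],
     "dst": ["10.1.0.4"], "ports": [53], "proto": "udp", "action": "Allow"},
    {"policy": "emea-child", "name": "app-to-sql", "src": ["10.20.0.0/16"],
     "dst": ["10.30.5.0/24"], "ports": [1433], "proto": "TCP", "action": "Allow"},
    {"policy": "emea-child", "name": "old-app-to-sql", "src": ["10.20.4.0/24"],
     "dst": ["10.30.5.0/24"], "ports": [1433], "proto": "TCP", "action": "Allow"},
]
# Constructed hit counts per rule over an observation window.
HITS = {"allow-dns": 9120, "dns-out": 0, "app-to-sql": 443, "old-app-to-sql": 0}

def _nets(cidrs):
    return frozenset(ipaddress.ip_network(c, strict=False) for c in cidrs)

def _key(rule):
    """Normalised match tuple so cosmetic differences do not hide duplicates."""
    return (_nets(rule["src"]), _nets(rule["dst"]),
            frozenset(rule["ports"]), rule["proto"].upper(), rule["action"])

def find_duplicates(rules):
    groups = defaultdict(list)
    for r in rules:
        groups[_key(r)].append(f'{r["policy"]}/{r["name"]}')
    return sorted(g for g in groups.values() if len(g) > 1)

def _within(inner, outer):
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def find_covered(rules):
    """Rules fully contained in a broader rule with the same action."""
    out = []
    for a in rules:
        ka = _key(a)
        for b in rules:
            kb = _key(b)
            if a is b or ka == kb or ka[3:] != kb[3:]:
                continue
            if _within(ka[0], kb[0]) and _within(ka[1], kb[1]) and ka[2] <= kb[2]:
                out.append((a["name"], b["name"]))
    return out

def find_unused(rules, hits):
    return sorted(r["name"] for r in rules if hits.get(r["name"], 0) == 0)
```

A rule that is both unused and duplicated or covered elsewhere is the safest candidate to retire first; an unused rule with no equivalent needs an owner's confirmation before removal.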

With the added visibility that Policy Analytics provides, the team managed to discover 1,400 duplicate rules and eliminate more than 1,200 of them. Clearing these duplicates has both significantly improved our security posture and paved the way for automated ACL updates to run more smoothly.

An improved security posture is a massive win for our corporate networks as a whole. But for Garrison and her team of cloud network engineers, the biggest impact has been time savings, especially in their troubleshooting work.

“We get weekly tickets saying users can’t connect from a particular source to a particular destination,” Garrison says. “But we just type in a source IP and we can see what’s happening at a pretty high level very quickly. So from an on-call perspective for direct-response individuals like me, it’s been a huge help.”

By Garrison’s estimate, analytics queries that used to take five or 10 minutes now clock in at around 30 seconds. Those time savings translate to better service and more flexibility for her team.

The emerging possibilities of Policy Analytics

Policy Analytics for Microsoft Azure Firewall Manager is currently in public preview. Even at this early stage, the response from customers has been incredible.

“This solves a big pain point for large organizations with tens or hundreds of firewall deployments,” Gakman says. “After only six months in preview, more than 1,000 enterprise customers have activated Policy Analytics. From the conversations I’m having, the demand for these capabilities is strong.”

The team continues to add more analysis and features as Policy Analytics matures. One of the most exciting developments is the ongoing growth of intelligent recommendations for single-rule analysis.

That kind of support is especially helpful for organizations that don’t have cloud network engineers in their IT organizations. By following AI-driven, automated recommendations when a user zooms in on a particular rule, even teams that lack network expertise will be able to increase their security posture.

For our support teams and our customers’ IT professionals, Policy Analytics for Microsoft Azure Firewall Manager is one more step toward a truly cloud-driven business world.

“It’s a feature, but it’s really the underpinning for a whole discipline within my team,” McCleery says. “Our biggest goal is helping people and processes work at the pace of the cloud.”

Key Takeaways

  • The tech is the easy part: Focus on people and process as you’re developing solutions.
  • If it’s not measured, it’s not valued. Do everything you can to get the data on the table.
  • Deploy to your most underutilized firewalls first to build confidence and comfort.
  • Get in the habit of looking into your rules periodically, and adjustments will become simpler over time.
