Network Security Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/network-security/

Deploying global remote VWAN connectivity with Azure VWAN and Azure VPN
http://approjects.co.za/?big=insidetrack/blog/deploying-global-remote-vwan-connectivity-with-azure-vwan-and-azure-vpn/
Tue, 05 Dec 2023 16:57:12 +0000

Editor’s note: This is the fifth in an ongoing series on moving our network to the cloud internally at Microsoft.

In the modern workplace, Microsoft employees access their work from many locations. To give our global workforce secure and efficient connectivity to cloud and on-premises resources, we’re adopting Azure Virtual WAN (VWAN) together with our enterprise-scale security controls.

Those controls authenticate remote users before they reach resources in Azure or on-premises and support service-to-service authentication. Because they are not tied to a physical site, they remove dependencies between network services and particular locations, which makes the environment more robust and reliable. Strong authentication enforcement and role-based access control keep the design workable at enterprise scale.

We’re evolving remote access for our employees by migrating our remote and VPN access infrastructure to a modern, cloud-based solution built on Azure VPN and Azure VWAN. The new solution accommodates changing security requirements and scales with the demands of our remote workforce, improving both our security posture and the efficiency of our remote access infrastructure.

Moving to the Azure-based solution allows us to support all remote access users with the Azure VPN client. This unified approach creates a simplified user experience and performs better for remote employees than our previous solution.

Our solution’s core is Azure Virtual WAN, a networking service that combines many networking, security, and routing functionalities to unify Azure and on-premises networking capability into a single operational interface.

Azure VWAN supports site-to-site, point-to-site, and private connections between Azure and on-premises users and resources using ExpressRoute, Azure VPN, Azure Firewall, and advanced routing configuration. Its hub-and-spoke architecture provides enterprise scale and performance from cloud-hosted VWAN hubs in Azure regions across the globe. Using the globally distributed Azure public cloud infrastructure, we can quickly deploy a global transit network for the entire enterprise, connecting on-premises network endpoints through the closest Azure VWAN hub.

Using the Azure VPN client and the VPN support built into Azure VWAN, employees connect to their closest regional hub, which integrates them securely and efficiently with Azure VWAN and our global corporate network. Today, Azure VPN is deployed selectively for specific scenarios rather than as the default network access path, but it is capable of that role, and we plan to make Azure VPN our default remote access solution soon.

Figure: architecture diagram showing user traffic flow on Azure VWAN in our hybrid network environment.

Using Azure VWAN and Azure VPN to manage our global network and remote access has resulted in many improvements to our wide area network architecture and the employee experience when using the network.

We’re using infrastructure as code (IaC) to deploy and scale our VPN capacity, enabling us to quickly accommodate and host over 100,000 users. Our ongoing efforts include onboarding all Microsoft employees to Azure VPN.

Protecting intellectual property is paramount for Microsoft. Azure VPN provides the transport security for our solution, using industry-standard VPN protocols (Azure point-to-site VPN supports IKEv2 and OpenVPN-based tunnels) so that data transmitted between employees and resources in Azure or on-premises remains confidential and protected from unauthorized access in transit. The tunnel protects the path; what a user can reach once connected is governed by the authentication and role-based access controls described above.

Our architecture is designed to scale seamlessly as the user base grows. With the inherent scalability of Azure Virtual WAN, we can accommodate additional users and network resources without compromising performance. This flexibility ensures that Microsoft can support its expanding workforce without sacrificing connectivity or user experience.

Our network build process uses IaC principles to create a highly adaptable, robust, and reliable network environment. Our deployment templates and resource modules—created using the Bicep language—define the desired state of our VWAN infrastructure in a declarative manner. Following Microsoft best practices, we maintain a central Bicep template that invokes distinct modules—also defined in Bicep—to instantiate the necessary resources for deployment. This modular framework allows us to be flexible and accommodate new changes or requirements by applying various deployment patterns. For more information, visit Deploying a VWAN using infrastructure as code and CI/CD.

Our solution offers centralized management and monitoring, so our support teams can manage the VPN infrastructure efficiently. The security team configures VPN settings and monitors usage patterns from the Azure Dashboard, which streamlines administration and troubleshooting.

We design the user experience to maximize productivity. The solution uses a global VPN profile that directs each client to the nearest Azure VWAN hub, minimizing latency and letting employees reach hosted resources from anywhere in the world. This removes a barrier to productivity and lets users collaborate efficiently regardless of their geographic location.

Intellectual property protection often carries compliance requirements. Our solution follows industry best practices and relevant regulations for data privacy, access control, and auditability, so intellectual property is handled in a secure and compliant manner.

We’re excited about the successful enterprise-scale deployment of our Azure Virtual WAN and Azure VPN-based solution. This deployment increases our ability to safeguard intellectual property while seamlessly supporting the connectivity needs of Microsoft employees. We remain committed to supporting the internal networking needs of Microsoft and ensuring secure and seamless connectivity as our organization grows.


Key Takeaways

  • Migrate to a cloud-based VPN solution. Transition your VPN and remote access infrastructure to Azure VPN and Azure VWAN for a more scalable and secure remote access solution.
  • Leverage Infrastructure as Code for network management. Adopt infrastructure as code (IaC) using the Bicep language to efficiently manage and scale your network infrastructure, allowing for flexible and rapid deployment.
  • Plan for scalability and user growth. Ensure your network architecture is designed to scale seamlessly with Azure Virtual WAN, accommodating additional users and resources without sacrificing performance.
  • Centralize management and monitoring. Use centralized management and monitoring tools, such as the Azure Dashboard, to efficiently administer VPN settings and manage network usage.

Try it out

Get started with Azure VWAN with routing intent and routing policies at your company.


Finding and remediating rogue access points on the Microsoft corporate network
http://approjects.co.za/?big=insidetrack/blog/finding-rogue-access-points-on-the-microsoft-corporate-network/
Fri, 11 Aug 2023 16:33:25 +0000


Finding rogue access points on Microsoft’s network is an important mission for our IT teams.

Networked devices are everywhere, and employees within Microsoft and many other large organizations regularly bring their own wireless devices into the office. Plugging in a wireless router designed for home office use or a wireless speaker system might seem harmless, but these rogue access points (APs) pose serious security risks.


In the case of a wireless router designed for home use, it might have a default password that’s literally “password” or the device’s brand name. That could give drive-by hackers easy access to an enterprise’s network.

“An unauthorized user could be sitting in the parking lot and you just knowingly or unknowingly gave them access to the corporate network,” says Pete Fortman, a principal engineer for Microsoft who focuses on security.

With networking built into more and more devices, an increasing number of seemingly benign APs can also act as bridges between their wireless side and the wired corporate network. That means that in spite of strict segmentation within our overall network environment, threats can piggy-back on a growing number of rogue APs to reach corporate networks.

Eliminating these vulnerabilities is essential to maintaining a Zero Trust environment.

The danger of rogue APs

Once inside, bad actors can wreak havoc. They can steal intellectual property, flood a network with junk traffic, or insert themselves between two parties who believe they’re speaking directly with each other when in fact every message passes through the attacker (an adversary-in-the-middle attack).

One of the most damaging outcomes is a ransomware attack. That’s a type of malware that blocks access to critical data or systems until the target pays a ransom, and they can be massively disruptive in terms of both operations and customer trust.

Beyond that, rogue APs can interfere with legitimate wireless traffic—often by simply competing for airtime with the unwanted device. “It’s like a conference room with 18 seats, but 50 people are in the room and they’re all trying to stream something wirelessly,” Fortman says.

We’ve fought to keep rogue APs off our network for years. But as devices become more complex and plentiful, they’ve also become more difficult to detect. That doesn’t just increase the number of risky APs attached to our network. It also vastly increases the amount of telemetry that IT teams have to address, resulting in greater data volume and complexity.

To combat that, we’re applying machine learning and other advanced techniques to track rogue APs down.

Figure: the pathways that rogue access points can use to gain access to a wired corporate network. Wired and wireless network telemetry both feed the corporate network; on the wired side, rogue access points stem from unauthorized communication channels and unauthorized users.

When we began examining additional telemetry to find rogue access points in 2019, Fortman was surprised by what we uncovered.

“We had rogue devices all over the place,” Fortman says. “We kept the data private for a while to prevent adversaries from knowing what we can and cannot detect. When we shared the data more broadly, there was a collective gasp as people realized what was going on.”


Tracking down rogues

Obviously, rogue AP vulnerabilities aren’t good at a company that relies on Zero Trust to ensure security.


An engineering team within Microsoft Digital Employee Experience (MDEE), the organization that powers, protects, and transforms our internal technology, took on the challenge of identifying and removing rogue devices.

Finding rogue APs posed a substantial engineering challenge. Potentially thousands of devices from a wide range of manufacturers might be on the loose in the corporate network—all using different wireless protocols.

“Gathering all this information into one place was a feat unto itself,” says Vincent Bersagol, a senior software engineer for Microsoft. “And we had to do it twice for two different data sets. Then we had to correlate the data sets together, and then look at suppression technology.”

Microsoft’s data tools, such as Microsoft Power BI, Microsoft Azure Data Lake, and Microsoft Azure Synapse, played a key role in collecting and correlating the data. “That was a great way to visualize all this data for folks to have a look at it,” Bersagol says.

Our expertise in machine learning also proved helpful for finding rogue APs. We used it to sort through the correlations between wired and wireless devices.

“We used a clustering algorithm that allowed us to tease out all the media access control (MAC) addresses that were statistically related to each other in a way that humans couldn’t see,” Bersagol says.

Many access points share identifiable fingerprints, such as patterns in the MAC addresses of their wired and wireless interfaces, that show up across multiple sets of network telemetry. Finding these fingerprints began with a manual examination of the rogue APs we’d already discovered. We recognized that needing a sample of every type of rogue AP, and a hand-built identification for each, to find new patterns would not scale as the project grew.

But collecting all the wired and wireless telemetry to hunt for new rogue AP designs wasn’t enough. “That’s too much data for humans to sift through,” Bersagol says.

Instead, we ran a script that matched the two telemetry sets across all machines encountered. If the script found any correlated wireless and wired data, the odds were very high that they came from the same device—a rogue AP. We gained further confidence that we’d found a rogue AP when the correlated addresses came from within the same building.
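The matching step described in the last few paragraphs (the MAC-address correlation between the wired and wireless telemetry sets, with the same-building check raising confidence), as an added example that is not Microsoft's detection code. It assumes one heuristic the post does not spell out: consumer APs commonly assign their wired MAC and their wireless BSSID from the same vendor block (the OUI) a few addresses apart, so a wired MAC and a BSSID with the same OUI within a small offset are probably the same box. The telemetry, switch names and buildings below are constructed sample data.

```python
"""Correlate wired switch-port telemetry with wireless BSSID telemetry to
flag likely rogue access points.

Added example, not Microsoft's code. Heuristic assumed: a consumer AP's wired
MAC and wireless BSSID usually share an OUI and differ by a small offset.
"""

import re
from collections import defaultdict

# Constructed wired telemetry: one row per MAC learned on an access port.
# MAC notations deliberately vary, as they do across switch vendors.
WIRED_TELEMETRY = [
    {"switch": "sw-b18-1", "port": "Gi1/0/12", "mac": "0011.2233.4450", "building": "B18"},
    {"switch": "sw-b18-1", "port": "Gi1/0/7", "mac": "00-11-22-AA-BB-00", "building": "B18"},
    {"switch": "sw-b20-2", "port": "Gi1/0/3", "mac": "a4:5e:60:12:34:56", "building": "B20"},
]

# Constructed wireless telemetry: BSSIDs heard over the air, tagged with the
# building of the sensor that reported them.
WIRELESS_TELEMETRY = [
    {"bssid": "00:11:22:33:44:51", "ssid": "MyHomeWiFi", "building": "B18"},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "Speaker-Setup", "building": "B20"},
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "CorpWiFi", "building": "B18"},
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, accepting colon, dash and
    Cisco dotted notations; raise on anything that is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_int(mac: str) -> int:
    return int(normalize_mac(mac), 16)


def oui(mac: str) -> str:
    """First three octets: the vendor block a device's interfaces share."""
    return normalize_mac(mac)[:6]


def correlate(wired, wireless, max_offset=8):
    """Pair wired MACs with BSSIDs in the same OUI within max_offset addresses.
    Each finding names the switch port to act on and carries confidence
    'high' when both sides were seen in the same building, else 'medium'."""
    by_oui = defaultdict(list)
    for w in wireless:
        by_oui[oui(w["bssid"])].append(w)

    findings = []
    for p in wired:
        wired_addr = mac_int(p["mac"])
        for w in by_oui.get(oui(p["mac"]), []):
            offset = abs(mac_int(w["bssid"]) - wired_addr)
            if offset > max_offset:
                continue
            same_building = w["building"] == p["building"]
            findings.append({
                "switch": p["switch"],
                "port": p["port"],
                "wired_mac": normalize_mac(p["mac"]),
                "bssid": normalize_mac(w["bssid"]),
                "ssid": w["ssid"],
                "offset": offset,
                "confidence": "high" if same_building else "medium",
            })
    # Highest-confidence, tightest matches first.
    findings.sort(key=lambda f: (f["confidence"] != "high", f["offset"]))
    return findings


if __name__ == "__main__":
    for f in correlate(WIRED_TELEMETRY, WIRELESS_TELEMETRY):
        print(f"{f['confidence']:6} {f['switch']}:{f['port']}  wired {f['wired_mac']}"
              f"  bssid {f['bssid']} ({f['ssid']})  offset {f['offset']}")
```

On the constructed data the home router on Gi1/0/12 is a high-confidence hit (BSSID one address above its wired MAC, same building), the speaker on Gi1/0/7 matches but was heard from a different building and so stays medium, and the corporate laptop and the corporate AP produce nothing because neither has a counterpart in the other telemetry set. The offset bound and the OUI check are what keep the comparison from being an all-pairs scan over every MAC on the network.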

So far, so good.

But some devices have designs that elude direct correlation using the existing telemetry. By using additional telemetry sources, we’ve been able to unearth devices that are more difficult to detect.

Still, even finding the simpler devices yields an impressive collection.

In the early stages of the project in October 2019, a sweep of about 100 buildings on the Microsoft campus unearthed more than 1,000 rogue APs.

COVID-19 plays a role (of course)

The COVID-19 pandemic had several impacts on the team tasked with finding rogue access points. Many rogue devices disappeared from the network because their owners were working from home.

The disruption also challenged some of the engineers working on the problem.

Blaze Kotsenburg, a software engineer, began work on the project in June 2020—his first month as a Microsoft employee. But onboarding, meeting new team members, and getting up to speed on the rogue AP project all took place over Microsoft Teams.

“I couldn’t go to my mentor Vincent and ask him for a 15-minute whiteboard,” Kotsenburg says. “I’d work on something for a few hours, then ping him and say, ‘Hey, I need some help.’”

In spite of these challenges, the entire team found new ways to collaborate and recreate the in-office dynamic. Diego Baccino, a principal software engineering manager, shares that the virtual work environment helped create a single team, rather than one team led by Fortman and one by Baccino.

“Working with two teams in parallel worked even better because of the remote situation,” Baccino says. “If I were to do this over again, I’d put even more emphasis on communication between everyone involved.”

This strong collaborative stance has remained as employees have transitioned from fully remote to hybrid work.

Pulling the plug

It’s possible to take a fine-grained approach to finding rogue access points and booting them off a network, such as moving the offending port into a quarantine virtual local area network (VLAN) or blocking the devices’ MAC addresses.

In this case, we opted for a more blanket approach: shutting down any port connected to a rogue AP. This technique proved simple and effective, and safer than trying gentler approaches.

There’s what Fortman calls “collateral damage,” because when a port is shut down, its user might lose network connectivity for other devices in their office, and Microsoft loses visibility into anything connected to that port.

“Shutting down a port is a basic capability of wired access,” Fortman says. “As more Zero Trust networking capabilities become available on the infrastructure, we’re leveraging them to proactively prevent some devices from connecting and to enact more precise rogue AP suppression through automated remediation.”

While our earlier work was about identifying, cataloging, and remediating accumulated rogue AP issues, we’ve now developed a more real-time approach. We’re using Azure Event Hubs and Azure Data Explorer to handle real-time telemetry and improve our security response time.

That set the stage for automated remediation. Now, when our systems detect a rogue AP, we can automatically suppress it through an automation platform that turns off the associated ports—no human intervention required.
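The decision logic an unattended port-shutdown automation needs, as an added example that is not Microsoft's automation platform. It assumes detection records shaped like the output of a wired/wireless correlation step (switch, port, the rogue's wired MAC, and every MAC the switch has learned on that port), an allowlist of authorized AP vendor OUIs, and a per-port cooldown; all of these inputs are constructed. A port that carries other devices besides the rogue is escalated to a person rather than shut, which is the collateral damage case described above, and the generated config lines assume Cisco IOS-style syntax.

```python
"""Turn rogue-AP detections into switch-port actions, with the guard rails a
blanket "shut the port" policy needs before it runs without a human.

Added example, not Microsoft's code. Detections, OUIs and timestamps below
are constructed.
"""

from dataclasses import dataclass, field

NOW = 1_700_000_000  # epoch seconds; constructed "current time"


@dataclass(frozen=True)
class Detection:
    switch: str
    port: str
    rogue_mac: str            # 12 lowercase hex digits
    macs_on_port: frozenset   # every MAC learned on the port, rogue included
    confidence: str           # "high" or "medium" from the correlation step


@dataclass
class Plan:
    shutdown: list = field(default_factory=list)   # [(switch, port)]
    escalate: list = field(default_factory=list)   # [((switch, port), reason)]
    skipped: list = field(default_factory=list)    # [((switch, port), reason)]


# Constructed detections, one per branch of the policy, plus a duplicate.
DETECTIONS = [
    Detection("sw-b18-1", "Gi1/0/12", "001122334450", frozenset({"001122334450"}), "high"),
    Detection("sw-b18-1", "Gi1/0/7", "001122aabb00", frozenset({"001122aabb00"}), "medium"),
    Detection("sw-b20-2", "Gi1/0/3", "deadbeef0001",
              frozenset({"deadbeef0001", "a45e60123456"}), "high"),
    Detection("sw-b21-1", "Gi1/0/1", "c0ffee000001", frozenset({"c0ffee000001"}), "high"),
    Detection("sw-b18-1", "Gi1/0/12", "001122334450", frozenset({"001122334450"}), "high"),
    Detection("sw-b22-1", "Gi1/0/9", "001122000099", frozenset({"001122000099"}), "high"),
]
AUTHORIZED_OUIS = {"c0ffee"}                            # constructed corporate AP vendor
LAST_ACTION_AT = {("sw-b22-1", "Gi1/0/9"): NOW - 600}   # that port was shut 10 min ago


def plan_remediation(detections, authorized_ouis, last_action_at, now, cooldown=3600):
    """Apply the rules in order per (switch, port); the first detection for a
    port wins and later duplicates are ignored:
      1. rogue MAC in an authorized AP vendor block: skip, someone else owns it;
      2. confidence below "high": escalate instead of acting automatically;
      3. port shut within `cooldown` seconds: skip, do not flap the port;
      4. only the rogue's MAC on the port: shut it down;
      5. other MACs behind the port: escalate, a shutdown would cut them off."""
    plan = Plan()
    seen = set()
    for d in detections:
        key = (d.switch, d.port)
        if key in seen:
            continue
        seen.add(key)
        others = sorted(d.macs_on_port - {d.rogue_mac})
        if d.rogue_mac[:6] in authorized_ouis:
            plan.skipped.append((key, "authorized AP vendor"))
        elif d.confidence != "high":
            plan.escalate.append((key, "medium confidence, review before acting"))
        elif now - last_action_at.get(key, float("-inf")) < cooldown:
            plan.skipped.append((key, "cooldown"))
        elif others:
            plan.escalate.append((key, "shared port, other MACs: " + ", ".join(others)))
        else:
            plan.shutdown.append(key)
    return plan


def shutdown_commands(key):
    """Config lines for one port in Cisco IOS-style syntax (an assumption;
    adapt to the switch platform actually in use)."""
    _, port = key
    return [f"interface {port}", " shutdown"]


if __name__ == "__main__":
    p = plan_remediation(DETECTIONS, AUTHORIZED_OUIS, LAST_ACTION_AT, NOW)
    for key in p.shutdown:
        print(f"{key[0]}: " + "; ".join(shutdown_commands(key)))
    for key, why in p.escalate:
        print(f"escalate {key[0]}:{key[1]} ({why})")
    for key, why in p.skipped:
        print(f"skip {key[0]}:{key[1]} ({why})")
```

Run as-is, only Gi1/0/12 is shut: the speaker on Gi1/0/7 and the shared port Gi1/0/3 go to a person, the authorized AP and the port still in cooldown are skipped, and the duplicate detection is collapsed. The cooldown matters in an event-driven pipeline because the same rogue keeps generating detections until the port is actually down and the telemetry catches up.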

Extending the lessons of rogue AP suppression

MDEE’s work tracking down and remediating rogue APs has been so successful that they’re preparing slices of that data to provide to Azure datacenter teams. They’ll use the lessons learned to enact their own rogue AP detection to fulfill regulatory requirements across different geographies throughout the world.

Finally, these capabilities are spawning other abilities across teams as well. MDEE is actively looking for opportunities to apply the platform they’ve created throughout Microsoft. That might eventually lead to a self-serve platform that other business groups within Microsoft can access for their own AP security needs.

As new threats emerge and old ones find new ways to cause problems, security is a constant challenge. At Microsoft, preventing unwanted intruders is a top priority, and digital sleuthing has helped us close off one more avenue that bad actors might use.
