You don't have clearance for that: Microsoft ups the paranoia with a preview of Azure Firewall Premium

Microsoft has unveiled a preview of Azure Firewall Premium, aimed at highly sensitive and regulated environments. Azure Firewall was Microsoft's attempt to sling a virtual arm over the shoulders of harassed administrators while whispering "there now, don't worry about all that pesky firewall configuration stuff, let us take …

  1. Paul Herber

    IPv6 support "is under investigation"

    IPv6 - we've heard of it ... is it new?

  2. Mike 137

    You still have the problem...

    You still have the problem of handing your security over to a third party over which you have no direct supervision or control. Admittedly such a third party might do better than on-premise at Equifax (what couldn't) but although the buck still stops with the user of the service, if something can go wrong that user can't take any real steps to prevent it. Ultimately, accountability is only viable if you retain control.

    1. Anonymous Coward

      Re: You still have the problem...

      Yup....the problem is called "Microsoft"!

      *

      To paraphrase Phil Knight.......Just DON'T do it!

    2. Anonymous Coward

      Re: You still have the problem...

      Plenty of other vendors offering similar services - Cisco, Cloudflare (iirc - I might have remembered the name wrong), others. Anyone going all in on 365/Azure might want to use MS for this. Others not. It will be much of a muchness with only suitability for the environment and price at issue. Those with resources to do it effectively themselves should do it themselves, I agree, Mike 137. Others need to buy it in from someone.

      1. daeus

        Re: You still have the problem...

        Yup, Fortigate is a popular appliance on Azure too

  3. CrackedNoggin

    TLS encryption normally takes place in the Browser, rendering the right hand side of the URL (the stuff after the host and domain name) unreadable.

    I am curious as to how they get around that.

    My questions:

    1. Is the protocol only based on DNS, or is all traffic filtered? (The latter being MUCH more computation intensive). What about DoH (DNS over HTTPS)? Yes, you can try filtering all known DoH service IPs, but it remains a vulnerability because it's not the "known unknowns" but "unknown unknowns" which are the hardest (disclosure: brazenly paraphrasing D. Rumsfeld).

    2. Do they enforce all traffic to be encrypted using a man-in-the-middle certificate, which is then translated to the correct site specific cert at the network firewall? Otherwise I can't see how the r.h.s. of the URL can be read.

    3. Are they using a custom M.S. Edge browser specifically designed for this premium network? A possible problem with this would be that maintaining a low usage browser is not only expensive, but also possibly difficult to keep secure because so few people will be looking for bugs.
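    Added example (not from the article or this comment thread) illustrating the point above: what an inline firewall can read from an HTTPS connection without TLS inspection. The ClientHello is constructed here with only a server_name extension (real clients send many more); the server name is recoverable from the cleartext handshake, while the URL path sits inside encrypted application data and never appears in this record.

```python
import struct


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello record carrying only an SNI extension (sample data, not a capture)."""
    name = host.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name                 # name_type=host_name, length, name
    sni_ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni       # ext type 0, ext len, list len
    body = (b"\x03\x03" + bytes(32)                                      # client_version, random
            + b"\x00"                                                    # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                                # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes):
    """Return the server_name a passive observer can read from a ClientHello, or None.

    Only the cleartext handshake is parsed. The HTTP request line (method, path,
    query string) is sent later inside encrypted application data, so without a
    TLS-inspecting proxy holding its own certificate it cannot be recovered here.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        p = 5 + 4                                     # skip handshake type + 3-byte length
        p += 2 + 32                                   # client_version + random
        p += 1 + record[p]                            # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                            # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                            # server_name extension
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or malformed: treat as unknown


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observable server name:", extract_sni(hello))   # www.example.com; the URL path is not in this record
```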

    1. daeus

      Sounds like a Microsoft Exam question!
