last sync: 2024-Oct-11 17:51:27 UTC

Azure DDoS Protection should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure DDoS Protection should be enabled
Id a7aca53f-2ed4-4466-a25e-0b45ade68efd
Version 3.0.1
Details on versioning
Versioning Versions supported for Versioning: 2
3.0.0
3.0.1
Built-in Versioning [Preview]
Category Security Center
Microsoft Learn
Description DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code True False
Rule resource types IF (1)
Microsoft.network/virtualNetworks
Compliance
The following 24 compliance controls are associated with this Policy definition 'Azure DDoS Protection should be enabled' (a7aca53f-2ed4-4466-a25e-0b45ade68efd)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1431 AU_ISM_1431 AU ISM 1431 Guidelines for Networking - Service continuity for online services Denial of service strategies - 1431 n/a Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically: • their capacity to withstand denial-of-service attacks • any costs likely to be incurred as a result of denial-of-service attacks • thresholds for notification of denial-of-service attacks • thresholds for turning off online services during denial-of-service attacks • pre-approved actions that can be undertaken during denial-of-service attacks • denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible. link 1
Azure_Security_Benchmark_v1.0 1.4 Azure_Security_Benchmark_v1.0_1.4 Azure Security Benchmark 1.4 Network Security Deny communications with known malicious IP addresses Customer Enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious IP addresses. Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic. Use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period. Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence. How to configure DDoS protection: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Understand Azure Security Center Integrated Threat Intelligence: https://docs.microsoft.com/azure/security-center/security-center-alerts-service-layer Understand Azure Security Center Adaptive Network Hardening: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Understand Azure Security Center Just In Time Network Access Control: https://docs.microsoft.com/azure/security-center/security-center-just-in-time n/a link 3
Azure_Security_Benchmark_v2.0 NS-4 Azure_Security_Benchmark_v2.0_NS-4 Azure Security Benchmark NS-4 Network Security Protect applications and services from external network attacks Customer Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this: - Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. - Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks. - Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks. - Use Azure Security Center to detect misconfiguration risks related to the above. Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/ How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection n/a link 14
Azure_Security_Benchmark_v3.0 NS-5 Azure_Security_Benchmark_v3.0_NS-5 Microsoft cloud security benchmark NS-5 Network Security Deploy DDOS protection Shared **Security Principle:** Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks. **Azure Guidance:** Enable DDoS protection plan on your VNet to protect resources that are exposed to the public networks. **Implementation and additional context:** Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection n/a link 1
CCCS SC-5 CCCS_SC-5 CCCS SC-5 System and Communications Protection Denial of Service Protection n/a (A) The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections. link 1
FedRAMP_High_R4 SC-5 FedRAMP_High_R4_SC-5 FedRAMP High SC-5 System And Communications Protection Denial Of Service Protection Shared n/a The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. References: None. link 5
FedRAMP_Moderate_R4 SC-5 FedRAMP_Moderate_R4_SC-5 FedRAMP Moderate SC-5 System And Communications Protection Denial Of Service Protection Shared n/a The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. References: None. link 5
IRS_1075_9.3 .16.4 IRS_1075_9.3.16.4 IRS 1075 9.3.16.4 System and Communications Protection Denial of Service Protection (SC-5) n/a The information system must protect against or limit the effects of denial of service attacks. Refer to NIST SP 800-61 R2, Computer Security Incident Handling Guide, for additional information on denial of service. link 1
mp.s.4 Protection against denial of service mp.s.4 Protection against denial of service 404 not found n/a n/a 7
New_Zealand_ISM 18.4.7.C.02 New_Zealand_ISM_18.4.7.C.02 New_Zealand_ISM_18.4.7.C.02 18. Network security Intrusion Detection and Prevention - Intrusion Detection and Prevention strategy (IDS/IPS) n/a An IDS/IPS when configured correctly 2
NIST_SP_800-53_R4 SC-5 NIST_SP_800-53_R4_SC-5 NIST SP 800-53 Rev. 4 SC-5 System And Communications Protection Denial Of Service Protection Shared n/a The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. References: None. link 5
NIST_SP_800-53_R5 SC-5 NIST_SP_800-53_R5_SC-5 NIST SP 800-53 Rev. 5 SC-5 System and Communications Protection Denial-of-service Protection Shared n/a a. [Selection: Protect against;Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. link 5
NZ_ISM_v3.5 NS-5 NZ_ISM_v3.5_NS-5 NZISM Security Benchmark NS-5 Network security 18.3.19 Content of a Denial of Service (DoS) response plan Customer n/a An VTC or IPT DoS response plan will need to address the following: how to identify the source of the DoS, either internal or external (location and content of logs); how to diagnose the incident or attack type and attack method; how to minimise the effect on VTC or IPT, of a DoS of the data network (e.g. Internet or internal DoS), including separate links to other office locations for VTC and IPT and/or quality of service prioritisation; strategies that can mitigate the DOS (banning certain devices/Ips at the call controller and firewalls, implementing quality of service, changing VoIP authentication, changing dial-in authentication; and alternative communication options (such as designated devices or personal mobile phones) that have been identified for use in case of an emergency. link 1
NZISM_Security_Benchmark_v1.1 NS-5 NZISM_Security_Benchmark_v1.1_NS-5 NZISM Security Benchmark NS-5 Network security 18.3.19 Content of a Denial of Service (DoS) response plan Customer A Denial of Service response plan SHOULD include monitoring and use of: . router and switch logging and flow data; . packet captures; . proxy and call manager logs and access control lists; . VTC and IPT aware firewalls and voice gateways; . network redundancy; . load balancing; . PSTN failover; and . alternative communication paths. An VTC or IPT DoS response plan will need to address the following: how to identify the source of the DoS, either internal or external (location and content of logs); how to diagnose the incident or attack type and attack method; how to minimise the effect on VTC or IPT, of a DoS of the data network (e.g. Internet or internal DoS), including separate links to other office locations for VTC and IPT and/or quality of service prioritisation; strategies that can mitigate the DOS (banning certain devices/Ips at the call controller and firewalls, implementing quality of service, changing VoIP authentication, changing dial-in authentication; and alternative communication options (such as designated devices or personal mobile phones) that have been identified for use in case of an emergency. link 1
RBI_CSF_Banks_v2016 19.6b RBI_CSF_Banks_v2016_19.6b Incident Response & Management Recovery From Cyber - Incidents-19.6b n/a Establish and implement a Security Operations Centre for centralised and coordinated monitoring and management of security related incidents. 4
RBI_CSF_Banks_v2016 22.1 RBI_CSF_Banks_v2016_22.1 Forensics Forensics-22.1 n/a Have support/ arrangement for network forensics/forensic investigation/DDOS mitigation services on stand-by. 1
RMiT_v1.0 11.18 RMiT_v1.0_11.18 RMiT 11.18 Security Operations Centre (SOC) Security Operations Centre (SOC) - 11.18 Shared n/a The SOC must be able to perform the following functions: (a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM); (b) incident coordination and response; (c) vulnerability management; (d) threat hunting; (e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and (f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers. link 11
RMiT_v1.0 Appendix_5.7 RMiT_v1.0_Appendix_5.7 RMiT Appendix 5.7 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.7 Customer n/a Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. link 21
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 28
SWIFT_CSCF_v2022 1.5A SWIFT_CSCF_v2022_1.5A SWIFT CSCF v2022 1.5A 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. Shared n/a A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. link 24
U.09.3 - Detection, prevention and recovery U.09.3 - Detection, prevention and recovery 404 not found n/a n/a 24
U.12.1 - Network connections U.12.1 - Network connections 404 not found n/a n/a 6
U.12.2 - Network connections U.12.2 - Network connections 404 not found n/a n/a 6
UK_NCSC_CSP 5.3 UK_NCSC_CSP_5.3 UK NCSC CSP 5.3 Operational security Protective Monitoring Shared n/a A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-01-12 18:35:06 change Patch (3.0.0 > 3.0.1)
2021-01-05 16:06:49 change Major (2.0.0 > 3.0.0)
2020-06-08 18:42:36 change Previous DisplayName: DDoS Protection Standard should be enabled
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC