Security

Question 1

What tool can be used to assess if Security Benchmarks are being followed in your Azure environment?

Answer 1

Microsoft Defender for Cloud (Compliance Dashboard)

Question 2

What is Network Security Control NS-1?

Answer 2

Establish network segmentation boundaries

Question 3

What is Network Security Control NS-2?

Answer 3

Secure cloud services with network controls

Question 4

What is Network Security Control NS-3?

Answer 4

Deploy a firewall at the edge of the enterprise network

Question 5

What is Network Security Control NS-4?

Answer 5

Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Question 6

What is Network Security Control NS-5?

Answer 6

Deploy DDOS protection

Question 7

What is Network Security Control NS-6?

Answer 7

Deploy web application firewall

Question 8

What is Network Security Control NS-7?

Answer 8

Simplify network security configuration

Question 9

What is Network Security Control NS-8?

Answer 9

Detect and disable insecure services and protocols

Question 10

What is Network Security Control NS-9?

Answer 10

Connect on-premises or cloud network privately

Question 11

What is Network Security Control NS-10?

Answer 11

Ensure Domain Name System (DNS) Security

Question 12

What are the two tiers of Azure DDoS Protection?

Answer 12

• IP Protection: 15 or fewer IP resources to protect
• Network Protection: More than 15 IP resources to protect

Question 13

Azure DDoS can be combined with what other Service to provide full Layer 3 to Layer 7 DDoS mitigation?

Answer 13

Application Gateway WAF (Web Application Firewall)

Question 14

What are the three types of DDoS attacks that can be protected against?

Answer 14

• Volumetric Attacks
• Protocol Attacks
• Resource/Application Layer Attacks

Question 15

What are three examples of Volumetric DDoS attacks?

Answer 15

• UDP Floods
• Amplification floods
• Spoofed-packed floods

Question 16

What are two examples of Protocol DDoS attacks?

Answer 16

• SYN Floods
• Reflection Attacks

Question 17

What are three examples of Application Layer DDoS attacks?

Answer 17

• HTTP protocol violations
• SQL Injection
• Cross-Site Scripting (XSS)

Question 18

Name the seven (7) key features of Azure DDoS protection

Answer 18

• Native Platform Integration
• Turnkey protection
• Always-On Traffic Monitoring
• Adaptive tuning
• Attack analysis
• Attack metrics and alerts
• Multi-layered protection

Question 19

What are the basic steps to Deploy DDoS to an IP Resource?

Answer 19

• Create a DDoS Plan
• Enable the DDoS Plan on a VNet (settings)
• Apply the DDoS Plan to an IP address
• Enable Metrics/Telemetry on the DDoS Plan
• Configure DDoS Diagnostics
• Configure DDoS Alerts

Question 20

What is an NSG and how does it function?

Answer 20

Network Security Group - permits or denies traffic based on IP address at the vNIC or Subnet level

Question 21

What is Best Practice for deploying NSGs?

Answer 21

• Deploy at the Subnet level to keep rules simple
• Deny all traffic by default, permit as needed

Question 22

For each NSG rule, what four (4) elements can be used to filer traffic?

Answer 22

• Source IP
• Destination IP
• Port
• Protocol

Question 23

What two types of NSG rules exist?

Answer 23

Inbound
Outbound

Question 24

What are the three (3) SKUs available for Azure Firewall?

Answer 24

• Basic
• Standard
• Premium

Question 25

Name the three (3) types of Firewall rules that can be configured in Azure Firewall

Answer 25

- DNAT: translate addresses - Application: filter on FQDN - Network: filter on IP, port, and/or protocol (Inbound and Outbound)

Question 26

What is the default behavior of Azure Firewall in terms of allowing traffic?

Answer 26

Deny all traffic until rules are defined to allow traffic

Question 27

What key elements are required when deploying Azure Firewall?

Answer 27

- VNet - Subnet (purpose: Azure Firewall) - Firewall Rules (or) Firewall Management Policy - IP address (Public)

Question 28

Assuming that Azure Firewall has been deployed to an existing VNet, what general steps are needed to route traffic to the firewall?

Answer 28

- Create a route table - Associate the Route Table with the Subnet - Add a route (default) that points to the inside IP of the firewall - Add a rules to the firewall management policy to permit traffic (

Question 29

What is the purpose of Azure Firewall Manager

Answer 29

Centrally manage configuration and firewall policies for multiple firewalls across an organization

Question 30

Azure Firewall Manager can span which two Azure constructs?

Answer 30

- Span across multiple subscriptions - Span across multiple Regions

Question 31

Name the types (and differences) of Hubs that can be created and managed with Azure Firewall Manager?

Answer 31

- Secured Virtual Hub: Microsoft Managed vWAN hub - Hub Virtual Network: a hub VNet managed by you

Question 32

What are the basic steps to deploy an Azure Firewall Manager?

Answer 32

- Create two or more "Spoke" VNets - Create a secured virtual hub (via Firewall Manager) - Connect the spoke VNets to the Hub - Create a Firewall Policy and Rules - Associate the Firewall Policy to the Secured Virtual Hub - Configure Routing from the Hub for Internet and Private Traffic

Question 33

What are some common attacks that can be defended by Web Application Firewall?

Answer 33

- SQL injection - PHP injection - Cross-Site Scripting - Local file inclusion - Remote command execution - Session fixation (hijacking) - Protocol Attacks (HTTP header injection) - Bots and scanners

Question 34

What are the two protection modes of Web Application Firewall?

Answer 34

- Detection Mode (default) - logs requests matching a rule - Prevention Mode - logs then blocks requests that match a rule

Question 35

What are the common rule sets that Microsoft includes in Web Application Firewall?

Answer 35

- Microsoft Threat Intelligence - Common Vulnerabilities and Exploits (CVE) - Core Based Rules (CRS)