Description:
User Datagram Protocol (UDP) is an important communication protocol used for sending data over networks. However, it is often less secure than other protocols like TCP because it does not establish a connection before transmitting data, making it vulnerable to misuse. UDP access from the internet should be evaluated and restricted to protect against unwanted or malicious traffic, such as DDoS attacks or exploitation of vulnerable services. The goal is to ensure that only necessary UDP traffic is allowed and all other traffic is restricted.
Rationale:
UDP can be used by malicious actors to send large volumes of traffic or exploit vulnerable services. Evaluating and restricting UDP traffic from the internet helps mitigate the risks of unauthorized access, service disruption, and security breaches. Limiting UDP access reduces the attack surface and ensures that only legitimate services requiring UDP traffic (such as DNS or VoIP) are accessible from the internet.
Impact:
Restricting UDP access from the internet improves the security of your network resources but may cause issues if legitimate services (e.g., DNS, VoIP) depend on UDP. Careful configuration is necessary to allow necessary services while blocking unauthorized or unnecessary traffic. This may involve adjusting firewall or Network Security Group (NSG) rules to allow specific UDP ports while blocking all others.
Default Value:
By default, UDP traffic is not restricted and is allowed unless explicitly controlled by firewall rules or Network Security Groups (NSGs).
Pre-requisites:
Azure subscription.
Network Security Groups (NSGs) or Azure Firewall configured.
Azure Network Watcher for monitoring traffic.
Owner, Contributor, or Network Contributor role permissions.
Audit:
Sign in to Azure portal as an Owner, Contributor, or Network Contributor.
Navigate to Network Security Groups (NSGs) or Azure Firewall.
Verify that UDP traffic is properly evaluated and restricted according to your security policies.
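The audit step above can be scripted against the rule list an NSG exposes. The following is an added example (not part of this guide or of any Azure tooling) that takes the JSON `az network nsg rule list --include-default -o json` returns, applies NSG evaluation semantics (ascending priority, first match wins) and reports every UDP destination port an Allow rule opens from the internet that is not on the approved list. The rule list embedded below is constructed for the example; the approved-port list is an assumption taken from the DNS example in this guide.

```python
"""Audit an NSG's inbound rules for UDP exposure to the internet.

Added example, not part of the original guide. Input is the JSON shape of
`az network nsg rule list --include-default -o json`. The SAMPLE_RULES_JSON
below is constructed to show a typical misconfiguration.
"""
import json

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
APPROVED_UDP_PORTS = {53}  # DNS, as in the guide; add 5060/5061 if VoIP is required

# Constructed sample: an Allow-any rule at priority 150 sorts before the
# Deny-UDP-All at 200, and a late Allow at 300 is shadowed by that Deny.
SAMPLE_RULES_JSON = """[
  {"name": "Allow-UDP-53", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "53"},
  {"name": "Allow-Mgmt-Any", "priority": 150, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": null,
   "destinationPortRanges": ["161", "1194-1195"]},
  {"name": "Deny-UDP-All", "priority": 200, "direction": "Inbound", "access": "Deny",
   "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
  {"name": "Allow-SNMP-Late", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Udp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "162"},
  {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]"""


def port_set(rule):
    """Expand destinationPortRange / destinationPortRanges into a set of ints."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(0, 65536))
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def matches_udp_from_internet(rule):
    """True for inbound rules whose protocol covers UDP and whose source is the internet."""
    sources = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.add(rule["sourceAddressPrefix"])
    return (rule["direction"] == "Inbound"
            and rule["protocol"] in ("Udp", "*")
            and bool(sources & INTERNET_SOURCES))


def exposed_udp_ports(rules_json, approved=APPROVED_UDP_PORTS):
    """Return {port: rule name} for unapproved UDP ports reachable from the internet.

    Rules are evaluated in ascending priority and the first match wins, so a
    Deny that sorts earlier shadows later Allows for the ports it covers.
    """
    rules = sorted(json.loads(rules_json), key=lambda r: r["priority"])
    decided = set()  # ports whose outcome an earlier rule already fixed
    exposed = {}
    for rule in rules:
        if not matches_udp_from_internet(rule):
            continue
        ports = port_set(rule)
        for port in ports - decided:
            if rule["access"] == "Allow" and port not in approved:
                exposed[port] = rule["name"]
        decided |= ports
    return exposed


if __name__ == "__main__":
    for port, name in sorted(exposed_udp_ports(SAMPLE_RULES_JSON).items()):
        print(f"UDP/{port} reachable from the internet via rule {name}")
```

Run it against real output by replacing SAMPLE_RULES_JSON with the file from `az network nsg rule list`. On the sample it flags 161, 1194 and 1195 (opened by the protocol "*" rule that sorts before the UDP deny) and correctly ignores port 162, which the Deny at priority 200 shadows.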
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to Network Security Groups (NSGs):
In the Azure portal, search for Network Security Groups (NSGs) and select it.
Create or Modify NSG Rules for UDP Access:
Ensure that NSGs are configured to block UDP traffic from the internet unless specifically required for services.
Create Inbound security rules to restrict UDP traffic:
Allow specific UDP ports for trusted services (e.g., DNS on port 53, VoIP on ports 5060/5061).
Deny all other UDP traffic from the internet to ensure that unnecessary services are not exposed.
Example of an NSG configuration using Azure CLI to restrict UDP traffic (NSG rules are evaluated in ascending priority order, so the Allow at priority 100 is matched before the Deny at priority 200):
az network nsg rule create \
  --resource-group <Resource-Group-Name> \
  --nsg-name <NSG-Name> \
  --name "Allow-UDP-53" \
  --protocol Udp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix '*' \
  --source-port-range '*' \
  --destination-port-range 53 \
  --access Allow

az network nsg rule create \
  --resource-group <Resource-Group-Name> \
  --nsg-name <NSG-Name> \
  --name "Deny-UDP-All" \
  --protocol Udp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix '*' \
  --source-port-range '*' \
  --destination-port-range '*' \
  --access Deny
Use Azure Firewall to Restrict UDP Access:
Azure Firewall can be used to create application rules to control UDP traffic.
Configure Azure Firewall to allow specific UDP services and deny others based on source, destination, or application type.
Example to create an Azure Firewall network rule (in a new rule collection within an existing rule collection group) that allows UDP traffic for DNS:
az network firewall policy rule-collection-group collection add-filter-collection \
  --resource-group <Resource-Group-Name> \
  --policy-name <Firewall-Policy-Name> \
  --rule-collection-group-name <Rule-Collection-Group-Name> \
  --name "Allow-UDP-DNS" \
  --collection-priority 100 \
  --action Allow \
  --rule-type NetworkRule \
  --rule-name "Allow-UDP-53" \
  --ip-protocols UDP \
  --source-addresses <Trusted-IP-Ranges> \
  --destination-addresses <Destination-IP-Address> \
  --destination-ports 53
Configure Web Application Firewall (WAF) for additional protection:
If using Azure Application Gateway with WAF, configure it to monitor and block UDP traffic that may be associated with malicious activities.
WAF can inspect UDP traffic; configure its rules to block known attack patterns.
Monitor UDP Traffic:
Use Azure Network Watcher to monitor and analyze the UDP traffic reaching your resources.
Configure flow logs for Network Security Groups (NSGs) and use Azure Monitor to generate alerts for suspicious UDP traffic.
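The flow logs mentioned above can be checked directly for traffic that should have been blocked. The following is an added example (not part of this guide or of Network Watcher) that parses the flowTuples of NSG flow log version 2 records, the JSON Network Watcher writes to the storage account, and counts allowed inbound UDP flows from public sources on ports outside the approved list, grouped by the rule that let them through. The records embedded below are constructed, using documentation address ranges; the approved-port list is an assumption taken from this guide's DNS example.

```python
"""Find unapproved inbound UDP in NSG flow log v2 records.

Added example, not part of the original guide. Each flowTuple in a version 2
record has the fields: timestamp, source IP, destination IP, source port,
destination port, protocol (T/U), direction (I/O), decision (A/D), flow
state (B/C/E), then packet and byte counters. SAMPLE_FLOW_LOG is constructed.
"""
import ipaddress
import json
from collections import Counter

APPROVED_UDP_PORTS = {53}  # DNS, as in the guide

# Address ranges treated as internal; everything else counts as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample in the shape of one flow log v2 record.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_Allow-UDP-53", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067200,203.0.113.10,10.0.0.4,51234,53,U,I,A,B,,,,",
            "1704067201,203.0.113.10,10.0.0.4,51235,53,U,I,A,E,2,180,2,400"]}]},
        {"rule": "UserRule_Allow-Mgmt-Any", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067202,203.0.113.77,10.0.0.4,40000,161,U,I,A,B,,,,",
            "1704067203,203.0.113.77,10.0.0.4,40001,161,U,I,A,B,,,,",
            "1704067204,203.0.113.77,10.0.0.4,40002,1194,U,I,A,B,,,,",
            "1704067205,203.0.113.77,10.0.0.4,40003,443,T,I,A,B,,,,",
            "1704067206,10.0.1.9,10.0.0.4,40004,161,U,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067207,203.0.113.5,10.0.0.4,40005,1900,U,I,D,B,,,,"]}]}
    ]}}]})


def is_public(ip_text):
    """True unless the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in PRIVATE_NETS)


def parse_tuple(tuple_text):
    """Split a v2 flowTuple string into its named fields (counters are left as text)."""
    f = tuple_text.split(",")
    return {"ts": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]),
            "dport": int(f[4]), "proto": f[5], "dir": f[6], "decision": f[7],
            "state": f[8]}


def unapproved_inbound_udp(flow_log_json, approved=APPROVED_UDP_PORTS):
    """Count allowed inbound UDP flow records from public sources per
    (rule, source IP, destination port), ignoring approved ports."""
    hits = Counter()
    for record in json.loads(flow_log_json)["records"]:
        for rule_entry in record["properties"]["flows"]:
            for nic in rule_entry["flows"]:
                for tuple_text in nic["flowTuples"]:
                    flow = parse_tuple(tuple_text)
                    if (flow["proto"] == "U" and flow["dir"] == "I"
                            and flow["decision"] == "A"
                            and flow["dport"] not in approved
                            and is_public(flow["src"])):
                        hits[(rule_entry["rule"], flow["src"], flow["dport"])] += 1
    return hits


if __name__ == "__main__":
    for (rule, src, dport), n in unapproved_inbound_udp(SAMPLE_FLOW_LOG).most_common():
        print(f"{n} allowed inbound UDP/{dport} record(s) from {src} via {rule}")
```

Point the script at the hourly PT1H.json blobs instead of SAMPLE_FLOW_LOG for real data. Counts are flow records, not sessions: a long-lived flow produces B, C and E records, so the same flow can appear more than once. The rule name in the output is the useful part for the review step, because it names the NSG rule to tighten.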
Automate Evaluation and Restriction with Azure Policy:
Use Azure Policy to enforce UDP traffic restrictions across your resources. For example, you can create a custom policy to ensure that only specific UDP ports are allowed, and all others are blocked.
Example Azure Policy definition to restrict UDP access. It denies any standalone NSG security rule that allows inbound UDP (or any protocol) from the internet on a destination port other than 53; rules defined inline in an NSG, or that use the destinationPortRanges list, are not covered by this check and need matching conditions on the parent networkSecurityGroups type:
{
  "properties": {
    "displayName": "Restrict UDP Access from the Internet",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol", "in": ["Udp", "*"] },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": ["*", "Internet", "0.0.0.0/0"] },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "notEquals": "53" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
Review Security Alerts:
Configure alerts in Azure Monitor to notify security teams of any unauthorized UDP traffic from the internet.
Regularly review the Network Watcher logs and security alerts to identify patterns of risky UDP access.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to NSGs or Azure Firewall:
Go to Network Security Groups (NSGs) or Azure Firewall.
Remove or Revert UDP Access Restrictions:
In NSGs, remove or adjust the rules that restrict UDP traffic.
In Azure Firewall, remove the application rules for UDP traffic.
Revert Azure Policy:
If you used Azure Policy to restrict UDP traffic, disable or revert the policy to restore previous settings.
Verify Reverted Configuration:
Test and verify that UDP traffic is no longer being restricted from the internet.
Review Network Watcher and Azure Monitor to confirm that the backout has been successfully applied.