OASIS OpenC2 TC: A GitHub repository is to provide configuration management and to aid in the development of the first generation OpenC2 firewall profile
Microsoft Azure provides a stateful packet filter that operates as if at the network or interface(s) of a virtual machine.
To support rules more fully, we would need to support service tags, application security groups, and a special name that represents the current virtual network, 'VirtualNetwork', for both source and destination. Once created, a network security group (NSG) needs to be associated with a virtual machine's network interface or with a subnet before its rules take effect.
Fields needed:
tag - string
application security group - string
'VirtualNetwork' - boolean (this is like all instances - boolean in GCP)
priority - int 0-65535 (lowest wins)
Example 1: Deny 1.1.1.1
action:deny, ipv4_net:1.1.1.1
azure command(s):
az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '1.1.1.1/32' --destination-port-ranges '*' --access Deny --protocol '*' --description "Deny from 1.1.1.1"
(the unspecified source, port and protocol fields are given the NSG wildcard '*'; the CLI rejects a flag with no value)
az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --network-security-group MyNsg
Works? Yes, but requires a lot of fields to be known.
Example 2: Allow 2.2.2.2 ingress
in progress
Example 3: Allow dst port 33 for TCP
in progress
Example 4: Deny src=4.4.4.4,dst=5.5.5.5,dport=443,dir:egress
in progress
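Added illustration, not code from the OpenC2 repository itself: a small Python translator that turns the simplified command notation of Examples 1-4 into the argument list for az network nsg rule create, giving every omitted field the NSG wildcard '*'. The command dict keys (action, ipv4_net, ipv4_connection with src_addr/dst_addr/src_port/dst_port/protocol, direction), the resource group and NSG names, and the rule-name scheme are assumptions made for this example.

```python
import ipaddress
import shlex

# Assumed notation (from the page's examples): dir:ingress/egress -> NSG direction.
DIRECTION = {"ingress": "Inbound", "egress": "Outbound"}
PROTOCOLS = {"tcp": "Tcp", "udp": "Udp", "icmp": "Icmp", "*": "*"}


def _prefix(addr):
    """Normalise a bare address or CIDR to the prefix form the az CLI expects."""
    if addr is None:
        return "*"  # NSG wildcard: any address
    return str(ipaddress.ip_network(addr, strict=False))


def openc2_to_nsg_rule(cmd, resource_group="MyResourceGroup", nsg="MyNsg",
                       priority=4096):
    """Translate a simplified OpenC2 allow/deny command (a constructed dict)
    into the argv for 'az network nsg rule create'. Unspecified fields become '*'."""
    action = cmd["action"]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    # The az CLI itself rejects priorities outside 100-4096; fail early instead.
    if not 100 <= priority <= 4096:
        raise ValueError(f"priority {priority} outside the NSG range 100-4096")
    tgt = cmd.get("ipv4_connection", {})
    if "ipv4_net" in cmd:
        # Example 1 on the page places a bare ipv4_net in the destination prefix.
        tgt = {"dst_addr": cmd["ipv4_net"]}
    direction = DIRECTION[cmd.get("direction", "ingress")]
    proto = PROTOCOLS[str(tgt.get("protocol", "*")).lower()]
    rule_name = f"{action}-{direction.lower()}-{priority}"  # assumed naming scheme
    return ["az", "network", "nsg", "rule", "create",
            "-g", resource_group, "--nsg-name", nsg, "-n", rule_name,
            "--priority", str(priority),
            "--direction", direction,
            "--access", action.capitalize(),
            "--protocol", proto,
            "--source-address-prefixes", _prefix(tgt.get("src_addr")),
            "--source-port-ranges", str(tgt.get("src_port", "*")),
            "--destination-address-prefixes", _prefix(tgt.get("dst_addr")),
            "--destination-port-ranges", str(tgt.get("dst_port", "*"))]


def as_shell(argv):
    """Render the argv as a single shell-safe command line for review or logging."""
    return " ".join(shlex.quote(a) for a in argv)
```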
What does Azure support for specifying a source or destination other than an IPv4 address?
All instances on the network
Service Tags
Application Security Groups
IPv6