A fundamental component of securing ICT systems is controlling network traffic. Restricting communication to only the traffic necessary for a system to function reduces the potential for compromise. Visibility and control over the external systems that your applications and services communicate with helps detect compromised systems, and attempted or successful data exfiltration. This article provides information on how outbound (egress) network traffic works within Azure and provides recommendations for implementing network security controls for an internet-connected system that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC's Information Security Manual (ISM).

The overall security requirements for Commonwealth systems are defined in the ISM. To assist Commonwealth entities in implementing network security, the ACSC has published ACSC Protect: Implementing Network Segmentation and Segregation, and to assist with securing systems in cloud environments it has published Cloud Computing Security for Tenants.

The ACSC documents outline the context for implementing network security and controlling traffic, and provide practical recommendations for network design and configuration. The following key requirements for controlling egress traffic in Azure have been identified in the ACSC documents:

- Implement Network Segmentation and Segregation, for example, use an n-tier architecture, using host-based firewalls and network access controls to limit inbound and outbound network connectivity to only required ports and protocols.
- Implement adequately high bandwidth, low latency, reliable network connectivity between the tenant (including the tenant's remote users) and the cloud service to meet the tenant's availability requirements. (ACSC Protect: Implementing Network Segmentation and Segregation)
- Apply technologies at more than just the network layer. Each host and network should be segmented and segregated, where possible, at the lowest level that can be practically managed. In most cases, this applies from the data link layer up to and including the application layer; however, in sensitive environments, physical isolation may be appropriate. Host-based and network-wide measures should be deployed in a complementary manner and be centrally monitored. Just implementing a firewall or security appliance as the only security measure is not sufficient.
- Use the principles of least privilege and need-to-know. If a host, service, or network doesn't need to communicate with another host, service, or network, it should not be allowed to. If a host, service, or network only needs to talk to another host, service, or network on a specific port or protocol, it should be restricted to only those ports and protocols.
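The requirements to limit outbound connectivity to only the required ports and protocols, and to deny any communication a host does not need, come down to how the outbound rule set is ordered. Azure's built-in network security group (NSG) rules allow all outbound traffic within the virtual network (AllowVnetOutBound, priority 65000) and to the Internet (AllowInternetOutBound, priority 65001), so an NSG with no custom outbound rules is the weak setting. The script below is an added example, not code from the original article or from any Azure tooling: it models NSG outbound evaluation (lowest priority number first, first match decides) over rules written in the shape of NSG securityRules entries, and audits the default rule set against a least-privilege one for a web tier that only needs an egress proxy and a DNS resolver. The VNet range, subnet, proxy and resolver addresses, rule names and sample flows are all constructed for the demo, and service-tag matching is simplified.

```python
"""
Added example: a small model of Azure NSG outbound rule evaluation, used to
audit an egress policy against "only required ports and protocols".
Illustrative code, not Azure's implementation; all addresses, rule names and
flows below are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

# Assumed tenant VNet address space (constructed for the example).
VNET = ip_network("10.10.0.0/16")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches_prefix(prefix, addr):
    """Match an NSG address prefix (CIDR, '*' or a service tag) against an IP.
    Service tags are simplified here; the real ones are Azure-published prefix lists."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "Internet":
        return addr not in VNET and not any(addr in n for n in RFC1918)
    return addr in ip_network(prefix, strict=False)


def matches_port(port_range, port):
    """Destination port range: '*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule(name, priority, access, protocol, src, dst, dport):
    """Build a rule in the shape of an NSG securityRules entry."""
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
            "destinationPortRange": dport}


# Azure's built-in default outbound rules. They exist in every NSG and can
# only be overridden by custom rules with a lower priority number.
DEFAULT_OUTBOUND = [
    rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Allow", "*", "*", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*", "*"),
]


def evaluate_outbound(custom_rules, src, dst, proto, dport):
    """Lowest priority number wins; first match decides. Returns (allowed, rule name)."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r["priority"]):
        if (matches_prefix(r["sourceAddressPrefix"], s)
                and matches_prefix(r["destinationAddressPrefix"], d)
                and r["protocol"] in ("*", proto)
                and matches_port(r["destinationPortRange"], dport)):
            return r["access"] == "Allow", r["name"]
    return False, "implicit-deny"  # not reached: DenyAllOutBound matches everything


# Weak setting: no custom outbound rules. Every VM can reach any Internet
# host on any port through AllowInternetOutBound.
WEAK_OUTBOUND = []

# Corrected setting for a web tier in 10.10.1.0/24 that only needs the egress
# proxy and the internal resolver. The custom deny at 4000 sits ahead of the
# default allows, so anything not listed (other VNet subnets included) is blocked.
LEAST_PRIVILEGE_OUTBOUND = [
    rule("AllowProxy", 100, "Allow", "Tcp", "10.10.1.0/24", "10.10.250.10/32", "3128"),
    rule("AllowDns", 110, "Allow", "Udp", "10.10.1.0/24", "10.10.250.20/32", "53"),
    rule("DenyAllOutBoundCustom", 4000, "Deny", "*", "*", "*", "*"),
]

# Flows the tier must be able to make, and flows that must be blocked (constructed).
REQUIRED = [("10.10.1.5", "10.10.250.10", "Tcp", 3128), ("10.10.1.5", "10.10.250.20", "Udp", 53)]
MUST_BLOCK = [("10.10.1.5", "203.0.113.7", "Tcp", 4444),  # arbitrary Internet host and port
              ("10.10.1.5", "10.10.250.10", "Tcp", 22),   # right host, wrong port
              ("10.10.1.5", "10.10.2.9", "Tcp", 443)]     # another subnet in the same VNet


def policy_is_least_privilege(custom_rules, required=REQUIRED, must_block=MUST_BLOCK):
    """True only if every required flow is allowed and every must-block flow is denied."""
    allowed = all(evaluate_outbound(custom_rules, *f)[0] for f in required)
    blocked = all(not evaluate_outbound(custom_rules, *f)[0] for f in must_block)
    return allowed and blocked


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_OUTBOUND), ("least-privilege", LEAST_PRIVILEGE_OUTBOUND)):
        print(label, "passes" if policy_is_least_privilege(rules) else "FAILS")
        for flow in REQUIRED + MUST_BLOCK:
            print("  ", flow, evaluate_outbound(rules, *flow))
```

Running it shows the default rule set allowing the web tier to reach an arbitrary Internet host on port 4444 via AllowInternetOutBound, and to reach any other subnet via AllowVnetOutBound, while the least-privilege set permits only the two listed flows. An NSG is the network access control half of the first requirement; the host-based firewall on each VM should carry the same allow-list so that a misapplied or removed NSG does not silently reopen egress.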