Cloud and Automation Blog

Tag: Makram JENAYAH (page 1 of 1)

Passwordless – A new era is about to begin

A new era is about to begin in the world of IT: passwords will be considered a relic of the past.

With quantum computing, even the strongest passwords will be easily predictable. The solution is to eliminate password-based authentication and move to MFA (Multi-Factor Authentication) and passwordless authentication.

81% of hacking-related breaches used either stolen or weak passwords

Source: Verizon 2017 Data Breach Investigations Report

You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).

Source: Microsoft 2018 Security Research

Advanced technologies are being put in place using biometrics, PINs, public/private key cryptography and Fast Identity Online (FIDO2). In this blog post, I will focus on FIDO2, an open authentication standard hosted by the FIDO Alliance, which consists of the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP).

CTAP is an application-layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator such as the YubiKey 5 Series and the Security Key Series by Yubico. Yubico is a core contributor to the FIDO2 open authentication protocol.

Enough with the theory, let's move to the practical part.

I bought the Security Key by Yubico from https://www.yubico.com/store/. The entry version costs $20. I received it within a week.

Then I followed these steps:

1) First, I went to yubico.com/start and clicked on the picture Security Key Series.

2) Second, I selected the app I wanted to apply passwordless authentication to from the list below:

3) I chose GitHub.

4) GitHub provides great documentation. Check out this link: https://help.github.com/en/articles/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key

5) I followed the steps, received the recovery codes (in case I lose the physical key) and then enabled SMS two-factor authentication.

6) In my GitHub account, I clicked on Settings, located in the parameters tab.

7) Then, in the Security keys section, I entered a nickname for the security key and clicked on Add. At this point, I was asked to insert my security key into the USB port.

8) The next step was to touch the security key.

9) Finally, the key was registered.

10) I signed out of my GitHub account and tried to sign in again. The two-factor authentication screen directed me to click on Use security key.

11) I inserted the key and successfully logged in to my GitHub account.
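As an added example (not code from the original post, GitHub or Yubico), here is the relying-party side of steps 10 and 11: the checks a server makes on the browser's WebAuthn response (clientDataJSON and authenticatorData) before verifying the signature. RP_ID, ORIGIN and the sample assertion are constructed values; verifying the ECDSA signature over the returned message with the public key stored at registration is left to a crypto library.

```python
import base64, hashlib, json, struct

# Relying-party side of the "Use security key" login (steps 10 and 11 above); RP_ID and
# ORIGIN are constructed values for this example, not GitHub's.
RP_ID = "example.com"
ORIGIN = "https://example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte authenticatorData header: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "user_present": bool(flags & 0x01),
            "user_verified": bool(flags & 0x04), "sign_count": sign_count}

def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     stored_sign_count: int, require_uv: bool = False) -> dict:
    """Checks the relying party makes on an assertion before verifying the signature itself."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or stale response)")
    if client_data.get("origin") != ORIGIN:
        raise ValueError("origin mismatch (response was produced for another site)")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not parsed["user_present"]:
        raise ValueError("user presence (the touch on the key) not asserted")
    if require_uv and not parsed["user_verified"]:
        raise ValueError("user verification (PIN or biometric) required but not asserted")
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase (possible cloned key)")
    # The signature covers exactly this message; verify it with the public key stored at
    # registration, then persist the new counter for the next login.
    signed_message = auth_data + hashlib.sha256(client_data_json).digest()
    return {"new_sign_count": parsed["sign_count"], "signed_message": signed_message}

def make_sample_assertion(challenge: bytes, sign_count: int, flags: int = 0x01,
                          origin: str = ORIGIN) -> tuple:
    """Constructed authenticator output for testing (what the browser hands the server)."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cdj = json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return cdj, auth
```

The origin check is what makes a security key phishing-resistant: a response produced for another site is rejected before any signature is looked at, and the counter check flags a key that has been cloned.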

MFA and passwordless authentication are the future of IT security. Companies must be aware of this and implement these technologies.

To be continued…

Azure Portal App – Preview

Microsoft has published a desktop client to access your Azure portal.

At first, I thought this would be an app that only loads the web UI. However, after using it for a couple of days, it proved to deliver a much better response time for loading the UI and blades than the web-based portal. The app also includes the Azure shell.

This app is still in preview and is available for download through the link below:
https://preview.portal.azure.com/app/Download

The download and setup process is easy: click on Download the Azure portal app and then follow the instructions.

Finally, log in to your Microsoft account.

Here’s a screenshot of the main interface

And another screenshot of the Azure shell.

So far, I haven't noticed any bugs, but feel free to add a comment if you face any issues so that we can report them to Microsoft. 🙂

Azure Bastion – Automation using ARM Templates

In my previous article, I gave a quick guide to using the Azure Bastion service.

In this article, I will focus on how to automate the deployment of Azure Bastion using not only ARM templates but also HashiCorp Terraform.

So let’s get started with some definitions! 🙂

Azure Bastion, now in preview, is a managed PaaS that connects customers’ VMs via the Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocols, and it uses Secure Sockets Layer encryption in the process, Microsoft said. It’s inspired by bastion hosts and jump boxes, long a networking staple for companies that want to place dedicated gateways between the public internet and their private networks.

source: https://searchcloudcomputing.techtarget.com/news/252465418/Microsoft-Azure-Bastion-service-seeks-to-secure-VMs

What’s an ARM template?

ARM Templates, which stands for Azure Resource Manager templates, are a way to declare the objects you want (the types, names and properties) in a JSON file which can be checked into source control and managed like any other code file. ARM Templates are what gives us the ability to roll out Azure "Infrastructure as code".

source: https://www.red-gate.com/simple-talk/cloud/infrastructure-as-a-service/azure-resource-manager-arm-templates/

ARM template Syntax

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "",
  "apiProfile": "",
  "parameters": {  },
  "variables": {  },
  "functions": [  ],
  "resources": [  ],
  "outputs": {  }
}

$schema, contentVersion, apiProfile, and resources are required elements. Below is a description of the different parts of the template:

parameters: Values that are provided when deployment is executed to customize resource deployment.

variables: Values that are used as JSON fragments in the template to simplify template language expressions.

functions: User-defined functions that are available within the template.

resources: Resource types that are deployed or updated in a resource group or subscription.

outputs: Values that are returned after deployment.

For more information, take a look at https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates

Now, let’s move to the ARM template to build the Azure Bastion.

In my git repository below, I uploaded two files:

https://github.com/makramjenayah/AzBastionARM

The first one is the template file, which contains the resources that will be created:

1- The public IP address.

2- The virtual network associated with the Azure Bastion and its different subnets.

3- The Azure Bastion.

The second one contains the parameters needed to deploy the resources, which need to be personalized.

Now, let’s deploy the template.

  1. To deploy a customized template through the portal, select Create a resource, search for template and then select Template deployment.
  2. Select Create.
  3. You see several options for creating a template; choose Build your own template in the editor to create a template using the portal template editor. The editor can add a resource template schema.
  4. Select Edit template to open the portal template editor. The template is loaded in the editor.
  5. Make a minor change to the template. For example, replace the {{changeIT }} placeholder with your subscription ID.
  6. Select Save. Now you see the portal template deployment interface. Notice the two parameters that you defined in the template.
  7. Enter or select the property values:
  • Subscription: select an Azure subscription.
  • Resource group: select Create new and give it a name.
  • I agree to the terms and conditions stated above: (select)

Finally, click on Purchase and your Azure Bastion will be deployed.

I hope this article gives you an overview and a quick start to deploying an ARM template. Stay tuned for my next article, where I will focus on how to deploy Azure Bastion using Terraform.
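Added example, not the template from the repository above: a constructed minimal template with the three resources listed (public IP, virtual network with AzureBastionSubnet, Bastion host), plus a pre-deployment lint that checks the required top-level elements, the AzureBastionSubnet of at least /27 that the Bastion guide further down this page requires, and the Standard-SKU static public IP Bastion needs. Resource names and the apiVersion are assumptions; run the lint over your own parsed template before clicking Purchase.

```python
import ipaddress

# Constructed minimal template with the three resources the post lists (public IP, virtual
# network with AzureBastionSubnet, Bastion host); names and the apiVersion are assumptions.
BASTION_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"location": {"type": "string", "defaultValue": "[resourceGroup().location]"}},
    "resources": [
        {"type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2019-04-01",
         "name": "bastion-pip", "location": "[parameters('location')]",
         "sku": {"name": "Standard"}, "properties": {"publicIPAllocationMethod": "Static"}},
        {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2019-04-01",
         "name": "bastion-vnet", "location": "[parameters('location')]",
         "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                        "subnets": [{"name": "AzureBastionSubnet", "properties": {"addressPrefix": "10.0.0.0/27"}},
                                    {"name": "workload", "properties": {"addressPrefix": "10.0.1.0/24"}}]}},
        {"type": "Microsoft.Network/bastionHosts", "apiVersion": "2019-04-01",
         "name": "bastion-host", "location": "[parameters('location')]",
         "dependsOn": ["[resourceId('Microsoft.Network/publicIPAddresses', 'bastion-pip')]",
                       "[resourceId('Microsoft.Network/virtualNetworks', 'bastion-vnet')]"],
         "properties": {"ipConfigurations": [{"name": "ipconf", "properties": {
             "subnet": {"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'bastion-vnet', 'AzureBastionSubnet')]"},
             "publicIPAddress": {"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'bastion-pip')]"}}}]}},
    ],
}

def lint_bastion_template(template: dict) -> list:
    """Return the Bastion prerequisites the template violates; an empty list means it looks deployable."""
    problems = [f"missing required element {k}" for k in ("$schema", "contentVersion", "resources")
                if k not in template]
    by_type = {}
    for res in template.get("resources", []):
        by_type.setdefault(res["type"], []).append(res)
    subnets = [s for vnet in by_type.get("Microsoft.Network/virtualNetworks", [])
               for s in vnet["properties"].get("subnets", [])]
    bastion_subnets = [s for s in subnets if s["name"] == "AzureBastionSubnet"]
    if not bastion_subnets:
        problems.append("no subnet named AzureBastionSubnet")
    for s in bastion_subnets:  # the preview requires at least a /27 (a longer prefix is smaller)
        if ipaddress.ip_network(s["properties"]["addressPrefix"]).prefixlen > 27:
            problems.append("AzureBastionSubnet must be /27 or larger")
    for pip in by_type.get("Microsoft.Network/publicIPAddresses", []):  # Bastion needs Standard/static
        if pip.get("sku", {}).get("name") != "Standard" or pip["properties"].get("publicIPAllocationMethod") != "Static":
            problems.append(f"public IP {pip['name']} must be Standard SKU with static allocation")
    if not by_type.get("Microsoft.Network/bastionHosts"):
        problems.append("no Microsoft.Network/bastionHosts resource")
    return problems
```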

Azure Bastion – The Guide

You don't want to assign a public IP to each virtual machine on Azure? You want a secure way to manage your VMs? This article will help you implement the brand new Azure service that gives you a private and fully managed way to access your VMs directly from the Azure portal, using your browser, over the SSL protocol.

So let's start with some theory. Azure Bastion is advantageous in many ways:

  • RDP and SSH sessions over SSL on port 443 via the Azure portal, so from any modern browser you will be able to access your VMs.
  • Azure Bastion is fully managed by Microsoft, which means that you will no longer need to manage network security groups (NSGs) and many other administrative tasks.
  • Your VMs will be protected against port scanning.
  • No need to assign a public IP to your Azure VMs.

The Architecture as designed by Microsoft:

Azure Bastion is currently in public preview and limited to some regions:

  • West Europe
  • West US
  • East US
  • South Central US
  • Australia East
  • Japan East

To participate, you can click on the link below:

https://aka.ms/BastionHost

After the theoretical part, let's answer the question: how do you deploy Azure Bastion?

First, you will need to deploy the service in your virtual network (a subnet called AzureBastionSubnet with a prefix of at least /27 must be created):

Second, since it's natively integrated, the platform will automatically detect whether Azure Bastion is deployed on the virtual network of your virtual machine, and in the Connect menu you will get Bastion as a connection option.

Now you can enter your username and password to log in. This opens a web-based RDP session over SSL in the Azure portal.

As previously mentioned in this article, there is no need to have a public IP address assigned to your virtual machine.

I hope this article gives you an overview of Azure Bastion. If you want to know more, check out the Microsoft documentation. If you have any questions or feedback, feel free to leave a comment or contact me.

In my next article, I will explain how to automate the deployment of Azure Bastion using ARM templates and Terraform.