In this section I will be writing about the Azure Web Application Firewall (WAF).
What is Azure WAF?
Preventing attacks such as SQL injection and cross-site scripting in application code is challenging. It can require rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A centralized web application firewall helps make security management much simpler. A WAF also gives application administrators better assurance of protection against threats and intrusions.
A WAF solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each individual web application.
WAF protects your resources from malicious attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats that could cause service outages or data loss and pose a big risk to web application owners. A Web Application Firewall (WAF) protects your web applications from common web attacks, keeps your service available, and helps you meet compliance requirements.
Supported services
WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service from Microsoft. WAF on Azure CDN is currently under public preview. WAF has features that are customized for each specific service. For more information about WAF features for each service, see the overview for each service.
How to setup
Search for Web Application Firewall inside Azure and add a new one.
On the first page you will see two options that you have to consider: Global, which is deployed with Azure Front Door, and Regional, which goes through the Application Gateway that we deployed in the last post.
Preview features won’t be in the test, so I won’t cover them, but Azure Content Delivery Network will be a nice addition to WAF.
Basics
I will choose Regional WAF and associate it with App GW.
Under Instance details, you will see Policy state and Policy mode.
A WAF policy can be either enabled or disabled. If disabled, the WAF policy will not be applied to any web sites.
Detection mode monitors and logs all threat alerts to the firewall log without blocking anything. For that to be useful, make sure Application Gateway diagnostics are enabled and the WAF log category is turned on. Prevention mode takes the corresponding WAF action (blocking the request) when a request matches a rule.
- Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. Web application firewall doesn’t block incoming requests when it’s operating in Detection mode.
- Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives a 403 Forbidden response and the connection is closed. Prevention mode records such attacks in the WAF logs.
I will go with Prevention for demonstration purposes.
Managed rules
A pre-configured rule set is enabled by default. This rule set protects your web application from common threats defined in the top-ten OWASP categories. The default rule set is managed by the Azure WAF service. Rules are updated as needed for new attack signatures.
The following managed rules can be selected.
Link to the OWASP Core Rule Set (CRS) 3.1 rule groups and rules: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp31#tabpanel_1_owasp31
The WAF protects against the following web vulnerabilities:
- SQL-injection attacks
- Cross-site scripting attacks
- Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
- HTTP protocol violations
- HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
- Bots, crawlers, and scanners
- Common application misconfigurations (for example, Apache and IIS)
Policy settings
A Web Application Firewall (WAF) policy allows you to control access to your web applications by a set of custom and managed rules. There are multiple settings that apply to all rules within the policy.
If the request body inspection is turned off, WAF doesn’t evaluate the content of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn’t applicable and can’t be set.
The maximum request body size controls the overall request size limit excluding any file uploads.
Custom rules
Configure a policy with custom-authored rules. Once a rule is matched, the corresponding action defined in the rule is applied to the request. Once such a match is processed, rules with lower priority (larger integer values) are not processed further. A smaller integer value for a rule denotes a higher priority.
Association
Associate this WAF policy with a specific application gateway, listener, or route path. A WAF policy can be associated with multiple listeners, route paths, and application gateways. Associating with an application gateway will remove and replace existing WAF policy associations with the selected application gateway.
Note! You have to use the WAF_v2 tier for Application Gateway to associate it with a WAF policy.
If you already have a WAF policy inside the Application Gateway, use the checkbox to override it.
You can also add the Listeners we specified earlier.
Or routing rules.
Review and deploy
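As an added example (not part of the original post), here is the policy from the walkthrough above expressed in Bicep, so the portal settings (policy state and mode, the OWASP CRS 3.1 managed rule set, the request body settings, custom rules and the association with a WAF_v2 Application Gateway) can be reviewed and redeployed as code. The resource names, the IP range and the User-Agent strings are assumptions chosen for illustration, not values from the post.

```bicep
// Added example, not from the original post. Regional WAF policy for
// Application Gateway. Names, the IP range and the UA strings are assumptions.
param location string = resourceGroup().location
param policyName string = 'waf-policy-regional'
// Assumed: a trusted client range that should bypass the custom block rule.
param trustedClientRange string = '203.0.113.0/24'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-05-01' = {
  name: policyName
  location: location
  properties: {
    // Basics page: "Policy state" and "Policy mode".
    // Detection only logs matches; Prevention blocks them with HTTP 403.
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      // Policy settings page: when requestBodyCheck is false the body is never
      // inspected (headers, cookies and URI still are) and the size limit below
      // is ignored. Keep it on unless a specific application cannot tolerate it.
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    // Managed rules page: the OWASP Core Rule Set, version 3.1.
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
        }
      ]
    }
    // Custom rules page: the smaller priority value is evaluated first and the
    // first matching rule's action ends evaluation for that request.
    customRules: [
      {
        // Priority 10 runs before priority 20, so requests from the trusted
        // range are allowed even when their User-Agent would match the block
        // rule. Caveat: an Allow here also skips the managed rule set for those
        // requests, so keep the range as narrow as possible.
        name: 'AllowTrustedRange'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Allow'
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RemoteAddr'
              }
            ]
            operator: 'IPMatch'
            matchValues: [
              trustedClientRange
            ]
          }
        ]
      }
      {
        // Everyone else presenting a well-known scanner User-Agent is blocked
        // before the managed rules even run.
        name: 'BlockKnownScanners'
        priority: 20
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RequestHeaders'
                selector: 'User-Agent'
              }
            ]
            operator: 'Contains'
            matchValues: [
              'sqlmap'
              'nikto'
            ]
            transforms: [
              'Lowercase'
            ]
          }
        ]
      }
    ]
  }
}

// Association page: the policy is referenced from the Application Gateway,
// which must use the WAF_v2 SKU. In your existing
// Microsoft.Network/applicationGateways resource set:
//   sku: { name: 'WAF_v2', tier: 'WAF_v2' }
//   firewallPolicy: { id: wafPolicy.id }      // gateway-wide association
// or add firewallPolicy: { id: wafPolicy.id } to a single httpListeners entry
// to scope the policy to one listener.

output wafPolicyId string = wafPolicy.id
```

Deploy it into the resource group that holds the Application Gateway with `az deployment group create --resource-group <rg> --template-file waf-policy.bicep`, then switch `mode` to `'Detection'` first if you want to watch the firewall log for false positives before blocking anything.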
WAF configuration page
Switching modes
On the main page you can switch between Detection mode and Prevention mode (the policy shown here is using Detection).
Configuration settings
You will see the same configuration options that were available during deployment.
Alerts
Action groups
You can also create action groups for the following alert types.
App GW with WAF
You can see the associated WAF policy under App GW
Diagnostic logs
You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as Azure Monitor logs, Excel, and Power BI. You can learn more about the different types of logs from the following list:
- Activity log: You can use Azure activity logs to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.
- Access Resource log: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller’s IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 300 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.
- Performance Resource log: You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, failed request count, and healthy and unhealthy back-end instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use Metrics for performance data.
- Firewall Resource log: You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.
You have three options for storing your logs:
- Storage account: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
- Event hubs: Event hubs are a great option for integrating with other security information and event management (SIEM) tools to get alerts on your resources.
- Azure Monitor logs: Azure Monitor logs is best used for general real-time monitoring of your application or looking at trends.
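As an added example (not part of the original post), this Bicep fragment turns on the resource logs described above for an existing Application Gateway and routes them to the three possible destinations: a Log Analytics workspace for Azure Monitor logs, a storage account for long-term retention, and optionally an event hub for a SIEM. The resource and parameter names are assumptions; in practice you would usually pick one or two destinations rather than all three.

```bicep
// Added example, not from the original post. Diagnostic settings for an
// existing Application Gateway. Parameter values are assumptions.
param appGatewayName string
param workspaceId string                // Log Analytics workspace resource ID
param storageAccountId string           // Storage account resource ID
param eventHubAuthRuleId string = ''    // Event Hubs authorization rule ID (optional)
param eventHubName string = ''          // Event hub name (optional)

resource appGw 'Microsoft.Network/applicationGateways@2021-05-01' existing = {
  name: appGatewayName
}

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'appgw-waf-diagnostics'
  scope: appGw
  properties: {
    // Azure Monitor logs: near real-time queries and trends.
    workspaceId: workspaceId
    // Storage account: cheap long-term retention, reviewed when needed.
    storageAccountId: storageAccountId
    // Event hub: stream to a SIEM. Omitted when the parameters are empty.
    eventHubAuthorizationRuleId: empty(eventHubAuthRuleId) ? null : eventHubAuthRuleId
    eventHubName: empty(eventHubName) ? null : eventHubName
    logs: [
      {
        // Caller IP, URL, latency, status code and bytes in/out per request.
        category: 'ApplicationGatewayAccessLog'
        enabled: true
      }
      {
        // Required for the WAF itself to be observable: in Detection mode
        // nothing is blocked, so this log is the only evidence of a match.
        category: 'ApplicationGatewayFirewallLog'
        enabled: true
      }
      // ApplicationGatewayPerformanceLog exists only for the v1 SKU; a WAF_v2
      // gateway exposes the same data through Metrics, enabled below.
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

Once the firewall log lands in the workspace it appears in the AzureDiagnostics table with Category set to ApplicationGatewayFirewallLog, which is where you confirm that a policy running in Detection mode is actually seeing the traffic before you flip it to Prevention.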
Things to remember
WAF comes in two modes, Detection and Prevention. Detection only logs matches and never blocks a request.
Logs can be stored inside Storage Account, Event Hubs or Azure Monitor logs.
Global WAF = Azure Front Door
Regional WAF = Azure Application Gateway
The WAF protects against SQL injection, cross-site scripting, other common attacks (command injection, HTTP request smuggling, HTTP response splitting, remote file inclusion), HTTP protocol violations and anomalies (such as missing Host, User-Agent, and Accept headers), bots, crawlers and scanners, and common application misconfigurations (for example, Apache and IIS).
The managed rules are based on the OWASP Core Rule Set (CRS); the version used here is CRS 3.1.
You have to use the WAF_v2 tier for Application Gateway to associate it with a WAF policy.