Configuring Rule Sets for Azure Front Door

Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.

In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.

Learning Objectives

  • Configuring detection or prevention mode
  • Implementing a WAF policy 
  • Associating a WAF policy
  • Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
  • Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined

Intended Audience

  • System administrators with responsibilities for managing web applications
  • Security professionals responsible for securing Azure web applications
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


Prerequisites

  • A basic understanding of networking and security principles
  • An Azure subscription (sign up for a free trial at if you don’t have a subscription)

Welcome. In this lecture, we configure a Web Application Firewall policy for Azure Front Door. Just like with the Application Gateway, the Web Application Firewall policy with Azure Front Door protects against common exploits and vulnerabilities. There are a lot of similarities between the Web Application Firewall policy for Application Gateway and Azure Front Door. There are also some differences.

For starters, Azure Front Door works at the Microsoft Network Edge, and with the Web Application Firewall, malicious activity is blocked close to the attack source before it enters the Microsoft network. There are two types of rules for a Front Door Web Application Firewall policy: custom rules authored by the end user and a set of preconfigured Azure managed rules.

Additionally, there are four rule actions available with custom and managed rules. Allow passes the request through with no further processing. Block stops the request, sends the response to the client, and stops processing the request. We can also log the request and continue evaluating the lower priority rules.

With Azure Front Door, we can also redirect the connection to a different URL, allowing us to direct a request that matches a rule to a different URL. Just like the Application Gateway, we can deploy a policy in two modes. Detection mode doesn't take any actions other than monitoring and logging requests that match rules in the policy.

Prevention mode takes the action specified when the rule is matched. Managed rules with a Front Door policy are applied with a default rule set, or DRS. These rules are based on the OWASP categories and are managed and updated by Azure to protect against new and emerging attack signatures. Each rule in the rule set can be enabled or disabled, and the default action of block can be modified to allow, log, or redirect.

One of the available rule sets is written in partnership with the Microsoft Threat Intelligence team to provide increased patches for specific vulnerabilities with a lower false positive rate. There's also a bot protection rule set in preview with three different categories of bots: bad bots that have been identified as malicious, good bots such as search engine crawlers, and unknown bots. Unknown bots are self-identified as market analyzers and other data collection bots.

The Azure managed rule set includes rules to protect from cross-site scripting, Java attacks, local file inclusion, PHP injection attacks, remote command execution, remote file inclusion, session fixation, SQL injection, and protocol attacks. There are also custom rules available in a Web Application Firewall policy with Azure Front Door. Custom rules are processed before managed rules.

Custom rules can be created to block or allow based on IPv4 and IPv6 addresses or the geography of the client IP. Rules can be created based on the HTTP and HTTPS request parameters and request methods. There is an option to create rules based on size constraints, or the lengths of specific parts of a request, and rate-limiting rules to prevent abnormally high traffic from a client IP address.
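
The evaluation order and the four actions described above can be traced with a small model. This is an added example, not part of the course and not Azure's implementation: the rule names, sample address ranges and request fields are hypothetical. It assumes that a lower priority number is evaluated first and models Detection mode as log-and-continue.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    action: str                      # "Allow", "Block", "Log" or "Redirect"
    matches: Callable[[dict], bool]  # predicate over a request dict
    priority: int = 0                # custom rules only; lower runs first

def ip_match(*cidrs):
    """Match the client IP against IPv4 or IPv6 ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)

def evaluate(req, custom, managed, mode="Prevention"):
    """Return (verdict, matched_rules) for one request."""
    matched = []
    # Custom rules run in priority order, then the managed rule set.
    for rule in sorted(custom, key=lambda r: r.priority) + list(managed):
        if not rule.matches(req):
            continue
        matched.append((rule.name, rule.action))
        # Log never ends evaluation; Detection mode (modelled here as
        # log-and-continue, an assumption) takes no action at all.
        if rule.action == "Log" or mode == "Detection":
            continue
        return rule.action, matched   # Allow, Block, Redirect are terminal
    return "Pass", matched            # no terminal rule matched

# Constructed sample policy; the ranges are documentation prefixes.
CUSTOM = [
    Rule("allow-monitoring", "Allow",
         ip_match("203.0.113.0/24", "2001:db8:aa::/48"), 10),
    Rule("log-put", "Log", lambda r: r["method"] == "PUT", 20),
    Rule("block-large-body", "Block", lambda r: len(r["body"]) > 8192, 30),
    Rule("redirect-geo", "Redirect", lambda r: r["country"] == "ZZ", 40),
]
# Stand-in for one managed rule; the real rule set is far broader.
MANAGED = [Rule("managed-xss-standin", "Block",
                lambda r: "<script" in r["query"].lower())]

def request(ip, method="GET", query="", body="", country="US"):
    """Build a constructed request record for the model."""
    return {"ip": ip, "method": method, "query": query,
            "body": body, "country": country}
```

A request from the allowed range never reaches the managed rule, which is why a broad custom Allow rule deserves the same scrutiny as a firewall exception.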

Coming up next, we are going to walk through a demonstration of implementing and assigning a Web Application Firewall policy to Azure Front Door. We create a custom response code that users will see when they are denied access, we'll review and modify managed rules and add a bot protection rule. Finally, we'll add a custom rule to the Web Application Firewall policy.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.