Welcome to our first lecture. A good place to start is at the beginning, so let's get started with what exactly is a Web Application Firewall? Let's start with what a firewall is first. Although there are many variations of firewall solutions available, in it's simplest form, a firewall is a device, physical or virtual, that separates a trusted network from an untrusted network.

Commonly, an internal private network and a public network, such as the internet. Rules are created on the device that deny or allows access between the two networks. Without a firewall, our private internal resources would be exposed to the internet. The traditional firewall model does not offer much protection for web applications. Web applications need to be available to the public network to be useful. Because of that, web applications are exposed to common malicious attacks and vulnerabilities.

A Web Application Firewall protects web applications from these common exploits. To better understand what makes a Web Application Firewall different from a traditional firewall, let's compare the two. A traditional firewall will allow or deny traffic based on source and destination traffic, including IP addresses and ports.

For a public web application to work, common web ports 80 and 443 need to be open from the public internet to the internal network. This offers some protection to the internal private network but not much protection for the web applications. There are common web exploits and vulnerabilities that simple port blocking won't stop. For example, SQL injection, where an input such as a username is formatted with a SQL statement that returns information not intended to be public; or cross-site scripting that injects malicious scripts into trusted websites that's executed on visitor's web browser. 

There are also malicious bots or web-based automation processes that search for sites with vulnerabilities and known exploits. There are many other exploits cataloged as Common Vulnerabilities and Exposures or CVEs. A CVE is a method of publishing and sharing information on newly-discovered vulnerabilities. The list goes on. There are a lot of attack vectors for web-based applications. Command injections, HTTP Request Smuggling, remote file inclusions, PHP and Java attacks, just to name a few. It would be impossible for most organizations to monitor and manage all these attack vectors. 

Let's look at how Azure Web Application Firewall can help. A Web Application Firewall goes beyond simple source and destination port and IP address information, and inspects the traffic passed between the client and web service. It checks for these known exploits and blocks malicious traffic before it gets to the service hosting the application. The Web Application Firewall uses a collection of rules and policies to protect web-based services and applications.

There are two types of rules available with the Web Application Firewall. The first is a custom rule. As the name implies, custom rules are ones we create and manage. These are helpful in some situations but with all the current and emerging threats, creating and managing all the security rules would be problematic. These custom rules are processed before the second type: managed rules. A managed rule is a collection of Azure-managed pre-configured rules. These rules include Core Rule Sets or CRS 3.1, 3.0, and 2.2.9 as well as bot mitigation and other Azure-specific rules. We'll cover core rules and bot mitigation further in this course.

These options allow us to benefit from Microsoft's threat intelligent investment. Microsoft runs one of the largest networks in the world and respond to new threats on a daily basis. Once rules are created, we have two options or modes for these rules. We can enable detection mode. Detection mode monitors and logs threats. This is a good option for initial deployment to monitor what may be blocked without stopping traffic. It can also be helpful for advanced threat detection and investigation. Prevention mode blocks attacks the rule detects. When a rule is blocked, the user will get a 403 unauthorized access error and the attempt is logged. The Web Application Firewall supports three services: Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network or CDN. Each has a features and options specific to the service. Let's take a look at each next.