Azure Application Gateway Web Application Firewall Preview
This post describes the Web Application Firewall, a new network security feature for web applications that was launched in preview at Microsoft Ignite 2016.
You can run a pretty complex web hosting service in Azure. Load balancing (for multi-region scale-out and failover) can be done at the DNS-level using Traffic Manager, layer 4 load balancing can be done within a virtual network (VNet) using the ARM load balancer, and a year ago, Microsoft added layer 7 functionality in the Application Gateway.
- HTTP load balancing: Layer 7 load balancing of HTTP(S) traffic.
- Cookie-based session affinity: Allow application layer session affinity between a client and an HTTP(S) server.
- Secure Sockets Layer (SSL) offload: Offload CPU-intensive encryption work from the web/application servers to the application gateway. Traffic is encrypted between the client and the application gateway, but in clear between the gateway and the servers over the trusted internal VNet.
- End-to-End SSL: A twist on SSL offload; traffic is re-encrypted between the application gateway and the web/application server.
- URL-based content routing: You can have farms of site content; for example, a virtual directory can be hosted by one set of servers. Or you can host multiple domains behind one gateway. The application gateway sees the requested URL and forwards it to one of the web servers that hosts that content.
- Multi-site routing: You can have up to 20 websites configured for URL-based content routing.
- WebSocket support: There is native support for WebSocket: full-duplex communication channels over a single TCP connection. In other words, data can be sent between client and server within a mutually agreed session without the client having to issue a request for each message.
- Health monitoring: Servers are monitored for load balancing, and probes can be used for deeper monitoring.
At Ignite, Microsoft announced a preview of a new Application Gateway feature, the Web Application Firewall, an additional SKU that we will have to pay for after GA if we choose to deploy it.
Web Application Firewall
There have been two ways to implement security for web applications in Azure:
- Network security groups: Simple layer 4 filtering of protocol/port based on source/destination rules.
- Network virtual appliance (NVA): A virtual machine appliance, supplied via a third party in the Azure Marketplace, that offers layer 7 security.
And now, in preview, we can add Web Application Firewall (WAF) functionality to the Application Gateway. This provides you with a Microsoft-managed, centrally run security solution that can integrate into Azure Security Center and operates at layer 7, meaning that it can perform application-layer inspection. This is the sort of security that protects you against modern threats such as SQL injection attacks.
At this time, the WAF does not allow user-defined rules — this is something Microsoft intends to add at a later point. The WAF is currently pre-configured with ModSecurity (is that more open-source love from Microsoft?) and the OWASP Core Rule Set, described as:
… an easily “pluggable” set of generic attack detection rules that provide a base level of protection for any web application
Some of the vulnerabilities that WAF currently protects you against are:
- SQL injection
- Cross-site scripting
- Common web attacks, including command injection, remote file inclusion, and more.
- HTTP protocol violations
- HTTP protocol anomalies
- Denial of service (DoS), including HTTP flooding and slow HTTP DoS
- Bots, crawlers, and scanners
- Common IIS and Apache misconfigurations
Modes of Operation
Microsoft allows you to operate WAF in two different modes:
- Detection: The WAF does not intervene at all; issues and alerts are logged and that is all. You can use this mode to diagnose issues/alerts or to build up trust in WAF before turning it on in a production environment (after GA).
- Prevention: WAF uses the rule set to block unwanted traffic and intrusions.
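Detection mode only makes sense if somebody actually reads what it logs. The script below is an added example (not code from the post or from Microsoft) of the triage a practitioner would run over Detection-mode firewall logs before flipping the switch to Prevention: which rules fire, whether a rule is hitting many distinct clients on the same URI (the classic false-positive signature) and how many requests would have been affected. The diagnostic-log record layout (category, properties, transactionId, clientIp, requestUri, ruleId, action) is an assumption modelled on Azure diagnostic JSON rather than a documented schema, and the sample log lines are constructed; the rule IDs follow OWASP CRS 3 numbering but are used here purely as sample values.

```python
"""Triage Application Gateway WAF Detection-mode logs before enabling Prevention.

Added example, not the post's or Microsoft's code. The record layout and all
sample values below are constructed assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed sample: one diagnostic-log line per rule match, plus an access-log
# record and a corrupt line to show that the parser tolerates both.
SAMPLE_LOG_LINES = [
    '{"category": "ApplicationGatewayFirewallLog", "properties": {"transactionId": "t1", "clientIp": "203.0.113.10", "requestUri": "/search", "ruleId": "942100", "message": "SQL Injection Attack Detected", "action": "Detected"}}',
    '{"category": "ApplicationGatewayFirewallLog", "properties": {"transactionId": "t2", "clientIp": "203.0.113.11", "requestUri": "/search", "ruleId": "942100", "message": "SQL Injection Attack Detected", "action": "Detected"}}',
    '{"category": "ApplicationGatewayFirewallLog", "properties": {"transactionId": "t3", "clientIp": "203.0.113.12", "requestUri": "/search", "ruleId": "942100", "message": "SQL Injection Attack Detected", "action": "Detected"}}',
    '{"category": "ApplicationGatewayFirewallLog", "properties": {"transactionId": "t4", "clientIp": "198.51.100.7", "requestUri": "/login", "ruleId": "941100", "message": "XSS Attack Detected", "action": "Detected"}}',
    '{"category": "ApplicationGatewayFirewallLog", "properties": {"transactionId": "t4", "clientIp": "198.51.100.7", "requestUri": "/login", "ruleId": "949110", "message": "Inbound Anomaly Score Exceeded", "action": "Detected"}}',
    '{"category": "ApplicationGatewayAccessLog", "properties": {"clientIp": "203.0.113.10", "requestUri": "/"}}',
    'not json at all',
]


def parse_firewall_records(lines):
    """Return the properties dicts of firewall-log records only.

    Non-JSON lines and other categories (access logs, performance logs) are
    skipped so that one bad line does not abort a whole triage run.
    """
    records = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("category") != "ApplicationGatewayFirewallLog":
            continue
        props = entry.get("properties", {})
        if "ruleId" in props and "requestUri" in props and "clientIp" in props:
            records.append(props)
    return records


def summarize_rules(records):
    """Per rule ID: hit count, distinct client IPs and distinct request URIs."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set(), "message": ""})
    for rec in records:
        entry = summary[rec["ruleId"]]
        entry["hits"] += 1
        entry["clients"].add(rec["clientIp"])
        entry["uris"].add(rec["requestUri"])
        entry["message"] = rec.get("message", entry["message"])
    return dict(summary)


def likely_false_positives(summary, min_clients=3):
    """Rule IDs that fired for at least `min_clients` distinct clients on a single URI.

    Many unrelated clients tripping the same rule on one path usually means the
    application's legitimate input looks like an attack to that rule; review it
    before Prevention mode starts blocking those users.
    """
    return sorted(
        rule_id for rule_id, entry in summary.items()
        if len(entry["clients"]) >= min_clients and len(entry["uris"]) == 1
    )


def requests_with_any_match(records):
    """Upper bound on requests Prevention mode could have blocked.

    Detection mode logs one record per matched rule, so distinct transactions
    are counted rather than records. Falls back to (clientIp, requestUri) when
    the assumed transactionId field is absent.
    """
    return len({rec.get("transactionId", (rec["clientIp"], rec["requestUri"])) for rec in records})


def triage_report(lines, min_clients=3):
    """Build the summary a team would review before switching to Prevention."""
    records = parse_firewall_records(lines)
    summary = summarize_rules(records)
    return {
        "firewall_records": len(records),
        "rules": {
            rule_id: {
                "hits": entry["hits"],
                "clients": len(entry["clients"]),
                "uris": sorted(entry["uris"]),
                "message": entry["message"],
            }
            for rule_id, entry in summary.items()
        },
        "likely_false_positives": likely_false_positives(summary, min_clients),
        "requests_with_any_match": requests_with_any_match(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_LOG_LINES), indent=2))
```

On the constructed sample the report flags rule 942100 as a likely false positive (three distinct clients, all on /search) and counts four affected requests rather than five records, because two matches belong to the same transaction. The request count is an upper bound: with an anomaly-scoring rule set, individual matches below the scoring threshold do not block on their own, so the number of requests Prevention mode actually refuses can be lower. Since the preview offers no user-defined rules or exclusions, the practical outcome of a flagged rule at this stage is to fix the application input that trips it or to accept the block, which is exactly why the author suggests living in Detection mode first.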
WAF looks like a nice new way to implement security for web applications that are hosted in Azure. I don’t think anyone will rely solely on WAF until they can create their own rule sets, but WAF with network security groups (NSGs) could offer quite a security solution at the L4 and L7 layers.