A web application firewall (WAF) is a security control that protects web applications from attacks such as cross-site scripting (XSS), SQL injection, and other common forms of malicious HTTP traffic. A WAF is typically deployed in front of the web servers, as a reverse proxy or at the network edge, where it inspects incoming requests and blocks those that match its rules (or, for allow-list rules, those that do not).
Azure Web Application Firewall is a web security service that provides real-time protection against various threats. Although Azure WAF works well within its intended scope, the solution comes with various limitations. Ultimately, it does not provide (and isn’t intended to provide) full holistic security.
In this article, we discuss:
- What is Azure WAF?
- How to deploy and configure it
- Azure WAF’s limitations
- How to convert it into a full-featured web security solution
What Is Azure Web Application Firewall?
Azure Web Application Firewall (WAF) is a centralized, cloud-native security service that protects web applications from known vulnerabilities and attack patterns. It is not a standalone appliance: it attaches to an Azure application delivery service, namely Azure Application Gateway (an application delivery controller, ADC), Azure Front Door, or Azure CDN, and lets teams apply managed and custom rule sets to traffic at that edge.
The WAF itself runs only as an Azure service, but the backends it protects can live in Azure, in another cloud, or on-premises in your own data center, since Front Door and Application Gateway forward the filtered traffic to any reachable origin. Below, we'll briefly list its primary features.
Azure WAF offers preconfigured managed rule sets that let security teams turn on application protection immediately. It is best known for rule sets derived from the OWASP Core Rule Set (CRS), which cover common attack techniques such as injection, XSS, protocol violations and scanner fingerprints. Its detection engine uses anomaly scoring: each matched rule adds to a per-request score and the request is blocked only when the score crosses a threshold, which reduces false positives compared with blocking on any single match.
Azure Web Application Firewall integrates with Azure's monitoring and security information and event management (SIEM) tooling for visibility. The WAF generates diagnostic logs that can be sent to Azure Monitor Logs for tracking firewall alerts and trends, and it integrates with Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) to display the state of all Azure resources in a single pane of glass.
Azure WAF lets cloud security teams create custom rules and rule groups for application-specific requirements. Rules are bundled into a WAF policy, and a policy is associated with each site the firewall protects, so each site can carry its own configuration.
WAF Policy and Rules
A WAF policy holds the managed rules, custom rules, exclusions and other settings (mode, request body inspection, and so on) that the firewall enforces. Once you configure a WAF policy, you can associate it with one or more application gateways, Front Door endpoints or CDN endpoints.
The rules in a policy fall into two categories:
- Managed rules, chosen from Azure's preconfigured rule sets, which are derived from the OWASP Core Rule Set, or
- Custom rules written for specific use cases (match rules on request attributes, and rate-limit rules)
Besides managed and custom rules, the WAF also supports a bot protection rule set that blocks or logs requests from IP addresses that Microsoft's threat intelligence feed flags as malicious.
How to Deploy and Configure Azure Web Application Firewall
Depending on your use case, you can set up Azure WAF for a web application in one of three ways. In this article, we'll demonstrate:
- Creating a basic WAF policy and applying it to a frontend at Azure Front Door
The other two options are:
- Creating an Application Gateway with a WAF
- Creating a WAF policy then applying it to an endpoint on Azure Content Delivery Network (CDN)
Adding Azure WAF to Azure Front Door
To follow along with this walkthrough, you will need an existing Azure account with an active Azure Front Door Standard or Premium profile. Note that on Front Door the Standard tier supports custom rules only; the managed (OWASP-derived) rule sets and bot protection used later in this walkthrough require the Premium tier. To learn more about configuring a Front Door that connects the WAF-protected frontend to an application backend, follow these steps.
The workflow for this method involves:
- Creating the WAF policy
- Associating the policy with a frontend host
- Configuring WAF rules
Step 1: Creating the WAF Policy
First, sign in to the Azure portal. At the top left of the screen, select Create a resource.
In the search bar, type WAF, select Web Application Firewall, and then select Create.
This redirects you to the Create a WAF policy page. In the Basics tab, select the Global WAF (Front Door) option under the Policy for dropdown menu. Enter a unique name for your WAF policy, and select the subscription and resource group used for your Front Door. Set the policy state to Enabled, and choose the policy mode: Detection logs matching requests without blocking them, while Prevention enforces each rule's action. Starting in Detection mode lets you review the matches and add exclusions for false positives before switching to Prevention.
Step 2: Associating the Policy with a Frontend Host
In the Associations tab, select + Add frontend host to choose the Front Door frontends this WAF policy will protect. A policy can be associated with one or more frontend hosts.
In the Add frontend host popup, select the hosts to associate with the policy, then click Add.
Step 3: Configuring WAF rules
Once the policy is associated with a frontend, you can assign managed and custom rules. The Managed rules tab lets cloud administrators adjust Azure's preconfigured default rule set, which protects applications against the OWASP attack categories. For this demo, we'll stick to the default set.
However, if using the default rule set does not support your use case, the WAF platform also allows for the creation of custom rules to manage specific cases. You can do this by clicking on the Custom rules tab, then click on + Add custom rule to create a bespoke policy rule.
Fill out the relevant fields in the Add custom rule popup: a rule name and priority, one or more match conditions (for example on the request URI, a header, or the client's geolocation), and the action to take (Allow, Block, Log or Redirect). Rules are evaluated in priority order, lowest number first, and custom rules are evaluated before the managed rule set. Click Add to include the rule in the WAF policy.
Once the settings are in place, click Review + create, then Create, to deploy the WAF policy. Give the service some time to validate and create the WAF resource. Once the deployment is complete, the portal displays a confirmation notification.
As the last step to validate the setup, click on Go to resource to review the frontends associated with the policy, as well as check the custom and managed rules it implements.
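The same three steps can be scripted against the Azure Resource Manager (ARM) REST API, which also exposes the policy schema the portal hides. The block below is an added example written for this article, not Microsoft tooling: it builds the WAF policy body (settings, a rate-limit custom rule on the login path, the OWASP-derived default rule set and bot protection), runs a few pre-flight checks, and then creates the policy and the Front Door security policy that associates it with an endpoint. The resource types, api-versions and property names follow the ARM REST reference as I know it and should be checked against the current reference before use; SUBSCRIPTION_ID, RESOURCE_GROUP, afd-profile, www and ACCESS_TOKEN are hypothetical placeholders.

```python
"""Scripted equivalent of the portal walkthrough above, written for this
article as an added example; it is not Microsoft tooling. Assumptions (not in
the article): the ARM resource types, api-versions and property names below
follow the Azure Resource Manager REST reference as I know it; check them
against the current reference before use. SUBSCRIPTION_ID, RESOURCE_GROUP,
afd-profile, www and ACCESS_TOKEN are hypothetical placeholders."""
import json
import urllib.request

ARM = "https://management.azure.com"
WAF_API = "2022-05-01"   # Microsoft.Network/FrontDoorWebApplicationFirewallPolicies
AFD_API = "2023-05-01"   # Microsoft.Cdn/profiles/securityPolicies


def build_waf_policy(mode="Detection"):
    """Policy body: settings, one rate-limit custom rule on /login, the
    OWASP-derived default rule set and bot protection. Start in Detection
    (log only) and switch to Prevention once false positives are excluded."""
    if mode not in ("Detection", "Prevention"):
        raise ValueError("mode must be Detection or Prevention")
    return {
        "location": "Global",
        "sku": {"name": "Premium_AzureFrontDoor"},  # managed rules need Premium
        "properties": {
            "policySettings": {"enabledState": "Enabled", "mode": mode,
                               "requestBodyCheck": "Enabled"},
            "customRules": {"rules": [{
                "name": "RateLimitLogin",
                "priority": 100,             # custom rules run before managed ones
                "enabledState": "Enabled",
                "ruleType": "RateLimitRule",
                "rateLimitDurationInMinutes": 1,
                "rateLimitThreshold": 100,   # counted per client IP
                "matchConditions": [{
                    "matchVariable": "RequestUri", "operator": "Contains",
                    "negateCondition": False, "matchValue": ["/login"],
                    "transforms": ["Lowercase"]}],
                "action": "Block"}]},
            "managedRules": {"managedRuleSets": [
                {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1",
                 "ruleSetAction": "Block"},
                {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"}]},
        },
    }


def build_security_policy(waf_policy_id, domain_ids):
    """Security-policy body that ties the WAF policy to Front Door endpoints or
    custom domains (the portal's Associations tab)."""
    return {"properties": {"parameters": {
        "type": "WebApplicationFirewall",
        "wafPolicy": {"id": waf_policy_id},
        "associations": [{"domains": [{"id": d} for d in domain_ids],
                          "patternsToMatch": ["/*"]}]}}}


def validate_custom_rules(policy):
    """Pre-flight checks: unique priorities, every rule has a condition, every
    rate-limit rule has threshold and duration. Returns a list of problems."""
    problems, seen = [], set()
    for r in policy["properties"]["customRules"]["rules"]:
        if r["priority"] in seen:
            problems.append(f"duplicate priority {r['priority']}")
        seen.add(r["priority"])
        if not r["matchConditions"]:
            problems.append(f"{r['name']}: no match conditions")
        if r["ruleType"] == "RateLimitRule" and not (
                r.get("rateLimitThreshold") and r.get("rateLimitDurationInMinutes")):
            problems.append(f"{r['name']}: rate-limit rule lacks threshold/duration")
    return problems


def put_resource(path, api_version, body, token):
    """PUT one ARM resource; token comes from `az account get-access-token`."""
    req = urllib.request.Request(
        f"{ARM}{path}?api-version={api_version}", method="PUT",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sub, rg, profile, token = "SUBSCRIPTION_ID", "RESOURCE_GROUP", "afd-profile", "ACCESS_TOKEN"
    base = f"/subscriptions/{sub}/resourceGroups/{rg}/providers"
    waf_id = f"{base}/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/demoWafPolicy"
    policy = build_waf_policy("Detection")
    if validate_custom_rules(policy):
        raise SystemExit(validate_custom_rules(policy))
    put_resource(waf_id, WAF_API, policy, token)                            # steps 1 and 3
    endpoint_id = f"{base}/Microsoft.Cdn/profiles/{profile}/afdEndpoints/www"
    put_resource(f"{base}/Microsoft.Cdn/profiles/{profile}/securityPolicies/wafAssoc",
                 AFD_API, build_security_policy(waf_id, [endpoint_id]), token)  # step 2
```

Run it with a token from `az account get-access-token --query accessToken -o tsv`. The policy is created in Detection mode on purpose; flip `mode` to `Prevention` and re-run the same PUT once the log shows no false positives.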
This completes our walkthrough of adding Azure Web Application Firewall to Azure Front Door. As mentioned (and linked to) earlier, you can also use the WAF with Azure Application Gateway and Azure CDN.
Limitations of Azure WAF
Although Azure offers a straightforward way to deploy a WAF that provides baseline security for your applications, comprehensive web security requires far more. The WAF has some significant limitations, including those discussed below.
Lack of global rate limiting
Rate limiting is a crucial component of defending against brute-force and credential-stuffing attacks. Azure WAF's rate-limit custom rules count requests per client IP address within the window you configure (a threshold per one- or five-minute duration); there is no counter that spans all clients. A single source that exceeds the threshold is blocked, but an attacker who spreads the same volume across many addresses never crosses it.
Because counting is per IP only, attackers evade the limit simply by rotating IP addresses, which is cheap and routine today through proxy pools and botnets. This means Azure WAF offers only minimal protection against a range of distributed, low-and-slow attacks, including:
- ATOs (Account Takeovers) via credential stuffing
- Enumeration attacks
- Input fuzzing
- Inventory denial
- Payment card validation
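To make the per-IP versus global distinction concrete, the following added example (written for this article, not Azure code) replays a constructed credential-stuffing burst through two sliding-window rate limiters: one keyed on the client IP, as Azure WAF's rate-limit rule counts, and one keyed on the request path, i.e. a single global counter. The threshold of 100 requests per 60 seconds, the 50 rotating source addresses and the attempt rate are illustrative assumptions.

```python
"""Added example (not Azure code): replay a constructed credential-stuffing
burst through two rate limiters, one counting per client IP as Azure WAF's
rate-limit rule does, one counting globally per path, to show why IP rotation
defeats the first. Threshold, window and traffic shape are assumptions."""
from collections import defaultdict, deque


class WindowRateLimiter:
    """Sliding-window counter. key_fn picks what a request is counted against:
    the client IP (per-IP, as Azure WAF) or the path (one global counter)."""

    def __init__(self, threshold, window_seconds, key_fn):
        self.threshold = threshold
        self.window = window_seconds
        self.key_fn = key_fn
        self.hits = defaultdict(deque)   # key -> timestamps still inside the window

    def allow(self, req):
        q = self.hits[self.key_fn(req)]
        while q and req["t"] - q[0] >= self.window:   # drop expired timestamps
            q.popleft()
        q.append(req["t"])
        return len(q) <= self.threshold


def credential_stuffing(n_attempts, n_ips, t0=0.0, interval=0.5):
    """Constructed attack traffic: n_attempts POST /login attempts spread
    round-robin across n_ips source addresses (TEST-NET-3 range), one attempt
    every `interval` seconds, each with a fresh username from a leaked list."""
    return [
        {"t": t0 + i * interval, "ip": f"203.0.113.{1 + (i % n_ips)}",
         "path": "/login", "user": f"user{i:04d}"}
        for i in range(n_attempts)
    ]


def run(requests, limiter):
    """Returns (allowed, blocked) counts for the traffic under the limiter."""
    allowed = sum(1 for r in requests if limiter.allow(r))
    return allowed, len(requests) - allowed


def compare(n_attempts=600, n_ips=50, threshold=100, window=60):
    """Same burst, both limiters. Returns the number of blocked attempts each."""
    per_ip = WindowRateLimiter(threshold, window, key_fn=lambda r: r["ip"])
    global_ = WindowRateLimiter(threshold, window, key_fn=lambda r: r["path"])
    traffic = credential_stuffing(n_attempts, n_ips)
    return {
        "per_ip_blocked": run(traffic, per_ip)[1],
        "global_blocked": run(traffic, global_)[1],
    }


if __name__ == "__main__":
    print("single source :", compare(n_ips=1))    # per-IP limit works
    print("50 rotating IPs:", compare(n_ips=50))  # per-IP limit sees nothing
```

With one source address both limiters behave identically and block everything past the threshold. Spread over 50 addresses, each IP makes only a dozen attempts 25 seconds apart, so the per-IP limiter never fires, while the global counter still blocks every attempt after the first hundred in the window.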
Lack of self-learning
Azure WAF does not use mechanisms such as machine learning to learn from, and adapt to, changing threat conditions.
Logging and monitoring
Azure WAF has no dashboard of its own. Its per-request decisions (Allow, Block, Log and Redirect) only become visible once you enable diagnostic settings and route the WAF log (category FrontdoorWebApplicationFirewallLog for Front Door) to a Log Analytics workspace, a storage account or an event hub, and then only through the general-purpose tooling of Azure Monitor and Defender for Cloud.
In other words, Azure WAF does not present traffic and attack data itself; users must query and combine data from Azure Monitor metrics and Log Analytics, which takes effort to set up. Nor is this data real time: pre-defined metric alerts are "near real-time" at best, while the SLA for Log Analytics only promises data availability within six hours.
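Because the raw WAF log is what you actually get, a small amount of post-processing is usually the first thing a SOC writes. The block below is an added example for this article, not Microsoft code: it reads exported diagnostic records in JSON Lines form, keeps only the WAF category (a storage-account or event-hub export mixes in access logs), and summarizes actions per rule and the most-blocked client IPs. The record layout, the category name and the field names under "properties" are an assumption based on the Front Door WAF diagnostic log as I know it, and the sample records are constructed.

```python
"""Added example (not Microsoft code): summarize exported Azure WAF diagnostic
records so blocks per rule and per client IP can be reviewed without writing a
Log Analytics query. The category name and the fields under "properties" are
an assumption about the Front Door WAF log layout; SAMPLE_LOG is constructed
(the third line is an access-log record, the last is deliberately malformed)."""
import json
from collections import Counter

WAF_CATEGORY = "FrontdoorWebApplicationFirewallLog"

SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:01Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.7","requestUri":"/login","ruleName":"RateLimitLogin","action":"Block"}}
{"time":"2024-05-01T10:00:02Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.8","requestUri":"/search?q=1%27%20OR%201=1","ruleName":"DefaultRuleSet-2.1-SQLI-942100","action":"Block"}}
{"time":"2024-05-01T10:00:03Z","category":"FrontdoorAccessLog","properties":{"clientIP":"198.51.100.9","requestUri":"/","httpStatusCode":"200"}}
{"time":"2024-05-01T10:00:04Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.7","requestUri":"/login","ruleName":"RateLimitLogin","action":"Block"}}
{"time":"2024-05-01T10:00:05Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.8","requestUri":"/search?q=%3Cscript%3E","ruleName":"DefaultRuleSet-2.1-XSS-941100","action":"Log"}}
{"time":"2024-05-01T10:00:06Z","category":"FrontdoorWebApplicationFirewall
"""


def parse_records(text):
    """Yield WAF records from JSON Lines text, skipping other categories and
    lines that fail to parse (truncated exports are common); each record is
    flattened to the fields the summary needs."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("category") != WAF_CATEGORY:
            continue
        p = rec.get("properties", {})
        records.append({
            "time": rec.get("time"),
            "client_ip": p.get("clientIP"),
            "uri": p.get("requestUri"),
            "rule": p.get("ruleName"),
            "action": p.get("action"),
        })
    return records


def summarize(records, top=5):
    """Counts by action, by (rule, action), and the client IPs with the most
    Block decisions; this is the view the portal does not give you directly."""
    by_action = Counter(r["action"] for r in records)
    by_rule = Counter((r["rule"], r["action"]) for r in records)
    blocked_ips = Counter(r["client_ip"] for r in records if r["action"] == "Block")
    return {
        "by_action": dict(by_action),
        "by_rule": dict(by_rule),
        "top_blocked_ips": blocked_ips.most_common(top),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_records(SAMPLE_LOG)), indent=2))
```

Point `parse_records` at the files an export writes (or at messages read off the event hub) and schedule `summarize` as often as the ingestion delay makes useful; the same counters are the natural input for a per-application alert, which is exactly what the next limitation says the WAF will not raise on its own.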
Limitations on fine-tuning of alerts
The web application firewall does not let you configure alerts and notifications per application or per attack type. Alerts for mission-critical apps, or for specific forms of attack that require immediate action, therefore mostly require integration with other tools (for example Azure Monitor alert rules over a log query, or a SIEM) for custom notifications.
Limited protection against hostile bots
To identify bots, Azure WAF relies on IP reputation: the bot protection rule set matches client addresses against the Microsoft Threat Intelligence feed. This is only effective against attackers that keep operating bots from the same, already-listed addresses; a bot on a fresh or residential proxy IP is not on the list and passes.
How to Convert Azure WAF Into a Full-Featured Web Security Solution
Reblaze provides automated, robust web security for Microsoft Azure. It extends and completes Azure’s WAF, providing comprehensive protection for sites, web applications & APIs.
Reblaze is a complete web security solution, including a next-gen WAF, multi-layer DoS/DDoS protection, advanced bot management, precise ACL, API security, real time reporting, full traffic transparency, ATO prevention, and more, all fully integrated with Azure. The platform is fully managed, always up-to-date, and includes continual machine learning for accurate, adaptive threat recognition.
Reblaze deploys in minutes, and runs on your choice of Microsoft Azure and/or other clouds. For more information or to get a demo, contact us here.