Protect your web apps in the cloud with Web Application Firewall


Introduction

Web Application Firewall (WAF) is something we have touched on briefly before on Lindbergtech, but it is time to go a bit more in depth on this topic. WAF is an Azure service that you attach, as a WAF policy, to your Application Gateway or Front Door deployments. It gives you a centralized place to protect your web applications from common exploits such as SQL injection and cross-site scripting.

This matters because anything you expose publicly on the internet is reachable by anyone, and you do not know who will try to take advantage of your content or platform.

In this post we will explore some of the cornerstone services that WAF provides for you out of the box or with little configuration on your end.

Managed rule sets, rules and rule group overrides

  • Managed rule sets & rules

One of the cornerstone features of WAF is the managed rule sets. These are pre-packaged rules you attach to your WAF policy and immediately gain protection from, covering attack patterns that are well known on the internet.

I can build my own custom rules or use an existing rule set in my WAF policy, such as the Open Web Application Security Project ("OWASP") managed rule set. The "OWASP" managed rule set in your WAF resource is Azure's packaging of the OWASP Core Rule Set (CRS), a set of rules maintained by the OWASP project and designed to protect your application from a wide range of attacks.

The OWASP rule set includes protections against threats like SQL injection, cross-site scripting (XSS) and many others. By including this managed rule set in your WAF policy, you instruct the WAF to evaluate every incoming request to your application against these rules.

What is more exciting is that I get all of this out of the box by applying my WAF policy as-is. If I do want to tailor it to my deployment, I can use rule group overrides, which let me disable individual rules (or change their action) within the managed rule set without giving up the rest of it.

  • Rule group overrides

Here is an example where I deploy a WAF policy with the OWASP managed rule set but disable a couple of its rules. In Terraform that looks like this:

resource "azurerm_web_application_firewall_policy" "waf_policy" {
  name                = "waf-prod-weu-owasp"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location

  managed_rules {
    # The full OWASP CRS 3.2 managed rule set is applied...
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"

      # ...except for the rules listed here. Rule IDs are grouped by the CRS
      # rule group they belong to; 9203xx rules live in the protocol-enforcement group.
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        # disabled_rules is the azurerm provider 3.x syntax; newer provider releases
        # deprecate it in favour of rule { id = "920300" enabled = false } blocks.
        disabled_rules = [
          "920300", # Request Missing an Accept Header
          "920310", # Request Has an Empty Accept Header
        ]
      }
    }
  }
}

The managed rule set is still applied in full, except that rules 920300 (request missing an Accept header) and 920310 (request has an empty Accept header) are disabled. Disabling a rule removes its protection for every request the policy sees, so disable as few rules as possible and record why each one was turned off.

Best practices

It is recommended that whenever you create a new policy and associate it with an Application Gateway or Front Door instance, you run it in Detection mode first rather than Prevention mode. You can think of it like this:

  • Detection mode: the WAF evaluates every request against the policy and logs which ones it would have blocked, but lets all traffic through
  • Prevention mode: protection is active; requests that match a rule are blocked and logged

This lets you find false positives and adjust the policy (for example with rule group overrides) before legitimate requests start being blocked when you go live. Keep in mind that the mode applies to the whole policy: until you switch it to Prevention, nothing is being blocked.

To review this, set your WAF policy to Detection mode and configure a diagnostic setting on the Application Gateway (the gateway, not the WAF policy, is the resource that emits the firewall log) to send the ApplicationGatewayFirewallLog category to a Log Analytics Workspace:

# Resource type is Microsoft.Network/applicationGateways; the Front Door WAF log is a separate category on the Front Door resource.
az monitor diagnostic-settings create --name myWAFLog \
  --resource /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/applicationGateways/{applicationGatewayName} \
  --logs '[{"category": "ApplicationGatewayFirewallLog", "enabled": true}]' \
  --workspace /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}
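Once the firewall log is flowing, the practical question is which rules fired, on what, and how often, and which of those are false positives worth an override. The following script is an added example (not code from the original post or from Azure): it parses a handful of constructed ApplicationGatewayFirewallLog entries in the one-JSON-object-per-line shape the log is exported in, counts detections per rule ID, flags rules that only ever fired on URIs you have classified as benign (here the health-probe path /api/health), and renders matching rule_group_override blocks in the azurerm 3.x syntax used above. The sample events, the client IPs and the benign-path list are all invented for the example; the rule-group names are the OWASP CRS 3.2 groups Azure WAF uses, and the mapping is a subset.

```python
"""Triage Azure WAF detection-mode logs and render rule_group_override blocks.

Added example, not from the original post. Assumes ApplicationGatewayFirewallLog
entries exported as one JSON object per line and OWASP CRS 3.2 rule-group names.
"""
import json
from collections import Counter, defaultdict


def _fw(uri, rule_id, message, client_ip="10.0.0.5"):
    """Build one constructed firewall-log entry with only the fields this script uses."""
    return {"category": "ApplicationGatewayFirewallLog", "properties": {
        "clientIp": client_ip, "requestUri": uri, "ruleSetType": "OWASP",
        "ruleSetVersion": "3.2", "ruleId": rule_id, "action": "Detected",
        "message": message}}


# Constructed sample: a health probe tripping two protocol-enforcement rules
# (false-positive candidates), one SQLi and one XSS attempt, plus an access-log
# entry that must be ignored because it is not a firewall log.
_SAMPLE_EVENTS = [
    _fw("/api/health", "920300", "Request Missing an Accept Header"),
    _fw("/api/health", "920300", "Request Missing an Accept Header"),
    _fw("/api/health", "920300", "Request Missing an Accept Header"),
    _fw("/api/health", "920310", "Request Has an Empty Accept Header"),
    _fw("/login", "942100", "SQL Injection Attack Detected via libinjection", "203.0.113.9"),
    _fw("/search", "941100", "XSS Attack Detected via libinjection", "203.0.113.9"),
    {"category": "ApplicationGatewayAccessLog", "properties": {"requestUri": "/", "httpStatus": 200}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS]

# Subset of the CRS 3.2 rule groups, keyed by the first three digits of the rule ID.
CRS_32_RULE_GROUPS = {
    "913": "REQUEST-913-SCANNER-DETECTION",
    "920": "REQUEST-920-PROTOCOL-ENFORCEMENT",
    "921": "REQUEST-921-PROTOCOL-ATTACK",
    "930": "REQUEST-930-APPLICATION-ATTACK-LFI",
    "931": "REQUEST-931-APPLICATION-ATTACK-RFI",
    "932": "REQUEST-932-APPLICATION-ATTACK-RCE",
    "933": "REQUEST-933-APPLICATION-ATTACK-PHP",
    "941": "REQUEST-941-APPLICATION-ATTACK-XSS",
    "942": "REQUEST-942-APPLICATION-ATTACK-SQLI",
    "943": "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION",
    "944": "REQUEST-944-APPLICATION-ATTACK-JAVA",
}


def parse_firewall_logs(lines):
    """Return the `properties` of every firewall-log entry; skip other categories and bad JSON."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("category") != "ApplicationGatewayFirewallLog":
            continue
        events.append(entry["properties"])
    return events


def summarize_by_rule(events, action="Detected"):
    """Count matches per rule ID for the given action, keeping the URIs hit and the rule message."""
    summary = {}
    for ev in events:
        if ev.get("action") != action:
            continue
        rule = summary.setdefault(ev["ruleId"], {"count": 0, "uris": Counter(),
                                                  "message": ev.get("message", "")})
        rule["count"] += 1
        rule["uris"][ev["requestUri"]] += 1
    return summary


def false_positive_candidates(summary, benign_uri_prefixes):
    """Rule IDs whose every match was on a URI you have classified as benign (e.g. a health probe)."""
    prefixes = tuple(benign_uri_prefixes)
    return [rule_id for rule_id, info in sorted(summary.items())
            if all(uri.startswith(prefixes) for uri in info["uris"])]


def rule_group_for(rule_id):
    """Map a CRS rule ID to its rule group name via the ID prefix."""
    return CRS_32_RULE_GROUPS.get(rule_id[:3], "UNKNOWN-GROUP")


def terraform_overrides(rule_ids):
    """Render one rule_group_override block per rule group (azurerm 3.x disabled_rules syntax)."""
    by_group = defaultdict(list)
    for rid in sorted(set(rule_ids)):
        by_group[rule_group_for(rid)].append(rid)
    blocks = []
    for group, ids in sorted(by_group.items()):
        ids_hcl = "".join(f'          "{rid}",\n' for rid in ids)
        blocks.append("      rule_group_override {\n"
                      f'        rule_group_name = "{group}"\n'
                      f"        disabled_rules = [\n{ids_hcl}        ]\n"
                      "      }")
    return "\n".join(blocks)


if __name__ == "__main__":
    summary = summarize_by_rule(parse_firewall_logs(SAMPLE_LOG_LINES))
    for rule_id, info in sorted(summary.items()):
        print(f"{rule_id} {info['count']:>4}  {info['message']}  uris={dict(info['uris'])}")
    # Only rules that fired exclusively on benign URIs are proposed; a human still decides.
    print(terraform_overrides(false_positive_candidates(summary, ["/api/health"])))
```

The candidate heuristic is deliberately conservative: a rule that fired even once on a path you have not classified as benign (here 942100 on /login and 941100 on /search) is never proposed, and the rendered HCL is a starting point to paste into the policy after review, not something to apply automatically.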

Conclusion

  • Purpose of Web Application Firewall: Protects against common exploits like SQL-injection and cross-site scripting, essential for publicly exposed web services.
  • Managed Rule Sets and Rules: WAF includes pre-packaged rule sets for immediate protection against known internet exploits.
  • Customization and Rule Group Overrides: You can customize WAF by using rule group overrides.
  • Best Practices: I recommend running a new policy in Detection mode (logs what would be denied without denying anything) before switching to Prevention mode (actively blocks requests), so you can catch false positives, and sending the firewall logs to a Log Analytics Workspace through diagnostic settings to review the traffic.

References

Introduction to Azure Web Application Firewall: an overview of Azure Web Application Firewall (WAF).
OWASP Foundation, the Open Source Foundation for Application Security: the main website for The OWASP Foundation, a nonprofit that works to improve the security of software.
