Securing Web Applications with Azure Web Application Firewall (WAF)

01/14/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and configuring Azure Web Application Firewall (WAF) to protect web applications against common attacks. In a digital landscape where web applications are the gateway to many businesses, they have become frequent targets of a variety of cyberattacks, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Azure WAF provides an essential layer of protection to mitigate these risks, ensuring data availability, integrity, and confidentiality [1].

Introduction

Web applications are critical components of the IT infrastructure of virtually every organization. However, their exposure to the internet makes them vulnerable to attacks that can compromise data, interrupt services and damage the company's reputation. A Web Application Firewall (WAF) acts as a reverse proxy, inspecting the HTTP/HTTPS traffic arriving at and leaving the web application and identifying and blocking malicious requests before they reach the application server. Azure WAF, available as a feature of Azure Application Gateway or Azure Front Door, provides centralized and scalable protection for web applications hosted in Azure or in hybrid environments [2].

This practical guide will cover the fundamental concepts of Azure WAF, its modes of operation (Detection and Prevention), the configuration of WAF policies with managed rule sets (OWASP Core Rule Set - CRS) and custom rules. Step-by-step instructions will be provided for deploying WAF with Azure Application Gateway, testing its effectiveness against common attacks and validating the results, as well as discussing best practices and troubleshooting tips. The objective is to enable the reader to configure and manage Azure WAF autonomously, professionally and reliably, protecting their web applications against the most prevalent threats.

Why is Azure WAF crucial for web application protection?

  • Comprehensive Protection: Defends against common web attacks, including SQL injection, cross-site scripting (XSS), file inclusion, bot attacks, and other OWASP Top 10 vulnerabilities [3].
  • Managed Rules: Uses managed rule sets (such as OWASP CRS) that are automatically updated by Microsoft, ensuring protection against the latest threats without manual intervention.
  • Custom Rules: Allows the creation of custom rules to meet application-specific security requirements, blocking specific traffic patterns or protecting against vulnerabilities not covered by managed rules.
  • Flexible Operation Modes: Operates in Detection mode (only monitors and records attacks) or Prevention (actively blocks attacks), allowing gradual control of implementation.
  • Native Integration with Azure: Seamlessly integrates with Azure Application Gateway (for internal applications) and Azure Front Door (for global applications), offering a complete application delivery solution with embedded security.
  • Scalability and High Availability: Benefits from the scalability and high availability of Azure application delivery services, ensuring that protection is always active and performant.
  • Compliance: Helps organizations meet regulatory requirements and security standards that require protection of web applications.

Prerequisites

To implement Azure WAF, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the necessary permissions to create and manage resources such as Application Gateways, Front Doors and WAF policies (e.g. the Contributor or Network Contributor role).
  3. Existing Web Application: A web application (hosted in Azure or elsewhere) that you want to protect. For this guide, we will assume a simple web application that will be accessed via Application Gateway.
  4. Virtual Network (VNet) and Subnets: A virtual network and subnets configured for the Application Gateway and the web application.

Step by Step: Implementing Azure WAF with Application Gateway

Let's configure Azure WAF to protect a web application using Azure Application Gateway.

1. Creating an Azure Application Gateway with WAF

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type Application Gateway and select it from the results.
  4. Click + Create.

  5. Basics:

    • Subscription: Select your subscription.
    • Resource group: Create a new resource group (e.g. rg-waf-appgw) or select an existing one.
    • Application Gateway Name: Give it a name (e.g. appgw-waf-01).
    • Region: Select the region.
    • Tier: Select Standard v2 (WAF is only available in the v2 tier).
    • Enable WAF: Select Yes.
    • WAF policy name: Give the WAF policy a name (e.g. wafpolicy-appgw-01).
    • WAF Mode: Start with Detection to monitor and adjust rules before moving to Prevention.
  6. Click Next: Frontends.

  7. Frontends:

    • Frontend IP Address Type: Select Public.
    • Public IP address: Click +Add New and give the public IP a name (e.g. pip-appgw-waf).
  8. Click Next: Backends.

  9. Backends:

    • Click +Add backend pool.
    • Backend pool name: Give it a name (e.g. app-backend-pool).
    • Add backend pool without targets: Select No.
    • Destination Type: Select IP Address or FQDN.
    • IP Address/FQDN: Enter the IP address or FQDN of your web application (e.g. 10.0.0.4 for a VM in the VNet, or the FQDN of an App Service).
    • Click Add.
  10. Click Next: Configuration.

  11. Configuration:

    • Routing Settings: Click +Add Routing Rule.
    • Rule name: Give it a name (e.g. rule-http).
    • Priority: Leave the default.
    • Listener:
      • Listener name: Give it a name (e.g. listener-http).
      • Frontend IP Address: Select the public IP created.
      • Protocol: Select HTTP (to start, you can add HTTPS later).
      • Port: 80.
    • Backend targets:
      • Target Type: Select Backend Pool.
      • Backend pool: Select app-backend-pool.
      • Backend configuration: Click +Add New.
        • Backend setting name: Give it a name (e.g. http-setting).
        • Backend protocol: HTTP.
        • Backend port: 80 (or your web application port).
        • Use custom probe: Select No (for this simple example).
        • Click Add.
    • Click Add in the routing rule.
  12. Click Next: Tags.

  13. Click Next: Review + create.
  14. Review the settings and click Create.

    • Explanation: This process creates an Application Gateway with an associated WAF. The WAF will begin inspecting traffic in Detection mode.

2. Configuring Managed and Custom WAF Rules

After deployment, you can adjust the WAF policy.

  1. In the Azure portal, navigate to your Application Gateway (appgw-waf-01).
  2. In the left navigation pane, under Settings, select Web Application Firewall.
  3. Click the name of your WAF policy (wafpolicy-appgw-01).

  4. Policy Mode: In the Overview section, you can change the Mode from Detection to Prevention when you are confident that your rules are not blocking legitimate traffic.

  5. Managed Rules:

    • In the WAF policy left navigation pane, select Managed Rules.
    • Make sure the OWASP Default Rule Set (e.g. OWASP_CRS/3.2) is Enabled.
    • You can disable specific rules within the managed set if they cause false positives, but do so with caution and only after careful consideration.
  6. Custom Rules:

    • In the WAF policy left navigation pane, select Custom Rules.
    • Click on +Add custom rule.
    • Rule name: Give it a name (e.g. BloquearIPMalicioso).
    • Priority: Set a priority (smaller numbers have higher priority).
    • Rule type: Match.
    • Condition:
      • Variable type: RemoteAddress.
      • Operator: IPMatch.
      • Value: Enter the IP address or CIDR range you want to block (e.g. 192.168.1.10/32).
    • Action: Select Block.

    • Explanation: Custom rules allow you to define blocking logic based on specific criteria such as IP addresses, HTTP headers, query strings, etc.

  7. Click Add and then Save to the WAF policy.
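To make the fields above concrete, the following added example (not Azure's code and not from the original article) models how a WAF policy evaluates custom rules: rules are tried in ascending priority order, every condition in a rule must match, and the first matching Allow or Block rule decides the request before the managed OWASP rules run. The evaluation order, the Log-rule behaviour, the AllowInternalHealthProbe rule and the 10.0.0.0/8 range are this example's own assumptions; the BloquearIPMalicioso rule and 192.168.1.10/32 come from the steps above. Use it to sanity-check rule ordering before saving a policy.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified model of Azure WAF custom-rule evaluation (added example, not Azure code).
# Assumptions: custom rules run before the managed rule set, in ascending priority
# order; the first matching Allow or Block rule ends evaluation; Log rules only
# record a hit. Variable names follow the ARM names (RemoteAddr is the portal's
# "RemoteAddress").


@dataclass
class MatchCondition:
    variable: str            # RemoteAddr, RequestUri, QueryString or RequestHeaders
    operator: str            # IPMatch, Contains or Equal
    values: list
    selector: str = None     # header name when variable is RequestHeaders
    negate: bool = False     # invert the match ("does not match")


@dataclass
class CustomRule:
    name: str
    priority: int            # smaller number = evaluated earlier
    action: str              # Block, Allow or Log
    conditions: list         # every condition must match (logical AND)


@dataclass
class Request:
    client_ip: str
    uri: str
    headers: dict = field(default_factory=dict)


def _variable_value(req: Request, cond: MatchCondition) -> str:
    if cond.variable == "RemoteAddr":
        return req.client_ip
    if cond.variable == "RequestUri":
        return req.uri
    if cond.variable == "QueryString":
        return req.uri.partition("?")[2]
    if cond.variable == "RequestHeaders":
        return req.headers.get(cond.selector, "")
    raise ValueError(f"unsupported match variable: {cond.variable}")


def _condition_matches(req: Request, cond: MatchCondition) -> bool:
    value = _variable_value(req, cond)
    if cond.operator == "IPMatch":
        # Values are single addresses or CIDR ranges, e.g. 192.168.1.10/32 as in step 6.
        ip = ipaddress.ip_address(value)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in cond.values)
    elif cond.operator == "Contains":
        hit = any(v.lower() in value.lower() for v in cond.values)
    elif cond.operator == "Equal":
        hit = any(v.lower() == value.lower() for v in cond.values)
    else:
        raise ValueError(f"unsupported operator: {cond.operator}")
    return hit != cond.negate


def evaluate(rules, req: Request):
    """Return (action, rule_name) for the first Allow/Block custom rule that matches.

    ("Continue", None) means no terminating custom rule matched, so the managed
    OWASP rules would inspect the request next.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(_condition_matches(req, c) for c in rule.conditions):
            if rule.action == "Log":
                continue          # hit is recorded, evaluation keeps going
            return rule.action, rule.name
    return "Continue", None


# Sample policy: the IP-blocking rule from step 6 plus a hypothetical higher-priority
# allow rule for an internal health probe (constructed for this example).
RULES = [
    CustomRule("BloquearIPMalicioso", 10, "Block",
               [MatchCondition("RemoteAddr", "IPMatch", ["192.168.1.10/32"])]),
    CustomRule("AllowInternalHealthProbe", 5, "Allow",
               [MatchCondition("RemoteAddr", "IPMatch", ["10.0.0.0/8"]),
                MatchCondition("RequestUri", "Equal", ["/healthz"])]),
]

if __name__ == "__main__":
    for req in (Request("192.168.1.10", "/index.php"),
                Request("10.0.0.4", "/healthz"),
                Request("203.0.113.5", "/index.php?id=1")):
        print(req.client_ip, req.uri, "->", evaluate(RULES, req))
```

Note that the blocked address is refused on every path, including /healthz, because the allow rule's 10.0.0.0/8 condition does not match it; priority only matters between rules that both match the same request.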

3. Monitoring the WAF and Reviewing Logs

Monitoring is essential to understand WAF effectiveness and adjust policies.

  1. In the Azure portal, navigate to your Application Gateway (appgw-waf-01).
  2. In the left navigation pane, under Monitoring, select Diagnostic settings.
  3. Click +Add diagnostic setting.
  4. Diagnostic setting name: Give it a name (e.g. diag-waf).
  5. Log Categories: Check ApplicationGatewayAccessLog and ApplicationGatewayFirewallLog.
  6. Destination Details: Select Send to Log Analytics workspace and choose your workspace.
  7. Click Save.

  8. After a few minutes, navigate to your Log Analytics workspace.

  9. In the left navigation pane, select Logs.
  10. Use KQL (Kusto Query Language) queries to analyze WAF logs:
    • To see all WAF events:

      AzureDiagnostics
      | where ResourceProvider == "MICROSOFT.NETWORK"
      | where Category == "ApplicationGatewayFirewallLog"
      | project TimeGenerated, hostname_s, requestUri_s, Message, action_s, policy_s
      | order by TimeGenerated desc

    • To view blocked attacks (if WAF is in Prevention mode):

      AzureDiagnostics
      | where ResourceProvider == "MICROSOFT.NETWORK"
      | where Category == "ApplicationGatewayFirewallLog"
      | where action_s == "Blocked"
      | project TimeGenerated, hostname_s, requestUri_s, Message, ruleId_s
      | order by TimeGenerated desc

Validation and Testing

Testing the WAF is crucial to ensure it is blocking expected attacks and is not blocking legitimate traffic (false positives).

1. Testing Common Attacks (SQL Injection, XSS)

  1. Scenario: Try to access your web application through the Application Gateway (using the public IP or FQDN) and simulate a SQL injection attack on the URL or a form parameter.

    • Example URL with SQL injection attempt (do not run in production without authorization): http://<your_appgw_public_ip>/index.php?id=1' OR '1'='1
    • Example URL with XSS attempt: http://<your_appgw_public_ip>/search?query=<script>alert('XSS')</script>
  2. Expected Action (Detection Mode): If the WAF is in Detection mode, the request is allowed, but the WAF logs in Log Analytics should record the attack and the rule that detected it.

  3. Expected Action (Prevention Mode): If the WAF is in Prevention mode, the request should be blocked, and the browser should display a WAF error page (usually an HTTP 403 Forbidden error).

  4. Verification: Check the WAF logs in Log Analytics to confirm that attacks were detected (in Detection mode) or blocked (in Prevention mode).

2. Testing Custom Rules (IP Blocking)

  1. Scenario: Try to access your web application from the IP address that you configured in the IP blocking custom rule.
  2. Expected Action: Access should be blocked, and the browser should display a WAF error page.
  3. Verification: Check the WAF logs in Log Analytics to confirm that the IP was blocked by the custom rule.
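The log review that sections 3 (Monitoring) and the validation steps above describe can be rehearsed offline. The following added example (not from the original article and not Azure tooling) works on records shaped like rows exported from the AzureDiagnostics table, using the same column names as the KQL queries in this guide. All records are constructed, including the client addresses and the Message text; the false-positive heuristic and its threshold of three distinct clients are this example's own assumptions. It summarizes hits per rule and action, flags rule/path pairs that many unrelated clients trip (the usual signature of a legitimate feature being flagged), and confirms that a validation request produced the action expected for the WAF mode.

```python
from collections import Counter, defaultdict

# Offline review of ApplicationGatewayFirewallLog rows (added example, not Azure code).
# The records are constructed to resemble rows exported from the AzureDiagnostics
# table, using the same column names as the KQL queries in this guide; they are
# not real log data. The false-positive heuristic and its threshold are this
# example's own assumptions.

SAMPLE_RECORDS = [
    # The SQL injection and XSS requests from the validation section, Detection mode
    {"TimeGenerated": "2025-01-14T10:00:01Z", "clientIp_s": "198.51.100.7",
     "requestUri_s": "/index.php?id=1' OR '1'='1", "ruleId_s": "942100",
     "action_s": "Detected", "Message": "SQL Injection Attack Detected via libinjection"},
    {"TimeGenerated": "2025-01-14T10:00:05Z", "clientIp_s": "198.51.100.7",
     "requestUri_s": "/search?query=<script>alert('XSS')</script>", "ruleId_s": "941100",
     "action_s": "Detected", "Message": "XSS Attack Detected via libinjection"},
    # The client blocked by the custom rule from section 2
    {"TimeGenerated": "2025-01-14T10:05:00Z", "clientIp_s": "192.168.1.10",
     "requestUri_s": "/", "ruleId_s": "BloquearIPMalicioso",
     "action_s": "Blocked", "Message": "Matched custom rule (constructed)"},
]
# Four unrelated clients tripping the same managed rule on one ordinary endpoint:
# the pattern that usually means a legitimate feature is being flagged.
for i in range(1, 5):
    SAMPLE_RECORDS.append(
        {"TimeGenerated": f"2025-01-14T10:1{i}:00Z", "clientIp_s": f"203.0.113.{i}",
         "requestUri_s": "/api/report?sort=select_count", "ruleId_s": "942190",
         "action_s": "Detected", "Message": "SQL Injection Attack Detected (constructed)"})


def summarize_by_rule(records):
    """Events per (ruleId, action): the first view to take when tuning."""
    return Counter((r["ruleId_s"], r["action_s"]) for r in records)


def candidate_false_positives(records, min_distinct_clients=3):
    """(ruleId, path) pairs triggered by at least min_distinct_clients addresses.

    Heuristic (assumption): an attacker trips many rules from few addresses,
    while a legitimate application feature trips one rule for many unrelated
    users on the same path. Review these before disabling anything, and prefer
    a parameter exclusion over disabling the rule.
    """
    clients = defaultdict(set)
    for r in records:
        path = r["requestUri_s"].split("?", 1)[0]
        clients[(r["ruleId_s"], path)].add(r["clientIp_s"])
    return sorted(key for key, ips in clients.items() if len(ips) >= min_distinct_clients)


def actions_for_request(records, uri_fragment):
    """All actions logged for requests whose URI contains uri_fragment."""
    return {r["action_s"] for r in records if uri_fragment in r["requestUri_s"]}


def validation_passed(records, uri_fragment, mode):
    """True if a test request produced the action expected for the WAF mode:
    Detected in Detection mode, Blocked in Prevention mode."""
    expected = "Detected" if mode == "Detection" else "Blocked"
    return expected in actions_for_request(records, uri_fragment)


if __name__ == "__main__":
    for (rule, action), n in sorted(summarize_by_rule(SAMPLE_RECORDS).items()):
        print(f"{rule:>22} {action:<9} {n}")
    print("review for false positives:", candidate_false_positives(SAMPLE_RECORDS))
    print("SQLi test detected:", validation_passed(SAMPLE_RECORDS, "1' OR '1'='1", "Detection"))
```

When you run the same checks against real exports, remember that with the CRS 3.2 anomaly-scoring rule set the individual rule matches and the final block decision appear as separate rows, so validation in Prevention mode should look for a Blocked row for the request rather than a Blocked action on every matched rule.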

Security Tips and Best Practices

  • Start in Detection Mode: Always deploy the WAF in Detection mode initially. Monitor logs carefully to identify false positives and adjust rules before switching to Prevention mode.
  • WAF Tuning: Fine-tuning is crucial. Disable specific rules that generate false positives (blocking legitimate traffic) or add exclusion rules for specific parameters. Avoid disabling entire rulesets.
  • Custom Rules: Use custom rules to handle the specific security requirements of your application or to mitigate newly discovered vulnerabilities before managed rules are updated.
  • CRS Updates: Keep your managed ruleset (OWASP CRS) up to date to ensure protection against the latest threats. Azure WAF usually updates automatically, but check the version.
  • Integration with Azure Front Door: For global web applications or those that require performance optimization and advanced routing, consider deploying WAF on Azure Front Door. This provides protection at the edge of Microsoft's global network.
  • Monitoring and Alerting: Configure alerts in Azure Monitor for WAF security events, such as blocked attacks or anomalies. Integrate WAF logs with your SIEM (e.g. Microsoft Sentinel) for a centralized view.
  • Regular Security Testing: Regularly perform penetration tests and vulnerability scans on your web applications to identify new vulnerabilities and validate the effectiveness of the WAF.
  • Principle of Least Privilege: Ensure that only authorized users have permissions to configure and manage WAF policies.

Common Troubleshooting

  • WAF is not blocking expected attacks:
    • Check that the WAF is in Prevention mode and not in Detection mode.
    • Make sure the managed rule set (OWASP CRS) is enabled.
    • Review WAF logs in Log Analytics to see if the attack was detected and which rule was triggered. You may need to adjust the CRS sensitivity or add a custom rule.
    • Make sure there are no exclusion rules or whitelists that are allowing malicious traffic.
  • WAF is blocking legitimate traffic (False Positives):
    • Start by analyzing your WAF logs in Log Analytics to identify which rule is blocking legitimate traffic.
    • For the identified rule, you can:
      • Disable specific rule (last resort).
      • Add an exclusion rule for the specific parameter or header that is causing the false positive.
      • Adjust anomaly scoring threshold (if using CRS in anomaly scoring mode).
    • Consider returning to Detection mode temporarily to adjust the rules.
  • Application performance degraded after enabling WAF:
    • WAF adds a small amount of latency due to traffic inspection. Make sure the Application Gateway or Front Door is sized appropriately.
    • Check Application Gateway performance logs in Azure Monitor.
  • WAF is not associated with the correct application:
    • Verify that the WAF policy is associated with the correct Application Gateway or Front Door.
    • Make sure traffic to your web application is actually passing through the Application Gateway/Front Door with WAF enabled.

Conclusion

Azure Web Application Firewall (WAF) is an essential defense for protecting web applications against a myriad of cyberattacks. By providing a layer of traffic inspection and filtering at the network edge, WAF acts as a shield, protecting against known vulnerabilities and zero-day threats. The flexibility of using managed and custom rule sets, along with native integration with Azure application delivery services, makes Azure WAF a robust and scalable solution for any organization. With careful implementation, fine-tuning of policies, and continuous monitoring, security professionals can ensure that their web applications remain secure, available, and compliant, strengthening the organization's overall security posture against the constantly evolving threat landscape.


References:

[1] Microsoft Learn. What is Azure Web Application Firewall? Available at: https://learn.microsoft.com/pt-br/azure/web-application-firewall/overview
[2] Microsoft Learn. Web Application Firewall (WAF) on Azure Application Gateway. Available at: https://learn.microsoft.com/pt-br/azure/web-application-firewall/ag/ag-overview
[3] OWASP Foundation. OWASP Top 10. Available at: https://owasp.org/www-project-top-ten/
[4] Microsoft Learn. Create Web Application Firewall (WAF) policies for Azure Application Gateway. Available at: https://learn.microsoft.com/pt-br/azure/web-application-firewall/ag/create-waf-policy-ag
[5] Microsoft Learn. WAF CRS rules and rule groups. Available at: https://learn.microsoft.com/pt-br/azure/web-application-firewall/ag/application-gateway-waf-collection-rules
[6] Microsoft Learn. WAF monitoring and logging. Available at: https://learn.microsoft.com/pt-br/azure/web-application-firewall/ag/waf-diagnostics