Microsoft announces general availability of Web Application Firewall in Azure.

The web application firewall (WAF), available in the WAF SKU of Application Gateway, protects web applications from common web vulnerabilities and exploits such as SQL injection and cross-site scripting. Preventing these attacks in application code is difficult because it requires rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized web application firewall like this helps application administrators tackle these threats with much less effort.

Protection

  • Protect your application from web vulnerabilities and attacks without modifying backend code. WAF addresses various attack categories including:
    • SQL injection
    • Cross-site scripting
    • Common attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
    • HTTP protocol violations
    • HTTP protocol anomalies
    • Bots, crawlers, and scanners
    • Common application misconfigurations (e.g. Apache, IIS, etc.)
    • HTTP Denial of Service
  • Protect multiple web applications simultaneously. Application Gateway supports hosting up to 20 websites behind a single gateway that can all be protected against web attacks.

Ease of use

  • Application Gateway WAF is simple to configure, deploy, and manage via the Azure Portal and REST APIs. PowerShell and CLI will soon be available.
  • Administrators can centrally manage WAF rules.
  • Existing Application Gateways can be simply upgraded to include WAF. WAF retains all standard Application Gateway features in addition to Web Application Firewall.

Monitoring

  • Application Gateway WAF lets you monitor web applications for attacks using a real-time WAF log that is integrated with Azure Monitor to track WAF alerts and easily monitor trends. The JSON-formatted log goes directly to the customer’s storage account. Customers have full control over these logs and can apply their own retention policies. Customers can also ingest these logs into their own analytics system. WAF logs are also integrated with Operations Management Suite (OMS), so customers can use OMS log analytics to execute sophisticated, fine-grained queries.

  • Application Gateway WAF will shortly be integrated with Azure Security Center to provide a centralized security view of all your Azure resources. Azure Security Center scans your subscriptions for vulnerabilities and recommends mitigation steps for detected issues. One such vulnerability is the presence of web applications that are not protected by a WAF.

Customization

  • Application Gateway WAF can be run in detection or prevention mode. A common use case is for administrators to run in detection mode to observe traffic for malicious patterns. Once potential exploits are detected, turning to prevention mode blocks suspicious incoming traffic.
  • Customers can customize WAF RuleGroups to enable/disable broad categories or sub-categories of attacks. For example, an administrator can enable or disable the RuleGroups for SQL Injection or Cross Site Scripting (XSS). Customers can also enable/disable specific rules within a RuleGroup. For example, the Protocol Anomaly RuleGroup is a collection of many rules that can be selectively enabled/disabled.
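
The detection-mode review described above can be scripted against the JSON log in the storage account. The following is an added example, not Microsoft's code: it groups detection-mode hits by rule ID so an administrator can see which rules to review or disable before switching to prevention mode. The field names (`category`, `properties.ruleId`, `action`, `requestUri`, `clientIp`), the sample records and the `review_candidates` heuristic are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines, not real traffic. The field names (category,
# properties.ruleId/action/requestUri/clientIp) are an assumed layout.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/search?q=a","ruleId":"942100","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.4","requestUri":"/api/comment","ruleId":"941100","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/api/comment","ruleId":"941100","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.33","requestUri":"/api/comment","ruleId":"941100","action":"Detected"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"192.0.2.33","requestUri":"/"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login","ruleId":"942100","action":"Detected"}}
truncated-line {"category":
"""

def summarize_detections(text):
    """Group detection-mode hits by rule ID; returns (summary, skipped_lines)."""
    summary = defaultdict(lambda: {"hits": 0, "uris": set(), "clients": set()})
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count damaged lines instead of aborting the run
            continue
        if not isinstance(record, dict) or record.get("category") != "ApplicationGatewayFirewallLog":
            continue      # ignore access/performance records
        props = record.get("properties") or {}
        if props.get("action") != "Detected" or "ruleId" not in props:
            continue
        entry = summary[str(props["ruleId"])]
        entry["hits"] += 1
        entry["uris"].add(props.get("requestUri", "").split("?", 1)[0])  # path only
        entry["clients"].add(props.get("clientIp", ""))
    return dict(summary), skipped

def review_candidates(summary, min_clients=3):
    """Hypothetical heuristic: one path hit by many clients suggests normal app traffic."""
    return sorted(rule for rule, e in summary.items()
                  if len(e["uris"]) == 1 and len(e["clients"]) >= min_clients)

if __name__ == "__main__":
    summary, skipped = summarize_detections(SAMPLE_LOG)
    for rule, e in sorted(summary.items()):
        print(rule, e["hits"], sorted(e["uris"]), len(e["clients"]), "client(s)")
    print("review before prevention mode:", review_candidates(summary), "| skipped:", skipped)
```

A rule that fires on a single path for many distinct clients is a candidate for false-positive review, while one client tripping a rule across several paths deserves a closer look at that client.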

Embracing Open Source

Application Gateway WAF uses the OWASP ModSecurity Core Rule Set, one of the most popular WAF deployments, to protect against the most common web vulnerabilities. These rules, which conform to rigorous standards, are managed and maintained by the open source community. Customers can choose between rule set CRS 2.2.9 and CRS 3.0. Since CRS 3.0 offers a dramatic reduction in false positives, we recommend using CRS 3.0.