Advanced Application Protection with Azure WAF
Download as PPTX, PDF0 likes98 views
The document discusses Azure Web Application Firewall (WAF), a cloud-based security service that protects web applications from common vulnerabilities like SQL injection and XSS. It covers its functionalities, deployment scenarios, integration with other Azure services, and advantages such as customizable rules and real-time monitoring. Additionally, it highlights the risks associated with allowing Tor traffic and how to query logs for insights.
Advanced Application Protection with Azure WAF
- 1. Advanced Application Protection with Azure WAF Udaiappa Ramachandran ( Udai ) https://udai.io
- 2. About me • Udaiappa Ramachandran ( Udai ) • CTO/CSO-Akumina, Inc. • Microsoft Azure MVP • Cloud Expert • Microsoft Azure, Amazon Web Services, and Google • New Hampshire Cloud User Group (http://www.meetup.com/nashuaug ) • https://udai.io
- 3. Agenda • WAF Overview • How Azure WAF works • Deployment Scenario • Key Benefits • Querying and Understanding Logs • Demo • WAF Policy Settings • WAF Managed Rules • WAF Custom Rules • TOR Protection • Automation Custom Rules
- 4. What is Azure WAF • A cloud-based security service that helps protect web applications from common web vulnerabilities • Key Features: • Modes: Prevention and Detection • Comprehensive Protection: Defends against top threats listed by OWASP • SQL injection protection • Cross-Site scripting (XSS) prevention • DDoS mitigation • Pre-Configured Policies: Quick setup with built-in rules and policies • Custom rules: Define custom rules to address specific requirements • Integration with other Azure Services: Seamlessly integrates with Azure Front Door, Application Gateway, and CDN • Real-Time monitoring and Analytics: Provides insights with real-time monitoring and logging capabilities
- 5. How Azure WAF Works Process: • Incoming traffic is inspected for malicious patterns • If a threat is detected, it is blocked or mitigated • Clen traffic is allowed to reach your application
- 6. Deployment Scenarios • Application Gateway WAF: For single region deployments • Front Door WAF: Ideal for global, multi-region applications with low latency needs • CDN Integrations: Protects static content delivery
- 7. Key Benefits of Using Azure WAF • Customizable Rules • Thread Intelligence Feeds • Granular Control and Flexibility • Integration with Azure Sentinel for Advanced Thread Detection • Protection against Evolving Attack Techniques • Scalable and Cost-Effective Solution • Automation and Regular Updates
- 8. The Onion Router (TOR) • What is TOR?
- 9. Misuse of TOR • DDoS Attacks • Scraping and Brute-Force Attacks • Dark Web and Illicit Markets • Data Exfiltration • Phishing and Malware Distribution
- 10. Risks of Allowing TOR Traffic • Increased Attack Surface • Difficulty in Monitoring and Enforcement • Negative Impact on Business Reputation
- 11. TOR Browser for TOR Network • Download platform exe from https://www.torproject.org/download/ • Run Tor browser installer • Open Tor browser • Click configure connection • Where it says Tor network click connect • Confirm connection by navigating to check.torproject.org
- 12. Querying the Log • Pre-Requisites: Diagnostics option must be enabled let ref = "20240828T024356Z-184f65f8b747zmr68c1r2gcra400000003ng00000000pauz"; AzureDiagnostics | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog" and trackingReference_s ==ref let ref = "20240828T024356Z-184f65f8b747zmr68c1r2gcra400000003ng00000000pauz"; AzureDiagnostics | where httpStatusCode_d!="200" and trackingReference_s ==ref
- 13. Reference • https ://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-9 49-BLOCKING-EVALUATION.conf • https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-d oor-drs?tabs=drs21#anomaly-scoring-mode • https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application- firewall/afds/waf-front-door-monitor.md#waf-logs • https://learn.microsoft.com/en-us/training/modules/introduction-azure-web-appli cation-firewall
- 14. Thanks for your time and trust! Nashua CLOUD .NET Usergroup
Editor's Notes
- #7: Customizable Rules for TOR Blocking and Monitoring: Azure WAF allows you to set up rules that either block TOR traffic outright or monitor it without blocking. You can create custom policies tailored to your needs, allowing flexibility between blocking harmful traffic while still allowing legitimate users access. Leveraging Azure Threat Intelligence Feeds: Azure WAF can integrate with threat intelligence feeds that automatically update your policies based on known malicious IPs, including TOR exit nodes. This keeps your protection current without manual effort. Granular Control and Flexibility: Azure WAF offers detailed controls over how you manage traffic. You can create rules that specifically target TOR traffic based on headers, IPs, and behavior patterns, allowing you to fine-tune your security measures while minimizing false positives. Integration with Azure Sentinel for Advanced Threat Detection: Azure WAF can work with Azure Sentinel to monitor and respond automatically to TOR traffic. You can set up alerts, block suspicious IPs, and analyze incidents in real time, ensuring deeper security management. Protection Against Evolving Attack Techniques: Azure WAF is continuously updated to counter new threats. As attackers adapt, Azure WAF’s rule sets also improve, ensuring you stay protected against emerging methods. Scalable and Cost-Effective Solution: Whether you’re a small business or a large enterprise, Azure WAF scales with your needs. Its pay-as-you-go model and auto-scaling features ensure you have protection without unnecessary costs. Automation and Regular Updates for TOR Exit Node Lists: Managing TOR exit node lists is made easy with Azure WAF’s automation capabilities. You can set up automatic updates using Azure Logic Apps or Azure Functions, keeping your blocklists current with minimal manual work.
- #8: IMPERVA WAF
- #9: DDoS Attacks: Malicious users can leverage TOR’s anonymity to launch Distributed Denial of Service (DDoS) attacks against websites. Since the real IP address is hidden behind several layers, it becomes difficult to trace or block the origin of the attack. Scraping and Brute-Force Attacks: Attackers often use TOR to automate scraping of content or execute brute-force login attempts. The use of rotating IP addresses makes it challenging to implement traditional rate-limiting or IP-blocking mechanisms against such activities. Dark Web and Illicit Markets: TOR is closely associated with the dark web, where illegal markets, forums, and activities take place. Criminal activities like drug trafficking, weapon sales, and identity theft often rely on TOR’s anonymity for secure transactions. Data Exfiltration: In the event of a data breach, attackers may use TOR to securely transfer stolen data, making it difficult for defenders to track or stop the exfiltration process. The anonymity provided by TOR exit nodes shields the attacker from detection. Phishing and Malware Distribution: TOR can be used as a vector for distributing phishing attacks or hosting malicious websites. Because the network is designed to be resistant to censorship and takedown attempts, these sites can remain operational longer, spreading malware or stealing credentials.
- #10: Increased Attack Surface: TOR users can easily mask their IP addresses, making it easier for them to probe your infrastructure, search for vulnerabilities, and launch attacks without being identified. Difficulty in Monitoring and Enforcement: Traditional security controls, such as IP blocking and geofencing, are rendered ineffective against TOR traffic. This limits your ability to enforce location-based rules or identify malicious actors. Negative Impact on Business Reputation: If your services are abused through TOR, such as hosting illegal content or facilitating data exfiltration, it can damage your business’s reputation, potentially leading to legal liabilities.
- #12: Open Logs from the Front Door
- #13: https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020 azure-docs/articles/web-application-firewall/afds/waf-front-door-monitor.md at main · MicrosoftDocs/azure-docs (github.com)