AZ-700 Microsoft Azure Networking Solutions – Web Application Firewalls (WAF)

1. Overview of Web Application Firewalls (WAF)

Specifically about the Web Application Firewall within Azure Front Door and within Azure application gateway, and how to create a policy and associate that policy with one of these two services. Now, we did mention previously what the benefits of a Web Application Firewall were. Web Application Firewall is based on industry standards in terms of the common types of attacks that websites have seen over the years. Those standards are defined by an open web application security project. Now, the Oasp, as it’s called, publishes a top ten list of the most common types of security attacks for websites and certainly well worth reading if you’re interested in security.

As we can see, the Web Application Firewall is based on what’s called the core rule set. And you have the choice between 3. 13. 0 and 2. 29. So we can see a list of the common features including SQL injection, attack protection, cross site scripting, other common web attacks such as command injection, Http protocol violations, and anomalies protections against crawlers and scanners configurable request size limits. And one of the things we’re going to talk about in this course is how to create your own custom rules. So certainly having this core Rule set is valuable, but can you create your own rules?

And you certainly can. And so what we’re going to have to do is we’re going to go back and recreate an application gateway so that we can get this web Application Firewall running again. And so in the next video, we’ll get back into the portal, we’ll create this one more time, and then we’ll start to play with the Web Application Firewall components of an application gateway. Now, the same is also true for Azure Front Door service, which has the same feature. And I believe the Azure CDN may be adding this in the future. It’s in preview mode, but we won’t be talking about that because preview mode features are not on the exam.

2. WAF Policies

Switching back to the portal, we can see that I have actually created an application gateway for the purposes of this demo. Earlier in this course, I went through the steps of creating an application gateway using the portal. And if you need to, I would refer back to that video for you to create your own application gateway. But I don’t want to repeat myself here.

So I created an application gateway. I haven’t yet assigned any virtual machines to it and we have some more work to do, but this is a running application gateway for now. When it comes to the front end configuration, I have a public IP that has been set up. This is the public IP we are using an Http listener over port 80, all basic application gateway stuff. Now, Web Application firewall specifically uses a policy, an external policy similar to the Azure Firewall. And so we can see this web application firewall policy has been created already.

In actual fact, if I go into the resource group, I can see scrolling down that the policy exists as a resource inside of the resource group. What Microsoft has done recently is extracted the policies from the resources that implement them. So if we go into the global policy, we can see it as a thing. It’s got one associated application gateway and we know what that is. Now, the managed rules are the ones that come with the core set, right, the OWASP categories, and we can see that it’s set to the 3. 0 set. We could choose 3. 21, 2. 29, it’s set to 3. 0 in this example. And all of the ones that are part of the 3. 0 set are enabled. So I haven’t gone and went to disable any of these particular rules. We’re also taking advantage of what are called custom rules in this particular case.

So I’ve added two custom rules that are going to allow us to override the default rules in this rule. The first rule that I’ve created, it’s basically looking at the request Uri. So the URL that’s used to make the request and it’s looking for the text string global allow as part of the Uri. And if that is in there, then that traffic is just going to be allowed.

It has a very low priority number and so just using this term inside of your text is going to basically override the request and allow the traffic through the web application firewall. So you may want to have some kind of secret string that you have for testing purposes. If you want to test your firewall or if you need to get around your firewall for specific requests, I’ll cancel that. The other one that we’re adding for the purposes of testing is having a block URL.

So regardless of the request, if the URL contains the word global block, then all traffic is denied. So based on the contents of the URL, I’m able to implement these custom rules that custom rule is obviously a pretty important part of implementing a web location firewall and will be on the exam. Now, the last part here is the associated gateway. I only have the gateway, and so we could have the same policy implemented against multiple gateways.

We saw this on the gateway side where it mentioned this policy. We’re also seeing it on the policy side mentioning the gateway that it’s associated with. But for now, we have a web application firewall. Like I said, I haven’t created the back end for it yet. If we go back to the Web application firewall application gateway eight in terms of the backend pools, the backend pools are empty, so I haven’t put any servers behind it yet. But the web location firewall is set up, like I said, to either allow traffic with the allow global string or deny traffic, and that’s a good start for setting up our web location firewall. We’ll continue on.

3. Test WAF Custom Policies

So here we have now I’ve created the virtual machine scale set called my VMSs as my back end pool. If I was to go up to the top level screen, I was to grab the IP address, paste the IP address into a browser. I am being given some default text and index HTML from this. Now there’s two virtual machines in the scale set it and I have session affinity turned on. So it’s always just going to return me the same one. So let’s go back to the gateway. So we have the gateway set up, we have the back end pool set up. The interesting thing that we have here is again, we have this web application firewall we talked about in the last video that’s going to block traffic based on the contents of the URL.

Let’s go back to our browser window and what we would expect that if the word global block, remember we were doing a string based block or allow. If the word global block appears in the URL at any point, web application firewall should block it. And so just by adding global block, I have now triggered this web application firewall policy which is looking for that string. If we remember, the global allow was the string that allowed it. Now we don’t have on the server a directory called global allow. I could probably put this as a question mark, right? So we don’t have the directory. So we’re getting that completely passed through but anywhere we basically now are able to create custom rules based on the contents of the URL, either block or allow traffic to go through using a web application firewall policy.

• Category: Uncategorized