Azure WAF on Azure Content Delivery Network
Azure WAF on Azure CDN
WAF on Azure CDN provides centralized protection for your web content. It is currently in public preview and is offered under a preview service level agreement.
WAF on CDN is deployed at all Azure edge locations around the globe. It stops malicious attacks close to the attack source, before they reach your region, so you get global protection at scale without sacrificing performance.
WAF Policies and Rules:
In order to enable WAF on Application Gateway, you must first create a WAF policy. A WAF policy is used to manage rules, custom rules, exclusions, and other customizations such as the file upload limit.
Once a WAF policy is created, it is associated with one or more application gateways for protection. A WAF policy consists of two types of security rules:
- Custom rules that you create
- Azure pre-configured managed rule sets
When both types of rules are in force, custom rules are processed first. A rule is made up of a match condition, a priority, and an action (ALLOW, BLOCK, or LOG). Rules are processed in priority order: a smaller value means a higher priority and is evaluated first. Once a rule is matched, the corresponding action is taken as defined, and the remaining rules are not evaluated.
A WAF policy consists of two types of security rules:
- Custom rules: created by an administrator or by you.
- Managed rule sets: Azure pre-configured rule sets.
Custom rules: the following kinds of custom rules can be configured.
- IP allow list and block list: source IPs can be allowed or blocked from your web applications based on a list of client IP addresses or ranges.
- Geographic-based access control: control access to your web applications based on the country code associated with the client IP address.
- HTTP parameter-based access control: you can create rules on string matches in HTTP/HTTPS request parameters. Examples: query strings, POST args, request URI, request headers, and request body.
- Request method-based access control: you can create rules based on the HTTP request method, such as GET, PUT, or HEAD.
- Size constraint: you can create rules based on the length of specific parts of the request, such as the query string, URI, or request body.
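The evaluation order described above (custom rules before managed rules, lower priority value first, first match ends evaluation) together with the custom rule kinds just listed, modelled as a small Python evaluator. This is an added example, not Azure's own code; the rule names, IP ranges, country code "XX" and the single managed rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Request:
    client_ip: str
    country: str            # assumed: country code derived from the client IP
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

@dataclass
class Rule:
    name: str
    priority: int           # smaller value = higher priority = evaluated first
    action: str             # "Allow", "Block" or "Log"
    condition: Callable[[Request], bool]

# Builders for the custom rule kinds listed above.
def ip_in(ranges):
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return lambda req: any(ipaddress.ip_address(req.client_ip) in n for n in nets)

def geo_in(codes):
    return lambda req: req.country in codes

def method_in(methods):
    return lambda req: req.method in methods

def size_gt(part, limit):
    return lambda req: len(getattr(req, part)) > limit

def header_contains(name, needle):
    return lambda req: needle in req.headers.get(name, "")

def evaluate(custom_rules, managed_rules, req, default="Allow"):
    """Return (rule name, action) of the first matching rule; custom rules first,
    each group in priority order. No match falls through to the default."""
    ordered = sorted(custom_rules, key=lambda r: r.priority) + \
              sorted(managed_rules, key=lambda r: r.priority)
    for rule in ordered:
        if rule.condition(req):
            return rule.name, rule.action
    return None, default

# Constructed policy: note the allow rule (priority 10) wins over the block
# rule (priority 20) for 203.0.113.10 because evaluation stops at first match.
POLICY_CUSTOM = [
    Rule("BlockBadRange", 20, "Block", ip_in(["203.0.113.0/24"])),
    Rule("AllowOffice", 10, "Allow", ip_in(["203.0.113.10/32"])),
    Rule("GeoBlock", 30, "Block", geo_in({"XX"})),
    Rule("NoTrace", 40, "Block", method_in({"TRACE"})),
    Rule("BigBody", 50, "Block", size_gt("body", 1024)),
]
POLICY_MANAGED = [Rule("DRS-ScriptTag", 100, "Log", header_contains("User-Agent", "<script"))]
```

Running `evaluate(POLICY_CUSTOM, POLICY_MANAGED, Request("203.0.113.10", "US", "GET", "/"))` returns `('AllowOffice', 'Allow')`, which is the ordering pitfall to check for when an allow rule is given a smaller priority value than a block rule covering the same range.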
Azure managed rule set: these rules provide an easy way to deploy protection against a common set of security threats. They are managed by Azure and updated as needed to protect against new attack signatures. The Azure managed default rule set includes rules against the following threat categories:
- Cross-site scripting
- Java attacks
- Local file inclusion
- PHP injection attacks
- Remote command execution
- Remote file inclusion
- Session fixation
- SQL injection protection
- Protocol attacks.
As soon as new attack signatures are added to the rule set, the default rule set version number increases. The default rule set is enabled by default in Detection mode in WAF policies. You can also enable or disable individual rules within the default rule set to meet your application's requirements.