
Azure WAF, Azure Front Door WAF, or open-appsec WAF?

A load balancer is essential for distributing network and application traffic across multiple servers to ensure high performance, reliability, and responsiveness. However, without some form of protection, your web servers remain exposed to attacks, which also renders the job of a load balancer useless. This explains why Azure added a Web Application Firewall (WAF) feature to its global load balancer, Azure Front Door.


The question at hand is whether using Azure WAF as an add-on feature provides enough protection against web attacks, or whether DevOps and DevSecOps engineers need to use standalone Azure WAF or another standalone WAF for optimal security.


This article seeks to answer this question by highlighting Azure WAF's features, strengths, and weaknesses on Azure Front Door and as a standalone web app security tool. We'll also compare these features with open-appsec WAF, which is a standalone WAF built with contemporary web app security capabilities.


Read on to find out more!


Difference Between Azure WAF, Azure Front Door WAF, and open-appsec WAF

| Factors | Azure WAF | Azure WAF on Front Door | open-appsec WAF |
| --- | --- | --- | --- |
| Zero-Day Detection | Lacks a robust feature that safeguards your web application against unknown vulnerabilities and zero-day attacks | Doesn’t effectively protect against zero-day attacks | Uses offline and online machine learning models and advanced threat prevention techniques to protect web apps against zero-day attacks |
| Machine-Learning App Security Approach | Not Available | Not Available | Uses machine learning techniques to protect web applications and APIs |
| Type of System Configuration Used | Allows the use of WAF policies for system configuration | Allows its users to use one WAF policy at a time to configure app security features | Uses declarative configuration and WebUI (SaaS) for system configuration |
| Intrusion Prevention System | Not Available | Not Available | Uses an open-source Snort 3.0 engine and an NSS-certified intrusion prevention system |
| Free Version and Pricing | Offers a free 30 days trial, and its pricing depends on the pricing tier you choose and the volume of traffic your web application receives | Doesn’t offer a free version, but it offers a free trial. Pricing depends on the outbound data from the edge to the client or the origin, the incoming requests from your network edge, and the free data transfer from an Azure data center | Offers a free, open-source version. Its pricing plan consists of two paid versions: Premium and Enterprise Edition |
| Open-Source | Not open-sourced | Not open-sourced | Open-sourced |
| System Maintenance Complexity | Complex system maintenance procedure because of its rules, policies, and exclusion list | Complex system maintenance due to its use of rules and exceptions | Maintenance is simple due to the absence of rules, policies, and exceptions |
| Web Latency | Doesn’t increase web latency | Sometimes increases web latency | Uses agents to deploy open-appsec on existing web servers, enabling minimal latency and maximum control |
| Malicious Bot Prevention | Uses the managed bot protection rule to prevent the evasion of malicious bots in your web apps | Uses bot signatures to identify and protect against bot attacks | Uses machine learning models and app behavioral analysis to identify malicious bot traffic |
| False Positives | Some false positives are alerted due to the absence of machine learning | Some false positives are alerted due to the absence of machine learning | Its second online and unsupervised machine learning model is dedicated to eliminating false positives |

Azure WAF


Azure WAF is a cloud-native solution that safeguards web applications against common cyber threats and vulnerabilities. It is easy to deploy and provides comprehensive visibility into your app's environment, thereby ensuring the consistent blocking of malicious attacks.


It uses managed and preconfigured rule sets to protect web applications against attacks. It combines these rule sets with its advanced detection engine, resulting in an enhanced security level and a reduction in false positives.

Furthermore, Azure WAF helps organizations meet their industry security standards and compliance regulations. It does this by integrating with Azure Policy, a governance tool designed to enforce compliance by remediation of existing resources and automatic compliance enforcement for new resources.


Unlike many security systems, Azure WAF does not require an additional software agent. This simplifies its integration process with Security Information and Event Management (SIEM) tools.


Features of Azure WAF


OWASP Core Rule Set


Azure WAF offers the OWASP Core Rule Set (CRS) to guard web applications against attacks like injections, protocol violations, bot crawlers, and other popular vulnerabilities. It is set to CRS 3.2 by default, and the versions you can choose from are 3.2, 3.1, 3.0, or 2.2.9. It allows you to set exclusions for specific requests and uses anomaly scores to determine appropriate responses to rule violations.
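How anomaly scoring turns individual rule matches into one decision, as an added example that is not Azure's or the CRS project's code. The severity weights and the threshold of 5 are the CRS 3.x defaults; the three `demo-*` rules, the `evaluate` function, its `mode` and `excluded_args` parameters and the sample requests are constructed for illustration.

```python
import re

# Severity weights and the blocking threshold are the CRS 3.x defaults.
# The three rules are constructed stand-ins, not real CRS rule IDs or patterns.
SEVERITY = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
THRESHOLD = 5

SQLI = re.compile(r"(?i)\bunion\b.+\bselect\b")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def inspected_args(req, excluded):
    """Argument values the rules may look at, minus excluded argument names."""
    return [v for k, v in req["args"].items() if k not in excluded]

RULES = [
    ("demo-sqli", "CRITICAL",
     lambda req, ex: any(SQLI.search(v) for v in inspected_args(req, ex))),
    ("demo-ip-host", "WARNING",
     lambda req, ex: bool(IPV4.match(req["headers"].get("host", "")))),
    ("demo-no-accept", "NOTICE",
     lambda req, ex: "accept" not in req["headers"]),
]

def evaluate(req, mode="Prevention", excluded_args=frozenset()):
    """Score one request; return (action, anomaly_score, matched_rule_ids)."""
    matched = [(rid, sev) for rid, sev, check in RULES if check(req, excluded_args)]
    score = sum(SEVERITY[sev] for _, sev in matched)
    if score < THRESHOLD:
        action = "allow"
    else:
        # Detection mode records the violation but lets the request through.
        action = "block" if mode == "Prevention" else "log"
    return action, score, [rid for rid, _ in matched]

# Constructed sample requests.
BROWSER = {"headers": {"host": "shop.example", "accept": "*/*"}, "args": {"q": "shoes"}}
SCANNER = {"headers": {"host": "203.0.113.7"}, "args": {"q": "shoes"}}
INJECT = {"headers": {"host": "shop.example", "accept": "*/*"},
          "args": {"q": "1 UNION SELECT name FROM users"}}

if __name__ == "__main__":
    for name, req in [("browser", BROWSER), ("scanner", SCANNER), ("inject", INJECT)]:
        print(name, evaluate(req))
    # An over-broad exclusion hides the argument from every rule.
    print("inject, q excluded", evaluate(INJECT, excluded_args={"q"}))
```

Two low-severity matches (warning plus notice) reach the threshold on their own, and excluding the `q` argument drops the injection request's score to zero, which is why exclusion lists need review as carefully as the rules themselves.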

Real-Time Visibility

Azure WAF is integrated with Microsoft Sentinel, providing real-time visibility into your WAF resources. This integration also ensures security alerts for activities within your application's environment. Moreover, this feature offers WAF log analytics categorized into 11 parts for app visibility. These categories include request ID filters and messages, top 50 event triggers, top 40 blocked request URL addresses, etc.

Azure WAF also offers pre-built, customizable workbooks to enhance WAF data analysis and visualization further. It offers Sentinel analytics rules to automatically detect and respond to security attacks based on preconfigured rules.


Bot Protection Rule Set

Azure WAF offers a customizable bot rule set that provides protection against three bot categories: good, bad, and unknown bots. It identifies bad bots as bots from suspicious sources or IP addresses, good bots from recognized sources, and unknown bots from published user agents that need additional validation. Azure WAF allows you to block, allow, or log these bots as preferred.


Pros and Cons of the Azure WAF

| Pros | Cons |
| --- | --- |
| Fast deployment | Exclusion list is hard to manage |
| User-friendly | Sometimes returns false positives |
| Can protect multiple web applications simultaneously | Can become very costly |
| Doesn’t increase web latency | |

Azure WAF on Azure Front Door



On Azure Front Door, Azure WAF is a centralized protection mechanism providing a robust shield against common exploits and vulnerabilities. It ensures that applications remain accessible for legitimate users while meeting essential industry compliance requirements.


Furthermore, Azure WAF is located on Azure network edge locations across the globe, and with this strategic positioning, it halts and prevents malicious attacks before they can infiltrate your network. Together, Azure Front Door and Azure WAF balance extensive web app protection with the need for fast, efficient application performance, enhancing user experience.

Azure Front Door comes in two tiers: Standard and Premium. Both tiers integrate with Azure WAF, allowing users to choose a package that best fits their security needs.


Features of Azure WAF on Azure Front Door


Policy and Rules

Azure WAF on Azure Front Door allows you to configure a WAF policy and link it to multiple front-ends for enhanced defense. It allows you to create a policy and replicate it across all Azure edge locations to ensure consistent security. This policy comprises user-created custom rules and Azure-managed preconfigured rules that allow, block, log, or redirect requests once a match is found.


Bot Protection

Azure Front Door WAF offers bot protection to help your web server differentiate between good, bad, and unknown bots. It uses a managed rule set that the Azure security team updates to customize actions based on these bot categories.


Rate Limiting

On Azure Front Door, Azure WAF offers a custom rate-limiting control to regulate access based on incoming request rates. This tool enables it to detect and block abnormally high traffic levels from any socket IP, mitigating DoS attacks and preventing disruptions from misconfigured clients.
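A sketch of rate limiting keyed on the socket IP, replayed over constructed events; this is an added example, not Azure's implementation. The function names, the 10-second window, the threshold of 5 and the choice to count blocked requests toward the window are assumptions made for illustration.

```python
from collections import defaultdict, deque

def rate_limit(events, threshold, window_s):
    """Replay (timestamp_s, socket_ip, x_forwarded_for) events in time order.

    Returns a list of (timestamp_s, socket_ip, action). The key is the socket
    IP (the address the TCP connection came from); the client-supplied
    X-Forwarded-For value is carried along but never used as the key.
    """
    recent = defaultdict(deque)  # socket_ip -> timestamps inside the window
    decisions = []
    for ts, socket_ip, _xff in sorted(events, key=lambda e: e[0]):
        q = recent[socket_ip]
        while q and q[0] <= ts - window_s:
            q.popleft()  # expire requests older than the trailing window
        q.append(ts)     # assumption: blocked requests still count
        action = "block" if len(q) > threshold else "allow"
        decisions.append((ts, socket_ip, action))
    return decisions

def blocked_by_ip(decisions):
    """Number of blocked requests per socket IP."""
    counts = defaultdict(int)
    for _ts, ip, action in decisions:
        if action == "block":
            counts[ip] += 1
    return dict(counts)

# Constructed events: one noisy client sending a request per second with a
# different X-Forwarded-For value each time, one ordinary client, and a late
# request from the noisy client after its window has expired.
EVENTS = [(t, "198.51.100.9", f"10.0.0.{t}") for t in range(8)]
EVENTS += [(2, "192.0.2.10", None), (6, "192.0.2.10", None)]
EVENTS += [(30, "198.51.100.9", None)]

if __name__ == "__main__":
    decisions = rate_limit(EVENTS, threshold=5, window_s=10)
    for d in decisions:
        print(d)
    print(blocked_by_ip(decisions))
```

Because the counter follows the connection's source address, the changing header values do not split the noisy client's traffic into separate buckets, and the client is allowed again once its window empties.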


Pros and Cons of the Azure Front Door WAF

| Pros | Cons |
| --- | --- |
| Integrates smoothly with other Azure services | Can only use one Azure WAF policy at a time |
| Has easy-to-understand documentation | Sometimes has false positives |
| Offers an effective CDN feature | It is expensive |
| Offers features that help you customize your web app security | |

open-appsec WAF


Are you looking to block attacks on your web application before they happen? Look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Its code has also been published on GitHub, and the effectiveness of its WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.



The open-appsec WAF is one of the few open-source WAFs designed for easy configuration and management. It delivers effective web application security, keeps false positives to a minimum, and can be deployed as an add-on to an NGINX reverse proxy alongside a Kubernetes (K8s) Ingress controller or API gateways.


One of its key strengths, as mentioned earlier, is using machine learning technology to prevent web attacks preemptively. It safeguards web applications against threats, including OWASP Top 10 attacks, web app and API attacks, and even elusive zero-day exploits. This feature makes the maintenance process streamlined and straightforward. Plus, unlike other WAFs, it doesn't rely on signatures and exceptions.


Moreover, open-appsec WAF integrates with tools like GraphQL, Terraform, and Helm. It also offers features like Anti Bot, API discovery and security, intrusion prevention, etc.


Features of open-appsec WAF


Machine-Learning WAF



Distinguishing itself from other WAFs, open-appsec WAF protects web applications using a unique machine learning threat prevention method. This innovative approach preemptively wards off common attacks like OWASP Top 10 attacks and zero-day threats, such as Log4Shell and Spring4Shell, without requiring updates or signatures.

This process relies on two machine-learning models:

  • A supervised offline model

  • A non-supervised online model

The supervised model is trained with millions of malicious and benign requests, enabling it to distinguish between legitimate and malicious requests effectively. This extensive training process minimizes the need for constant fine-tuning, exception creation, or handling, as typically seen in traditional WAFs.


The non-supervised model operates online and works in real-time to analyze HTTP/S requests in your web apps and APIs. This model uses contextual and behavioral analysis methods to examine an application's structure and user activity within the web app. It learns the everyday user interactions with your web app and uses this information to identify requests that deviate from normal operations.


Once open-appsec is installed, all incoming requests are evaluated against these two machine learning models, which mark them as malicious or benign based on transaction user behavior, crowd behavior, and content risks.


API Discovery and Security

The open-appsec WAF uses machine learning and OpenAPI schema validation to discover all your APIs, thus minimizing the attack surface. This process enhances security by keeping API activity within safe parameters and focusing your security team's efforts on a specified set of APIs. The narrowing of the attack surface optimizes resources and boosts the effectiveness of vulnerability management.


Infrastructure-As-Code and API

This open-appsec WAF feature helps with its easy deployment, update, and configuration in cloud-native environments. It seamlessly integrates into an application’s CI/CD process through infrastructure-as-code or API. This provides flexible management options, including configuration through declarative files, Kubernetes, cloud-native config-as-code, or WebUI-based configuration, such as GraphQL API and central status monitoring.


Pros and Cons of open-appsec WAF

| Pros | Cons |
| --- | --- |
| Open-sourced | It is a fairly new WAF |
| Has a free version | |
| Simplifies system maintenance by removing the need for managing exceptions, rules, and threat signatures | |
| Offers preemptive protection against attacks | |

Conclusion


Using Azure WAF as a feature on Azure Front Door would provide you with basic WAF features, but using the standalone Azure WAF provides more robust security and in-depth visibility into the activities going on in your app's environment. On the other hand, open-appsec WAF is the best web application security solution to use if you're looking to protect against known and unknown attacks and vulnerabilities. Try open-appsec in the Playground today.

FAQ

What is the difference between Azure WAF and Azure Firewall?

Azure WAF is designed to protect web applications against common exploits and vulnerabilities at the application layer. On the other hand, Azure Firewall is a network layer (3-4) firewall service that protects Azure Virtual Network resources by filtering and analyzing incoming and outgoing traffic at the network level.


Is Azure WAF free?

No, Azure WAF is not a free service. Azure WAF pricing depends on your plan, the number of web applications you protect, and the amount of data processed by those applications.


What is the difference between Azure Application Gateway and Azure WAF?

Azure Application Gateway functions as a load balancer for web traffic and works at the application layer (Layer 7) to evenly distribute incoming traffic among multiple endpoints. On the other hand, Azure Web Application Firewall (WAF) can be used as a standalone service or as a feature that can be enabled on the Azure Application Gateway to protect against web attacks like SQL injection.

In summary, the Application Gateway is responsible for routing traffic, while Azure WAF provides additional security by inspecting and filtering the traffic.

