A load balancer is essential for distributing network and application traffic across multiple servers to ensure high performance, reliability, and responsiveness. However, without the presence of some sort of protection, your web server might be at risk of attacks – which also renders the job of a load balancer useless. This explains why Azure added a Web Application Firewall (WAF) feature to its global load balancer Azure Front Door.
The question at hand is whether using Azure WAF as an add-on feature provides enough protection against web attacks or whether DevOps and DevSecOps engineers need to utilize Azure WAF or any other standalone WAF for optimal security.
This article seeks to answer this question by highlighting Azure WAF's features, strengths, and weaknesses on Azure Front Door and as a standalone web app security tool. We'll also compare these features with open-appsec WAF, which is a standalone WAF built with contemporary web app security capabilities.
Read on to find out more!
Difference Between Azure WAF, Azure Front Door WAF, and open-appsec WAF
Factors | Azure WAF | Azure WAF on Front Door | open-appsec WAF |
Zero-Day Detection | Lacks a robust feature that safeguards your web application against unknown vulnerabilities and zero-day attacks | Doesn’t effectively protect against zero-day attacks | Uses offline and online machine learning models and advanced threat prevention techniques to protect web apps against zero-day attacks |
Machine-Learning App Security Approach | Not Available | Not Available | Uses machine learning techniques to protect web applications and APIs |
Type of System Configuration Used | Allows the use of WAF policies for system configuration | Allows its users to use one WAF policy at a time to configure app security features | Uses declarative configuration and WebUI (SaaS) for system configuration |
Intrusion Prevention System | Not Available | Not Available | Uses an open-source Snort 3.0 engine and an NSS-certified intrusion prevention system |
Free Version and Pricing | Offers a free 30 days trial, and its pricing depends on the pricing tier you choose and the volume of traffic your web application receives | Doesn’t offer a free version, but it offers a free trial Pricing depends on the outbound data from the edge to the client or the origin, the incoming requests from your network edge, and the free data transfer from an Azure data center | Offers a free, open-source version Its pricing plan consists of two paid versions: Premium and Enterprise Edition |
Open-Source | Not open-sourced | Not open-sourced | Open-sourced |
System Maintenance Complexity | Complex system maintenance procedure because of its rules, policies, and exclusion list | Complex system maintenance due to its use of rules and exceptions | Maintenance is simple due to the absence of rules, policies, and exceptions |
Web Latency | Doesn’t increase web latency | Sometimes increases web latency | Uses agents to deploy open-appsec on existing web servers, enabling minimal latency and maximum control |
Malicious Bot Prevention | Uses the managed bot protection rule to prevent the evasion of malicious bots in your web apps | Uses bot signatures to identify and protect against bot attacks | Uses machine learning models and app behavioral analysis to identify malicious bot traffic |
False Positives | Some false positives are alerted due to the absence of machine learning | Some false positives are alerted due to the absence of machine learning | Its second online and unsupervised machine learning model is dedicated to eliminating false positives |
Azure WAF
Azure WAF is a cloud-native solution that safeguards web applications against common cyber threats and vulnerabilities. It is easy to deploy and provides comprehensive visibility into your app's environment, thereby ensuring the consistent blocking of malicious attacks.
It uses managed and preconfigured rule sets to protect web applications against attacks. It combines these rule sets with its advanced detection engine resulting in an enhanced security level and a reduction in false positives.
Furthermore, Azure WAF helps organizations meet their industry security standards and compliance regulations. It does this by integrating with Azure Policy, a governance tool designed to enforce compliance by remediation of existing resources and automatic compliance enforcement for new resources.
Unlike many security systems, Azure WAF does not require an additional software agent. This simplifies its integration process with Security Information and Event Management (SIEM) tools.
Features of Azure WAF
OWASP Core Rule Set
Azure WAF offers the OWASP core rule set feature to guard web applications against attacks like injections, protocol violations, bot crawlers, and other popular vulnerabilities. It is set to the CRS 3.2 by default, but you can switch to versions 3.2, 3.1, 3.0, or 2.2.9. It allows you to set exclusions for specific requests and uses anomaly scores to determine appropriate responses to rule violations.
Real-Time Visibility
Azure WAF is integrated with Microsoft Sentinel, providing real-time visibility into your WAF resources. This integration also ensures security alerts for activities within your application's environment. Moreover, this feature offers WAF log analytics categorized into 11 parts for app visibility. These categories include request ID filters and messages, top 50 event triggers, top 40 blocked request URL addresses, etc.
Azure WAF also offers pre-built, customizable workbooks to enhance WAF data analysis and visualization further. It offers Sentinel analytics rules to automatically detect and respond to security attacks based on preconfigured rules.
Bot Protection Rule Set
Azure WAF offers customizable bot rules set that provides protection against three bot categories: good, bad, or unknown bots. It identifies bad bots as bots from suspicious sources or IP addresses, good bots from recognized sources, and unknown bots from published user agents that need additional validation. Azure WAF allows you to block, allow, or log these bots as preferred.
Pros and Cons of the Azure WAF
Pros | Cons |
Fast deployment | Exclusion list is hard to manage |
User-friendly | Sometimes return false positives |
Can protect multiple web applications simultaneously | Can become very costly |
Doesn’t increase web latency | |
Azure WAF on Azure Front Door
On Azure Front Door, Azure WAF is a centralized protection mechanism providing a robust shield against common exploits and vulnerabilities. It ensures that applications remain accessible for legitimate users while meeting essential industry compliance requirements.
Furthermore, Azure WAF is located on Azure network edge locations across the globe, and with this strategic positioning, it halts and prevents malicious attacks before they can infiltrate your network. Together, they balance extensive web app protection and manage the need for fast, efficient application performance, enhancing user experience.
Azure Front Door comes in two tiers: Standard and Premium. Both tiers integrate with Azure WAF, allowing users to choose a package that best fits their security needs.
Features of Azure WAF on Azure Front Door
Policy and Rules
Azure WAF on Azure Front Door allows you to configure a WAF policy and link it to multiple front-ends for enhanced defense. It allows you to create and replicate across all Azure edge locations to ensure consistent security. This policy comprises user-created custom rules and Azure-managed preconfigured rules that allow, block, log, or redirect requests once a match is found.
Bot Protection
Azure Front Door WAF offers bot protection to help your web server differentiate between good, bad, and unknown bots. It uses a managed rule set that the Azure security team updates to customize actions based on these bot categories.
Rate Limiting
On Azure Front Door, Azure WAF offers a custom rate-limiting control to regulate access based on incoming request rates. This tool enables it to detect and block abnormally high traffic levels from any socket IP, mitigating DoS attacks and preventing disruptions from misconfigured clients.
Pros and Cons of the Azure Front Door WAF
Pros | Cons |
Integrates smoothly with other Azure services | Can only use one Azure WAF policy at a time |
Has easy-to-understand documentation | Sometimes has false positives |
Offers an effective CDN feature | It is expensive |
Offers features that help you customize your web app security | |
open-appsec WAF
Are you looking to block attacks on your web application before they happen? So look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Its code has also been published on GitHub, and the effectiveness of its WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.
The open-appsec WAF is one of the few open-source WAfs designed for easy configuration and management. It delivers effective web application security, keeps false positives to a minimum, and can be deployed as an add-on to an NGINX reverse proxy alongside a Kubernetes (K8s) Ingress controller or API gateways.
One of its key strengths, as mentioned earlier, is using machine learning technology to prevent web attacks preemptively. It safeguards web applications against threats, including OWASP Top 10 attacks, web app and API attacks, and even elusive zero-day exploits. This feature makes the maintenance process streamlined and straightforward. Plus, unlike other WAFs, it doesn't rely on signatures and exceptions.
Moreover, open-appsec WAF integrates with tools like GraphQL, Terraform, and Helm. It also offers features like Anti Bot, API discovery and security, intrusion prevention, etc.
Features of open-appsec WAF
Machine-Learning WAF
Distinguishing itself from other WAFs, open-appsec WAF protects web applications using a unique machine learning threat prevention method. This innovative approach preemptively wards off common attacks like OWASP Top 10 attacks and zero-day threats, such as Log4Shell and Spring4Shell, without requiring updates or signatures.
This process relies on two machine-learning models:
A supervised offline model
A non-supervised online model
The supervised model is trained with millions of malicious and benign requests, enabling it to distinguish between legitimate and malicious requests effectively. This extensive training process minimizes the need for constant fine-tuning, exception creation, or handling, as typically seen in traditional WAFs.
The non-supervised model operates online and works in real-time to analyze HTTP/S requests in your web apps and APIs. This model uses contextual and behavioral analysis methods to examine an application's structure and user activity within the web app. It learns the everyday user interactions with your web app and uses this information to identify requests that deviate from normal operations.
When installed, all incoming requests are evaluated against these two machine learning models, which mark them as malicious or benign based on transaction user behavior, crowd behavior, and content risks.
API Discovery and Security
The open-appsec WAF uses machine learning and OpenAPI schema validation to expose all your APIs, thus minimizing the attack surface. This process enhances security by keeping API activity within safe parameters and streamlining your security team's efforts on a specified set of APIs. The narrowing of the attack surface optimizes resources and boosts the effectiveness of vulnerability management.
Infrastructure-As-Code and API
This open-appsec WAF feature helps with its easy deployment, update, and configuration in cloud-native environments. It seamlessly integrates into an application’s CI/CD process through infrastructure-as-code or API. This provides flexible management options, including configuration through declarative files, Kubernetes, cloud-native config-as-code, or WebUI-based configuration, such as GraphQL API and central status monitoring.
Pros and Cons of open-appsec WAF
Pros | Cons |
Open-sourced | It is a fairly new WAF |
Has a free version | |
Simplifies system maintenance by removing the need for managing exceptions, rules, and threat signatures | |
Offers preemptive protection against attacks | |
Conclusion
Using Azure WAF as a feature on Azure Front Door would provide you with basic WAF features, but using the standalone Azure WAF provides more robust security and in-depth visibility into the activities going on in your app's environment. On the other hand, open-appsec WAF is the best web application security solution to use if you're looking to protect against known and unknown attacks and vulnerabilities. Try open-appsec in the Playground today.
FAQ
What is the difference between Azure WAF and Azure Firewall?
Azure WAF is designed to protect web applications against common exploits and vulnerabilities at the application layer. On the other hand, Azure Firewall is a network layer (3-4) firewall service that protects Azure Virtual Network resources by filtering and analyzing incoming and outgoing traffic at the network level.
Is Azure WAF free?
No, Azure WAF is not a free service. Azure WAF pricing depends on your plan, the number of web applications you protect, and the amount of data processed by those applications.
What is the difference between Azure Application Gateway and Azure WAF?
Azure Application Gateway functions as a load balancer for web traffic and works at the application layer (Layer 7) to evenly distribute incoming traffic among multiple endpoints. On the other hand, Azure Web Application Firewall (WAF) can be used as a standalone service or as a feature that can be enabled on the Azure Application Gateway to protect against web attacks like SQL injection.
In summary, the Application Gateway is responsible for routing traffic, while Azure WAF provides additional security by inspecting and filtering the traffic.
