Despite the enhanced application performance, health checks, and traffic management that load balancers offer, they are not the most efficient web application security tools; which is why Azure offers a Web Application Firewall (WAF) feature in both Azure Front Door and Azure Application Gateway.
For context, Azure Front Door and Azure Application Gateway are both load balancers that distribute network and application traffic across many servers to enhance app performance and reliability. One major difference between them is that Azure Front Door offers its load balancing function at a global level while Azure Application Gateway functions as a regional load balancer.
This article compares the function of Azure WAF on these two load balancers against open-appsec WAF, which is a contemporary and standalone WAF.
Difference Between WAF on Azure Front Door, Azure Application Gateway, and open-appsec WAF: A Tabular Comparison
Factors | Azure WAF on Front Door | Azure WAF on Azure Application Gateway | open-appsec WAF |
Machine-Learning App Security Approach | Not Available | Not Available | Uses machine learning techniques to protect web applications and APIs |
Type of System Configuration Used | Allows its users to use one WAF policy at a time to configure app security features | Allows the use of WAF policies for system configuration | Uses declarative configuration and WebUI (SaaS) for system configuration |
System Maintenance Complexity | Complex system maintenance due to its use of rules and exceptions | Complex system maintenance due to the need for fine-tuning caused by policies, rules, and exceptions | Simple maintenance due to the absence of rules, policies, and exceptions |
Intrusion Prevention System | Not Available | Not Available | Uses an open-source Snort 3.0 engine and an NSS-certified intrusion prevention system |
Free Version and Pricing | No free version, but offers a free trial Pricing depends on the following factors: - Base fees - Outbound data from the edge to the client or the origin - Incoming requests from your network edge - Free data transfer from an Azure data center | No free version, but offers a free trial Offers two pricing plans:
| Offers a free, open-source version Its pricing plan consists of two paid versions:
|
Open-Source | Not open-sourced | Not open-sourced | Open-sourced |
Malicious Bot Prevention | Uses bot signatures to identify and protect against bot attacks | Uses managed and custom rules to protect against bad bot traffic | Uses machine learning models and app behavioral analysis to identify malicious bot traffic |
Web Latency | Some instances of increased web latency | Some instances of increased web latency | Uses agents to deploy open-appsec on existing web servers, enabling minimal latency and maximum control |
Zero-Day Detection | Doesn’t effectively protect against zero-day attacks | Doesn’t effectively protect against zero-day attacks | Uses offline and online machine learning models and advanced threat prevention techniques to protect web apps against zero-day attacks |
False Positives | Doesn’t detect a lot of false positives | Doesn’t detect a lot of false positives | Second online and unsupervised machine learning model is dedicated to eliminating false positives |
Azure WAF on Azure Front Door
Azure WAF on Azure Front Door offers a security perimeter at the network edge, actively screens incoming traffic, and protects apps against common threats and exploits. A combination of these two Azure services ensures app reliability, security, and seamless access to its legitimate users. It also helps you adhere to industry compliance requirements.
Furthermore, Azure Front Door offers two distinct tiers, Standard and Premium, with Azure WAF integrated into both tiers. While the two tiers share many common features, Azure Front Door Premium exclusively supports WAF custom rules allowing you to create security tailored to your app’s specific needs.
Features of Azure WAF on Azure Front Door
Policy and Rules On Azure Front Door, Azure WAF provides unified security across all Azure edge locations using its multiple front-ends linked policies. These policies consist of custom rules defined by the user and pre-configured managed rules handled by Azure. These rules are processed in a priority sequence, with custom rules processed before managed rules, and the order of custom rules can be changed if required. Once a rule matches a request, the predefined action (allow, block, log, or redirect) is carried out, and lower-priority rules are dismissed.
Bot Protection Azure WAF uses a set of bot signatures updated by Azure's security team to protect web apps against bot attacks. These bots are categorized into three: good bots (like search engines), bad (possibly from malicious IP addresses or falsified identities), and unknown bots (self-identified bots with uncertain categories such as market analyzers). This bot protection feature is integrated with Microsoft's Threat Intelligence feed, which compares incoming bot requests against a constantly updated malicious bot IP database. It enables it to match malicious bot requests successfully and in real-time.
Rate Limiting Rate-limiting feature is used by Azure WAF to provide custom controls for incoming request rates. This feature helps to detect and block abnormally high traffic levels from any socket IP address which initiates TCP connection to Azure Front Door. This functionality mitigates DoS attacks and safeguards against misconfigured clients that may send excessive request volumes.
Pros and Cons of Azure WAF on Azure Front Door
Pros | Cons |
Has a large support platform and community | Cannot use more than one WAF policy at a time |
Offers an effective CDN feature | Doesn’t provide sufficient protection against unknown attacks |
Has readily available guides and easy-to-understand documentation | Works only on Azure-based applications |
Offers customizable options to personalize your app's security | It is costly |
Azure WAF on Azure Application Gateway
Azure WAF on Azure Application Gateway provides web applications and APIs with centralized and tailored security against known attacks and vulnerabilities. It works by comparing incoming requests against OWASP Top 10 Core Rule Sets (CRS) to provide strict, industry-recognized security protocols and compliance.
With this CRS approach, Azure WAF enables the creation of policies, each of which can be individually tied to a specific Application Gateway. This innovative feature allows the development of unique security controls for each web application behind an organization's Azure Application Gateway, enhancing granular and targeted security.
Moreover, Azure Application Gateway offers two versions of WAF – Application Gateway WAF_v1 and Application Gateway WAF_v2. However, it's crucial to note that policy associations exclusively support the more advanced Application Gateway WAF_v2.
Features of Azure WAF on Azure Application Gateway
WAF Policy and Rules On Azure Application Gateway, Azure WAF allows users to create a WAF policy to monitor, identify, and block malicious requests. This policy contains managed and custom rules, exclusions, and other specific customizations like file upload limits. Each policy can protect multiple application gateways and be associated with a web app at various levels – globally, per site, or URL. Note that, like in Azure Front Door, custom rules take precedence over managed rules, and when a request matches a rule, it can be allowed, blocked, or logged, depending on the pre-configured action.
CRS Azure WAF uses CRS on Azure Application Gateway to guard against common web vulnerabilities and exploits, including Java injections, protocol anomalies, and app misconfigurations. By default, CRS 3.2 is activated on Azure Application Gateway, but users can employ other versions like 2.2.9, 3.0, or 3.1. Note that CRS 3.2 operates in detection mode, but you can change this default setting and customize individual rules or set specific actions per rule to fit your application's unique security needs.
Azure and WAF Monitor Azure Monitor and Microsoft Defender are used for Cloud to track the health and performance of the gateway, WAF, and protected applications. This feature provides comprehensive oversight, enabling users to monitor WAF logs, alerts, access, and activity within the application environment. It offers a unified view of an application's behavior, ensuring optimal performance and rapid response to security concerns.
Pros and Cons of Azure WAF on Azure Application Gateway
Pros | Cons |
Has a large support platform and community | Not easy to configure |
Easy to use | It is sometimes slow and buggy and increases web latency |
Offers effective load balancing and traffic management | Takes time to change certificates and update the solution |
Offers effective backend health checks | Doesn't integrate with a lot of third party tools |
open-appsec WAF
Are you looking to block attacks on your web application before they happen? Look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Its code has also been published on GitHub, and the effectiveness of its WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.
open-appsec is an open-source WAF designed for app security, ease of configuration, management, and scalability. As highlighted earlier, this WAF uses machine learning to proactively prevent OWASP Top 10, common web app, API, and zero-day attacks. This web application security approach ensures precise attack mitigation results and returns a low rate of false positives.
It offers flexible deployment options as it can function as an add-on to an NGINX reverse proxy or a Kubernetes Ingress controller. Plus, it can also integrate with API gateways and Envoy.
Furthermore, open-appsec forgoes traditional signature-based web application security methods and exception handling, replacing this with the machine learning approach. This, in turn, makes it more reliable in protecting web apps and APIs against unknown and zero-day attacks. This approach also reduces the system complexity typically associated with manually updating and fine-tuning traditional WAFs.
Additionally, open-appsec supports integrations with platforms like GraphQL, Terraform, and Helm, broadening its compatibility and application security range.
Features of open-appsec WAF
Machine-Learning Threat Prevention As mentioned, open-appsec WAF uses a unique approach of deploying machine learning to preemptively shield web applications and APIs from threats such as Log4Shell and Spring4Shell. This approach doesn't require users to carry out system updates and handle exceptions, a common challenge in traditional WAF. Instead, this approach eliminates this process. Other than this, open-appsec's machine learning models are divided into supervised and unsupervised models. The supervised model operates offline and is trained on millions of malicious and benign requests. Through this extensive training, it can effectively differentiate between legitimate and known malicious attacks. Conversely, the unsupervised model operates online and in real-time, employing contextual analysis to analyze requests. By studying user activity within the application's structure, this machine learning model understands legit user behavior within an app, and it uses this knowledge to identify and block malicious requests accurately. Hence, this dual-model approach results in a Contextual Machine Learning Engine, which continuously analyzes incoming HTTP/S requests and API calls.
API Discovery and Security This open-appsec WAF feature discovers and exposes all APIs and reduces their attack surface to enhance security. It does this using machine learning and uses OpenAPI schema to block malicious content, validate APIs, and ensure their activities remain within secure boundaries. This streamlined attack surface, in turn, allows IT security teams to concentrate their resources on specific APIs, enhancing focus and vulnerability management and bolstering the app's overall security framework.
Intrusion Prevention open-appsec WAF uses NSS-certified IPS for app traffic inspection, filtering, and intrusion detection. It has been known to defend against over 2,800 Web CVEs and zero-day attacks. It also uses open-source Snort 3.0 for real-time traffic analysis and threat detection. This feature also provides protocol analysis to identify and counter abnormal activities within an application, further strengthening its intrusion-prevention capabilities.
Pros and Cons of open-appsec WAF
Pros | Cons |
Open-sourced | A fairly new WAF |
Has a free version | Has a medium-sized open-source community |
Simplifies system maintenance by removing the need for managing exceptions, rules, and threat signatures | |
Offers preemptive protection against attacks | |
Conclusion
Azure Application Gateway is primarily used as a load balancer, and in conjunction with Azure WAF, it effectively protects web apps against common exploits and vulnerabilities. The same goes with Azure Front Door; it functions as a scalable and secure entry point for the fast delivery of global applications (load balancing on a global scale). Also, when used with Azure WAF, it also protects apps from common attacks. On the other hand, open-appsec uses its two machine learning models to protect against app vulnerabilities and known, unknown, and zero-day attacks.
Frequently Asked Questions
What is Azure Application Gateway?
Azure Application Gateway is a web load balancer that manages web application traffic. It operates at the OSI network model's application layer (Layer 7), offering functionalities like URL routing, cookie-based session affinity, and SSL termination.
What is the difference between Azure APIM and Azure Application Gateway?
Azure APIM helps organizations manage the full APIs lifecycle, including publishing APIs, enforcing usage policies, controlling access, caching responses, and collecting insights through analytics. On the other hand, Azure Application Gateway is a web traffic load balancer operating at the application layer and providing capabilities like routing, SSL offload, and Web Application Firewall.
Can Azure Front Door replace Application Gateway?
While they offer overlapping functionalities, Azure Front Door and Application Gateway cannot replace each other due to their unique features and use cases.
