Azure WAF Custom Rule Samples and Use Cases

by AZURE SECURITY NEWS EDITOR
March 29, 2021

By Anthony_Roman and Azure Security News

This post details how to use Custom Rules on Azure WAF, including examples of common use cases fulfilled by this rule type. Custom Rules provide a versatile way to build controls that fulfill your security requirements and protect against attacks that are specific to your applications.

WAF Rule Types and Processing

Azure WAF currently offers 3 rule types, which are processed in the following order:

  1. Custom Rules – custom rules are processed first, and function according to the logic you select. This makes them very powerful as the first line of defense for web applications.
  2. Managed OWASP Rules – OWASP rulesets are based on the SpiderLabs Core Ruleset (CRS), and can detect common web attacks like SQL injection, cross-site scripting, and command injection. These rules cannot be modified, but the ruleset can be tuned by using exclusions and by modifying rule actions (a topic for another post).
  3. Managed Bot Rules – these rules identify potential bot activity by matching sources against our internal Threat Intelligence feeds. If traffic is coming from a known source of bot activity, the traffic can be blocked.

This post focuses on Custom Rules, but it is important to understand how the managed rulesets work. For more information on these, look for future blog posts here or consult the Azure WAF documentation.

Important Custom Rule Concepts

Custom Rules can be viewed and built using the Azure Portal by navigating to Web Application Firewall Policies (WAF), selecting your policy, and clicking on the Custom Rules blade. Creating a custom rule is as simple as clicking Add Custom Rule and entering a few required fields. However, there are some important concepts to understand before you create your own rules.

The most important thing to mention about Custom Rules is that they are terminating. This means that if the logic of the rule is matched, all other rules stop processing, including the lower priority (higher number) Custom Rules, and both OWASP and Bot managed rulesets. This is the case regardless of the action of the rule; even if traffic is allowed, no further rules are processed. This can have positive or negative implications.

The Allow action should be used sparingly in Custom Rules: because the rule terminates, all other inspection provided by WAF is skipped. Understanding this, you can use Allow rules when the intent is precisely to skip the other checks, such as in tuning situations. If certain requests tend to trigger false positives, you can use a Custom Rule to allow that traffic at a more granular level than is possible by using exclusions or disabling rules.

In most scenarios, it is best to use Custom Rules with the Deny action, as a terminating Deny rule is entirely expected and without unanticipated consequences. For instance, if you wanted to use a WAF Custom Rule to create an IP Address allow list, it is better to Deny traffic that is not from the IP addresses in the list rather than Allow traffic from those IPs. Using the Deny action avoids causing traffic allowed by this rule to bypass the OWASP and Bot rulesets.

Another concept to make use of in constructing effective Custom Rules is compound conditions. Rules can be created with a single condition, or you can add multiple conditions that must be satisfied to constitute a match. When adding multiple conditions, they are added as an AND statement, so all conditions must be met for the Action to take place. If you need to construct a rule with OR logic, it is best to create multiple rules with the same Action.

Custom Rule Example Templates and Use Cases

We have created 2 ARM templates, which will create both WAF Policy types, one for WAF on Application Gateway and one for WAF on Front Door. These policies are intended to give you a starting point for creating your own Custom Rules. To deploy, simply click the Deploy to Azure buttons from the repository, select a Resource Group, and create your policies.

These example policies must be modified to fit your requirements before being associated with any Front Door or Application Gateway resources, and the following sections provide guidance on how to do so.

Block Lists

Some customers have the requirement to block certain sources of traffic based on IP address or country of origin. In these scenarios, block lists can be used, which you must create and keep up to date. The examples included in the templates are GeoBlockList and IPBlockList. The behavior of these basic rules can be modified to add conditions if necessary. For example, you may want to block a certain part of a site from a geographic region, as pictured:

Notice that there is a second condition in the “And if” box, which defines a specific request URI. This additional condition creates an AND expression, meaning that both the first condition about geolocation and the second condition about the request URI must be matched in order for the Deny action to trigger.

These block lists can be added manually via the Portal or managed programmatically using ARM, API, or CLI. One example of adding to a block list automatically using Azure Sentinel Playbooks can be found in a previous post.

Allow Lists

IP address or geographic restrictions can be accomplished effectively using allow lists. This method is preferable if you only do business in certain countries, or if you have an internal website you would like to be available only to trusted IP addresses, such as corporate IP blocks.

The following example shows the IPAllowList rule found in the template:

Notice that the allow list uses the “Does not contain” operator. This allows our logic to use the Deny action to block only the traffic that does not originate from the trusted range. This means that the trusted IP addresses or ranges will continue to be inspected by the other applicable WAF rules. Using this approach, we can avoid creating a rule using the “Does contain” operation along with the Allow action, which would result in a rule termination scenario that would exempt the trusted traffic from further WAF inspection.
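As an added illustration (not code from the post or its template repository) of the terminating behaviour described under Important Custom Rule Concepts and of the Deny-based allow list above, here is a small Python model of match-rule processing: rules run in priority order, conditions are AND-ed, and the first match stops processing. The IP ranges, the country code "ZZ" and the "/admin" path are constructed placeholders.

```python
"""Model of the custom-rule processing the post describes (not Azure's code):
rules run in priority order, all conditions of a rule are AND-ed, and the
first matching rule terminates processing, so the OWASP/Bot rulesets never run."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Condition:
    variable: str         # "RemoteAddr", "GeoMatch", "RequestUri", ...
    operator: str         # "IPMatch", "GeoMatch" or "Contains"
    values: list
    negate: bool = False  # the Portal's "Does not contain" toggle

    def matches(self, request):
        actual = request[self.variable]
        if self.operator == "IPMatch":
            hit = any(ip_address(actual) in ip_network(v) for v in self.values)
        elif self.operator == "Contains":
            hit = any(v in actual for v in self.values)
        else:  # GeoMatch: exact country-code comparison
            hit = actual in self.values
        return hit != self.negate


@dataclass
class CustomRule:
    name: str
    priority: int       # lower number = processed earlier
    action: str         # "Allow" or "Deny"
    conditions: list    # every condition must match (AND)

    def matches(self, request):
        return all(c.matches(request) for c in self.conditions)


def evaluate(rules, request):
    """Return (action, matching_rule_name, managed_rulesets_ran)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(request):
            return rule.action, rule.name, False  # terminating, even for Allow
    return "Continue", None, True  # fall through to the OWASP and Bot rulesets


def sample_request(ip, country="US", uri="/"):
    return {"RemoteAddr": ip, "GeoMatch": country, "RequestUri": uri}


TRUSTED = ["203.0.113.0/24"]  # constructed corporate range (TEST-NET-3)

# Weak allow list: Allow when the source IS trusted. Trusted traffic skips
# all further inspection, and untrusted traffic is not blocked at all.
ALLOW_LIST_WITH_ALLOW = [CustomRule("IPAllowList", 10, "Allow",
                         [Condition("RemoteAddr", "IPMatch", TRUSTED)])]

# Recommended allow list: Deny when the source is NOT trusted (negated
# IPMatch). Trusted traffic falls through and is still inspected.
ALLOW_LIST_WITH_DENY = [CustomRule("IPAllowList", 10, "Deny",
                        [Condition("RemoteAddr", "IPMatch", TRUSTED, negate=True)])]

# Compound AND condition from the GeoBlockList example: region AND path.
GEO_BLOCK = [CustomRule("GeoBlockList", 20, "Deny",
             [Condition("GeoMatch", "GeoMatch", ["ZZ"]),
              Condition("RequestUri", "Contains", ["/admin"])])]
```

Combining the weak allow list with GeoBlockList shows the second pitfall: a trusted source from the blocked region hits the Allow rule first and GeoBlockList is never evaluated.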

Controlling Allowed HTTP Methods

HTTP method enforcement can be done in a dynamic way using WAF Custom Rules. Consider the scenario where you have an API that should be available publicly for customers to GET and POST, but you want to reserve PUT and DELETE actions for traffic originating from trusted locations as an extra layer of security beyond authentication. The following modification of the MethodAllowList rule can be used to accomplish this.

Blocking User Agents

Some of the OWASP managed rules detect well-known malicious user agents, but if you need to block a specific set, a Custom Rule is one way to accomplish this. Of course, the user agent is not a difficult element for an attacker to change, but this type of rule can help deflect unsophisticated attackers. The logic of the UserAgentBlock rule is represented in the template pictured below.

Rate Limiting with WAF for Front Door

WAF on Azure Front Door has the added capability of Custom Rules with a Rate Limit type, as distinct from Match type rules. Rate Limit rules will keep track of the number of requests from a particular IP address and block requests made after a threshold is reached.

These rules can be part of an effective layer 7 DDoS protection strategy. Azure DDoS Protection, both at the platform level (free) and in the Standard tier (paid), protects against high-volume attacks, but there are application-layer attacks that do not rely on high volume. Some of these attacks can be mitigated by using source rate limiting in Custom Rules. The idea is that a legitimate user of a site makes a predictable number of requests over a given time period, whereas an attacker trying to disrupt the site's availability would likely make many more. A threshold can be set to limit the volume of traffic to a particular path from a source, as pictured below.

In the above rate limiting rule, 100 requests from the same IP address would be allowed within any 1 minute time period, but after the threshold is met, additional requests from that IP would be dropped for 1 minute. After the rate limiting period expires, traffic is allowed and the counter to 100 starts again.
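An added Python model (not Azure's implementation) of the rate-limit semantics described above: 100 requests per client IP per 1-minute window on a matched path, a 1-minute block once the threshold is exceeded, and a counter that restarts when the block expires. It assumes a fixed counting window that starts at the first request from an IP; IPs and paths are constructed.

```python
"""Model of a Front Door Rate Limit custom rule as the post describes it
(not Azure's implementation). Assumes a fixed per-IP counting window."""
from collections import defaultdict


class RateLimitRule:
    def __init__(self, threshold=100, window_seconds=60, path_prefix="/"):
        self.threshold = threshold
        self.window = window_seconds
        self.path_prefix = path_prefix   # the rule's match condition on RequestUri
        self.count = defaultdict(int)    # requests seen per IP in the current window
        self.window_start = {}           # IP -> time its current window began
        self.blocked_until = {}          # IP -> time the 1-minute block expires

    def evaluate(self, ip, uri, now):
        """Return "Deny" or "Continue" (fall through to the remaining rules)."""
        if not uri.startswith(self.path_prefix):
            return "Continue"            # match condition not met: not counted
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                return "Deny"            # still inside the block period
            del self.blocked_until[ip]   # block expired: counter restarts
            self.count[ip] = 0
        if now - self.window_start.get(ip, now) >= self.window:
            self.count[ip] = 0           # previous window ended
        if self.count[ip] == 0:
            self.window_start[ip] = now  # first request opens a new window
        self.count[ip] += 1
        if self.count[ip] > self.threshold:
            self.blocked_until[ip] = now + self.window
            return "Deny"                # request 101+ is dropped for 1 minute
        return "Continue"


def simulate(rule, ip, times, uri="/api/search"):
    """Feed one request per timestamp (seconds); return the decisions."""
    return [rule.evaluate(ip, uri, t) for t in times]
```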

Using WAF on Application Gateway to only Allow Traffic from your Front Door

A common architectural design is to use Azure Front Door to provide global load balancing and content distribution in front of Application Gateways hosted in 2 or more regions. NSGs can be used on the Application Gateway subnet to only allow traffic from the Front Door service, but the remaining security concern here is that Front Door is a shared service. You probably want to allow traffic only from your Front Door service specifically to prevent an attacker from setting up a “rogue” Front Door instance without WAF in order to circumvent inspection.

Fortunately, Front Door adds a header (X-Azure-FDID) to all traffic it processes, which identifies it as your instance of Front Door. Pictured below is a WAF Custom Rule, AllowFrontDoor in the template, that only allows traffic containing this specific header value. This guarantees that traffic originating from unapproved Front Door instances will not reach your service.

Summary

The preceding example use cases are not very complex in nature, yet they provide considerable results to improve the security of your applications. We hope these samples help you understand how flexible Custom Rules can be, and that you can use this as a starting point to build more advanced rule logic in your environment. There are many possibilities to add complexity and effectiveness to these examples, including using Regex to look for patterns in the request body. If you come up with any particularly useful rules, please feel free to share in the comments here or add a sample to our GitHub repository.

Source : https://techcommunity.microsoft.com/t5/azure-network-security/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020
