Azure Web Application Firewalls: Are they Effective Security Controls?
As always, the answer, from any cyber security consultant, will be: ‘that depends’.
In the ever-evolving landscape of cybersecurity, Web Application Firewalls (WAFs) play a pivotal role in safeguarding web applications from a multitude of online threats. Azure WAF, offered by Microsoft’s cloud platform, empowers businesses to fortify their applications against a range of attacks. One of the intriguing features of Azure WAF is the ability to implement custom rules, allowing organizations to tailor their security measures. However, while custom rules offer flexibility, they also introduce a set of risks, particularly the possibility of overriding existing rules. In this blog, we will delve into the potential dangers of implementing custom rules in Azure WAF and explore strategies to mitigate these risks.
The blurb about the Azure WAF
Let’s start with how Microsoft market their Azure WAF as a security control. The following is taken from their WAF solution web pages, click here.
Azure Web Application Firewall is a cloud-native service that protects web apps from common web-hacking techniques such as SQL injection and security vulnerabilities such as cross-site scripting. Deploy the service in minutes to get complete visibility into your environment and block malicious attacks.
Protect web apps with managed rule sets
Protect your web applications in just a few minutes with the latest managed and preconfigured rule sets. The Azure Web Application Firewall detection engine combined with updated rule sets increases security, reduces false positives, and improves performance.
Meet security requirements with agentless deployment
Easily deploy Azure Web Application Firewall security with no additional software agent required. Centrally define and customise rules to meet your security requirements, then apply them to protect all your web apps.
Improve visibility into security and analytics
Experience seamless integration with security information event management (SIEM) tools in Azure. Access prebuilt workbooks with Azure Sentinel and modify them to fit your organisation’s needs.
Achieve organizational compliance fast
Use Azure Policy to help enforce organisational standards and assess compliance at scale for Web Application Firewall resources. Get an aggregated view to evaluate the overall state of your environment.
Improve security and optimize performance at the edge
Deploy Azure Web Application Firewall in Azure Front Door for advanced security, scalability, and accelerated delivery of apps to global users.
Monitor security alerts and logs
Use Azure Monitor to track diagnostic information including security alerts and logs that provide detailed reporting on detected threats.
Managing the Azure WAF in the Real World
In theory, if we take all the above statements about the WAF at face value then we should expect an improvement in the security of any applications that are protected by the web application firewall.
From engagements where we were asked to look into the Azure WAF implementation we found that there are pitfalls that could snare the unwary. These pitfalls would leave you thinking you have WAF protections for your application, when you actually don’t. We found these pitfalls are mainly around the custom rules that can be used with the Azure WAF.
Custom rules in Azure WAF provide organisations with the ability to define specific security rules that suit their unique application requirements. These rules can be crafted to identify and mitigate application-specific threats that might not be covered by default rules. This flexibility empowers businesses to enforce granular security measures, aligning with their specific use cases.
While the allure of custom rules is strong, the dangers they pose are equally significant. One of the most critical risks associated with implementing custom rules is the potential to override existing rules. Azure WAF comes with a comprehensive set of pre-configured rules that address common vulnerabilities and threats (the managed rules). These rules are carefully curated and tested to provide a baseline level of protection. Overriding these rules inadvertently can lead to weakening the security posture and exposing applications to potential exploits.
Understanding the Risks of Custom Rules
Unintended Vulnerabilities: When custom rules are implemented without due diligence, they might inadvertently introduce vulnerabilities or create loopholes in the security framework. Without proper review and testing, attackers could exploit these weak points to breach the application. Unfortunately the Azure WAF has some operational gotchas:
a) Custom rules have two options if they match a request. The rule can allow the request or the rule can block the request. Blocking is the normal behaviour. Unfortunately it is common to tune a WAF when first placed in front of an application. The initial set up is to place the WAF in monitoring mode. In this mode it simply logs what it would have done with the requests that it sees. This is to ensure the availability of the protected application is not affected once the WAF is placed in blocking mode. Operators can tune the WAF rules to ensure innocent requests that happen to have similar characteristics to a genuine attacking request are not blocked. Operators tend to create ‘Allow’ custom rules for these types of requests.
b) The Azure WAF has a number of built in rules (for example OWASP top ten based rules to prevent OWASP top ten type attacks). These are called managed rules. Unfortunately Custom rules always are checked before the managed rules are checked.
c) In the Azure WAF, the first rule to match prevents further rules from being checked. This means if a Custom rule is created, it matches a request and that rule is set to allow the request, no further rules are checked. No security checking by the WAF will be performed.
False Positives/Negatives: Misconfigured custom rules can trigger false positives (blocking legitimate traffic) or false negatives (allowing malicious traffic). Such inaccuracies can disrupt normal application functionality or provide attackers with an avenue to infiltrate the system.
a) Operators creating rules may not realise the security importance of making their custom rules match on very specific conditions. They will be more concerned in making sure their user base can still access the applications behind the WAF. Application availability is the major concern.
b) Therefore the custom rules they create to allow access, tend (from our experience) to be very wide ranging. Hostile requests are now very unlikely to be stopped by the WAF. This is a very common way for WAFs to err on the side of caution and handle requests in a false negative way – allowing malicious requests.
Maintenance Overhead: As the application evolves, so do the threats it faces. Custom rules require continuous monitoring, updating, and refining to stay effective. Failing to keep up with these demands can lead to rule obsolescence, leaving the application vulnerable.
a) When a user reports their innocent request has been blocked, it is common in the interests of expediency, to create allow rules to give the user access.
Complexity: Overriding existing rules can lead to a convoluted rule set, making it harder to manage and troubleshoot. This complexity can obscure the actual security landscape and hamper incident response efforts.
a) It takes a skilled operator to create a rule that matches a specific condition. Knowledge of Boolean logic and complex Regular Expressions are a required skill. We have found few WAF administrators have these skills.
b) Custom rules created for the Azure WAF need the utmost care and attention. This level of scrutiny is a lifetime commitment. For some types of application – for example, WIKIs and ticketing applications, the range of innocent requests make using a WAF in blocking mode infeasible.
We propose several mitigation strategies to deal with the points raised above.
- Thorough Testing: Rigorously test custom rules in a controlled environment before deploying them to production. This testing should encompass different scenarios to ensure that the rules accurately distinguish between legitimate and malicious traffic.
- No Custom Allow Rules are Allowed: Unless the match expression is exceedingly specific. If not any one of these types of rules can completely negate the security control benefit of the WAF.
- Gradual Implementation: Instead of replacing existing rules entirely, consider gradually integrating custom rules alongside default ones. This approach allows for a smoother transition and minimises the risk of sudden vulnerabilities, or more likely, a loss of availability of the applications.
- Regular Auditing: Conduct regular security audits to assess the effectiveness of both default and custom rules. This helps in identifying misconfigurations, false positives, false negatives, and the overall health of your security posture.
- Collaboration and Expertise: Involve cybersecurity experts who specialise in WAF configurations. Their insights can help design, implement, and maintain effective custom rules while safeguarding against unintended consequences.
- Monitor Mode: There will be times when monitoring of the requests is the most a WAF can be allowed to do. The applications simply take too wide a range of valid input that would trigger the WAF to block. In this instance, set the WAF to monitor mode and send the WAF logs to a SIEM. Allow the SOC to create mode fine tuned alerting based on behaviour, logs from other security controls etc. SOCs using their increased intelligence, behaviour analytics and automation can go a long way to removing noisy WAFs log entries.
Custom rules in Azure WAF hold immense potential for enhancing application security, but their implementation should be approached with caution. The risk of overriding existing rules and inadvertently weakening the security framework underscores the need for a strategic and well-informed approach. By comprehensively testing, carefully planning, and continuously auditing custom rules, organisations can navigate the perils and harness the benefits of this powerful feature without compromising their application’s security.