Securing Your Web Application in Azure with a WAF Christian Folini Jason Haley September 2017 Do you have a Web Application hosting in Azure using either IaaS or PaaS?  In this talk, we’ll start with a look at what a web application firewall (WAF) is and why you would want to use one.  Then once you understand what a WAF can do for you, we’ll then look at some options you have in Azure for adding a WAF in front of your application. For demos, we’ll take a look at adding a WAF in front of an App Service Web App and then a Web Application hosted on a VM in Azure.  If we have time we can see how the site handles some malicious requests with and without a WAF.

Jason Haley Jason Haley Consulting LLC Salem, MA Azure & Angular Consultant Microsoft Azure MVP @halejason http://jasonhaley.com Organize North Boston Azure and DevBoston User Groups Jason Haley Consulting LLC

Securing Your Web Application

OWASP OWASP (Open Web Application Security Project) Foundation is a not-for-profit international organization dedicated “enabling organizations to conceive, acquire, operate, and maintain applications that can be trusted”. - https://www.owasp.org OWASP Top 10 Project - most critical web application security risks OWASP Application Security Verification Standard Project – provides developers with a list of requirements for secure development OWASP ModSecurity Core Rule Set (CRS) – pluggable set of generic attack detection rules that provide a base level of protection for any web application.

OWASP Top ten Project (2013) Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfigurations Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Known Vulnerable Components Unvalidated Redirects and Forwards

Penetration Test (Pen Test) A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. – Wikipedia

Penetration Test - Outcomes Prioritized list of known vulnerabilities Steps in how to reproduce Steps in how to fix Retest to verify fixes

What Else can you do? Build security into the code from the start OWASP ASVS can help Security reviews of the code Add security layers to the application

What is a WAF? Intrusion detection system – monitors a network for malicious activity or policy violations. Firewall – monitors and controls in/out traffic based on rules Web application firewall – monitors in/out HTTP traffic of a web application based on rules WAFs are a type of reverse proxy – it monitors traffic while it retrieves resources on behalf of a client from one or more servers.

What are the options if you are in Azure? External to Azure (Akamai, CloudFlare, others) In the Azure Marketplace (Baracuda, F5, others) Azure networking product - Application gateway

What is application gateway? HTTP (layer 7) load balancer Cookie affinity for session state SSL offload Private or Public (can also use with Web Apps) WAF using ModSecurity ModSecurity is the Engine OWASP Core Rule Set (CRS) are the rules Load Balancer is Layer 4 (transport): TCP/UDP

Web Applications in Azure How can you add it to a Web App (PaaS)? Currently have to use custom ARM template or use PowerShell/CLI backendHttpSettingsCollection.pickHostNameFromBackendAddress=true Probe.pickHostNameFromBackendHttpSettings=true How can you add it to a Web App (IaaS)?