News

Microsoft Makes Azure Web Application Firewall Generally Available

• By Jeffrey Schwartz
• April 03, 2017

Microsoft's new Web Application Firewall (WAF) option for its Azure Application Gateway is now out of preview.

Microsoft first announced the centralized WAF service, which is designed to protect Web apps running in the Azure public cloud from common exploits like SQL injection and cross-site scripting attacks, at its Ignite conference last fall.

Preventing layer-7 app-level attacks is difficult, requiring laborious maintenance, patching and monitoring throughout the application tiers, according to Yousef Khalidi, Microsoft corporate vice president for Azure Networking. "A centralized Web application firewall (WAF) protects against Web attacks and simplifies security management without requiring any application changes," Khalidi said in a blog post last week announcing the release of the Azure WAF service. "Application and compliance administrators get better assurance against threats and intrusions."

Microsoft's Azure Application Gateway is the company's application delivery controller (ADC) layer-7 network service, which includes SSL termination, load distribution and URL path-based routing, and can host multiple sites, according to Khalidi. The new ADC service in Azure also offers SSL policy control and end-to-end SSL encryption and logging.

"Web Application Firewall integrated with Application Gateway's core offerings further strengthens the security portfolio and posture of applications protecting them from many of the most common Web vulnerabilities, as identified by Open Web Application Security Project's (OWASP) top 10 vulnerabilities," Khalidi noted. The WAF comes with OWASP ModSecurity Core Rule Set (3.0 or 2.2.9), designed to protect against these common threats, he added.

Besides SQL injection and cross-site scripting, Khalidi noted that WAF protects against command injection, HTTP request smuggling, HTTP response splitting and remote file inclusion attacks. It also addresses HTTP protocol violations, bots, crawlers, scanners and common misconfiguration of application infrastructures, notably in IIS and Apache.

As one would expect from a WAF, Microsoft's new services is designed to fend off denial-of-service attacks occurring simultaneously against multiple Web apps. The Azure Application Gateway can currently host up to 20 sites behind each gateway, all of which can defend against such attacks. The service is offered with the medium and large Azure Application Gateway types, which cost $94 and $333 per month, respectively.

Microsoft said it intends to add the new WAF service through its Azure Security Service, which scans cloud-based subscriptions for vulnerabilities and recommends ways to remediate issues that are discovered. That service currently didn't include protection of Web apps that aren't scanned by a WAF, though it does offer third-party firewalls from Barracuda Networks Inc., Check Point Software Technologies Inc., Cisco, CloudFlare, F5, Fortinet Inc., Imperva Inc. and Trend Micro, among others.