Web Application Firewall

Securing Azure Application Gateway

gregg rodriguez / 03.27.19

Web applications are becoming frequent targets of malicious attacks that exploit common vulnerabilities, such as SQL injection or cross-site scripting, which makes securing your Azure Application Gateway more critical than ever.

Preventing such attacks in application code can be a sizeable challenge, as it requires rigorous maintenance, patching and monitoring at multiple layers. Using a centralized web application firewall (WAF) can help you simplify security management. WAF is a feature of Azure Application Gateway that provides centralized protection of your web applications from those common threats and vulnerabilities.

Because protection is applied in one place instead of in each individual web application, a WAF can react to a security threat faster, blocking known attacks before they reach vulnerable endpoints. In addition, your existing application gateway can be converted to a WAF-enabled application gateway relatively easily.

What is Azure Application Gateway?

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure.

Benefits 

  • Control the size of the gateway and scale your deployment based on your needs
  • Get load balancing and application-level routing for building a high-performing, scalable web front end
  • Manage traffic with the round robin load balancing provided by Application Gateway. This is done for HTTP(S) traffic at Layer 7
  • Build a secure web front end with efficient backend servers and also streamline your certificate management by using SSL offload.

Risks of a misconfigured Azure Application Gateway

  • If your web application firewall (WAF) is not enabled, your application gateway will be vulnerable to attacks such as SQL injection, cross-site scripting, and session hijacks.
  • If your Application Gateway does not have end-to-end SSL configured, you will not be able to transmit sensitive data to the backend encrypted, nor ensure that the application gateway only communicates with known instances.
  • If your Application Gateway does not have SSL enabled on the front end, the gateway will not apply the routing rules to the traffic, nor forward the packet to the appropriate back-end server based on the routing rules you have defined.
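
The three misconfigurations above can be checked against a gateway's exported configuration. The following is an added example, not code from Halo or Microsoft: it assumes the JSON shape printed by `az network application-gateway show`, runs on a constructed sample gateway, and goes slightly beyond the list by also flagging a WAF left in detection-only mode.

```python
import json

# Constructed sample in the shape `az network application-gateway show` prints
# (assumption: the CLI's flattened property names); not a real gateway.
SAMPLE_GATEWAY = json.loads("""
{
  "name": "appgw-example",
  "webApplicationFirewallConfiguration": {
    "enabled": true, "firewallMode": "Detection",
    "ruleSetType": "OWASP", "ruleSetVersion": "3.0"
  },
  "httpListeners": [
    {"name": "public-http", "protocol": "Http"},
    {"name": "public-https", "protocol": "Https"}
  ],
  "backendHttpSettingsCollection": [
    {"name": "to-backend", "protocol": "Http", "port": 80}
  ],
  "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_0"}
}
""")

WEAK_TLS = {"TLSv1_0", "TLSv1_1"}  # versions the custom SSL policy can disable

def audit_gateway(gw):
    """Return (check_id, detail) findings for one gateway's exported config."""
    findings = []
    waf = gw.get("webApplicationFirewallConfiguration") or {}
    if gw.get("firewallPolicy"):
        pass  # WAF settings live in a separate policy resource; audit that instead
    elif not waf.get("enabled"):
        findings.append(("waf-disabled", "WAF is not enabled"))
    elif waf.get("firewallMode") != "Prevention":
        findings.append(("waf-detect-only", "WAF logs matches but does not block"))
    for listener in gw.get("httpListeners", []):
        if listener.get("protocol", "").lower() != "https":
            findings.append(("frontend-no-ssl", listener.get("name", "?")))
    for setting in gw.get("backendHttpSettingsCollection", []):
        if setting.get("protocol", "").lower() != "https":
            findings.append(("backend-no-ssl", setting.get("name", "?")))
    min_tls = (gw.get("sslPolicy") or {}).get("minProtocolVersion")
    if min_tls in WEAK_TLS:
        findings.append(("weak-tls", f"minimum protocol is {min_tls}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_gateway(SAMPLE_GATEWAY):
        print(f"{check}: {detail}")
```

A gateway that sets no explicit `minProtocolVersion` (for example, one using a predefined policy) is not flagged by the last check and needs its policy name reviewed separately.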

Cloud security requires a shared approach

Cloud computing is based on a new infrastructure model requiring a new approach to security. In the Azure environment, Microsoft provides a secure foundation across physical, infrastructure, and operational security, while you maintain responsibility for protecting the security of your application workloads, data, identities, on-premises resources, and all the cloud components under your control. This is referred to as the “Shared Responsibility Model.”

You can ensure the security of all your Azure resources by fulfilling your end of the shared responsibility model based on security best practices.

How Halo can help secure your Azure Application Gateway

Halo Cloud Secure can help ensure your Azure Application Gateway:

  • Includes a WAF using OWASP rules to protect your application against attacks such as SQL injection, cross-site scripting, and session hijacks
  • Includes properly configured SSL supporting end-to-end encryption of traffic by terminating the SSL connection at the application gateway, applying the routing rules, and forwarding the traffic to the appropriate back-end server.
  • Has SSL enabled on the front end to support defining custom SSL options and disabling the following protocol versions: TLSv1.0, TLSv1.1, and TLSv1.2, as well as defining which cipher suites to use and the order of preference.

Read our solution brief to learn more about how Halo Cloud Secure can help reduce your cloud attack surface with security best practices.