Threat intelligence at scale!
Changes in the way we work and run our businesses have pushed every business to now be a digital business. This acceleration of digital transformation has also led to an increase in security risks. Cyber attacks are becoming more frequent and sophisticated with growing attack surfaces due to the proliferation of mobile and IoT devices and increasing cloud adoption. Basic defenses are no longer sufficient as new attack vectors have emerged and attacks have become more sophisticated with automated and large-scale attacks. To help our customers overcome these security challenges, we have evolved Azure Web Application Firewall (Azure WAF)our cloud-native, self-managed security service to protect your applications and APIs running on Azure or elsewhere – from the network edge to the cloud.
A brief introduction to Azure WAF
We offer two options – global and regional – for deploying Azure WAF for your applications and APIs.
- Global WAF: Azure WAF attaches to Azure Front Door, our native modern cloud content delivery network (CDN), to provide global application acceleration and intelligent security at scale. Azure WAF stops network edge security attacks closer to the attack source with over hundreds of edge locations around the world.
- Regional WAF: Azure WAF is attached to Azure Application Gateway, a highly scalable regional web application load balancer running in a virtual network. It manages traffic for internal and external websites and provides application protection in over 60 Azure regions worldwide.
What has changed?
We’re excited to share the latest updates and announce many new features that will bring customers better security, improved scalability, easier deployment and better management their applications.
Application and API protection
- Improved security posture with new rule sets: On March 29 we have announced The general availability of Managed Default Rule Set 2.0 (DRS 2.0) integrated with the Azure Front Door premium plan. DRS 2.0 includes the latest Microsoft proprietary rules created by Microsoft Threat Intelligence. Today we’re excited to announce the general availability of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set 3.2 (CRS 3.2) in the regional WAF attached to Azure Application Gateway. These updated rule sets provide increased coverage for web vulnerabilities, reduce false positives, and protect against specific vulnerabilities such as: Log4J and SpringShell CVEs.
- Anomaly scoring with reduced false positives: As with the regional WAF, we have also introduced anomaly scoring with DRS 2.0 to the global WAF, which helps to drastically reduce false positives for customer applications. In anomaly scoring In Anomaly mode, when an incoming request violates the WAF rule, it is assigned an anomaly score based on the severity of the rule and takes no action unless the anomaly score reaches a threshold.
- Increased size restrictions: With CRS 3.2, the regional WAF can now support request body size verification up to 2 MB and file upload size up to 4 GB.
- API security: With DRS 2.0, the global WAF now also supports XML and JSON content types which enable on-demand validation to secure inbound traffic. Azure WAF on Azure Front Door and Azure Application Gateway seamlessly integrates with Azure API Management to provide advanced API management and security features.
- Advanced customization with exclusions per rule: As with the global WAF, we are also introducing today exceptions per rule with CRS 3.2 on regional WAF with Application Gateway. Exclusions allow you to override the behavior of the WAF engine by specifying specific request attributes to exclude from rule evaluation. Additionally, we now allow definitions of attribute exclusions by name or value of headers, cookies, and arguments. Exclusions can be applied to a rule, a rule set, a rule group, or globally to the entire rule set, providing increased flexibility to reduce false positives and meet application-specific needs. This feature is currently available through Azure Resource Manager, PowerShell, CLI, and SDK. Integration with the Azure portal will be available soon.
Bots have become an integral part of our customers’ digital footprints, helping to automate and perform key functions. However, attackers are increasingly taking advantage of this by manipulating bots to perform malicious tasks. We are continuously improving our platform capabilities to better protect against bot attacks – bot protection with Bot Manager 1.0 rule set is available through integration with Azure Front Door premium tier. Our bot detection and protection rules are powered by Microsoft Threat Intelligence and support bot classification for good, bad, and unknown bots. Malicious bots include bots from malicious IP addresses or bots with fake identities. The malicious IPs are provided by Microsoft’s threat intelligence feed, which is based on feeds from external providers and internal threat intelligence. For good bots, WAF uses reverse DNS lookups to verify that the user-agent and IP address range match what the agent claims. Bot signatures are dynamically managed and automatically updated by WAF as new threat actors are detected.
Performance and scalability with the next generation of the WAF engine
We are pleased to announce the general availability of our next generation WAF engine on Azure Application Gateway. The new WAF engine released with CRS 3.2 is a high-performance, scalable Microsoft proprietary engine and features significant improvements over the previous WAF engine.
Benefits of the new Azure WAF engine include:
- Improved performance: In our test lab, the new engine resulted in a significant reduction in WAF latencies compared to the previous engine version. We also observed a significant reduction in P99 tail latencies with up to ~8x reduction in POST request processing and ~4x reduction in GET request processing.
- Increased scale: Our next-gen engine can scale up to 8x more RPS with the same processing power and is able to handle 16x larger request sizes (now up to 2MB request size), which was previously not possible with the previous engine was.
- Better protection: New overhauled engine with efficient regex processing provides better protection against RegEx DoS attacks.
- More extensive range of functions: The new engine is available with version CRS 3.2. New features and future enhancements are only available through the new engine and later versions of CRS. Customers are strongly advised to upgrade to the CRS 3.2 release. We are in the process of phasing out CRS 2.2.9 and will stop onboarding new customers to the older CRS 2.2.9 version. Existing customers on CRS 2.2.9 will continue to be supported.
To learn more about the new engine, see WAF engine documentation.
administration and monitoring
- Native consistent experience with WAF policy: Application Gateways WAF v2 is now used natively regional WAF policy instead of config By default, Azure Application Gateway eliminates the need for the legacy WAF configuration environment. All latest features and future improvements will be available via WAF policies. Application Gateway configuration is still supported for existing deployments of v1 and v2 SKUs, but customers are strongly encouraged to migrate to Application Gateway v2 with WAF policies, which provide richer functionality and improved experiences at no additional cost. Azure policies can be shared across multiple application gateway deployments, simplifying the management experience. With Azure Policy, customers can easily automate the deployment and delivery of applications using DevOps and APIs friendly tools – Azure Resource Manager, REST API, PowerShell, CLI and Terraform.
- Advanced analysis functions: You can now access again Azure Monitor metrics for regional WAF for more effective monitoring, troubleshooting, and troubleshooting. Azure Monitor logs and metrics for WAF can be streamed to a central log platform for advanced log analysis and are further used by Microsoft Sentinel and Microsoft Defender for Cloud for security monitoring and alerting. Microsoft Sentinel integration enables security analysts to analyze and correlate data from other sources, detect threats, and automate incident response. For example, we recently released sentinel hunting queries to detect and respond to critical zero-day vulnerabilities such as:Log4J Sentinel hunt queries and SpringShell Sentinel hunt queries.
- Integrated security reports: security reports on Azure Front Door provide powerful visualization of WAF patterns, trends by action, and events by rule types and rule groups. Security threat analysts can view the top events by different dimensions like IP, Country, URL, Hostname and User Agent for threat analysis.
- Improved manageability: Azure WAF integration with Azure Firewall Manager is coming soon. With this integration, customers can manage WAF policies for applications hosted on Azure Front Door and Azure Application Gateway platforms.
Get started and share your feedback
You can try Azure WAF today with Azure Application Gateway and Azure Front Door. Visit Azure WAF documentation to learn more. As we continue to improve the Azure WAF offering, we’d love to hear your feedback. Publish your ideas and suggestions on the Network Community Page or email us firstname.lastname@example.org.