Wednesday, June 16, 2021

Protect your Azure hosted applications with Front Door, WAF and OWASP

Say your applications are hosted in Azure. How can you ensure that they are protected from common attacks?

We are far better protected if we can put an intelligent firewall in front of our applications and make sure common attacks are addressed following the guidance of a well recognized body, aren't we?

We can use the Azure Front Door Web Application Firewall (WAF) with Open Web Application Security Project (OWASP) based rules to achieve exactly that.

Let me explain how to do it.

We can implement a custom WAF policy and apply it to frontends in Azure Front Door.

Step 1: Create a WAF policy.

Step 2: Navigate to the Manage rules section. The OWASP rules are enabled by default; you can disable certain rules if you don't need them.

Step 3: Apply the policy to the frontends in Azure Front Door by navigating to the Azure Front Door instance.

That's it. The firewall will now respond to any detected attack with a 403.
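As an added example, not code from the original post, here is the same policy from Steps 1 and 2 declared in Bicep instead of through the portal. The policy name and the single rule chosen for the disable override are assumptions made for illustration; Microsoft_DefaultRuleSet 1.1 is the OWASP based managed rule set Front Door (classic) offers, and 403 is the block response the post describes.

```bicep
// Added example (not from the original post): a Front Door (classic) WAF policy
// equivalent to Steps 1-2. The policy name and the overridden rule id are
// assumptions for illustration; property names follow
// Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01.
param policyName string = 'demoFrontDoorWaf'   // assumed name

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: policyName
  location: 'global'
  sku: {
    name: 'Classic_AzureFrontDoor'
  }
  properties: {
    // Step 1: Prevention blocks matching requests; Detection would only log them
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: 'Enabled'
      customBlockResponseStatusCode: 403   // the 403 the post describes
    }
    managedRules: {
      managedRuleSets: [
        {
          // Step 2: the OWASP CRS based managed rule set, every rule on by default
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '1.1'
          ruleGroupOverrides: [
            {
              // Disable one rule you do not need, as Step 2 allows.
              // 942200 in the SQLI group is used here purely as an illustrative id.
              ruleGroupName: 'SQLI'
              rules: [
                {
                  ruleId: '942200'
                  enabledState: 'Disabled'
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

// Step 3 happens on the Front Door resource: each frontend endpoint is linked
// with webApplicationFirewallPolicyLink: { id: wafPolicy.id }
output wafPolicyId string = wafPolicy.id
```

Deploying the policy in Detection mode first and reviewing the WAF logs before switching to Prevention is the usual way to find rules that need an override for a given application.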

Azure Bastion - A safer way to access your Virtual Machines

Remember the way we used to log in to VMs hosted in our cloud platforms.

We open the RDP port (3389) on the network interface and indefinitely allow users to RDP in.

We might limit the source IP, but we have still opened connectivity to our VMs directly over the internet.

What are the risks associated with the traditional approach?

  • Malicious parties can get access to VMs, as the RDP port and protocol are well known
  • There is no audit of the activity users are performing
  • The VM is directly exposed to the internet

So, what are the workarounds we have been using so far?

  • Change the RDP port to a custom port
  • An RDP jump box (users RDP to the jump box server and from there RDP again to the desired VM)

Is there a permanent solution? Azure Bastion is the way to go.

What is Azure Bastion?

Azure Bastion is a managed service provided by Microsoft Azure. We can add Bastion to our Virtual Network, and it then works as a Network Virtual Appliance (NVA).

This allows users to RDP or SSH to virtual machines without exposing those VMs to the internet, so they do not require public IPs.

Azure Bastion provides the RDP or SSH session within the Azure Portal itself, over HTTPS.

How does it work?

When you create an Azure Bastion service, it creates a Virtual Machine Scale Set (VMSS) in a predefined subnet (AzureBastionSubnet). Since it is a VMSS, it can scale itself based on the number of RDP requests it needs to serve.

When a user chooses to connect to a VM using Azure Bastion:

  • Bastion receives the request over HTTPS
  • Bastion creates the RDP/SSH session internally to the desired VM (using the VM's private IP)
  • The response is sent back to the user over HTTPS