0

I have set up Azure CDN in front of a Storage account to host a static website and also added a Content Delivery Network WAF policy to safeguard against common threats. The Content Delivery Network WAF policy only allows the use of DefaultRuleSet_1.0, which seems fine, but the following are some of the secure-practice requirements I need to fulfil, and I am not sure whether they are covered by DefaultRuleSet_1.0.

- Protection against crawlers and scanners.
- Detection of common application misconfigurations (for example, Apache and IIS).
- Protect applications from bots with the bot mitigation ruleset.
- Inspect JSON and XML in the request body.

My questions:

  1. Does DefaultRuleSet_1.0 protect against the attacks mentioned in the above list?
  2. If DefaultRuleSet_1.0 doesn't, then how can I add protection against these attacks? There is the possibility of adding custom rules, but are they meant for this level of protection?
James Z

1 Answer

0
  1. Bot/crawler/scanner attacks are not covered in the Default Rule Set. There is a separate bot manager ruleset, which is available in the Azure Front Door Premium SKU but is not available for Azure CDN. WAF on Azure CDN from Microsoft is currently in public preview and is provided with a preview service level agreement; certain features may not be supported or may have constrained capabilities. The Azure-managed Default Rule Set includes rules against a few threat categories, as listed in the link below: https://learn.microsoft.com/en-us/azure/web-application-firewall/cdn/cdn-overview#azure-managed-rule-sets. The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
  2. There is the possibility of adding custom rules, but they won't help in getting this level of protection, since they only include match rules and rate control rules with the capabilities described in the link below: https://learn.microsoft.com/en-us/azure/web-application-firewall/cdn/cdn-overview#custom-rules. Since WAF on Azure CDN from Microsoft is currently in public preview, the bot ruleset and additional custom rule capabilities may be added once it goes GA. Please feel free to share your feedback in the forum below, requesting this feature: https://feedback.azure.com/forums/217313-networking?category_id=345019
JayakrishnaGunnam-MT
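The answer above lists what a CDN WAF policy can hold: the managed DefaultRuleSet 1.0 plus custom match rules and rate control rules. The Bicep template below is an added example (not from the question, the answer, or Microsoft's documentation) of a policy that enables DefaultRuleSet 1.0 and uses those two custom-rule types for the partial coverage they can give against crawlers and scanners: a match rule that blocks requests whose User-Agent contains a well-known scanner name, and a rate control rule that blocks a client that exceeds a request threshold. The policy is then linked to a CDN endpoint that fronts the storage static website. The resource names, the origin host name, the User-Agent strings, the threshold and the API version are all placeholders chosen for illustration. This is not a substitute for the bot manager ruleset, which the answer notes is not available on Azure CDN; it only catches clients that announce themselves or that are noisy.

```bicep
// Added example: CDN WAF policy with DefaultRuleSet 1.0 plus custom rules.
// All names below are assumptions for illustration; replace them with your own.
param policyName string = 'cdnwafpolicy01'          // assumed policy name
param profileName string = 'cdnprofile01'           // assumed existing CDN profile (Standard_Microsoft)
param endpointName string = 'staticsite01'          // assumed endpoint name
param originHostName string = 'mystorage.z13.web.core.windows.net' // assumed static website host

resource wafPolicy 'Microsoft.Cdn/cdnWebApplicationFirewallPolicies@2020-09-01' = {
  name: policyName
  location: 'Global'
  sku: {
    name: 'Standard_Microsoft'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      // Prevention blocks matching requests; use Detection first to tune rules on log data.
      mode: 'Prevention'
      defaultCustomBlockResponseStatusCode: 403
    }
    managedRules: {
      managedRuleSets: [
        {
          // The only managed rule set available on CDN WAF, as the answer states.
          ruleSetType: 'DefaultRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    customRules: {
      rules: [
        {
          // Match rule: block self-identifying scanner/crawler tools by User-Agent.
          // Only catches tools that do not spoof the header; not a bot ruleset.
          name: 'BlockKnownScannerUserAgents'
          priority: 10
          enabledState: 'Enabled'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestHeader'
              selector: 'User-Agent'
              operator: 'Contains'
              negateCondition: false
              transforms: [
                'Lowercase'
              ]
              matchValue: [
                'nikto'
                'sqlmap'
                'masscan'
              ]
            }
          ]
        }
      ]
    }
    rateLimitRules: {
      rules: [
        {
          // Rate control rule: block a client IP that sends more than the threshold
          // of requests in the window. The threshold is an assumed value; tune it to
          // the site's legitimate traffic before enabling Prevention mode.
          name: 'RateLimitPerClient'
          priority: 20
          enabledState: 'Enabled'
          action: 'Block'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 300
          matchConditions: [
            {
              // Every request path contains '/', so this condition matches all requests.
              matchVariable: 'RequestUri'
              operator: 'Contains'
              negateCondition: false
              matchValue: [
                '/'
              ]
            }
          ]
        }
      ]
    }
  }
}

resource cdnProfile 'Microsoft.Cdn/profiles@2020-09-01' existing = {
  name: profileName
}

resource endpoint 'Microsoft.Cdn/profiles/endpoints@2020-09-01' = {
  parent: cdnProfile
  name: endpointName
  location: 'Global'
  properties: {
    isHttpAllowed: false
    isHttpsAllowed: true
    originHostHeader: originHostName
    origins: [
      {
        name: 'staticwebsite'
        properties: {
          hostName: originHostName
        }
      }
    ]
    // Attach the WAF policy to the endpoint.
    webApplicationFirewallPolicyLink: {
      id: wafPolicy.id
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file cdn-waf.bicep` and verify the policy in Detection mode first: the WAF logs show which rule (managed DRS rule or custom rule) matched each request, which is the only way to confirm that the rate threshold and User-Agent list are not blocking legitimate visitors before switching to Prevention.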