Web application firewall for Azure Application Gateway

Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

Preventing such attacks in application code is challenging. It can require rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A centralized web application firewall helps make security management much simpler. A WAF also gives application administrators better assurance of protection against threats and intrusions.

A WAF solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each individual web application. Existing application gateways can easily be converted into firewall-enabled application gateways.

The Application Gateway WAF is based on Core Rule Set (CRS) 3.0 or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF automatically updates to include protection against new vulnerabilities, with no additional configuration needed.

[Diagram: Application Gateway WAF]

Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.

Application Gateway security enhancements include SSL policy management and end-to-end SSL support. Application security is strengthened by WAF integration into Application Gateway. The combination protects your web applications against common vulnerabilities. And it provides an easy-to-configure central location to manage.

Benefits

This section describes the core benefits that Application Gateway and its WAF provide.

Protection

  • Protect your web applications from web vulnerabilities and attacks without modification to back-end code.

  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 100 websites that are protected by a web application firewall.

Monitoring

  • Monitor attacks against your web applications by using a real-time WAF log. The log is integrated with Azure Monitor to track WAF alerts and easily monitor trends.

  • The Application Gateway WAF is integrated with Azure Security Center. Security Center provides a central view of the security state of all your Azure resources.

Customization

  • You can customize WAF rules and rule groups to suit your application requirements and eliminate false positives.

Features

  • SQL-injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
  • Protection against bots, crawlers, and scanners.
  • Detection of common application misconfigurations (for example, Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields.

Core rule sets

Application Gateway supports two rule sets, CRS 3.0 and CRS 2.2.9. These rules protect your web applications from malicious activity.

The Application Gateway WAF comes preconfigured with CRS 3.0 by default. But you can choose to use CRS 2.2.9 instead. CRS 3.0 offers reduced false positives compared with CRS 2.2.9. You can also customize rules to suit your needs.

The WAF protects against the following web vulnerabilities:

  • SQL-injection attacks
  • Cross-site scripting attacks
  • Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • HTTP protocol violations
  • HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
  • Bots, crawlers, and scanners
  • Common application misconfigurations (for example, Apache and IIS)

OWASP CRS 3.0

CRS 3.0 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

| Rule group | Description |
|---|---|
| REQUEST-911-METHOD-ENFORCEMENT | Lock-down methods (PUT, PATCH) |
| REQUEST-913-SCANNER-DETECTION | Protect against port and environment scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT | Protect against protocol and encoding issues |
| REQUEST-921-PROTOCOL-ATTACK | Protect against header injection, request smuggling, and response splitting |
| REQUEST-930-APPLICATION-ATTACK-LFI | Protect against file and path attacks |
| REQUEST-931-APPLICATION-ATTACK-RFI | Protect against remote file inclusion (RFI) attacks |
| REQUEST-932-APPLICATION-ATTACK-RCE | Protect against remote code execution attacks |
| REQUEST-933-APPLICATION-ATTACK-PHP | Protect against PHP-injection attacks |
| REQUEST-941-APPLICATION-ATTACK-XSS | Protect against cross-site scripting attacks |
| REQUEST-942-APPLICATION-ATTACK-SQLI | Protect against SQL-injection attacks |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Protect against session-fixation attacks |

OWASP CRS 2.2.9

CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

| Rule group | Description |
|---|---|
| crs_20_protocol_violations | Protect against protocol violations (such as invalid characters or a GET with a request body) |
| crs_21_protocol_anomalies | Protect against incorrect header information |
| crs_23_request_limits | Protect against arguments or files that exceed limitations |
| crs_30_http_policy | Protect against restricted methods, headers, and file types |
| crs_35_bad_robots | Protect against web crawlers and scanners |
| crs_40_generic_attacks | Protect against generic attacks (such as session fixation, remote file inclusion, and PHP injection) |
| crs_41_sql_injection_attacks | Protect against SQL-injection attacks |
| crs_41_xss_attacks | Protect against cross-site scripting attacks |
| crs_42_tight_security | Protect against path-traversal attacks |
| crs_45_trojans | Protect against backdoor trojans |

WAF modes

The Application Gateway WAF can be configured to run in the following two modes:

  • Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. The web application firewall doesn't block incoming requests when it's operating in Detection mode.
  • Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives a "403 unauthorized access" exception, and the connection is terminated. Prevention mode records such attacks in the WAF logs.

Anomaly Scoring mode

OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.

In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand. But the lack of information about how many rules match a specific request is a limitation. So, Anomaly Scoring mode was introduced. It's the default for OWASP 3.x.

In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Rules have a certain severity: Critical, Error, Warning, or Notice. That severity affects a numeric value for the request, which is called the Anomaly Score. For example, one Warning rule match contributes 3 to the score. One Critical rule match contributes 5.

| Severity | Value |
|---|---|
| Critical | 5 |
| Error | 4 |
| Warning | 3 |
| Notice | 2 |

There's a threshold of 5 for the Anomaly Score to block traffic. So, a single Critical rule match is enough for the Application Gateway WAF to block a request, even in Prevention mode. But one Warning rule match only increases the Anomaly Score by 3, which isn't enough by itself to block the traffic.

Note

The message that's logged when a WAF rule matches traffic includes the action value "Blocked." But the traffic is actually only blocked for an Anomaly Score of 5 or higher.
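To make the interaction between WAF mode, severity weights and the threshold concrete, here is a small model of the decision described in the WAF modes and Anomaly Scoring sections above. It is an added illustration, not Azure's or OWASP's code: the severity values and the blocking threshold of 5 are the ones the page states, the per-rule log entries carry the action value "Blocked" regardless of the final outcome (as the note explains), and the rule IDs, severities and messages used in the sample scenarios are constructed for illustration rather than taken from the real rule set.

```python
"""Model of the Application Gateway WAF blocking decision under CRS 3.x
Anomaly Scoring mode. Added example; not Azure's or OWASP's code."""
from dataclasses import dataclass

# Severity weights and threshold as given on the page.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5  # a summed Anomaly Score at or above this blocks
MODES = ("Detection", "Prevention")


@dataclass(frozen=True)
class RuleMatch:
    rule_id: str      # constructed sample value in the scenarios below
    severity: str     # one of SEVERITY_SCORE's keys
    message: str


def anomaly_score(matches):
    """Sum the severity values of every rule that matched one request."""
    return sum(SEVERITY_SCORE[m.severity] for m in matches)


def evaluate(matches, mode):
    """Decide what happens to a request that produced `matches`.

    Returns (final_action, score, log_entries). Every per-rule log entry
    carries action "Blocked", mirroring the note that the logged action
    value alone does not mean the request was blocked; the real outcome is
    only "blocked" in Prevention mode with a score >= BLOCK_THRESHOLD.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    entries = [
        {"ruleId": m.rule_id, "message": m.message, "action": "Blocked"}
        for m in matches
    ]
    score = anomaly_score(matches)
    if mode == "Prevention" and score >= BLOCK_THRESHOLD:
        return "blocked", score, entries
    return "allowed", score, entries


def sample_scenarios(mode="Prevention"):
    """Run the three cases the text walks through, plus two Warnings that
    together cross the threshold. Rule IDs/severities are constructed."""
    warning = RuleMatch("RULE-W1", "Warning", "constructed warning-level match")
    warning2 = RuleMatch("RULE-W2", "Warning", "second constructed warning")
    critical = RuleMatch("RULE-C1", "Critical", "constructed critical-level match")
    return {
        "one_warning": evaluate([warning], mode)[0],        # 3 < 5 -> allowed
        "one_critical": evaluate([critical], mode)[0],      # 5 >= 5 -> blocked
        "two_warnings": evaluate([warning, warning2], mode)[0],  # 6 -> blocked
    }


if __name__ == "__main__":
    for mode in MODES:
        print(mode, sample_scenarios(mode))
```

The useful takeaway for anyone reading WAF logs is the last point: count matches per request and add up their weights before concluding that a request was dropped, because a single entry marked "Blocked" may belong to a request that the gateway still forwarded.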

WAF monitoring

Monitoring the health of your application gateway is important. Monitoring the health of your WAF and the applications that it protects is supported by integration with Azure Security Center, Azure Monitor, and Azure Monitor logs.

[Diagram: Application Gateway WAF diagnostics]

Azure Monitor

Application Gateway logs are integrated with Azure Monitor. This allows you to track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab in the Application Gateway resource in the portal or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.

Logging

Application Gateway WAF provides detailed reporting on each threat that it detects. Logging is integrated with Azure Diagnostics logs. Alerts are recorded in JSON format.

[Screenshot: Application Gateway diagnostics log window]

{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupId}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{appGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "104.210.252.3",
    "clientPort": "4835",
    "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "941320",
    "message": "Possible XSS Attack Detected - HTML Tag Handler",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
      "data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
      "file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
      "line": "865"
    }
  }
} 
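A practitioner usually wants to do more with these records than read them one at a time. The following added example (not Microsoft's code or tooling) parses firewall-log records in the layout of the sample entry above and aggregates alerts by rule, client and action. It assumes the exported document is either a `{"records": [...]}` wrapper, a bare JSON array, or newline-delimited JSON objects; the four records embedded in it are constructed test data (TEST-NET addresses, placeholder resource names, and timestamps chosen for the sample), not real events, and one of them is an access-log record included only to show that non-firewall categories are filtered out.

```python
"""Parse and summarize Application Gateway firewall log records.
Added example; the record layout follows the sample entry above."""
import json
from collections import Counter
from urllib.parse import unquote

FIREWALL_CATEGORY = "ApplicationGatewayFirewallLog"
RESOURCE = ("/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupId}"
            "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{appGatewayName}")


def _fw(time, ip, rule, msg, action, uri):
    """Build one firewall-log record in the page's layout (constructed data)."""
    return {
        "resourceId": RESOURCE,
        "operationName": "ApplicationGatewayFirewall",
        "time": time,
        "category": FIREWALL_CATEGORY,
        "properties": {
            "instanceId": "ApplicationGatewayRole_IN_0",
            "clientIp": ip, "clientPort": "4835", "requestUri": uri,
            "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
            "ruleId": rule, "message": msg, "action": action, "site": "Global",
        },
    }


# Constructed sample records: 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    _fw("2017-03-20T15:52:09Z", "203.0.113.10", "941320",
        "Possible XSS Attack Detected - HTML Tag Handler", "Blocked",
        "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E"),
    _fw("2017-03-20T15:52:11Z", "203.0.113.10", "920300",
        "Request Missing an Accept Header", "Detected", "/health"),
    _fw("2017-03-20T15:53:40Z", "203.0.113.22", "941320",
        "Possible XSS Attack Detected - HTML Tag Handler", "Blocked",
        "/search?q=%3Cscript%3E"),
    {"resourceId": RESOURCE, "operationName": "ApplicationGatewayAccess",
     "time": "2017-03-20T15:53:41Z", "category": "ApplicationGatewayAccessLog",
     "properties": {"clientIp": "203.0.113.22", "httpStatus": 403}},
]
SAMPLE_LOG = json.dumps({"records": SAMPLE_RECORDS})


def parse_firewall_log(text):
    """Return only firewall-log records from a records wrapper, a bare
    JSON array, or newline-delimited JSON; other categories are dropped."""
    text = text.strip()
    try:
        doc = json.loads(text)
        items = doc.get("records", []) if isinstance(doc, dict) else doc
    except json.JSONDecodeError:
        items = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [r for r in items if r.get("category") == FIREWALL_CATEGORY]


def summarize(records):
    """Count alerts per rule ID, per client IP and per action value."""
    props = [r["properties"] for r in records]
    return {
        "by_rule": Counter(p["ruleId"] for p in props),
        "by_client": Counter(p["clientIp"] for p in props),
        "by_action": Counter(p["action"] for p in props),
    }


def describe(record):
    """One analyst-readable line with the request URI percent-decoded so the
    matched payload is visible without manual decoding."""
    p = record["properties"]
    return (f"{record['time']} {p['clientIp']} rule={p['ruleId']} "
            f"action={p['action']} uri={unquote(p['requestUri'])}")


if __name__ == "__main__":
    fw = parse_firewall_log(SAMPLE_LOG)
    for rec in fw:
        print(describe(rec))
    print(summarize(fw))
```

Because the action value in a Prevention-mode log entry is "Blocked" even when the request's Anomaly Score stayed under the threshold, the per-action counts here should be read as rule matches, not as a count of dropped requests.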

Application Gateway WAF SKU pricing

The Application Gateway WAF is available under a new SKU. This SKU is available only in the Azure Resource Manager provisioning model, not in the classic deployment model. Additionally, the WAF SKU comes only in medium and large Application Gateway instance sizes. All the limits for Application Gateway also apply to the WAF SKU.

Pricing is based on an hourly gateway instance charge and a data-processing charge. Application Gateway pricing for the WAF SKU differs from standard SKU charges. Data-processing charges are the same. There are no per-rule or rule-group charges. You can protect multiple web applications behind the same web application firewall. You aren't charged for supporting multiple applications.

Next steps

See How to configure web application firewall on Application Gateway.