Securing PaaS – Securing PaaS web applications with App Service Environment and Web Application Firewall

Synopsis: In this exercise, attendees will deploy a cloud web application with a web application gateway and firewall enabled.

Task 1: Deploy web application to App Service Environment

  1. Search for and select App Service Plans.In the Azure Portal search field, app service pla is typed. Under the search results, App Service plans is selected.
  2. Select +Add.
  3. For the name, enter paassecurity-[your initials].
  4. Select your resource group.
  5. Select Location, then select your paassecurity-ase-[your initials] App Service Environment.
  6. Select Pricing tier, for the pricing tier select l1 Isolated.li Isolated is selected from the Pricing tier options.
  7. Select Select.the New App Service Plan blade displays with the following settings: Subscription, Client Development; Resource Group, Use existing paassecurity; Operating System, Windows; Pricing tier, li Isolated.
  8. Select Create.
  9. Switch to your jump VM that is running inside your Azure subscription.a. NOTE: You cannot publish from outside the Azure Virtual Network to an internal ASE.
  10. Open the extracted folder \WebApp\FourthCoffeeWeb.slnb. NOTE: You will need to provide an authorized MSDN Visual Studio licensed user.c. Select Sign in, enter your username, select Next.

    d. Enter your password.

  11. Select Sign In.
  12. Right-click the project, select Publish Web App.In Solution Explorer, FourthCoffeeWeb is selected, and from its right-click Menu, Publish Web App is selected.
  13. Select Microsoft Azure App Service.On the Publish page, under Select a publish target, Microsoft Azure App Service is selected.
  14. If prompted, select Reenter your credentials such that they match the Azure Subscription you are deploying too.
  15. Select New.
  16. Select your subscription.
  17. Select your resource group.
  18. For App Service Plan, select the fourthcoffeeweb-[your initials].Fields on the Create App Service page are set to the previously defined settings.
  19. Select Create.
  • NOTE: In some versions of Visual Studio, you may need to do this twice.
  1. Take note of the URL that your app will be published too:a. Switch to the Azure Portal.b. Select App Service Environment.

    c. Select your App Service Environment.

    d. Select IP Addresses.

    e. Take note of your App Service Environment Internal Load Balancer IP Address.

    On the IP addresses page, the Internal Load Balancer IP address 10.0.4.11 is called out.

    f. On your jump VM, open Notepad as an administrator.

    g. Open the c:\windows\system32\drivers\etc\hosts file, add the following:

    The Fourthcoffeeweb host entry data to be added displays.

  2. Select Validate Connection, if prompted, select Accept for the certificate:A Certificate Error pop-up displays with the message that the security certificate was issued to a different server.
  3. The connection should validate with a green checkmark:Below the destination URL, next to the the Validation Connection button is a green checkmark, indicating that the connection was validated.
  4. Record the destination URL for later in this exercise.
  5. Select Publish.

    NOTE: If you get an error, you may be trying to publish outside of the Azure Virtual Network or you did not setup a DNS/Hosts entry for your custom internal domain.

    An error list displays with one error, zero warnings, and zero messages. The error states that a web deployment task failed.

  6. Your web application should be published successfully:The Output window text states that the build succeeded.

Task 2: Configure the Web Application Firewall

  1. Select Application Gateway.
  2. Select your application gateway.
  3. Select Overview, record the public IP address of the application gateway for later use:The Frontend public IP address displays.
  4. Select Backend pools.
  5. Select the single backend pool displayed, ensure the IP address is that of the ASE internal load balancer IP. If it is not, delete the one displayed and add the correct IP:The Backend pool IP address for appGatewayBackendPool displays.
  6. Select Health probes.
  7. Select +Add.
  8. Copy the web app DNS address into the name and host address.
  9. For the path, enter /The passsecurity-waf blade displays with the following field values: Host has the copied copied web app dns address; Protocol, HTTP; Path, /; Interval, 30 seconds; Timeout, 30 seconds; Unhealthy threshold, 3.
  10. Select OK and then wait for the web application gateway to finish updating.

    NOTE: If you do not wait, future actions may result in the following error:

    A popup displays the message that the operation was superseded by a subsequent update, and then provides the details.

  11. Select HTTP settings.
  12. Select the only backendHttpSetting.
  13. Check the Use custom probe checkbox.
  14. Select the custom probe you just added.
  • NOTE: This will make it such that the WAF knows about the host header of the incoming requests and where to route themA Dialog box displays with the following settings: Cookie-based affinity, Disabled; Request timeout, 30; Protocol, HTTP; Port, 80; Use custom probe, selected.
  1. Select Save, wait for the application gateway to finish updating.

Task 3: Enable Application Gateway logging

  1. Select Diagnostic Logs.
  2. Select Turn on diagnostics.The Turn on diagnostics link is selected.
  3. For the name, enter paassecurity-waf-logging.
  4. Check the Send to Log Analytics checkbox.
  5. For Log Analytics, select your default workspace.
  • NOTE: If you do not have a workspace create one.
  1. Check all LOG checkboxes.A dialog box displays with the previously defined settings.
  2. Select Save.

Task 4: Attack a ASE Web Application with Detection Only

  1. Switch to your jump VM.
  2. Edit the c:\windows\system32\drivers\etc\hosts file to update the web app URL to point to the WAF public IP Address:A portion of the hosts file displays.
  3. Save the file.
  4. Open a browser window, ensure that the web site opens successfully.
  5. Launch Fiddler on your jump VM, so you can observe the network traffic resulting from the following step.
  6. Open a Windows PowerShell ISE window.
  7. From the extracted folder, open the /Scripts/WebAttack.ps1.
  8. Run the script, when prompted, enter the following information:a. Web application IP address;b. Web application DNS.

    A script displays in the Windows PowerShell ISE window.

  9. The script will execute a series of attacks on the Azure web application. Although they won’t technically be successful, they will make it to the web application. In Fiddler, you will be able to see the traffic is allowed, even known bad agents:One of the attacks is selected on the left, and the User-agent stalker is called out on the right.

Task 5: Enable Web Application Firewall Prevention

  1. In the Azure portal, select Application gateway.
  2. Select your application gateway.
  3. Select Web application firewall.
  4. For Firewall mode, select the Prevention.In the Application gateway blade, under Settings, Web application firewall is selected. Prevention is selected for Firewall mode.
  5. Select Save, wait for the application gateway to be updated.

Task 6: Reattack an ASE Web Application with Prevention enabled

  1. Switch back to the Windows PowerShell ISE window.
  2. Run the WebAttack script, then when prompted, enter the following information:a. Web application gateway IP addressb. Web application gateway DNS
  3. In Fiddler, you should see that your attack is being prevented from making it to the web server. This will also generate logs that we will use to create attack assessment reports in later exercises. Again, with fiddler available you can see the denied traffic by selecting the Inspectors tab, then Headers in the top section, and Raw in the bottom section:One of the attacks is selected on the left, and a denied traffic example is called out on the right.

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *