Forum Discussion
Do I need a Firewall and WAF for Website HTTPS traffic only
Hi Abhishek,
Yes, that was my thinking as well; however, one of my clients seems determined to add FW into the mix as well. Perhaps once I tell them how much it will cost, they may change their minds.
So it sounds like neither you nor Darrick see the need for additional FW?
After more research, I understand the differences between Azure Firewall and NSGs: I wrongly assumed they were one and the same.
NSGs are good for network layer traffic filtering to resources within VNETs in each subscription.
A firewall is stateful and provides a centralized service that can be applied to both network and application layer protection across subscriptions and networks: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
The Azure Firewall complements NSGs, providing defense-in-depth protection.
Question: Does your web service warrant the more granular protections provided by Azure Firewall?
- PDorenberg, Apr 26, 2019, Copper Contributor
Hi Darrick,
Sure no worries. Yes, NSGs provide network layer protection which helps but additional security is needed for sure from a web application perspective.
So yes, I could use a FW; however, from my investigation, FWs provide protection from layer 3-7, but they still fall short re: the latest security attacks such as SQL injection and cross-site scripting. So Microsoft and other vendors have been deploying "Application Gateway with Web App Firewall", aka WAFs, to address this higher layer 7 traffic. WAFs only deal with HTTP/S and WebSockets (both over HTTP using ports 80/443).
So if we only allow layer 7 protocols, do I really need the FW when the WAF handles that? I believe WAFs also provide that defense in depth and work in conjunction with the NSGs I have set up for front end and back end subnets.
Re: your final question, if we're only dealing with HTTP traffic and the WAF is handling that, does the FW actually provide any other value re: protection?
I'm just trying to find anyone out there who has a web application that is implementing both a FW and WAF. Seems to be one or the other but it seems WAFs have been developed to specifically address layer 7 traffic only.