Part 1 - Lab Setup: Azure WAF Security Protection and Detection Lab
Published Jan 14 2021 04:35 PM 20.8K Views
Microsoft

Tutorial: Setup an Azure WAF Security Protection and Detection Lab

 

The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate Azure Web Application Firewall (WAF) capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications.  This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections.  This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF.  The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.  For more information about each tutorial in this series, refer to the previous section, Tutorial Overview.

 

In this tutorial you will:

  1. Deploy a demo test environment in Azure
  2. Deploy Azure Monitor Workbook for WAF
  3. Enable desktop environment on Linux VM
  4. Create host file entries to resolve host names

Prerequisites

  1. An Azure subscription to deploy the Azure WAF Attack Testing Lab Environment Deployment Template
  2. A Log Analytics workspace to send all diagnostic logs
    • Azure Monitor Workbook for WAF deployed to the same workspace
  3. Familiarity with Azure Application Gateway WAF

 

Deployment Steps

 

  1. Click here to deploy the lab environment to your Azure subscription
  2. Click here to deploy the Azure Monitor Workbook for WAF to your Azure subscription
  • Tip:  For more information, refer to the detailed deployment instructions here - Deploying Network security demo environment
    • Please refer to the above document for deployment instructions only and do not use the deployment template linked in it.  The deployment template used in these lab tutorials is different from the one used in the deployment instructions document

 

Recommendations

We recommend using the Azure WAF Attack Testing Lab Environment Deployment Template as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application.  The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures.  After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions. 

 

When using the Azure WAF Attack Testing Lab Environment Deployment Template, additional resources such as VMs and Azure Front Door will be deployed.  The below diagram represents resources in the environment which are utilized in this lab.  The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).

 

! IMPORTANT:  This environment will be used as the baseline for the remainder of this document and the tutorial

Mohit_Kumar_1-1609788007370.png

 

In this setup, traffic from the attacker machine (Kali VM) will be routed to the internet through the Azure Firewall.  Successful attack path is one where malicious data is sent directly by the attacker to the OWASP Juice Shop web application leading to successful exploitation.  Attack path defended by WAF represents the path where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked with its out of the box ruleset before it reaches the web application.

 

You can also use a preexisting environment for this lab.  For completing these tutorials, your environment must have the following key components:

 

  1. An instance of the customized OWASP Juice Shop web application with an internet accessible endpoint
  2. An instance of Application Gateway with Azure WAF which publishes the OWASP Juice Shop web application to the internet
  3. An attacker machine (VM) with common hacking tools and internet connectivity.  We use Kali Linux as the attacker VM

 

If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:

 

Mohit_Kumar_0-1609788486015.png

 

Resources

The below table details the resources needed from all resources deployed with the Azure WAF Attack Testing Lab Environment Deployment Template

 

Resource

Name

IP Address Type

Purpose

Virtual Machine

VM-Kali

Private only

Attacker VM (Kali Linux) with preinstalled vulnerability and penetration testing tools

Firewall

SOC-NS-FW

Private & Public

Azure Firewall for outbound and inbound traffic restrictions and inspection

Azure WAF on Application Gateway

SOC-NS-AG-WAFv2

Private & Public

Azure Web Application Firewall preventing threats to the OWASP web application published through Application Gateway

OWASP WebApp

owaspdirect-<deployment guid>.azurewebsites.net

Public only

OWASP Juice Shop Application.  An open source web application with built in security vulnerabilities and CFT challenges

! IMPORTANT:  For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.  This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.  For the lab tutorials, you will connect to the application on HTTP port 80 only.  The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net.  

 

  • Tip: As it is a security best practice, we strongly recommend that you change the default lab password after deployment

 

Configuration

Additional configuration is required on the Kali Linux VM before getting started on the lab exercises.  The Kali VM in this lab environment needs remote desktop environment installed and configured.  Please complete the steps in the order outlined below.

 

Updating Kali Linux and Installing Desktop Environment

 

  1. Launch PowerShell on your local machine and run the following command to connect to the Kali VM

 

ssh svradmin@<Public IP Address of Azure Firewall> 

<Type your password when prompted to login>

 

  • Tips:
    • You can find the public IP of Azure Firewall in the Azure Portal under Resource Group --> SOC-NS-FW --> Public IP configuration
    • You can also use Putty client on your local machine to connect to the Kali VM

 

  1. Once connected to the Kali VM with SSH, run the following command to update the Kali Linux distro

 

sudo apt-get update

<Type your password when prompted>

 

  • Tip:
    • If you get an error about Kali Signatures being invalid upon running the above command, run the following commands to update the keys as root user and then run the abovementioned update command again

      Change user to root:  sudo su root
      Update the keys:  wget -q -O - archive.kali.org/archive-key.asc | apt-key add

 

  1. Once the Kali Linux distro is updated, run the following command to install and configure the remote desktop server on the Kali VM

 

a. sudo apt-get install -y kali-desktop-xfce xorg xrdp

b. sudo systemctl enable xrdp

c. echo xfce4-session >~/.xsession

d. sudo service xrdp restart

 

 

  1. Upon completing the abovementioned steps, you should be able to connect to the Kali VM over RDP on port 33892 

 

a. Connect to the Kali VM over RDP by using the following IP address and port combination

 

<Public IP Address of Azure Firewall>:33892 

 

b. When prompted to choose the setup for the first startup, click to select “Use default config”

 

Mohit_Kumar_0-1609793055165.png


c. You can now close your SSH session to the Kali VM by typing “exit” in the SSH session running in PowerShell

 

  1. Create an entry in the HOSTS file on Kali VM to map a name to the Public IP address of the OWASP Juice Shop site published on Application Gateway

 

a. Launch Terminal and run the following command

 

sudo nano /etc/hosts

<Type your password when prompted>

 

b. Create the following entry

 

Mohit_Kumar_0-1609794465822.png

 

c. Save the hosts file and exit

 

Use Ctrl+S to save and Ctrl+X to exit

 

  • Tip:  You can find public IP of the Application Gateway in the Azure Portal under Resource Group --> SOC-NS-AG-WAFv2 --> Frontend Public IP address

 

Next Steps

Before proceeding to the next tutorial, take a few mins to review the following

 

  1. OWASP Juice Shop publishing rule on Application Gateway
  2. Web Application Firewall configuration on Application Gateway
  3. Test connectivity to the OWASP Juice Shop website when accessing the application directly and when going to it through the Application Gateway

 

  • Tip:  You can find the public URL of the deployed Juice Shop app in the Azure Portal under Resource Group -->  owaspdirect-<guid> --> URL

 

Previous: Tutorial Overview

Next: Reconnaissance Playbook

 

 

Note: The lab deployment template has been updated with new Operating Systems and SKUs. The Kali Linux images are running on the latest version available in the Marketplace. The Windows 10 Virtual Machines have been updated to Windows 11 and the VM SKUs have been updated to Standard D2s v3 from Standard_B2s.

 

11 Comments
Co-Authors
Version history
Last update:
‎Oct 11 2022 05:58 AM
Updated by: