Do I need a Firewall and WAF for Website HTTPS traffic only

%3CLINGO-SUB%20id%3D%22lingo-sub-482805%22%20slang%3D%22en-US%22%3EDo%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482805%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Azure%20Community%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20looking%20for%20some%20advice%20or%20feedback%20around%20the%20need%20to%20deploy%20a%20Firewall%20and%20WAF%20for%20Website%20only%20solution%20that%20uses%20HTTPS%20and%20Websockets%20on%20a%20IaaS%20platform%20leveraging%20Windows%20Server%2C%20IIS%20and%20SQL%20Server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20had%20a%20couple%20of%20comments%2Fsuggestions%20that%20I%20should%20be%20deploying%20a%20Firewall%20as%20well%2C%20suggesting%20that%20a%20WAF%20isn't%20sufficient%20enough%20to%20prevent%20attacks%20such%20as%20sql%20injection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGiven%20that%20adding%20a%20firewall%20to%20the%20solution%20adds%20substantial%20dollars%20to%20the%20monthly%20bill%20%2C%20I'm%20looking%20for%20any%20other%20feedback%20in%20terms%20of%20how%20secure%20a%20WAF%20is%20for%20layer%207%20traffic%20or%20what%20others%20are%20deploying%20for%20website%20only%20traffic.%20i.e.%2C%20WAF%20only%20or%20FW%20and%20WAF%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20be%20clear%2C%20this%20isn't%20necessarily%20about%20the%20dollars%20but%20rather%20is%20a%20client%20throwing%20money%20out%20the%20door%20with%20the%20addition%20of%20the%20FW%20when%20a%20WAF%20will%20do%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%2C%3C%2FP%3E%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-482805%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EProtection%20%26amp%3B%20Recovery%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20%26amp%3B%20Compliance%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-483003%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-483003%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F327637%22%20target%3D%22_blank%22%3E%40Abhishek_srivastava%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Abhishek%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20that%20was%20my%20thinking%20as%20well%2C%20however%20one%20my%20clients%20seems%20determined%20to%20add%20FW%20into%20the%20mix%20as%20well.%26nbsp%3B%20Perhaps%20once%20I%20tell%20them%20how%20much%20it%20will%20cost%2C%20they%20may%20change%20their%20minds.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20it%20sounds%20like%20neither%20you%20nor%20Darrick%20see%20the%20need%20for%20additional%20FW%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-482998%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482998%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F256377%22%20target%3D%22_blank%22%3E%40Darrick%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20there%20Darrick%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Firewall%20appears%20to%20be%20just%20over%20%24900%20US%20converted%20to%20Canadian%20that's%20close%20to%20%241%2C200%20per%20month.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%202%20WAF%20costs%20%24280%20CDN%20per%20month%20(have%20to%20deploy%202).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20rest%20of%20the%20solution%20uses%20a%20couple%20of%20front%20end%20and%20back%20ends%20subnets%20(with%20NSGs)%20and%20couple%20of%26nbsp%3B%20burstable%20VMs%20in%20each%20subnet%20which%20are%20also%20quite%20cheap.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELooks%20like%20the%20FW%20alone%20costs%20more%20per%20month%20then%20rest%20of%20this%20light%20weight%202-tiered%20web%20app%20total%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20WAF%20does%20the%20job%2C%20seems%20like%20adding%20the%20FW%20will%20more%20than%20double%20the%20costs%20but%20not%20sure%20it's%20adding%20equivalent%20value%20(as%20we're%20only%20using%20HTTPS).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-482940%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482940%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20helped%20deploy%20a%20similar%20solution.%20If%20you%20apply%20IP%20restrictions%20for%20the%20use%20of%20the%20site%20just%20to%20your%20customer's%20IP%20sets%20and%20other%20other%20protocol%20restrictions%20at%20the%20NSG%20level%20then%20along%20with%20WAF%20and%20SSL%20it%20works%20pretty%20nicely.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-482926%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482926%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F327426%22%20target%3D%22_blank%22%3E%40PDorenberg%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20would%20adding%20a%20firewall%20add%20significantly%20to%20your%20monthly%20bill%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20think%20adding%20strategically%20placed%20Network%20Security%20Groups%20to%20your%20solution%20would%20give%20you%20additional%20adequate%20protection%20without%20significant%20cost.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-485528%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-485528%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F327426%22%20target%3D%22_blank%22%3E%40PDorenberg%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20more%20research%2C%20I%20understand%20the%20differences%20between%20Azure%20Firewall%20and%20NSGs%3A%20I%20wrongly%20assumed%20they%20were%20one%20in%20the%20same.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENSGs%20are%20good%20for%20network%20layer%20traffic%20filtering%20to%20resources%20within%20VNETs%20in%20each%20subscription.%3C%2FP%3E%3CP%3EA%20firewall%20is%20stateful%20and%20provides%20centralized%20service%20that%20can%20be%20applied%20to%20both%20network%20and%20application%20layer%20protection%20across%20subscriptions%20and%20networks%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Ffirewall-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Ffirewall-faq%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Azure%20Firewall%20complements%20NSGs%2C%20providing%20defense-in-depth%20protection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestion%3A%20Does%20your%20web%20service%20warrant%20the%20more%20granular%20protections%20provided%20by%20Azure%20Firewall%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Ffirewall-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Ffirewall-faq%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-485611%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20I%20need%20a%20Firewall%20and%20WAF%20for%20Website%20HTTPS%20traffic%20only%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-485611%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F256377%22%20target%3D%22_blank%22%3E%40Darrick%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Darrick%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESure%20no%20worries.%26nbsp%3B%20Yes%2C%20NSGs%20provide%20network%20layer%20protection%20which%20helps%20but%20additional%20security%20is%20needed%20for%20sure%20from%20a%20web%20application%20perspective.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20yes%2C%20I%20could%20use%20a%20FW%20however%20from%20my%20investigation%2C%20FW%20provide%20protection%20from%20layer%203-7%20however%20they%20still%20fall%20short%20re%3A%20the%20latest%20security%20attacks%20such%20sql%20injection%20and%20cross-site%20scripting.%26nbsp%3B%20So%20Microsoft%20and%20other%20vendors%20have%20been%20deploying%20%22Application%20Gateway%20with%20Web%20App%20Firewall%22%20aka%20WAFs%20to%20address%20this%20higher%20layer%207%20traffic.%26nbsp%3B%20WAFs%20only%20deal%20with%20HTTP%2FS%20and%20Websockets%20(both%26nbsp%3Bover%20HTTP%20using%20ports%2080%2F443)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20we%20only%20allow%20layer%207%20protocols%20do%20I%20really%20need%20the%20FW%20when%20the%20WAF%20handles%20that%3F%26nbsp%3B%20I%20believe%20WAFs%20also%20provide%20that%20defense%20in%20depth%20and%20work%20in%20conjunction%20with%20the%20NSGs%20I%20have%20setup%20for%20front%20end%20and%20back%20end%20subnets.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%3A%20your%20final%20question%2C%20if%20we're%20only%20dealing%20with%20HTTP%20traffic%20and%20the%20WAF%20is%20handling%20that%2C%20does%20the%20FW%20actually%20provide%20any%20other%20value%20re%3A%20protection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20just%20trying%20to%20find%20anyone%20out%20there%20who%20has%20a%20web%20application%20that%20is%20implementing%20both%20a%20FW%20and%20WAF.%26nbsp%3B%20Seems%20to%20be%20one%20or%20the%20other%20but%20it%20seems%20WAFs%20have%20been%20developed%20to%20specifically%20address%20layer%207%20traffic%20only.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello Azure Community,

 

I'm looking for some advice or feedback around the need to deploy a Firewall and WAF for Website only solution that uses HTTPS and Websockets on a IaaS platform leveraging Windows Server, IIS and SQL Server.

 

I've had a couple of comments/suggestions that I should be deploying a Firewall as well, suggesting that a WAF isn't sufficient enough to prevent attacks such as sql injection.

 

Given that adding a firewall to the solution adds substantial dollars to the monthly bill , I'm looking for any other feedback in terms of how secure a WAF is for layer 7 traffic or what others are deploying for website only traffic. i.e., WAF only or FW and WAF?

 

To be clear, this isn't necessarily about the dollars but rather is a client throwing money out the door with the addition of the FW when a WAF will do?

 

Thanks in advance,

Paul

6 Replies

@PDorenberg

 

How would adding a firewall add significantly to your monthly bill?

 

I would think adding strategically placed Network Security Groups to your solution would give you additional adequate protection without significant cost.

I have a helped deploy a similar solution. If you apply IP restrictions for the use of the site just to your customer's IP sets and other other protocol restrictions at the NSG level then along with WAF and SSL it works pretty nicely. 

@Darrick 

 

Hi there Darrick,

 

Thanks for your response.

 

The Firewall appears to be just over $900 US converted to Canadian that's close to $1,200 per month.

 

The 2 WAF costs $280 CDN per month (have to deploy 2).

 

The rest of the solution uses a couple of front end and back ends subnets (with NSGs) and couple of  burstable VMs in each subnet which are also quite cheap. 

 

Looks like the FW alone costs more per month then rest of this light weight 2-tiered web app total solution.

 

So if WAF does the job, seems like adding the FW will more than double the costs but not sure it's adding equivalent value (as we're only using HTTPS).

 

@Abhishek_srivastava 

 

Hi Abhishek,

 

Yes that was my thinking as well, however one my clients seems determined to add FW into the mix as well.  Perhaps once I tell them how much it will cost, they may change their minds.

 

So it sounds like neither you nor Darrick see the need for additional FW?

 

 

@PDorenberg 

 

After more research, I understand the differences between Azure Firewall and NSGs: I wrongly assumed they were one in the same.

 

NSGs are good for network layer traffic filtering to resources within VNETs in each subscription.

A firewall is stateful and provides centralized service that can be applied to both network and application layer protection across subscriptions and networks: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

 

The Azure Firewall complements NSGs, providing defense-in-depth protection.

 

Question: Does your web service warrant the more granular protections provided by Azure Firewall?

 

 

 

 

 

https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

@Darrick 

 

Hi Darrick,

 

Sure no worries.  Yes, NSGs provide network layer protection which helps but additional security is needed for sure from a web application perspective.

 

So yes, I could use a FW however from my investigation, FW provide protection from layer 3-7 however they still fall short re: the latest security attacks such sql injection and cross-site scripting.  So Microsoft and other vendors have been deploying "Application Gateway with Web App Firewall" aka WAFs to address this higher layer 7 traffic.  WAFs only deal with HTTP/S and Websockets (both over HTTP using ports 80/443)

 

So if we only allow layer 7 protocols do I really need the FW when the WAF handles that?  I believe WAFs also provide that defense in depth and work in conjunction with the NSGs I have setup for front end and back end subnets.

 

Re: your final question, if we're only dealing with HTTP traffic and the WAF is handling that, does the FW actually provide any other value re: protection.

 

I'm just trying to find anyone out there who has a web application that is implementing both a FW and WAF.  Seems to be one or the other but it seems WAFs have been developed to specifically address layer 7 traffic only.