© 2016 Barracuda. All rights reserved. | www.barracuda.com/azure
Securing Business Applications
Best Practices
Barracuda Web Application Firewall: Securing Azure App Service
Competitive landscapes and fast time-to-market pressures demand expedited rollouts for mobile and cloud-based applications. Microsoft Azure App Service enables developers to choose the platforms with which they are most comfortable so they are able to quickly develop applications that work smoothly with the data stores used in their organizations. Securing these applications is essential, because a compromised application can leak critical or sensitive data from the information stores with which it interfaces.
Vulnerabilities can arise from both the custom code and the infrastructure used in developing these applications. Consider these best practices:
Deploy into an isolated Azure App Service Environment (ASE) behind a Barracuda Web Application Firewall cluster
An ASE typically consists of an isolated virtual network with compute resources. The Barracuda Web Application Firewall enhances the security of an ASE deployment by bringing in industry-leading security features including protection against application layer attacks (i.e. OWASP Top 10), protection for mobile applications and web services, and Data Loss Prevention.
When deploying into an ASE is not an option, deploy behind a Barracuda Web Application Firewall cluster and use Network Security Groups (NSGs) to allow traffic only from the Barracuda WAF cluster
[Diagram: Protecting an Azure App Service Environment. Labelled components: Azure Traffic Manager (optional); Azure Load Balancer (public IP address); Barracuda Web Application Firewall instances in a DMZ; private IP address; Azure VNet network ACL (only allows traffic from WAF); App Service Environment hosting Web, Mobile and API apps; regions West US and North Europe.]
Learn More
Deploying WAF in the App Service Environment
The Barracuda Web Application Firewall secures the entire attack surface of mobile applications and REST APIs. It filters malicious inputs in JSON and XML payloads. With the Rate-Control and Bruteforce features on the WAF, you can ensure API SLAs to business partners.
Why Barracuda
Benefits
The Barracuda Web Application Firewall can be deployed by first bringing up the WAF instances on Azure. Once this is done, the Barracuda WAF is connected to the App Service Environment. This connection can be further secured by using a Network ACL that only allows connections from the Barracuda WAF. In case you want to load balance traffic from multiple regions across the WAF cluster, an Azure Traffic Manager instance can be deployed upstream of the Barracuda WAF cluster.
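The restriction described above (only the WAF may connect to the application) can be checked mechanically. The following is an added example, not Barracuda's or Microsoft's code: it audits a list of inbound NSG rules for sources other than the WAF subnet that can reach the application port. The subnet 10.0.1.0/24, the rule names and both sample rule sets are constructed; the field names follow Azure's security-rule properties.

```python
import ipaddress

def port_matches(rule_range, port):
    """True if an NSG port range ('*', '443' or '8000-8100') covers port."""
    if rule_range == "*":
        return True
    low, _, high = rule_range.partition("-")
    return int(low) <= port <= int(high or low)

def source_within(prefix, allowed_net):
    """True only if prefix is an IP/CIDR fully inside allowed_net.
    '*' and service tags such as 'VirtualNetwork' count as outside."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return net.version == allowed_net.version and net.subnet_of(allowed_net)

def audit_inbound(rules, waf_cidr, port=443):
    """Return names of Allow rules that let non-WAF sources reach `port`.
    Rules are walked in priority order (lowest number first), as NSGs do."""
    allowed_net = ipaddress.ip_network(waf_cidr)
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or not port_matches(rule["destinationPortRange"], port):
            continue
        if rule["access"] == "Deny" and rule["sourceAddressPrefix"] == "*":
            break  # a deny-all shadows every lower-priority rule
        if rule["access"] == "Allow" and not source_within(rule["sourceAddressPrefix"], allowed_net):
            findings.append(rule["name"])
    return findings

def rule(name, priority, access, source, ports):
    """Build one constructed inbound rule for the samples below."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "sourceAddressPrefix": source,
            "destinationPortRange": ports}

# Constructed sample data; 10.0.1.0/24 is an assumed WAF subnet.
WAF_SUBNET = "10.0.1.0/24"
# Modelled on Azure's default rule that admits any source in the VNet.
DEFAULT_VNET = rule("AllowVNetInBound", 65000, "Allow", "VirtualNetwork", "*")
LOCKED_DOWN = [rule("allow-waf", 100, "Allow", WAF_SUBNET, "443"),
               rule("deny-rest", 4000, "Deny", "*", "*"), DEFAULT_VNET]
LEFT_OPEN = [rule("allow-waf", 100, "Allow", WAF_SUBNET, "443"),
             rule("allow-any-https", 200, "Allow", "*", "443"), DEFAULT_VNET]

if __name__ == "__main__":
    print("locked down:", audit_inbound(LOCKED_DOWN, WAF_SUBNET))
    print("left open:  ", audit_inbound(LEFT_OPEN, WAF_SUBNET))
```

The default VNet rule is flagged whenever no explicit deny precedes it, because it lets other hosts in the virtual network reach the application without passing through the WAF.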
The Barracuda WAF supports SAML v2.0 for web authentication and single sign-on (SSO). This facilitates SSO between the cloud and on-premises web applications, as well as interoperability with Azure Active Directory.
www.barracuda.com/azure
www.barracuda.com/programs/azure/application-security
www.barracuda.com/products/webapplicationfirewall
Comprehensive Protection
Sensitive information is protected from being exposed at the server and access can be controlled based on location
Data Loss Prevention
Create custom patterns to prevent the loss of sensitive data, such as social security and credit card numbers
Proactive Defense Mechanism
With Geo-IP control, admins are able to either deny or provide access to specific geographies
Transparent Authentication
Single sign-on to multiple applications improves employee productivity by eliminating multiple authentication sessions
[Diagram. Labelled components: Azure Traffic Manager (optional); Azure Load Balancer (public IP address); Barracuda Web Application Firewall instances; Azure Load Balancer (internal); private IP address; Azure VNet; App Service Environment hosting Web, Mobile and API apps.]