Friday, July 1, 2016

For Azure Web Applications, how do you monitor Security Threat traffic?


I want to monitor any suspicious traffic into our Azure web application. I want to know the IP addresses and what they are probing with a view to blocking those IP addresses. I am mindful of trying to protect the application via secure coding practices, but also I feel a little blind to what is hitting our site at present.

I have looked at what Azure provides, but cannot see anything obvious in terms of some form of dashboard. I may be looking in the wrong place.

It may be that I need a proper Web Application Firewall to do this, and Azure does not provide this? The only one I am sort of familiar with is Cloudflare, but for other reasons, we cannot use it at present, although these could be surmountable.

So how are folks monitoring their "attack interfaces"?

Thanks.

2 Answers

Answer 1

If you're referring to Azure Web Apps there is a log that displays very detailed information about the requests made to your website. The logs are the Web Server logs which are in the W3C extended log file format and may contain the information you're looking for. You have to enable these logs under diagnostics for the web app.

You can view these logs by downloading them or streaming them via PowerShell or Azure CLI. You may also find the Kudu site that comes with web apps helpful. It can be found at https://your-web-app.scm.azurewebsites.net
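A worked parser for the W3C extended web server logs this answer describes, added here as an example (it is not part of the answer above and not Azure's own tooling). It assumes the IIS-style layout that App Service web server logging emits: a `#Fields:` directive naming the columns, followed by space-separated records with `-` for empty values. The log lines are constructed samples using documentation IP ranges, and the thresholds in `flag_probers` are assumptions to tune against your own traffic. It answers the question's actual need: which client IPs are probing, what paths they hit, and how their requests are being answered.

```python
"""Summarise probe-like traffic from App Service W3C extended web server logs.

Added example, not from the original answer. Assumes the IIS-style W3C
extended format ('#Fields:' directive, space-separated records, '-' = empty).
Field names are the standard W3C/IIS ones; the sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of an App Service web server log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2016-07-01 10:00:00
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-07-01 10:00:01 EXAMPLEAPP GET / - 443 - 203.0.113.10 Mozilla/5.0 example.azurewebsites.net 200 0 0 5120 410 31
2016-07-01 10:00:02 EXAMPLEAPP GET /phpmyadmin/ - 443 - 198.51.100.7 scanner-bot/1.0 example.azurewebsites.net 404 0 0 1400 380 5
2016-07-01 10:00:02 EXAMPLEAPP GET /wp-login.php - 443 - 198.51.100.7 scanner-bot/1.0 example.azurewebsites.net 404 0 0 1400 382 4
2016-07-01 10:00:03 EXAMPLEAPP GET /.env - 443 - 198.51.100.7 scanner-bot/1.0 example.azurewebsites.net 404 0 0 1400 370 4
2016-07-01 10:00:03 EXAMPLEAPP GET /admin/ - 443 - 198.51.100.7 scanner-bot/1.0 example.azurewebsites.net 403 0 0 1300 376 6
2016-07-01 10:00:04 EXAMPLEAPP GET /products id=1 443 - 203.0.113.10 Mozilla/5.0 example.azurewebsites.net 200 0 0 7800 420 45
2016-07-01 10:00:05 EXAMPLEAPP GET /search q=%27+OR+1%3D1-- 443 - 192.0.2.55 curl/7.47 example.azurewebsites.net 200 0 0 2100 440 60
2016-07-01 10:00:06 EXAMPLEAPP GET /old-page - 443 - 203.0.113.10 Mozilla/5.0 example.azurewebsites.net 404 0 0 1400 400 3
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields line.

    The #Fields directive can appear more than once (IIS re-emits it when the
    log is rolled or the field set changes), so the column map is refreshed
    each time it is seen. Records with the wrong column count are skipped
    rather than mis-assigned.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software/#Version/#Date carry no request data
        if fields is None:
            raise ValueError("record appeared before any #Fields directive")
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


@dataclass
class IpSummary:
    requests: int = 0
    errors: int = 0                      # 4xx responses: unknown or forbidden paths
    suspicious_queries: int = 0          # query strings carrying injection-style markers
    paths: set = field(default_factory=set)
    agents: set = field(default_factory=set)


# Assumed markers: quotes, angle brackets and traversal sequences in the query string.
SUSPECT_QUERY_MARKERS = ("%27", "'", "<", "%3c", "../", "%2e%2e")


def summarise(records):
    """Aggregate per-client-IP counts, paths and user agents from parsed records."""
    per_ip = defaultdict(IpSummary)
    for r in records:
        s = per_ip[r["c-ip"]]
        s.requests += 1
        if 400 <= int(r["sc-status"]) < 500:
            s.errors += 1
        s.paths.add(r["cs-uri-stem"])
        if r.get("cs(User-Agent)"):
            s.agents.add(r["cs(User-Agent)"])
        query = (r.get("cs-uri-query") or "").lower()
        if any(m in query for m in SUSPECT_QUERY_MARKERS):
            s.suspicious_queries += 1
    return per_ip


def flag_probers(per_ip, min_requests=3, error_ratio=0.5):
    """Return the IPs whose 4xx share is high or that sent suspect query strings.

    The thresholds are assumptions; a legitimate client that hits one stale
    link (one 404 in three requests) stays below them.
    """
    flagged = {}
    for ip, s in per_ip.items():
        high_error_share = s.requests >= min_requests and s.errors / s.requests >= error_ratio
        if high_error_share or s.suspicious_queries:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    summary = summarise(parse_w3c(SAMPLE_LOG))
    for ip, s in flag_probers(summary).items():
        print(f"{ip}: {s.requests} requests, {s.errors} 4xx, "
              f"{s.suspicious_queries} suspect queries, paths={sorted(s.paths)}, "
              f"agents={sorted(s.agents)}")
```

Run it against a downloaded log file by replacing `SAMPLE_LOG` with the file contents; the output is the per-IP list of paths and response codes the question asks for, which is the evidence you would want before deciding on an IP block rather than blocking on a single 404.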

Answer 2

You are correct, Azure web apps by itself does not offer extensive security monitoring. While Application Insights and Application Insights Analytics can give you a lot of data for monitoring, it does not target security specifically. It will tell you which IP address is probing what and with which result, so I would start there and see if it fits your requirements.

If you want to do security monitoring, packet inspection, etc., your best bet is to use a virtual appliance in Azure. The Azure marketplace offers security/WAF appliances from Checkpoint, Barracuda, Cisco, F5, etc. that might fit your needs. These virtual devices run on virtual machines in Azure and have a public IP address on the outside for incoming traffic which they can route to internal (vnet) or external (webapp) resources. While these are generally very powerful solutions, they come at a cost.

A possible setup might be to use an appliance like this to offload SSL, inspect traffic on the appliance and then forward traffic to the web app (over http, within the same datacenter). If the appliance of your choosing does not allow SSL offloading, you might place an Azure Application Gateway in front.

Again, start with Application Insights and see if it works for you. If not, do a price/feature comparison on the various virtual firewalls/security devices.
