0 Votes
Ashuclouddev-1743 asked MalleswarReddy answered

WAF related questions and Compliance

Hi,

My questions on Azure WAF support are below -

1) Does WAF support TACACS, SAML, AAD, LDAP, Kerberos, RADIUS?
2) Compliance GDPR, Sarbanes-Oxley, HIPAA, PCI-DSS, SOC2
3) Is there any way to test WAF within Azure with all the imposed rules such as OWASP? Third-party tools such as Burp Suite can be used, but I want to check if there are any internal solutions.
4) NGE encryption, cipher suites, DH groups, hashing, SHA-2, AES, X.509 certificates
5) Does it support connection pooling?
6) Ability to install signatures
7) Ability to configure/enforce IETF

azure-application-gateway azure-cdn azure-web-application-firewall

Please let me know the answers at least for the things you are aware of or have come across.

I guess a few of them are limitations. Can you please share documentation links where it states they are limitations or that they are on the roadmap?

0 Votes 0 ·

Hi,

Does anyone have answers or documents for this?

0 Votes 0 ·
3 Votes
MalleswarReddy answered

Hi,

Please find my answers below -

1) Does WAF support TACACS, SAML, AAD, LDAP, Kerberos, RADIUS?
AFAIK, SAML is not yet supported by Azure WAF, and the rest are regular firewall/appliance-firewall-based requirements. If you are particular about them, have a look at Cloudflare or Barracuda.


2) Compliance GDPR, Sarbanes-Oxley, HIPAA, PCI-DSS, SOC2
Not all: GDPR, PCI-DSS and HIPAA. Please take a look at this document: https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/

3) Is there any way to test WAF within Azure with all the imposed rules such as OWASP? Third-party tools such as Burp Suite can be used, but I want to check if there are any internal solutions.
Not sure about this; please post it as a different question.

4) NGE encryption, cipher suites, DH groups, hashing, SHA-2, AES, X.509 certificates
There are limitations on this, but there is a provision through Key Vault. This explains it: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

5) Does it support connection pooling?
Yes, if you are talking about back-end pooling.

6) Ability to install signatures
Same as the 4th answer.

7) Ability to configure/enforce IETF
This is a big subject. Usually, WAF enforces the same that the app is following. But you need to check the rules point by point.

1 Vote
TravisCragg-MSFT answered Ashuclouddev-1743 commented

Azure WAF is currently an add-on to existing Azure services like Application Gateway, Front Door, and CDN. The answer to your question might be different depending upon what service you are trying to use it for. Can you give some more information about your scenario?

Azure WAF typically only handles a portion of your question. For example, Application Gateway allows you to create a custom TLS policy that lets you specify what ciphers and minimum TLS version you use. Azure WAF is also typically only for HTTPS traffic, and will likely not support other protocols.


Thanks for your reply. I will go through the links you provided.

0 Votes 0 ·