Ensure communications with known malicious IP addresses are denied via Azure Web Application Firewall Policy

MEDIUM

Description

Azure Web Application Firewall can block known malicious IP addresses, a capability that has become standard practice for almost every web application firewall or next-generation firewall deployed in enterprise environments. A WAF policy should contain a custom rule that matches on known malicious IPs and blocks them.

Remediation

Web Application Firewall policies are often created to block lists of known malicious IP addresses. These lists can be curated by individual organizations as needed, but are typically purchased from vendors that maintain the lists continuously. Once a list of malicious IP addresses is prepared, follow the steps below to create a WAF policy to block them.

In Azure Console -

  1. Open the Azure Portal and go to Web Application Firewall policies.
  2. Select the WAF policy that you wish to edit.
  3. Under Settings, select Custom rules.
  4. Create a custom rule with the Match type set to IP address, enter the malicious IP addresses or ranges to match, and set the action to Deny traffic.

In Terraform -

  1. In the azurerm_web_application_firewall_policy resource, create a custom_rules block.
  2. In that block, add a match_conditions entry whose operator is IPMatch (the provider expects this exact casing), list the malicious IP ranges in match_values, and set the rule's action to Block.
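The following Terraform configuration is an added example of the custom_rules block described above; it is not taken from the Microsoft or Terraform documentation the page links to. The resource group, policy name, region and the CIDR ranges in match_values are placeholders (the ranges are RFC 5737 documentation networks), to be replaced with the organization's curated or vendor-supplied list.

```hcl
# Added example: an azurerm_web_application_firewall_policy with a custom rule
# that denies requests from a list of known malicious IP ranges.
# All names, the location, and the CIDR ranges below are placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-waf-example"   # placeholder
  location = "eastus"           # placeholder
}

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "waf-block-known-bad-ips"   # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # Custom rules are evaluated in ascending priority order, before the
  # managed rule sets, so a low priority value puts the IP deny list first.
  custom_rules {
    name      = "DenyKnownMaliciousIPs"
    priority  = 1
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      # RemoteAddr is the client source address, the variable IPMatch operates on.
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false

      # Placeholder ranges (RFC 5737 documentation networks). Replace with the
      # organization's curated list or the vendor-maintained feed.
      match_values = [
        "192.0.2.0/24",
        "198.51.100.0/24",
        "203.0.113.0/24",
      ]
    }
  }

  # Prevention mode is required for Block actions to actually drop traffic;
  # Detection mode would only log the match.
  policy_settings {
    enabled = true
    mode    = "Prevention"
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}
```

Two points worth checking after applying this: the policy must be in Prevention mode, since a Block rule in Detection mode only generates a log entry, and Azure imposes a limit on the number of match values per rule, so a large vendor feed may need to be split across several match_conditions entries or custom rules. The policy also has to be associated with the Application Gateway or Front Door profile that fronts the application before it takes effect.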

References:
https://learn.microsoft.com/en-us/azure/web-application-firewall/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy#custom_rules
https://www.maxmind.com/en/high-risk-ip-sample-list

Policy Details

Rule Reference ID: AC_AZURE_0352
CSP: Azure
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Security Group

Frameworks