Can Azure CDN protect against known vulnerabilities?

Steve 66 Reputation points
2020-08-13T01:51:36.797+00:00

We have a website https://ourwebsite.web.core.windows.net/ which needs to be made public (available on the Internet to anyone), and we did a Qualys scan on it using an external scanner, which found 40 vulnerabilities.

The website has static HTML and CSS, which are inside an Azure storage account that sits inside a virtual machine enclosed by a subnet. That subnet is protected by a Network Security Group rule so that traffic from the Azure Application Gateway subnet reaches the subnet holding the storage account on port 443 only. The Application Gateway has its own subnet, has a public IP and receives traffic from the Internet; it then applies Layer 7 filtering as a web application firewall, plus whatever other protection Application Gateway provides, and passes the traffic to the subnet holding the storage account via port 443.

Since the project was delayed, the business analyst working with the customer (marketing team) wanted a quick way to fix it. He spoke to a server admin who advised using an Azure CDN and creating an endpoint with Azure CDN like https://ourwebsite.azureedge.net, then running a Qualys scan, which found only 1 vulnerability, and that too a slow HTTP attack vulnerability.

  1. From a security perspective, are we really safe if we use an Azure CDN endpoint, so that, just as the Qualys scan did not find any vulnerability, we are safe if any potential attacker scans our public website which is open to the world?
  2. If we are not safe, what needs to be done to secure the website for our use case?
  3. I see Azure CDN has a lot of features, but how does it mask path-relative stylesheet import (PRSSI) vulnerabilities in an application so that they don't show up?
  4. Can having an Azure Firewall help for our use case? If so, should it be in front of the Azure App Gateway, filtering telnet probes and layer 3-4 attacks, then passing valid traffic to the Azure App Gateway, which then applies Layer 7 filtering as a web application firewall and passes it to the subnet having the storage account via port 443?
  5. Any other suggestions on how we can keep the website secure?

I know the business analyst wants quick fixes but I don't want to skimp on security and later find out we got breached.


1 answer

  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2020-08-14T04:54:16.273+00:00

    @Steve Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. I would like to work closer on this query, and for quicker resolution I would recommend you to contact support. So if you have a support plan, I request that you file a support ticket; else please do let us know, and we will try and help you get a one-time free technical support. In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread as well as your subscription ID. Please mention "ATTN subm" in the subject field. Thank you for your cooperation on this matter and look forward to your reply.

    ---

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.