Azion Edge Firewall is a security product that protects from the network layer to the application layer. Your security team finds the most advanced features to protect your applications from all types of attacks in a single place.
With Edge Firewall, you can extend your security perimeter to the network edge, since your access control rules are processed directly through the Azion Edge Network, closer to users, preventing unwanted requests from reaching your origin or accessing your applications.
Because it is a programmable, modular and extendible firewall, it allows you to choose the modules that suit your needs.
You can make your own protection source code available and run it directly on the Azion distributed network. This benefits both the end-user and the application itself, as the user has access to a protected application with low latency. Protect against complex attacks by extending the protection perimeter to the edge.
With the Edge Firewall you can:
- create allowed rules, blocklists and greylists based on either the IP/CIDR address or the ASN or location of the user;
- protect your applications from the Tor network and other malicious traffic sources, such as botnets, malwares, proxies, etc;
- limit the access rate to an application using complex criteria and multiple buckets;
- mitigate Denial of Service attacks (DoS and DDoS);
- protect applications from OWASP Top 10 threats;
- implement bot mitigation techniques, including blocklists, fingerprints, tampering protection, brute force prevention, advanced rate limiting, human challenge, etc;
- add your own source code protection or content access controls, to be run from Edge Firewall;
- seamlessly integrate Azion curated Functions or third-party software to be run in Edge Firewall, extending native platform functionalities with out-of-the-box solutions to IP reputation, fingerprint, JWT tokening, credential stuffing, account takeover, price scraping, contact scraping, etc.
1. How it works
By using Azion as your edge computing platform, you can create security settings on Edge Firewall to protect your applications.
Edge Firewall settings, called Rule Sets, are sets of security rules that must be applied to a group of domains.
You can share the same Rule Set among all applications that adopt the same security policy.
An Edge Firewall Rule Set consists of a selection of domains where it should be applied, modules that must be applied and the security rules configured in Rules Engine.
Network Layer Protection
Web Application Firewall
You need at least one activated module to use the product and, to ensure the security of your applications at all layers, we recommend that you activate them all.
After activating the modules you want, you must configure your security rules in Rules Engine. The rules you configure will run sequentially until the request is blocked or restricted or until all your rules are processed, at which point the request is released. The request’s data stream only passes into your edge application if none of your Edge Firewall rules block or reject the request, ensuring that malicious requests don’t reach your application.
Each rule is made of conditions - Criteria - and Behaviors. The Behaviors setup will run if the conditions are met. For example, you can set up rules to block requests that come from IPs that are in a blocklist or even make up rules to exclude IPs that are in the allowed rules list. In this example, “block” is the Behavior, while the IP of the request is in the blacklist and not present in the allowed rules is the condition - Criteria.
The criteria and behaviors available in the Edge Firewall depend on the modules you have enabled in the Rule Set.
2. Edge Firewall Modules
Azion Edge Firewall has the following modules so that you can build high-performance, scalable, safe edge applications, much more simply and without the heavy maintenance.
The DDoS Protection module protects your content and applications against attacks of the Distributed Denial of Service (DDoS) type, as it detects attacks using advanced algorithms that run on Azion’s distributed network. This distributed network is connected to several mitigation centers to guarantee mitigation during large-scale attacks, both at the network and application levels.
Through a modern approach to detect and mitigate attacks from the network, transport, and application layers, we reduce downtime without impacting your service’s performance.
Edge Functions are components of Azion’s Edge Computing Platform, which enable serverless functions to be added to your applications, relieving your infrastructure, performing functions closer to the user, ensuring the necessary agility and scalability to meet your business objectives.
You can benefit from a microservice-based architecture, easily creating functions that run close to users.
You can also write your own security source code and deploy it to run at the Edge of the Network close to the user or choose from ready-to-use solutions, thus making it easy to implement in a few steps.
You can still use security solutions to protect sensitive data detection, identification and management of bots (botnets), covering the protection of websites, applications, APIs, and mobile applications against attacks at the edge of the network.
You can also use Edge Functions to configure an IP reputation service that covers website protection, applications, APIs and mobile apps, as well as web parameter tampering and cookie tampering.
Network Layer Protection
This module allows the creation of filters by IP / CIDR, ASN addresses or by countries (geolocation), through the configuration of Network Lists and the definition of business rules that will validate blocking or release criteria, according to your need, specified on your Edge Firewall’s Rules Engine.
Operating within layers 3 and 4 of the OSI model, Network Layer Protection is a powerful tool that is a safe and efficient option to protect your business against attacks and unwanted user access. It extends the protection period from the edge network, closer to the end-user.
Origin Shield Add-on
With this Azion Edge Firewall add-on, you can create a security perimeter for your origin infrastructure, be it a cloud provider, hosting, or even your own datacenter. With this service, your origin can restrict access only from specific IP addresses on our network and block any other access to your origin.
It allows that access can only be made through Azion edge nodes because they will bring the application closer to the end user with full performance and security.
Web Application Firewall
Web Application Firewall (WAF) protects your applications against threats such as SQL Injections, Remote File Inclusion (RFI), Cross-Site Scripting (XSS) and many others. The WAF analyses HTTP and HTTPS requests, detects and blocks threats before they can reach your infrastructure and affect your applications performance.
It works at layer 7 at the application level and is based on scoring, that is, each request is compared with a very rigorous and detailed set of application patterns and is given a score, which is associated with a certain threat family. According to the score that this request has, it can be released or blocked. This happens directly in Azion’s Edge Node before the threat reaches your origin or causes any damage. It is possible to customize the desired sensitivity and have a differentiated blocking for each threat family.
3. Support Documentation
- Rules Engine
- Network Lists
- Web Application Firewall (WAF)
- Access Permissions
- Mitigation Mechanisms and DDoS Attacks
Didn’t find what you were looking for? Open a support ticket.