Azion Edge Firewall is a security product that protects from the network layer to the application layer. Your security team finds the most advanced features to protect your applications from all types of attacks in a single place.
With Edge Firewall, you can extend your security perimeter to the network edge, since your access control rules are processed directly through the Azion Edge Network, closer to users, preventing unwanted requests from reaching your origin or accessing your applications.
Because it is a programmable, modular and extendible firewall, it allows you to choose the modules that suit your needs.
You can make your own protection source code available and run it directly on the Azion distributed network. This benefits both the end-user and the application itself, as the user has access to a protected application with low latency. Protect against complex attacks by extending the protection perimeter to the edge.
With the Edge Firewall you can:
- create whitelists, blacklists and greylists based on either the IP/CIDR address or the ASN or location of the user;
- protect your applications from the Tor network;
- limit the access rate to an application to avoid brute force attacks;
- mitigate Denial of Service attacks (DDoS);
- protect applications from OWASP Top 10 threats;
- add your own source code protection or content access controls, to be run from Edge Firewall;
- integrate third-party software to be run in the Edge Firewall. For example, market-leading solutions against credential stuffing, account takeover attempts, price, and contact scraping, etc.
1. How it works
By using Azion as your edge computing platform, you can create security settings on Edge Firewall to protect your applications.
Edge Firewall settings, called Rule Sets, are sets of security rules that must be applied to a group of domains.
You can share the same Rule Set among all applications that adopt the same security policy.
An Edge Firewall Rule Set consists of a selection of domains where it should be applied, modules that must be applied and the security rules configured in Rules Engine.
Network Layer Protection
Web Application Firewall
You need at least one activated module to use the product and, to ensure the security of your applications at all layers, we recommend that you activate them all.
After activating the modules you want, you must configure your security rules in Rules Engine. The rules you configure will run sequentially until the request is blocked or restricted, or until or all your rules are processed, at which point the request is released. The request’s data stream only passes into your edge application if none of your Edge Firewall rules block or reject the request, ensuring that malicious requests don’t reach your application.
Each rule is made of conditions - Criteria - and Behaviors. The Behaviors setup will run if the conditions are met. For example, you can set up rules to block requests that come from IPs that are in a blacklist, or even make up rules to exclude IPs that are in a whitelist. In this example, “block” is the Behavior, while the IP of the request is in the blacklist and not present in the whitelist is the condition - Criteria.
The criteria and behaviors available in the Edge Firewall depend on the modules you have enabled in the Rule Set.
2. Edge Firewall Modules
Azion Edge Firewall has the following modules, so that you can build high-performance, scalable, safe edge applications, much more simply and without the heavy maintenance.
The DDoS Protection module protects your content and applications against attacks of the Distributed Denial of Service (DDoS) type, as it detects attacks using advanced algorithms that run on Azion’s distributed network. This distributed network is connected to several mitigation centers to guarantee mitigation during large-scale attacks, both at the network and application levels.
Through a modern approach to detect and mitigate attacks from the network, transport, and application layers, we reduce downtime without impacting your service’s performance.
Edge Functions are components of Azion’s Edge Computing Platform, which enable serverless functions to be added to your applications, relieving your infrastructure, performing functions closer to the user, ensuring the necessary agility and scalability to meet your business objectives.
You can benefit from a microservice-based architecture, easily creating functions that run close to users.
You can also write your own security source code and deploy it to run on the Edge of the Network close to the user, or choose from ready-to-use solutions, thus making it easy to implement in a few steps.
You can still use third-party security solutions to protect sensitive data and applications against attacks at the edge of the network.
Network Layer Protection
This module allows the creation of filters by IP / CIDR, ASN addresses or by countries (geolocation), through the configuration of Network Lists and the definition of business rules that will validate blocking or release criteria, according to your need, specified on your Edge Firewall’s Rules Engine.
Operating within layers 3 and 4 of the OSI model, Network Layer Protection is a powerful tool that is a safe and efficient option to protect your business against attacks and unwanted user access. It extends the protection period from the edge network, closer to the end-user.
Origin Shield Add-on
With this Azion Edge Firewall add-on, you can create a security perimeter for your origin infrastructure, be it a cloud provider, hosting, or even your own datacenter. With this service, your origin can restrict access only from specific IP addresses on our network and block any other access to your origin.
It allows that access can only be made through Azion edge nodes, because they will bring the application closer to the end user with full performance and security.
Web Application Firewall
Web Application Firewall (WAF) protects your applications against threats such as SQL Injections, Remote File Inclusion (RFI), Cross-Site Scripting (XSS) and many others. The WAF analyses HTTP and HTTPS requests, detects and blocks threats before they can reach your infrastructure and affect your applications performance.
It works at layer 7 at the application level and is based on scoring, that is, each request is compared with a very rigorous and detailed set of application patterns and is given a score, which is associated with a certain threat family. According to the score that this request has, it can be released or blocked. This happens directly in Azion’s Edge Node before the threat reaches your origin or causes any damage. It is possible to customize the desired sensitivity and have a differentiated blocking for each threat family.
3. Support Documentation
Didn’t find what you were looking for? Open a support ticket.