
Best practices for Web Application Firewall

In this article, you will get best practices for protecting Web applications, servers, and data with Web Application Firewall (WAF).

WAF provides protection against Web attacks, such as SQL injection, XSS, remote command execution, and webshell upload. By default, Web Application Protection is enabled and the normal mode protection is used.

There are two modes provided: Protection and Warning:

  1. The Protection mode indicates that WAF automatically blocks malicious requests and logs attacks when the application is under attack.
  2. The Warning mode indicates that WAF does not block malicious requests but logs attacks when the application is under attack.

There are three protection policies available when the Protection mode is selected:

  1. Loose: This policy only blocks requests that display typical attack patterns.
  2. Normal: This policy blocks requests that display common attack patterns.
  3. Strict: This policy blocks crafted requests that display specific types of attack patterns.

Protection tips:

If you are not clear about your website's traffic patterns, we recommend that you use the Warning mode first. You can observe the traffic flow for one or two weeks and then analyze the attack log.

  1. If you do not find any record indicating that normal requests are blocked, you can switch to the Protection mode to enable further protection.
  2. If normal requests are found in the attack log, contact customer service to resolve the issue.
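The two modes and three policy levels described above can be modelled as a small rule engine. The following Python is an added example, not Alibaba Cloud WAF's own code or rule set: the signature table, its level assignments, the sample requests and the "known good" list are all constructed for illustration. It shows why the recommended procedure is "Warning mode first, then review the attack log": a stricter policy catches more, but the log review is what reveals which legitimate requests it would have blocked.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Hypothetical signature table, not WAF's real rule set: (name, pattern, level).
# Level 1 fires under Loose, Normal and Strict; level 2 under Normal and Strict;
# level 3 only under Strict. Stricter policies catch more, but also match more
# legitimate traffic, which is why the log review below matters.
SIGNATURES = [
    ("sqli_union_select", re.compile(r"union\s+select", re.I), 1),
    ("xss_script_tag", re.compile(r"<script\b", re.I), 1),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), 2),
    ("rce_command_chain", re.compile(r"[;|`]\s*(id|whoami|cat)\b", re.I), 2),
    ("xss_event_handler", re.compile(r"\bon\w+\s*=", re.I), 3),
]
POLICY_LEVEL = {"loose": 1, "normal": 2, "strict": 3}


@dataclass
class Decision:
    request: str
    matched: List[str]   # signature names that fired
    blocked: bool        # True only in Protection mode


class Waf:
    """Toy model of the Protection/Warning modes and Loose/Normal/Strict policies."""

    def __init__(self, mode: str = "warning", policy: str = "normal"):
        if mode not in ("warning", "protection"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.level = POLICY_LEVEL[policy]
        self.attack_log: List[Decision] = []

    def inspect(self, request: str) -> Decision:
        matched = [name for name, rx, level in SIGNATURES
                   if level <= self.level and rx.search(request)]
        # Warning mode logs but never blocks; Protection mode logs and blocks.
        decision = Decision(request, matched, bool(matched) and self.mode == "protection")
        if matched:
            self.attack_log.append(decision)
        return decision


def find_false_positives(attack_log: List[Decision], known_good: Set[str]) -> List[Decision]:
    """Log-review step: entries that hit a signature but are known legitimate traffic."""
    return [d for d in attack_log if d.request in known_good]


# Constructed sample traffic (request line only); not captured from a real site.
SAMPLE_REQUESTS = [
    "GET /products?id=1",
    "GET /products?id=1' OR '1'='1",
    "GET /search?q=<script>alert(1)</script>",
    "GET /shop?category=shoes&onsale=1",
    "GET /ping?host=127.0.0.1;id",
]
# Requests the site owner knows are legitimate (the /shop one is a real feature).
KNOWN_GOOD = {"GET /products?id=1", "GET /shop?category=shoes&onsale=1"}


def observation_run(policy: str = "strict"):
    """Week-one setup: Warning mode, collect the log, then review it for false positives."""
    waf = Waf(mode="warning", policy=policy)
    for req in SAMPLE_REQUESTS:
        waf.inspect(req)
    return waf.attack_log, find_false_positives(waf.attack_log, KNOWN_GOOD)


if __name__ == "__main__":
    log, fps = observation_run("strict")
    print(f"strict/warning: {len(log)} logged, {len(fps)} false positive(s)")
    for d in fps:
        print("  would have been blocked:", d.request, d.matched)
    # Nothing in the Normal-policy log is legitimate, so Protection is safe to enable.
    log, fps = observation_run("normal")
    print(f"normal/warning: {len(log)} logged, {len(fps)} false positive(s)")
    waf = Waf(mode="protection", policy="normal")
    for req in SAMPLE_REQUESTS:
        d = waf.inspect(req)
        print("BLOCK" if d.blocked else "allow", d.request)
```

In the strict run the `onsale=1` parameter trips the level-3 event-handler signature, so the log review flags a legitimate request; under Normal that signature is off and the log contains only real attack patterns, which is the condition under which the article says to switch to Protection mode.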

Note the following points in your operations:

  1. Do not pass raw SQL statements or JavaScript code in HTTP requests.
  2. Do not use special keywords, such as UPDATE and SET, to define the path in URLs, such as www.example.com/abc/update/mod.php?set=1.
  3. If file uploads are required, restrict the maximum file size to 50 MB. We recommend that you use OSS or other methods to upload files exceeding the size limit.
  4. After Web Application Protection is enabled, do not disable the All Requests option in the default rule of HTTP ACL Policy.

After Web Application Protection is enabled, you can choose Reports > Reports to view details about blocked attacks. When new vulnerabilities are discovered, WAF updates its protection rules and releases security bulletins in a timely manner.

For detailed procedures, please go to Best practices for Web application protection.

Related Documentation

Best practices for HTTP flood protection - Web Application Firewall

This topic describes common scenarios of HTTP flood attacks and introduces related protection strategies offered by WAF. By using WAF, you can effectively protect your site from HTTP flood attacks.

During HTTP flood attacks, the request rate of a single zombie server is typically far higher than that of a normal user. The most effective way to defend against this type of attack is to restrict the request rate of the source IP.
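The per-source-IP rate restriction described above is, at its core, a sliding-window counter keyed by source IP. The following Python is an added example, not WAF's implementation: it builds a constructed access log (RFC 5737 documentation addresses, one ordinary visitor and one flooding source), replays it through a sliding-window counter, and reports every IP whose peak request count in any window exceeded the limit. The window size and limit are assumed values to be tuned against real traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[datetime, str, str]  # (timestamp, source IP, path)


def build_sample_log() -> List[str]:
    """Constructed access-log lines (not real traffic): one ordinary visitor
    and one flooding source, both using RFC 5737 documentation addresses."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Ordinary visitor: five page views spread over a minute.
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 /catalog?page={i}")
    # Flooding source: thirty hits on one URL inside three seconds.
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 /search?q=x")
    return lines


def parse_log(lines: Iterable[str]) -> List[Entry]:
    entries = []
    for line in lines:
        ts, ip, path = line.split(" ", 2)
        entries.append((datetime.fromisoformat(ts), ip, path))
    entries.sort(key=lambda e: e[0])   # the sliding window needs time order
    return entries


def flag_flooding_ips(entries: List[Entry], window_seconds: int = 10,
                      max_requests: int = 20) -> Dict[str, int]:
    """Sliding-window count per source IP. Returns {ip: peak requests in any
    window} for every IP whose peak exceeded max_requests."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, ip, _path in entries:
        q = recent[ip]
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        q.append(ts)
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    for ip, n in flag_flooding_ips(entries).items():
        print(f"{ip}: peak {n} requests in 10s, exceeds limit -> rate-limit candidate")
```

The same structure serves as an enforcement point if `inspect` is called per request instead of over a replayed log: when the deque for an IP is already at the limit, the request is throttled rather than served. Keying on the source IP only is the simplest form; behind a shared NAT or proxy the limit must be set high enough that one office does not look like one zombie.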

A large portion of HTTP flood attacks originate from international regions, data centers, and public clouds. If your website targets Chinese users, you can block requests from international regions to mitigate this attack.

Malicious requests in HTTP flood attacks are often arbitrarily constructed, so their packets look abnormal or unusual compared with normal requests.

We recommend that you use Data Risk Control to protect important APIs from abuses. These APIs include logon, registration, voting, and SMS verification APIs.

A large number of malicious scans pose a serious threat to the performance of your servers. Apart from restricting scans based on frequency, you can also use Malicious IP Blocking to enhance protection.

To protect your business from fake apps, you can use a number of different mitigations such as custom HTTP flood protection, blocked regions, and HTTP ACL policies. You can also integrate with Alibaba Cloud Security SDK for enhanced protection capability.

For informational websites offering services such as credit reports, apartment rentals, airline tickets, and e-book reading, Web crawlers can significantly increase bandwidth usage, slow down the server's performance, and even cause data leakage. The aforementioned approaches may not be very effective in preventing Web crawlers. We recommend that you use Anti-Bot Service for more advanced protection.

Protect your origin server

If the IP address of your origin server is disclosed, an attacker may exploit it to bypass Alibaba Cloud WAF and start direct-to-origin attacks against your origin server. To prevent such attacks, you can configure a security group (ECS origins) or whitelist (SLB origins) in your origin server.

Please note that you are not required to do the configuration described in this topic. But we recommend that you do so to eliminate the possible risk arising from IP exposure.
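Whichever control is used on the origin (an ECS security group or an SLB whitelist), the check is the same: only the WAF back-to-origin ranges may reach the web ports. The following Python is an added example, not an Alibaba Cloud API or tool: it models the allow-list as plain rule dictionaries, answers "would this source reach port 443?", and audits a rule set for any allow rule on a web port that is not contained in the WAF ranges. The two CIDRs are RFC 5737 placeholders; the real back-to-origin list is not on this page and must be taken from the WAF console.

```python
import ipaddress
from typing import Dict, List

# Placeholder WAF back-to-origin ranges (RFC 5737 documentation prefixes).
# Replace with the current list published in the WAF console; it is not on this page.
WAF_BACK_TO_ORIGIN_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]
WEB_PORTS = (80, 443)

Rule = Dict[str, object]  # {"cidr": str, "port": int, "action": "allow"}


def build_inbound_rules(cidrs: List[str], ports=WEB_PORTS) -> List[Rule]:
    """Allow-list: only the WAF ranges may reach the web ports on the origin."""
    return [{"cidr": c, "port": p, "action": "allow"} for c in cidrs for p in ports]


def is_allowed(rules: List[Rule], src_ip: str, port: int) -> bool:
    """Default-deny: a source is admitted only if some allow rule covers it on that port."""
    ip = ipaddress.ip_address(src_ip)
    return any(r["action"] == "allow" and r["port"] == port
               and ip in ipaddress.ip_network(r["cidr"]) for r in rules)


def audit_rules(rules: List[Rule], waf_cidrs: List[str]) -> List[str]:
    """Findings for allow rules that would let non-WAF traffic reach the web ports,
    for example a leftover 0.0.0.0/0 rule that exposes the origin directly."""
    waf_nets = [ipaddress.ip_network(c) for c in waf_cidrs]
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["port"] not in WEB_PORTS:
            continue
        net = ipaddress.ip_network(r["cidr"])
        if not any(net.subnet_of(w) for w in waf_nets):
            findings.append(f"port {r['port']} open to {net}, which is outside the WAF ranges")
    return findings


if __name__ == "__main__":
    good = build_inbound_rules(WAF_BACK_TO_ORIGIN_CIDRS)
    print("audit of WAF-only rules:", audit_rules(good, WAF_BACK_TO_ORIGIN_CIDRS))
    # A rule that was never removed after onboarding to WAF: the origin is reachable directly.
    exposed = good + [{"cidr": "0.0.0.0/0", "port": 443, "action": "allow"}]
    print("audit of leftover open rule:", audit_rules(exposed, WAF_BACK_TO_ORIGIN_CIDRS))
    print("WAF source on 443:", is_allowed(good, "192.0.2.10", 443))
    print("other source on 443:", is_allowed(good, "203.0.113.9", 443))
```

Run the audit whenever the WAF back-to-origin list changes or the security group is edited; a rule set that passes the audit means a request that arrives at the origin can only have come through WAF.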

Related Blog Posts

Is Your Data Secure in the Cloud? An Overview of Alibaba Cloud's Data Security Architecture

Alibaba Cloud provides users with high-security infrastructure capabilities by default, so that users can safely store and use data on a trusted cloud platform. It is worth noting that Alibaba Cloud infrastructure secures and scans hardware and firmware, provides a TPM2.0-compliant computing environment, and offers hardware encryption (HSM) and chip-level (SGX) encryption computing capabilities at the cloud platform layer.

In general, cloud data security solutions aim to be trustworthy, controllable, and compliant. In other words, only by providing a compliant data protection solution in a trustworthy and controllable cloud security environment can one create a top-level data security solution for cloud users.

Keeping Your Data Secure with Web Application Firewall

A network attack is similar to a viral infection in humans: it will inevitably spread once contracted, resulting in more data leaks. However, that does not mean that attackers are the sole culprit of data leaks. Failure to take preventive measures is one of the leading causes of data leakage for many enterprises. In this article, we will examine how exposed your enterprise is to data leaks with the following six questions.

Of course, not all enterprises have the resources to implement all of our suggestions on security. Enterprises can selectively launch security measures based on the available funds, labor, and security policies.

For example, fast vulnerability fixes, data encryption, and regular detection and scanning are measures with immediate benefits. If you also want long-term security and stable operations for your enterprise, you will need to invest in improving employee security awareness, data visibility management, and code review procedures.

Related Market Products

NSFOCUS Web Application Firewall (WAF)(BYOL)

The NSFOCUS Web Application Firewall (WAF) provides comprehensive, application layer security to completely protect your critical servers and web applications. It provides full protection from the top 10 threats identified by the Open Web Application Security Project (OWASP), and has been specifically designed to protect web applications and their underlying infrastructure, including servers, plug-ins, protocols, network connectivity and more. Using advanced, state-of-the-art engineering the NSFOCUS WAF includes technology powered by an internationally-recognized research lab, and developed with over 10 years of experience protecting the world’s largest banks, telecommunications, gaming and social media companies. The WAF uses an innovative combination of machine learning, positive and negative security models, as well as application profile learning, to deliver real-time application layer security.

F5 Per-App VE – Advanced WAF (PAYG, 200Mbps)

F5 Per-App VEs offer feature parity with physical and virtual Advanced WAF appliances, allowing you to easily replicate configurations and policies to ensure a consistent security posture across multi-cloud environments. With reduced footprint and spin-up time, F5 Per-App VEs can be rapidly provisioned to meet more agile application requirements. By implementing a Per-App architecture, you limit the total impact if/when an application is compromised, as all apps are isolated from one another.

Related Course

Web Application Attacks and Defense Deep Dive

Web applications are the most common way to provide services on the cloud and are the most vulnerable security targets. Through this course, you can understand the top 10 web application security risks listed by OWASP. We will explain these 10 security risks one by one, choose XSS, SQL injection, and webshell, the three most common attack methods, for further in-depth discussion, and finally introduce Alibaba Cloud's WAF products to help you solve online application security problems once and for all.

Alibaba Clouder
