Asset Discovery - Web Application Firewall - Alibaba Cloud Documentation Center

Web Application Firewall (WAF) provides the asset discovery feature. This feature identifies domain names in and outside the cloud and calculates the security scores of the domain names. This feature helps you monitor the overall situation of all domain names. You can enable protection for the domain names that have low security scores. This improves the overall security of your business system.

Prerequisites

A WAF instance that resides in the Chinese mainland is purchased.

Important Only WAF instances that reside in the Chinese mainland support the asset discovery feature.

Background information

Network application assets are the most important carrier of network applications in a security management system and are the most fundamental components in a business system. As enterprise business rapidly develops, more business systems are used. A single enterprise may have multiple business systems, and employees may forget to release resources after they build websites or test environments. As a result, business systems may contain unmanaged zombie assets. The most vulnerable part of a business system determines the overall security of the system. In most cases, zombie assets use outdated versions of open source systems, components, or web frameworks, which have common vulnerabilities. Attackers can exploit these vulnerabilities to invade the internal network of an enterprise.

The asset discovery feature can obtain the configurations of Alibaba Cloud services, such as Domains, SSL Certificates Service, and Alibaba Cloud DNS. Then, the feature, together with big data-enabled correlation analysis, can identify domain names in and outside the cloud based on the obtained configurations. This way, you can monitor the overall situation of all the domain names and make sure that all domain names are protected. The asset discovery feature calculates the security scores of domain names based on threat intelligence and the default attack detection capability of Alibaba Cloud. This way, you can identify the domain names that are vulnerable to attacks. Then, you can add the domain names to WAF to prevent attacks.

Note The asset discovery feature can identify domain names from Alibaba Cloud and third-party providers. The domain names from third-party providers include the domain names of servers from third-party providers and the domain names of servers that are deployed in data centers.

View domain names

Log on to the WAF console.
In the top navigation bar, select Mainland China.
Important Only WAF instances that reside in the Chinese mainland support the asset discovery feature.
In the left-side navigation pane, choose Asset Center > Asset Discovery.
Authorize WAF to access cloud resources.
Before you can use the asset discovery feature of WAF, you must authorize WAF to obtain the website information from cloud services in your Alibaba Cloud account. You must also authorize WAF to manage the Domain Name System (DNS) records of the domain names that are hosted in Alibaba Cloud DNS. Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. This role allows WAF to access cloud resources. You need to perform authorization only once.
If you have performed authorization, skip this step.
1. Click Authorized activation.
2. In the Tips message, click OK.
  After you click OK, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role.
  To view the service-linked role, log on to the RAM console and choose Identities > Roles in the left-side navigation pane. After Alibaba Cloud creates the service-linked role AliyunServiceRoleForWAF, your WAF instance can access the associated cloud resources, such as ECS instances, ALB and CLB instances of SLB, Alibaba Cloud DNS, Alibaba Cloud CDN, SSL Certificates Service, and Log Service.
After WAF is authorized to access cloud resources, WAF automatically discovers domain names in your Alibaba Cloud account and displays the domain names on the Asset Discovery page.

On the Asset Discovery page, view the domain names that are discovered by WAF.

WAF aggregates the domain names based on the second-level domain names and displays the aggregated domain names in a list. You can perform the following operations to view domain names:

Specify a protection state above the list of domain names to search for domain names. Unprotected, Partial Protection, and Protected are supported.
Enter a keyword in the search box above the list of domain names to search for domain names. Fuzzy match is supported.
In the list of domain names , click the icon to the right of a second-level domain name to show all subdomains that belong to the second-level domain name. Then, you can view the asset information about each subdomain. Example of a second-level domain name: example.com. Example of a subdomain: www.example.com.

The following table describes the information of each domain name.


Parameter	Description
Domain Name	The domain name of the website.
Server IP	The IP address and CNAME of the origin server.
Port	The port that is used by the origin server.
Protocol	The protocol that is used by the origin server. HTTP and HTTPS are supported.
Fingerprint	The fingerprint of the origin server. The fingerprint contains the following information: Programming language, such as Java, PHP, or ASP Middleware, such as NGINX, Apache, or Tomcat Open source or commercial application, such as WordPress, DedeCMS, or Discuz! Development framework, such as ThinkPHP or Django Component, such as Apache Shiro or Apereo CAS
Security Score	The security score of the domain name. The score is a weighted security score, which is calculated based on the trend of attacks in the cloud within the last 30 days and threat intelligence. A lower security score indicates a higher risk. If your domain name has a low security score, we recommend that you add your domain name to WAF at the earliest opportunity.
Protection Status	Indicates whether the domain name is protected by WAF. Valid values: Unprotected: The domain name is not added to WAF. In this case, we recommend that you enable protection for the domain name. For more information, see Enable protection for a domain name. Partial Protection: This state is available only for wildcard domain names, such as *.example.com. In this state, some domain names that belong to a wildcard domain name are protected by WAF. In this case, we recommend that you add the unprotected domain names that belong to the wildcard domain name to WAF at the earliest opportunity. Protected: The domain name is protected by WAF. WAF detects the traffic that is destined for the domain name and protects the domain name. You can view the asset details of the domain name. For more information, see View asset details.

Enable protection for a domain name

If a domain name in the asset list is in the Unprotected state and the domain name belongs to your Alibaba Cloud account, you can click Add for Protection in the Operation column to add the domain name to WAF for protection. To check whether the domain name belongs to your Alibaba Cloud account, log on to the Domains console and check whether the domain name is displayed on the Domain Name List page. If the domain name is displayed on the page, the domain name belongs to your Alibaba Cloud account.

Note If the The wildcard domain is used by another user. message appears when you add a domain name, the wildcard domain name to which the domain name belongs is added to WAF by using another Alibaba Cloud account. You do not need to add the domain name. For example, the domain name www.example.com belongs to the wildcard domain name *.example.com. If the wildcard domain name *.example.com is added to WAF, you do not need to add the domain name www.example.com to WAF.

View asset details

If a domain name is in the Protected state, you can click Asset Details in the Operation column to view the details about the domain name.

The asset details page contains the following sections:

General Information: This section displays Domain Name, Protocol, Protection Status, and Server IP.
URL Tree:
WAF analyzes and classifies the URLs of protected domain names based on the amount and characteristics of traffic collected by WAF. The URLs and parameters in the URLs are aggregated based on data normalization. For example, WAF aggregates the URLs of the following news sites to a URL in the /{Characters+Digits}.html format:
- /news1234.html
- /oldnews1223.html
- /news1224.html
- /news124.html
In the URL Tree section, you can view the aggregation results. The results include the URLs, the parameters in each URL, the value type of each parameter, and the number of times that each URL is requested within the last day.
Note Only the paths in URLs in the site tree are displayed. By default, a maximum path depth of three is allowed in the displayed URLs. The URLs are sorted in descending order of request frequency.
In this section, you can perform the following operations:
- To search for URLs, select URL or File Extension from the drop-down list. Then, enter a keyword and click Search.
- In the URL column, click the URL for which the icon is displayed to show the information about the URL.
- In the Parameter|Data Type column, view the names and value types of the parameters that are specified in a URL.
  Note The parameter information is aggregated. By default, the names and value types of only three parameters are displayed. You can move the pointer over the icon in the lower-right corner to view all the parameters.