This topic describes how to select protection modules and configure protection policies of Web Application Firewall (WAF) from the perspective of different roles to meet business requirements in different scenarios. By reading this topic, you can understand the protection logic of WAF.

Prerequisites

Your website configurations are added to WAF. For more information, see Add domain names.

Usage notes

All the descriptions in this topic assume that you have enabled the recommended website protection features. If you have not enabled such features, enable and configure them based on the feature descriptions.

Unless otherwise specified, the recommended website protection features are configured on the Website Protection page. Follow these steps to go to the Website Protection page:

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure protection features.

Overview

This topic provides the recommended website protection features based on roles and business requirements. You can decide which features to enable based on your business requirements.

I am new to WAF. I am unfamiliar with website security and do not have any special requirements

You may have purchased WAF based on a need for classified protection or the intention to improve the security level of your enterprise. In either case, you need to add your website configurations to WAF so that you can use the default protection settings of WAF. The default protection settings are sufficient to protect your website from the majority of basic web threats.

We recommend that you browse the Overview and Security report pages in the Web Application Firewall console to understand the security situations of your business and the attacks it may face. For more information, see the following topics:

I am an O&M engineer. I want to ensure business stability and quickly troubleshoot issues

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Website Whitelisting: You can configure a whitelist to allow requests that meet the specific conditions without the need to perform a check.
    Operations: On the Website Protection page, click Website Whitelisting in the upper-right corner. On the Website Whitelisting page, create a whitelist. For more information, see Configure the website whitelist.
    To implement more precise protection, you can also configure a whitelist for a specific protection module. For more information, see the following topics:
  • IP Blacklist: This feature allows you to configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business and from IP addresses in specific regions. For example, if a local government forum is accessed only by local IP addresses, you can add IP addresses from other regions to a regional blacklist. If your website does not have users outside China, you can add all the regions outside China to a regional blacklist.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the IP Blacklist card and configure the required parameters. For more information, see Configure the IP blacklist.

  • Custom Protection Policy: This feature allows you to customize access control lists (ACLs) or throttling policies. For example, you can allow access to an API only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Account Security: This feature allows you to monitor user authentication-related endpoints, such as the endpoints used for registration and logon, to detect events that may pose a threat to user credentials. These threats include credential stuffing, brute-force attacks, account registrations launched by bots, weak password sniffing, and SMS interface abuse.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Account Security. In the Account Security card, click Settings and configure the required parameters. For more information, see Configure account security.

I am a security engineer. I need to comprehensively prevent web intrusion

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Decoding Settings: This feature allows you to specify a decoding method for the WAF engine based on the encoding scheme of your business to maximize protection for your website. A proper decoding method allows the WAF engine to effectively identify traffic and achieve precise prevention. WAF uses all 13 decoding methods by default. You can filter out unnecessary methods to avoid unnecessary parsing and false blocking.

    Operations: On the Website Protection page, click the Web Security tab. In the Web Intrusion Prevention section, find RegEx Protection Engine. In the RegEx Protection Engine card, specify Decoding Settings. For more information, see Configure the RegEx Protection Engine.

  • Protection Rule Group: This feature allows you to select protection rules from a built-in protection rule set based on the form, framework, and middleware of your business system. You can use these rules to customize a rule group to prevent web attacks and apply the rule group to your website. We recommend that you use this feature to configure web intrusion prevention policies for your website. If you want to configure prevention policies for a single URL, we recommend that you use the Custom Protection Policy feature.
    Operations: Log on to the Web Application Firewall console and choose System Management > Protection Rule Group. On the Protection Rule Group page, customize the rule group for web attack prevention and apply the rule group to your website. For more information, see Customize protection rule groups.
  • Custom Protection Policy: This feature allows you to customize access control lists (ACLs) or throttling policies. For example, you can allow access to an API only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Big Data Deep Learning Engine (Warn mode): The big data deep learning engine is trained based on the intelligence of hundreds of millions of samples generated on the cloud every day. This makes up for the weaknesses of the RegEx Protection Engine, especially in terms of defense against deformed or unknown attacks. We recommend that you enable the big data deep learning engine in Warn mode. Then, observe the anomalies that are detected by the engine over a period of one to two weeks. If the engine works properly, switch to the Block mode.

    Operations: On the Website Protection page, click the Web Security tab. In the Web Intrusion Prevention section, find Big Data Deep Learning Engine. In the Big Data Deep Learning Engine card, turn on the Status switch and set Mode to Warn. For more information, see Configure the big data deep learning engine.

  • Positive Security Model (Warn mode): The positive security model is built based on the learning of the traffic in the current domain. The model specifies the types and lengths of request parameters and whether the parameters are mandatory. After the model is built, if a request does not match the characteristics described in the model, an alert is generated. The positive security model in Warn mode allows you to effectively detect anomalies and threats to your business. If the detected requests are useless to your business, you can enable the Block mode.

    Operations: On the Website Protection page, click the Web Security tab. In the Advanced protection section, find Positive Security Model. In the Positive Security Model card, turn on the Status switch and set Mode to Warn. For more information, see Configure the positive security model.

  • Scan Protection (Blocking IPs Initiating High-frequency Web Attacks, Directory Traversal Prevention, Scanning Tool Blocking, and Collaborative Defense): This feature helps reduce the threats posed by scanners from multiple dimensions, such as intelligence, scanner features, and scan behavior.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, enable all functions and specify appropriate thresholds. For more information, see Configure scan protection.

I want to achieve the strongest protection and radically block attacks

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • RegEx Protection Engine (Strict rule group)

    Operations: On the Website Protection page, click the Access Control/Throttling tab. In the Web Intrusion Prevention section, find RegEx Protection Engine. In the RegEx Protection Engine card, set Protection Rule Group to Strict rule group. For more information, see Create a custom protection policy.

  • Big Data Deep Learning Engine (Block mode): The big data deep learning engine is trained based on the intelligence of hundreds of millions of samples generated on the cloud every day. This makes up for the weaknesses of the RegEx Protection Engine, especially in terms of defense against deformed or unknown attacks. To achieve the strongest protection, we recommend that you enable the Block mode.

    Operations: On the Website Protection page, click the Web Security tab. In the Web Intrusion Prevention section, find Big Data Deep Learning Engine. In the Big Data Deep Learning Engine card, turn on the Status switch and set Mode to Block. For more information, see Configure the big data deep learning engine.

  • Positive Security Model (Block mode): The positive security model is built based on the learning of the traffic in the current domain. The model specifies the types and lengths of request parameters and whether the parameters are mandatory. After the model is built, if a request does not match the characteristics described in the model, an alert is generated. To achieve the strongest protection, we recommend that you enable the Block mode.

    Operations: On the Website Protection page, click the Web Security tab. In the Advanced Protection section, find Positive Security Model. In the Positive Security Model card, turn on the Status switch and set Mode to Block. For more information, see Configure the positive security model.
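The following Python example, added here and not part of Alibaba Cloud WAF or of this topic, illustrates the positive security model described for both the Warn mode and the Block mode above: a profile of parameter types, lengths and mandatory status is learned from sample traffic, a deviating request is reported, and the mode decides whether it is only alerted on or rejected. The type classes, the order API and the learning traffic are constructed assumptions.

```python
RANK = {"int": 0, "alnum": 1, "text": 2}  # value types, narrowest to broadest

def value_type(v: str) -> str:
    return "int" if v.isdigit() else "alnum" if v.isalnum() else "text"

class PositiveModel:
    def __init__(self):
        self.samples = 0   # learning requests seen
        self.params = {}   # name -> {"max_len", "type", "seen"}

    def learn(self, request: dict) -> None:
        """Widen each parameter's profile to cover one observed request."""
        self.samples += 1
        for name, val in request.items():
            p = self.params.setdefault(name, {"max_len": 0, "type": "int", "seen": 0})
            p["seen"] += 1
            p["max_len"] = max(p["max_len"], len(val))
            if RANK[value_type(val)] > RANK[p["type"]]:
                p["type"] = value_type(val)

    def violations(self, request: dict) -> list:
        """A parameter present in every learning sample is mandatory; unknown,
        oversized or wrongly typed parameters are also reported."""
        found = [f"{n}: mandatory parameter missing" for n, p in self.params.items()
                 if p["seen"] == self.samples and n not in request]
        for name, val in request.items():
            p = self.params.get(name)
            if p is None:
                found.append(f"{name}: unknown parameter")
            elif len(val) > p["max_len"]:
                found.append(f"{name}: length {len(val)} exceeds {p['max_len']}")
            elif RANK[value_type(val)] > RANK[p["type"]]:
                found.append(f"{name}: type {value_type(val)} is not {p['type']}")
        return found

    def decide(self, request: dict, mode: str) -> tuple:
        """Warn mode alerts but lets the request through; Block mode rejects it."""
        v = self.violations(request)
        if not v:
            return ("allow", v)
        return ("block" if mode == "Block" else "alert", v)

# Constructed learning traffic for a hypothetical order API (not real data)
TRAINING = [
    {"item_id": "1042", "qty": "2", "coupon": "SPRING"},
    {"item_id": "77", "qty": "10"},
    {"item_id": "300158", "qty": "1", "coupon": "VIP2024"},
]

def build_model(samples=TRAINING) -> PositiveModel:
    model = PositiveModel()
    for req in samples:
        model.learn(req)
    return model
```

Calling `build_model().decide({"item_id": "x-9f3a", "qty": "1", "ref": "mail"}, "Warn")` reports the wrongly typed item_id and the unknown ref parameter with the action alert, and the same request in Block mode returns block.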

  • Scan Protection (Blocking IPs Initiating High-frequency Web Attacks, Directory Traversal Prevention, Scanning Tool Blocking, and Collaborative Defense): This feature helps reduce the threats posed by scanners from multiple dimensions, such as intelligence, scanner features, and scan behavior.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, enable all functions and specify appropriate thresholds. For more information, see Configure scan protection.

  • IP Blacklist: This feature allows you to configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business and from IP addresses in specific regions. For example, if a local government forum is accessed only by local IP addresses, you can add IP addresses from other regions to a regional blacklist. If your website does not have users outside China, you can add all the regions outside China to a regional blacklist.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the IP Blacklist card and configure the required parameters. For more information, see Configure the IP blacklist.

My website is often crawled and is at risk of data breach or tampering

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Data Risk Control: This feature is best suited to defend against bot traffic that is generated by scripts or automated tools and destined for specific APIs for logon, registration, and order placing.
    Note: Data risk control depends on JavaScript injection and is applicable only to web pages. Do not use this feature in applications. If you are not sure whether this feature is suitable for your API, submit a ticket or contact technical support by using DingTalk.

    Operations: On the Website Protection page, click the Bot Management tab. In the Data Risk Control card, configure the required parameters. For more information, see Configure data risk control.

  • Data Leakage Prevention: This feature allows you to filter sensitive information in the content returned from the server, such as abnormal pages and keywords. The sensitive information includes ID numbers, bank card numbers, telephone numbers, and sensitive words.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Data Leakage Prevention. In the Data Leakage Prevention card, configure the required parameters. For more information, see Configure data leakage prevention.
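The following Python example, added here and not Alibaba Cloud WAF code, illustrates the kind of response filtering described above: server error pages are replaced with a generic page, and ID numbers, Luhn-valid bank card numbers, mobile numbers and keywords in the body are masked before the response reaches the client. The regular expressions, the keyword list and the sample body are constructed assumptions, not the WAF's detection rules.

```python
import re

# Illustrative patterns; these are this example's assumptions, not the WAF's own rules.
ID_RE = re.compile(r"(?<![\dXx])(\d{17}[\dXx])(?![\dXx])")  # 18-char resident ID
CARD_RE = re.compile(r"(?<!\d)(\d{16,19})(?!\d)")           # bank card, Luhn-checked
PHONE_RE = re.compile(r"(?<!\d)(1\d{10})(?!\d)")            # 11-digit mobile number
SENSITIVE_WORDS = ("internal-only", "staging-password")    # constructed keyword list

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long digit runs are not treated as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with asterisks."""
    return "*" * (len(value) - keep) + value[-keep:]

def filter_response(status: int, body: str) -> tuple:
    """Return (filtered_body, findings). Server error pages are swapped for a
    generic page; otherwise sensitive values are masked and keywords removed."""
    if status >= 500:  # abnormal page: hide origin error details
        return ("An error occurred. Please try again later.", ["abnormal_page"])
    findings = []

    def redact(category, check=lambda s: True):
        def repl(m):
            if not check(m.group(1)):
                return m.group(0)
            findings.append(category)
            return mask(m.group(1))
        return repl

    body = ID_RE.sub(redact("id_number"), body)  # first: an ID is also an 18-digit run
    body = CARD_RE.sub(redact("bank_card", luhn_ok), body)
    body = PHONE_RE.sub(redact("phone"), body)
    for word in SENSITIVE_WORDS:
        if word in body:
            findings.append("sensitive_word")
            body = body.replace(word, "[filtered]")
    return (body, findings)

# Constructed response body with a test card number, a made-up mobile number and a keyword
SAMPLE_BODY = ("Order confirmed. Card 4111111111111111, contact 13800138000. "
               "Note: internal-only pricing applied.")
```

`filter_response(200, SAMPLE_BODY)` masks the card to ************1111 and the number to *******8000 and removes the keyword, while a 16-digit run that fails the Luhn check is left untouched.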

  • Website Tamper-proofing: This feature allows you to lock specified web pages to avoid content tampering. When a locked web page receives a request, a cached page you have preconfigured is returned.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Website Tamper-proofing. In the Website Tamper-proofing card, configure the required parameters. For more information, see Configure tamper-proofing.

  • Custom Protection Policy: You can enable JavaScript verification with one click for frequently crawled static web pages to block most scripts and automated programs. You can also use fine-grained frequency control to enable slider verification for sessions from which access requests are initiated at an abnormally high frequency.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Account Security: This feature allows you to monitor user authentication-related endpoints, such as the endpoints used for registration and logon, to detect events that may pose a threat to user credentials. These threats include credential stuffing, brute-force attacks, account registrations launched by bots, weak password sniffing, and SMS interface abuse.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Account Security. In the Account Security card, click Settings and configure the required parameters. For more information, see Configure account security.

  • Allowed Crawlers: This feature maintains a whitelist of authorized search engines, such as Google, Bing, Baidu, Sogou, 360, and Yandex. The crawlers of these search engines are allowed to access the specified domains.

    Operations: On the Website Protection page, click the Bot Management tab. In the Allowed Crawlers card, configure the required parameters. For more information, see Set a threat intelligence rule to allow requests from specific crawlers.

  • Bot Threat Intelligence: This feature provides information about suspicious IP addresses associated with harassing phone calls, Internet data centers (IDCs), and malicious scanners. This feature also maintains an IP address library of malicious crawlers to prevent crawlers from accessing your website or specific directories.

    Operations: On the Website Protection page, click the Bot Management tab. In the Bot Threat Intelligence card, configure the required parameters. For more information, see Set a bot threat intelligence rule.

  • App Protection: This feature provides secure connections and anti-bot protection for native applications and can identify proxies, emulators, and requests with invalid signatures.

    Operations: On the Website Protection page, click the Bot Management tab. In the App Protection card, configure the required parameters. For more information, see Configure application protection.