
Cloud Security Perspectives and Insights

Oracle Cloud Infrastructure Web Application Firewall in action

Paul Toal
Distinguished Solution Engineer - Cyber Security

I suspect most people, like myself, are very visual learners. Whilst I can plough through reams of documentation, open standards, and whitepapers when necessary, I can usually skip a large proportion of reading when I see a picture, or even better, see things in action through a video or demonstration.

Back in February this year, Oracle announced three new Edge services on Oracle Cloud Infrastructure (OCI): Web Application Firewall (WAF), Traffic Steering Policies, and Health Checks. There are plenty of good write-ups and articles on the above services, including the links I have provided above. However, I thought it would be useful to bring some of the new features of these services to life, starting with WAF. As a brief introduction, for those not familiar with WAF technology, the OCI WAF is an enterprise-grade, cloud-based edge security solution that's designed to protect internet-facing applications from cyberattacks.

As introduced on its public webpage:

The WAF includes over 250 predefined application, compliance, and Open Web Application Security Project (OWASP) rules. It also aggregates useful threat intelligence from multiple sources, including Webroot BrightCloud®. The WAF's bot management feature uses an advanced set of challenges—including JavaScript verification, CAPTCHA, device fingerprinting, and human interaction algorithms—to identify and block malicious bot traffic while allowing legitimate human and bot traffic to proceed. Once deployed, the OCI WAF also protects web-facing applications from Layer 7 distributed denial of service (DDoS) attacks.

The description above summarises a number of key capabilities of the WAF. It is these that I am going to focus on below and attempt to bring each of them to life through a set of short videos. I am going to focus on four key use cases:

  1. Protection Rules
  2. Access Control
  3. Threat Intelligence
  4. Bot Management

Within my demo environment I have deployed a simple website emulating a freight shipping company. The website is deployed on a web server within OCI (although it could have been deployed anywhere with an internet-facing endpoint). I have configured a number of clients to access the website, as shown in the diagram below.

Client                    Connection Route
Chrome                    Direct connection to the website
Firefox                   Connected to the website through WAF
Postman                   Connected to the website through WAF
TOR (The Onion Router)    Connected to the website through WAF

Scenario 1 - Protection Rules

WAF contains over 250 pre-defined protection rules. The rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. The pre-defined rules help to protect against the most important threats as defined by the OWASP Top 10, e.g.:

  • A1 – Injections (SQL, LDAP, OS, etc.)
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function-Level Access Control

The WAF also monitors requests to your protected endpoints and provides recommendations as to which rules to enable. Recommendations are a great way to optimize your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information.

In my demonstration, I have configured the protection rules to monitor for sensitive data being entered into the website. In my case, this is credit card data. If seen, the WAF is configured to block the traffic.
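To make the sensitive-data rule concrete, here is an added example (my own illustration, not OCI's rule engine or any of its actual rule definitions) of the logic such a rule needs: a regular expression finds card-number candidates in the decoded request, and a Luhn checksum discards the digit runs that merely look like card numbers (order references, tracking IDs), which is what keeps the false-positive rate low enough to run the rule in blocking mode. The `Request` class, the `BLOCK`/`DETECT` modes and the sample form submissions are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_plus

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalised card numbers in text: a regex hit that is also Luhn-valid."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Request:
    method: str
    path: str      # request path including any query string (constructed model)
    body: str      # raw form body, e.g. application/x-www-form-urlencoded


def evaluate(req: Request, mode: str = "BLOCK") -> Tuple[str, List[str]]:
    """Apply the sensitive-data rule. mode is "BLOCK" (reject) or "DETECT" (log only)."""
    # Decode form encoding first, otherwise "4111+1111+..." would slip past the pattern.
    text = unquote_plus(req.path) + "\n" + unquote_plus(req.body)
    matches = find_card_numbers(text)
    if not matches:
        return "ALLOW", []
    return mode, matches


if __name__ == "__main__":
    # Constructed sample submissions to the freight-quote form.
    samples = [
        Request("POST", "/quote", "name=A+Shipper&card=4111+1111+1111+1111&exp=12/24"),
        Request("POST", "/quote", "order=1234+5678+9012+3456&phone=%2B44+20+7946+0958"),
        Request("GET", "/quote?ref=12345", ""),
    ]
    for s in samples:
        print(s.method, s.path, "->", evaluate(s))
```

The Luhn step is the part worth copying: the second sample contains a 16-digit order number that the regex alone would flag, yet the rule correctly lets it through.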


In this scenario, you saw how the protection rules can reduce the risk to an organisation by preventing some of the top attacks commonly seen against web applications. The use of OCI WAF can also increase the security of all of your web applications by ensuring a consistent set of protection rules is applied.


Scenario 2 - Access Control

Access rules are used to define explicit actions for requests that meet various conditions, including:

  • HTTP Header Information
  • Geography
  • URL address matching
  • IP address

In my demonstration, I am using the URL address matching rules to block access to a particular area of the website. Whilst this is a simple example, I could easily combine it with other access control rules to provide capabilities such as geo-fencing access to that part of the website.

As with scenario 1, I have configured the outcome action as block. However, I could have allowed the WAF to detect and log only.


The benefits of using access control within OCI WAF include increased compliance, ensuring that only the appropriate users in appropriate locations can access your web application. It also helps to reduce risk by enabling access to be locked down using the right criteria.


Scenario 3 – Threat Intelligence

Oracle WAF takes feeds from a number of threat intelligence providers to ensure it has the latest, up-to-date information on suspicious IP addresses. At the time of writing this article, Oracle WAF takes 19 different feeds. The full list can be found here.

For my scenario, I decided to block access to my freight website for any users of a TOR browser. As with the previous examples, I opted for a blocking action, rather than just detect and log.
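Scenarios 2 and 3 are really the same mechanism with different conditions, so here is one added example covering both (my own model, not OCI's access-rule implementation): a small access-rule evaluator that matches on the four condition types listed above (HTTP header, geography, URL and IP address) and supports the block versus detect-and-log choice. The URL rule is scenario 2, the geo-fenced tracking area shows the combination mentioned there, and the network list is scenario 3, where the "feed" is a constructed stand-in using RFC 5737 documentation ranges rather than real exit-node addresses. The `country` field assumes a geo-IP lookup has already happened upstream; rule names and sample requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    client_ip: str
    country: str            # ISO code; assumed resolved by a geo-IP lookup before this point
    path: str
    headers: Dict[str, str]


@dataclass
class AccessRule:
    name: str
    action: str                                   # "BLOCK" or "DETECT" (log only)
    url_prefix: Optional[str] = None              # URL address matching
    countries: Optional[Set[str]] = None          # geography
    country_match: str = "in"                     # "in" or "not_in" the countries set
    networks: Optional[list] = None               # IP address (list of ip_network objects)
    header_equals: Optional[Tuple[str, str]] = None   # HTTP header (name, value)

    def matches(self, req: Request) -> bool:
        """All configured conditions must hold (AND semantics within one rule)."""
        if self.url_prefix is not None and not req.path.startswith(self.url_prefix):
            return False
        if self.countries is not None:
            in_set = req.country in self.countries
            if (self.country_match == "in") != in_set:
                return False
        if self.networks is not None:
            ip = ipaddress.ip_address(req.client_ip)
            if not any(ip in net for net in self.networks):
                return False
        if self.header_equals is not None:
            name, value = self.header_equals
            if req.headers.get(name) != value:
                return False
        return True


# Constructed stand-in for a threat-intelligence feed of TOR exit nodes. These are
# RFC 5737 documentation ranges, not real exit nodes; a deployment would load the
# provider feeds the WAF subscribes to and refresh them regularly.
TOR_EXIT_FEED = ["198.51.100.0/24", "203.0.113.0/24"]


def load_feed(cidrs: List[str]) -> list:
    return [ipaddress.ip_network(c) for c in cidrs]


def evaluate(req: Request, rules: List[AccessRule]) -> Tuple[str, List[str]]:
    """Rules run in order: DETECT matches are logged and evaluation continues,
    the first BLOCK match ends it. Returns (decision, names of rules that matched)."""
    logged: List[str] = []
    for rule in rules:
        if rule.matches(req):
            logged.append(rule.name)
            if rule.action == "BLOCK":
                return "BLOCK", logged
    return "ALLOW", logged


RULES = [
    AccessRule("block-admin-area", "BLOCK", url_prefix="/admin"),
    AccessRule("geo-fence-tracking", "BLOCK", url_prefix="/tracking",
               countries={"GB", "IE"}, country_match="not_in"),
    AccessRule("block-tor-exits", "BLOCK", networks=load_feed(TOR_EXIT_FEED)),
    AccessRule("log-legacy-clients", "DETECT", header_equals=("X-Legacy-Client", "true")),
]


if __name__ == "__main__":
    for r in [Request("192.0.2.10", "GB", "/admin/users", {}),
              Request("192.0.2.10", "US", "/tracking/AB123", {}),
              Request("203.0.113.7", "GB", "/quote", {})]:
        print(r.client_ip, r.country, r.path, "->", evaluate(r, RULES))
```

Note the evaluation order: a detect-only rule never short-circuits, so its log entry appears even when a later rule allows the request, which is what makes the detect mode useful for tuning before switching a rule to block.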


Given the very dynamic nature of threatening sources on the internet, having a strong set of threat intelligence feeds is important. This scenario demonstrates that OCI provides actionable, up-to-date threat intelligence feeds so that you can reduce the risk of a request coming from a bad source.


Scenario 4 – Bot Management

Bot Management enables you to mitigate undesired bot traffic from your site using CAPTCHA and JavaScript detection tools, while enabling known published bot providers to bypass these controls.

Non-human traffic makes up most of the traffic to sites and bot attacks were the #1 web security threat (Verizon Data Breach Report 2015-2018). Bot Manager is designed to detect and block, or otherwise direct, non-human traffic that may interfere with site operations. The Bot Manager features mitigate bots that conduct content and price scraping, vulnerability scanning, comment spam, brute force attacks, and application-layer DDoS attacks. You can also whitelist good bots.

In this demonstration, I have configured two use cases. The first shows how OCI WAF can present a CAPTCHA to validate the user is a human, without requiring any change to the protected web application. The second use case shows how a non-human bot can be automatically blocked.

The possible outcomes from detecting a bot can include issuing the CAPTCHA challenge, displaying an error page, or returning a specific HTTP response code. For this example, I chose to return a CAPTCHA for human users and an HTTP 403 error code for non-human traffic.
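As an added example of the decision flow just described (my own model, not the OCI Bot Manager implementation), the following shows how an edge can tell the three cases apart without touching the protected application: published good bots are allowed through on an allowlist, a client that has already passed a JavaScript or CAPTCHA challenge presents a signed cookie bound to its IP address and an expiry, and anything else is challenged if it looks like a browser or answered with a 403 if it does not. The signing key, the `waf_challenge` cookie name, the `ExampleSearchBot` allowlist entry and the Accept-header heuristic for "looks like a browser" are all assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed signing key for the challenge cookie (the real service manages its own keys).
CHALLENGE_SECRET = b"constructed-demo-secret-not-for-production"
CHALLENGE_TTL = 600   # seconds a solved challenge stays valid

# Constructed allowlist of published good-bot user-agent tokens. Assumption: a real
# deployment also verifies such bots by source IP or reverse DNS, not user-agent alone.
GOOD_BOTS = {"ExampleSearchBot"}


@dataclass
class Request:
    client_ip: str
    headers: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def _sign(client_ip: str, expires: int) -> str:
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(CHALLENGE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(client_ip: str, now: int) -> str:
    """Value set in the challenge cookie once the client has passed the JS or CAPTCHA step."""
    expires = now + CHALLENGE_TTL
    return f"{expires}.{_sign(client_ip, expires)}"


def token_valid(token: str, client_ip: str, now: int) -> bool:
    """True only if the token is well-formed, unexpired and bound to this client IP."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if expires < now:
        return False
    return hmac.compare_digest(sig, _sign(client_ip, expires))


def decide(req: Request, now: int) -> Tuple[str, int]:
    """Return (decision, HTTP status) for a request arriving at the edge."""
    ua = req.headers.get("User-Agent", "")
    # 1. Published good bots bypass the challenge.
    if any(bot in ua for bot in GOOD_BOTS):
        return "ALLOW", 200
    # 2. A client that already solved a challenge carries a valid cookie.
    token = req.cookies.get("waf_challenge")
    if token and token_valid(token, req.client_ip, now):
        return "ALLOW", 200
    # 3. Unverified clients: browsers get the CAPTCHA page, non-browser clients a 403.
    #    Treating an Accept header that lists text/html as "browser" is this example's heuristic,
    #    and serving the challenge page with status 200 is this example's choice.
    if "text/html" in req.headers.get("Accept", ""):
        return "CAPTCHA", 200
    return "BLOCK", 403


if __name__ == "__main__":
    now = 1_700_000_000   # constructed clock value
    browser = {"User-Agent": "Mozilla/5.0 Firefox/66.0", "Accept": "text/html,application/xhtml+xml"}
    tool = {"User-Agent": "PostmanRuntime/7.x", "Accept": "*/*"}
    print(decide(Request("192.0.2.10", browser), now))                                  # CAPTCHA
    print(decide(Request("192.0.2.10", browser, {"waf_challenge": issue_token("192.0.2.10", now)}), now))
    print(decide(Request("192.0.2.10", tool), now))                                     # 403
```

Binding the token to the client IP and an expiry is what stops a solved challenge being lifted from one session and replayed from another address, which is why the validity check compares the signature with `hmac.compare_digest` rather than a plain string comparison.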


Bad bots are a major risk on the internet today, as highlighted in many surveys and reports, such as the Verizon Data Breach Investigation Report. Therefore, having a capability to stop the bad bots before they even hit your web application is important. This scenario shows how OCI WAF reduces your risk by blocking the bad bots at the network edge, at the same time increasing the availability of your web application by ensuring only legitimate traffic accesses it.

Summary

The above videos are not an exhaustive set of capabilities for OCI WAF, rather just an introduction to some of the key capabilities within the platform, using simple, visual examples. Utilising a WAF to protect your internet-facing web applications is one layer of a multi-layered defence, helping you to:

  • Reduce risk
  • Increase availability
  • Increase compliance

Don’t just take my word for it. Feel free to have a go. You can sign up for a free trial of Oracle Cloud here. Being a cloud-based service, you can be up and running and protecting your web applications within minutes.
