Updated on 2024-02-29 GMT+08:00

Getting Started with Common Practices

WAF provides a series of common practices for you. These practices can help you start WAF protection for your workloads quickly.

Table 1 Common practices

Practice

Description

Connecting a domain name to WAF

Connecting a Domain Name to WAF for Websites with no Proxy Used

If your website has not been added to WAF, DNS resolves your domain name to the IP address of the origin server. Once your website is added to WAF, DNS resolves your domain name to the CNAME of WAF, so all traffic passes through WAF. WAF inspects all traffic coming from clients and filters out malicious requests.

This section describes how to change DNS settings for WAF to take effect.

Combining CDN and WAF to Get Improved Protection and Load Speed

Combining CDN and WAF protects websites hosted on Huawei Cloud, on other clouds, or on-premises, and makes them respond faster.

Protecting websites with WAF policies

Configuring Basic Web Protection

This section describes the scenarios in which you can use WAF to defend against web attacks, including how to configure and verify WAF rules and policies.

Configuring CC Attack Protection

This section guides you through configuring IP address-based rate limiting and cookie-based protection rules against Challenge Collapsar (CC) attacks.

Configuring Anti-Crawler Rules to Prevent Crawler Attacks

WAF provides three anti-crawler policies to help mitigate crawler attacks against your websites: bot detection by identifying the User-Agent, website anti-crawler protection by checking browser validity, and CC attack protection by limiting the access frequency.

Handling False Alarms to Get Improved Basic Web Protection

If you enable WAF basic web protection, WAF detects and blocks requests that match the rules of the basic web protection types you configure.

If a legitimate request matches a basic web protection rule and is blocked by WAF, you can handle the event as a false alarm. WAF will then no longer block requests of the same type.

Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman

After your website is connected to WAF, you can use an API test tool to send HTTP/HTTPS requests to the website and verify that WAF protection rules take effect.

This topic uses Postman as an example to describe how to verify a global protection whitelist (formerly false alarm masking) rule.

Combining WAF and HSS to Get Improved Web Tamper Protection

With HSS and WAF in place, you no longer need to worry about web page tampering.

Using WAF for web vulnerability protection

Java Spring Framework Remote Code Execution Vulnerability

Spring Framework is a lightweight open-source application framework for developing enterprise Java applications. A remote code execution (RCE) vulnerability was disclosed in the Spring Framework and classified as critical. This vulnerability can be exploited to attack Java applications running on JDK 9 or later.

Apache Dubbo Deserialization Vulnerability

On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice, rating the severity as medium. Unsafe deserialization occurs within a Dubbo application that has HTTP remoting enabled. An attacker may submit a POST request containing a Java object to completely compromise a Provider instance of Apache Dubbo if that instance has HTTP enabled. Huawei Cloud WAF now provides protection against this vulnerability.

DoS Vulnerability in Open-Source Component Fastjson

On September 3, 2019, the HUAWEI CLOUD security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability by constructing malicious requests and sending them to a server that uses Fastjson. As a result, the server's memory and CPU are exhausted and the server crashes, causing a service outage. HUAWEI CLOUD WAF provides protection against this vulnerability.

Remote Code Execution Vulnerability of Fastjson

On July 12, 2019, the HUAWEI CLOUD Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the Fastjson 1.2.24 deserialization vulnerability detected in 2017 and can be used directly to obtain server privileges, causing serious damage.

Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)

On April 17, 2019, the Huawei Cloud Emergency Response Center detected that the China National Vulnerability Database (CNVD) had released a security bulletin for the Oracle WebLogic wls9-async component. This component has a defect in deserializing input data. Attackers can send crafted malicious HTTP requests to obtain privileges on the target server and execute arbitrary code remotely without authorization. CNVD rates the vulnerability as "high-risk."

Upgrading dedicated WAF instances

Upgrading a Dedicated WAF Instance

You can upgrade your dedicated WAF instances on the WAF console to obtain the latest protection capabilities and performance.

To ensure business availability during the upgrade, upgrade your dedicated WAF instances by following the procedure below.

Configuring TLS encryption

Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections

HTTPS is a network protocol built on HTTP and Transport Layer Security (TLS) that provides encrypted transmission and identity authentication.

When you add a domain name to WAF, set Client Protocol to HTTPS. Then, you can configure the minimum TLS version and cipher suite to harden website security.

Protecting origin servers

Configuring ECS and ELB Access Control Policies to Protect Origin Servers

This topic describes how to protect origin servers deployed on ECSs or added to ELB backend server groups. It helps you:

  • Identify publicly accessible origin servers.
  • Configure access control policies to protect origin servers.

Obtaining real client IP addresses

Obtaining Real Client IP Addresses

This topic describes how to obtain the client IP address from WAF and how to configure different types of web application servers, including Tomcat, Apache, Nginx, IIS 6, and IIS 7, to obtain the client IP address.