Q: What is a web application firewall?
A: A Web Application Firewall (WAF) is a product that protects web applications by applying security policies to HTTP/HTTPS traffic. It protects against many common attacks such as SQL injection, XSS, remote command execution and directory traversal.
Q: Is e Cloud Web Application Firewall a paid product?
A: As an important product in e Cloud's security business, e Cloud WAF is provided to e Cloud customers as a paid value-added service. Users need to purchase it.
Q: Does e Cloud WAF support HTTPS protection for websites?
A: Yes. e Cloud Web Application Firewall supports both HTTPS and HTTP for a single domain name.
Q: What should be paid attention to when using e Cloud WAF?
A: Cloud WAF protection depends on the DNS records that redirect the website's traffic to the WAF being configured correctly.
Cloud WAF is intended for customers who host their website on e Cloud hosts, and customers must provide the correct website domain name before purchasing the service.
Q: What is the difference between Cloud WAF and a firewall?
A: A firewall applies policies based on IP addresses and ports and cannot operate at the application layer.
Therefore a firewall cannot address web application threats such as SQL injection, XSS, command injection and malicious crawler scanning.
Q: Does it support HTTPS website protection?
A: The user submits the SSL certificate in the ELB (Elastic Load Balancing service) configuration; protection of the HTTPS website is then enabled.
Q: What impact does the Web Application Firewall have on the protected sites?
A: The web application firewall works in proxy mode and inspects HTTP(S) traffic. It does not affect the stability of the website server and does not consume CPU or memory on the user's server. However, website requests incur a delay on the order of milliseconds.
There is also a very slight chance of false interception (when this occurs, it can be resolved by configuring a false-alarm policy).
Q: After purchasing the web application firewall service, will the website have no more problems?
A: Just as anti-virus software cannot detect and remove 100% of viruses, a web application firewall cannot guarantee protection against all attacks.
However, deploying a web application firewall greatly reduces the risk of a website being attacked.
It raises the difficulty of attacks and keeps the business from being directly exposed to security threats.
Q: How do I deal with false positives (false interceptions)?
A: Log in to the Web Application Firewall console and add the URL and rule ID of the false alarm under false-alarm processing.
Q: Can the Web Application Firewall and a CDN be used at the same time?
A: If your current CDN service provider supports specifying the back-to-origin server through a CNAME, you can use them at the same time.
Potential problems:
1) When the web application firewall intercepts client traffic, it returns an interception page. If the CDN caches that page, normal users who later request the resource receive the cached interception page whether or not they violated any rule, which disrupts normal access.
2) Behind a CDN, the client's real IP is replaced by the CDN's IP, so when a business problem occurs troubleshooting is harder and locating the problem takes longer.
3) Because the real client is hidden behind the CDN, some web application firewall functions become ineffective: detection based on source-IP request frequency, geographic location, IP intelligence databases and similar functions cannot be used.
Q: What is a CC attack?
A: CC is an application-layer DDoS attack. It takes place after the TCP three-way handshake has completed, so the source IP of the requests is real. The principle of a CC attack is very simple: the attacker continuously sends normal-looking requests to resource-intensive application pages in order to exhaust server-side resources. In web applications, database queries and reading and writing files on disk consume relatively more resources. As a simple example, a small website may be crawled to death by the crawlers of search engines or information-collection systems, or overwhelmed by scanners; the result is very similar to that of an application-layer DDoS attack.
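The frequency-based detection the answer implies (many requests from one source to expensive pages in a short window), as an added example that is not e Cloud's code: a sliding-window counter run over constructed log lines, with a whitelist for clients confirmed to be legitimate. The log format, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines in a simplified common-log style (not real traffic),
# assumed to be in chronological order for each client.
SAMPLE_LOG = """\
192.0.2.10 [10/May/2024:12:00:00] "GET /search?q=a HTTP/1.1" 200
192.0.2.10 [10/May/2024:12:00:01] "GET /search?q=b HTTP/1.1" 200
192.0.2.10 [10/May/2024:12:00:02] "GET /search?q=c HTTP/1.1" 200
192.0.2.10 [10/May/2024:12:00:03] "GET /search?q=d HTTP/1.1" 200
192.0.2.20 [10/May/2024:12:00:00] "GET /static/logo.png HTTP/1.1" 200
192.0.2.20 [10/May/2024:12:00:01] "GET /static/logo.png HTTP/1.1" 200
192.0.2.30 [10/May/2024:12:00:00] "GET /search?q=x HTTP/1.1" 200
192.0.2.30 [10/May/2024:12:05:00] "GET /search?q=y HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Paths that hit the database or disk, i.e. what a CC attack aims at.
# Constructed thresholds: (max requests allowed, sliding window in seconds).
EXPENSIVE_PATHS = {"/search": (3, 10), "/export": (2, 60)}

def parse(line: str):
    # Returns (ip, timestamp, path without query string), or None if unparsable.
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
    return ip, when, target.split("?", 1)[0]

def detect_cc(log_text: str, whitelist=frozenset()) -> list:
    """Return (ip, path) pairs whose request rate to an expensive path exceeded
    its threshold within the sliding window; whitelisted IPs are skipped."""
    windows = defaultdict(deque)  # (ip, path) -> request timestamps in window
    flagged = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, path = rec
        if ip in whitelist or path not in EXPENSIVE_PATHS:
            continue  # static files and cheap pages are not CC targets here
        limit, window = EXPENSIVE_PATHS[path]
        q = windows[(ip, path)]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > limit and (ip, path) not in flagged:
            flagged.append((ip, path))
    return flagged
```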
Q: Why do I need to add a whitelist to the security devices on the system's intranet?
A: After the website is connected to the cloud web application firewall platform, all website requests flow first to the protection platform for inspection and are forwarded to the origin server after filtering. Since every request the origin server then receives comes from the IP addresses of the web application firewall cloud platform, security software on the origin server (such as Safedog or Cloud Lock) may regard them as suspicious and block the platform's back-to-origin IPs. Therefore, before connecting to the web application firewall platform, you need to whitelist all of the platform's back-to-origin IPs in the security software on the origin server.
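An origin-side companion to that whitelist, as an added example that is not e Cloud's code: it accepts only connections arriving from the WAF's back-to-origin addresses and recovers the client address from the forwarded header, which is also where the CDN question above loses the real client IP. The CIDRs are constructed placeholders and the use of X-Forwarded-For is an assumption about the WAF.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ranges standing in for the WAF platform's back-to-origin
# addresses (TEST-NET blocks); the real list comes from the WAF provider.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

@dataclass
class Verdict:
    accepted: bool
    client_ip: Optional[str]
    reason: str

def is_waf_address(peer_ip: str) -> bool:
    """True if the TCP peer is one of the WAF's back-to-origin addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WAF_BACK_TO_ORIGIN_CIDRS)

def evaluate_request(peer_ip: str, x_forwarded_for: Optional[str]) -> Verdict:
    """Origin-side check for a site fronted by a cloud WAF.

    peer_ip         -- address of the TCP connection as seen by the origin
    x_forwarded_for -- X-Forwarded-For header value, if any (the assumption
                       here is that the WAF appends the connecting address to it)
    Only connections from WAF addresses are accepted, so requests that did not
    pass through the WAF never reach the application; the forwarded client
    address is believed only when it came from a trusted WAF hop.
    """
    if not is_waf_address(peer_ip):
        # Direct hit on the origin that did not pass through the WAF.
        return Verdict(False, None, "peer is not a WAF back-to-origin address")
    if not x_forwarded_for:
        return Verdict(True, peer_ip, "no forwarded header; logging WAF address")
    # The rightmost entry was appended by the WAF itself; earlier entries are
    # client-controlled. With a CDN in front of the WAF this will be the CDN's
    # address, not the end user's, which is why IP-based detection degrades.
    candidate = x_forwarded_for.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return Verdict(False, None, "malformed forwarded address")
    return Verdict(True, candidate, "client address taken from trusted WAF hop")
```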
Q: Under what circumstances will the product intercept by mistake?
A: 1) Irregular website code leads to interception
When the website code is not standardized, it may trigger a protection policy and be intercepted. For example, if a POST request contains keywords associated with "directory traversal", "command execution", an "onclick parameter" or a "div tag: style parameter", interception is triggered. Standardized website coding therefore greatly reduces the probability of interception.
2) The website's interface data-transmission rules lead to interception
If the website exposes an interface, calls to it may be judged by the web application firewall as non-browser or programmatic access because the access behaviour is not human, resulting in interception. In this case, you need to whitelist the source address that initiates the interface calls.
3) User-side behaviour is suspected of being an artificial DDoS attack and intercepted
A user who frequently clicks a certain URL or repeatedly downloads the same file may be judged to be carrying out a DDoS attack, which leads to interception. In this case, after confirming that the operation is legitimate, the user must be temporarily added to a whitelist (and the whitelist entry deleted after use).
4) Blanket interception of international traffic
The web application firewall supports geographic restrictions by the country of the IP address. When the restriction is enabled, international traffic is blocked and only domestic traffic is allowed. If the website's target users are all domestic, this policy avoids all kinds of attack and infiltration attempts from abroad.