[China] Alibaba Cloud’s WAF function [Security]
This is Ohara from the technical sales department.
This time, we will describe the features and functions of Alibaba Cloud WAF, provided by Alibaba Cloud. *Information as of September 2021.
Alibaba Cloud security history
At Alibaba Cloud, we are focusing on developing security products to protect Alibaba Cloud services from various external cyber attacks.
One of its security products, Alibaba Cloud WAF (Web Application Firewall), is a web attack defense service developed based on Alibaba Cloud's more than 10 years of security experience. It is an evolving service with advanced defense mechanisms.
Alibaba Cloud WAF service overview
Alibaba Cloud WAF can be placed in front of systems running not only on Alibaba Cloud but also on-premises, on a VPS, or on other companies' cloud servers, simply by switching the DNS, so it can be used to protect any infrastructure environment.
■ Web application protection
● Zero-day attack protection
- By dynamically updating defense rules within 24 hours, risks can be dealt with promptly.
● Hiding your website
- Hides and protects your website from intruders by using DNS to divert traffic.
● OWASP attack protection
- Provides various defense policies and quarantine functions, and accurately determines and protects against known attacks such as SQL injection.
■ Site access control
● Adding HTTPS functionality
- Add HTTPS functionality to your site by simply uploading the private key file.
● Access control
- Multi-layered protection identifies and blocks the site information-gathering activity that an intrusion requires.
■ Highly accurate traffic analysis
● Accurate malicious access determination
- Malicious access such as bots can be accurately identified and evaluated when blocked.
● Custom policy
- You can freely change and reflect defense rules as necessary.
Alibaba Cloud WAF features (by edition)
Alibaba Cloud WAF has 4 editions to choose from depending on processing capacity, defense functions, and use case.
For example, you can start small with the Professional edition and change editions as your web access increases, allowing you to flexibly scale up to suit your needs and situation.
Feature | Overview | Pro Edition | Business Edition | Enterprise Edition | Exclusive Edition (submit tickets to purchase) |
Peak request rate | - | 2,000 QPS | 5,000 QPS | Higher than 10,000 QPS | 5,000 QPS |
Maximum bandwidth | If the origin server is deployed on Alibaba Cloud | 50 Mbit/s | 100 Mbit/s | 200 Mbit/s | 100 Mbit/s |
Maximum bandwidth | If the origin server is not deployed on Alibaba Cloud | 10 Mbit/s | 30 Mbit/s | 50 Mbit/s | 30 Mbit/s |
Maximum number of domains supported by default | - | 1 | 1 | 1 | 1,000 |
Maximum number of subdomains supported by default | Supports wildcard domains | 10 | 10 | 10 | 1,000 |
HTTPS protection | Implement HTTPS protection on your website in just a few clicks | ✓ | ✓ | ✓ | ✓ |
HTTP/2 protection | Secure websites that use HTTP/2 | × | ✓ | ✓ | ✓ |
Non-standard port protection | Protects traffic through ports other than standard ports 80, 8080, 443 and 8443 | × | ✓ | ✓ | ✓ |
Intelligent load balancing | Connect to multiple SLB service nodes to implement automatic disaster recovery and low-latency optimal routing | ○ | ○ | ○ | ○ |
Exclusive IP address | Provides exclusive IP addresses to protect specific domain names | ○ | ○ | ○ | ○ |
Exclusive cluster | Customize service access and protection based on business requirements | × | × | × | ✓ |
Protection rules engine | Protects against common web attacks such as SQL injection and XSS attacks | ✓ | ✓ | ✓ | ✓ |
Protection rules engine | Enable automatic update of protection rules for web zero-day vulnerabilities | ✓ | ✓ | ✓ | ✓ |
Custom protection rule group | Customize protection rule groups | × | ✓ | ✓ | ✓ |
Big data deep learning engine | Detects web zero-day vulnerabilities | × | ✓ | ✓ | ✓ |
Positive security model | Proactive protection based on deep learning of website traffic | × | × | ✓ | ✓ |
Preventing website tampering | Lock web pages to prevent content tampering | ✓ | ✓ | ✓ | ✓ |
Data leak prevention | Prevent leakage of confidential data such as ID card numbers, mobile phone numbers, bank card numbers, etc. | ✓ | ✓ | ✓ | ✓ |
HTTP flood protection | Protects against common HTTP flood attacks in preventive or precautionary emergency mode | ✓ | ✓ | ✓ | ✓ |
Blacklist | Block access requests from specific IP addresses or CIDR blocks | ✓ | ✓ | ✓ | ✓ |
Blacklist | Block access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions | × | ✓ | ✓ | ✓ |
Scan protection | Blocks IP addresses where web attacks and path traversals are frequently initiated and scan tool IP addresses, providing a coordinated defense (default rules are used to block the first type of IP addresses) | ✓ | ✓ | ✓ | ✓ |
Scan protection | Supports the above protection features and customizes blocking rules for high frequency web attacks and path traversal | × | ✓ | ✓ | ✓ |
Custom protection policy | Supports ACL-based access control using basic fields such as IP, URL, referrer, user agent, and parameters | ✓ | ✓ | ✓ | ✓ |
Custom protection policy | Supports ACL-based access control using basic and advanced fields (advanced fields include Cookie, Content-Type, Header, and HTTP-Method) | × | ✓ | ✓ | ✓ |
Custom protection policy | Configure rate limiting policies based on IP address and session (customize HTTP flood protection rules that allow you to add match conditions and configure rate limiting policies) | × | ✓ | ✓ | ✓ |
Custom protection policy | Configure rate limiting policies based on IP addresses, sessions, and custom fields | × | × | ✓ | ✓ |
Data risk management | Protect critical website services such as registration, logon, activity, and forums from fraud | ○ | ○ | ○ | ○ |
Allowed crawler | Maintain a whitelist of approved search engines such as Google, Bing, Baidu, and Yandex (the crawlers of these search engines will access the specified domain name) | ○ | ○ | ○ | ○ |
Bot threat intelligence | Provides information about data centers and suspicious IP addresses used by malicious scanners (also maintains a library of IP addresses for malicious crawlers and allows crawlers to visit all pages under a domain name or a particular directory) | ○ | ○ | ○ | ○ |
App protection | Provides secure connectivity and anti-bot protection for native apps (identifies requests from proxy servers and emulators and requests with invalid signatures) | ○ | ○ | ○ | ○ |
Account security | Detects dictionary attacks, brute force attacks, spam user registration, weak passwords, and SMS flood attacks against service endpoints such as registration endpoints and logon endpoints. | ✓ | ✓ | ✓ | ✓ |
WAF log service | Collects and stores all logs, enables near real-time query and analysis, and provides online reporting | × | ○ | ○ | ○ |
Summary
Alibaba Cloud WAF is delivered as a SaaS model, so it can also be used in on-premises and cloud infrastructure environments other than Alibaba Cloud. It seems to be very versatile, as it supports multi-cloud deployments regardless of platform.