Evaluate WAF/Edge/Certificates/services in a Networking multi-tier architecture

Summary

OCI WAF examines incoming HTTP traffic for attacks, and provides counter-measures. OCI certificates are managed automatically.

Reference

OCI Web Application Firewall (WAF)

A cloud-based, PCI-compliant, global web application firewall service that protects applications from malicious and unwanted Internet traffic.

Can protect any Internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

Benefits of OCI WAF

  • Consolidates threat intelligence
  • Pushes malicious traffic farther away from your origin
  • Augments Security Operations Center (SOC)
  • Provides better metrics visibility
  • Consolidates governance
  • Off-loads patching and maintenance
  • Manages and optimises global traffic
  • Consolidates WAF policy

OCI WAF Solutions

WAF Edge Policy
A global solution that requires allowlisting Oracle's edge nodes throughout the world
WAF Policy
A regional solution that works as a plug-in for your load balancer

WAF Service Components

Edge Policy
  • Encompasses the overall configuration of the WAF service on OCI
  • Defines a default origin and optional HTTP headers
Origin Management
An Origin:
  • Is an endpoint protected by WAF
  • Can be an OCI load balancer's public IP address
  • Can set up HTTP headers for outbound traffic from the WAF to the origin server

OCI WAF Architecture

OCI WAF Architecture consists of four tiers: Internet Clients; DNS Optimized Routing for HA; WAF Edge Nodes; and OCI Region

WAF Points of Presence (PoPs)

OCI WAF Use Cases

  • Protection Against Cyberattacks
  • Access Control for Data Privacy Standards
  • Integration with Existing Management System
  • Bot Management

Prerequisites for Using WAF

  • An OCI account with required IAM service policy
  • Corresponding private key for the site
  • Ability to update DNS records for the domain
  • Public certificate for the FQDN of the application
  • IP address of a Load Balancer with an HTTP listener
  • Application running only on port 80/443

IAM Policy

To manage policies in WAF:
Allow group <group-name> to manage waas-policy in compartment <compartment_name>
Allow group <group-name> to read waas-work-request in compartment <compartment_name>
To manage certificates in WAF:
Allow group <group-name> to manage waas-certificate in compartment <compartment_name>
To view policies in WAF:
Allow group <group-name> to read waas-policy in compartment <compartment_name>

Security Responsibilities

Security in the cloud is a shared responsibility. Oracle provides security of the cloud infrastructure and its operations. Customers are responsible for securely configuring their cloud resources.

Responsibility                                                              Oracle  Customer
Configure WAF onboarding responsibilities (DNS, ingress rule, network)      No      Yes
Construct new rules based on new vulnerabilities and mitigations            Yes     No
Review and accept new recommended rules                                     No      Yes
Keep WAF infrastructure patched and up-to-date                              Yes     No
Monitor data-plane logs for abnormal, undesired behaviour                   Yes     No
Monitor for DDoS                                                            Yes     No
Provide HA for WAF                                                          Yes     No
Tune the WAF access rules and bot management strategies for your traffic    No      Yes

Capabilities and Limits

  • Allows 100 policies per tenant
  • Does not support Network Load Balancer
  • TCP listeners are not compatible (WAF operates at Layer 7, HTTP/HTTPS only)
  • Supports IPv6
  • Policies regional only
  • Allows using one policy with multiple load balancers in the same region
  • Supports traffic only on ports 80/443

Getting Started with WAF: Workflow

  1. Create a WAF policy
  2. Update Origin - Keep Alive timeout
  3. Update DNS to enable WAF
  4. Upload your certificate and key
  5. Test your application
  6. Enable WAF to passively detect rules
  7. Test the rules

Web Application Firewall (WAF): Features and Policies

OCI WAF Features (Edge)

OCI Web Application Firewall Policy

WAF policy is a regional solution that works as a plug-in for your load balancer.

Edge policy is a global solution. To use this solution, allowlist Oracle nodes throughout the world and use DNS to point your application to the CNAME that we provide.

Access Control

Allows you to control access to your critical web applications, data, and services on conditions such as:

Consists of creating and managing access rules for requests and responses.

Access Rules

  • Define the actions to be taken when conditions are met
  • Distinct for request control and response control of a WAF policy

Conditions

  • A JMESPath expression specifies the criteria for matching a request or a response to a rule
  • Each rule accepts a JMESPath expression as the condition
  • Example: Request.geo.countryCode == 'US'
  • HTTP requests or HTTP responses trigger WAF rules
  • A complex condition can be created using operators and regular expressions

Action

Defines the behaviour of your WAF policy when a request or response matches a condition:

Allow
Skips all remaining rules in the current module
Check
Generates a log message documenting the result of rule execution
Return HTTP Response
Terminates further processing of an HTTP request or response and returns a predefined HTTP response
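An added example, not OCI code, that models how the three access-rule actions above interact: a tiny evaluator for the dotted-path subset of JMESPath needed to run the page's condition Request.geo.countryCode == 'US', and a rule loop in which Allow skips the remaining rules, Check only logs, and Return HTTP Response terminates. The request layout (Request.geo, Request.url) and the rule set are constructed for the demo.

```python
"""Illustrative model of WAF access-rule evaluation (added example, not OCI's engine)."""
import re

# Constructed request; the field layout is assumed for the demo, not OCI's documented schema.
SAMPLE_REQUEST = {
    "Request": {
        "geo": {"countryCode": "RU"},
        "url": {"path": "/admin"},
        "headers": {"user-agent": "curl/8.0"},
    }
}

# Supports only `a.b.c == 'x'` and `a.b.c != 'x'`, a small subset of JMESPath.
_COND = re.compile(r"^\s*([\w.]+)\s*(==|!=)\s*'([^']*)'\s*$")

def lookup(path, data):
    """Resolve a dotted path such as Request.geo.countryCode; None if absent."""
    for key in path.split("."):
        if not isinstance(data, dict) or key not in data:
            return None
        data = data[key]
    return data

def matches(condition, request):
    """Evaluate one condition string against the request dict."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    path, op, literal = m.groups()
    value = lookup(path, request)
    return value == literal if op == "==" else value != literal

def evaluate(rules, request):
    """Apply rules in order; return (outcome, http_status, log)."""
    log = []
    for rule in rules:
        if not matches(rule["condition"], request):
            continue
        log.append(f"rule {rule['name']} matched")
        if rule["action"] == "ALLOW":                # skip remaining rules
            return ("ALLOW", 200, log)
        if rule["action"] == "RETURN_HTTP_RESPONSE": # terminate processing
            return ("BLOCK", rule.get("status", 403), log)
        # CHECK: log only and continue with the next rule
    return ("PASS", 200, log)

RULES = [  # constructed rule set
    {"name": "allow-us", "condition": "Request.geo.countryCode == 'US'", "action": "ALLOW"},
    {"name": "log-admin", "condition": "Request.url.path == '/admin'", "action": "CHECK"},
    {"name": "block-non-us", "condition": "Request.geo.countryCode != 'US'",
     "action": "RETURN_HTTP_RESPONSE", "status": 403},
]
```

Rule order matters: the non-US request above still produces a Check log entry for /admin before the block rule terminates it.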

WAF Protection Capabilities

  • Protects web applications against malicious cyberattacks
  • Inspects incoming requests for attack payloads
  • Blocks or alerts on threats such as SQL injection, cross-site scripting, and HTML injection

Protection Rules: Exclusions

  • Sometimes a protection rule can trigger a false positive
  • You can configure an exclusion if the request generating the false positive has a particular argument or cookie

You can create exclusions using the OCI Console or through the API. Use the following exclusion parameters:

Name             Value
REQUEST_COOKIES  Cookie value
ARGS             Argument (query parameter or POST/PUT data)

Rate Limiting

  • Allows inspections of HTTP request properties
  • Limits the frequency of requests for each unique client IP address
  • Helps protect web applications from DDoS attacks by blocking or logging excess requests
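An added example, not OCI code, of the per-client-IP rate limiting described above, run over constructed access-log lines: a sliding-window counter per source IP that either blocks or only logs (detection mode) once a client exceeds the threshold. The thresholds, log format and IP addresses are constructed.

```python
"""Per-client-IP sliding-window rate limiting over constructed log lines (added example)."""
from collections import defaultdict, deque

MAX_REQUESTS = 5     # constructed threshold: requests allowed per window
WINDOW_SECONDS = 10  # constructed sliding window length

# Constructed access-log lines: "<epoch_seconds> <client_ip> <method> <path>"
SAMPLE_LOG = """\
100 203.0.113.7 GET /login
101 203.0.113.7 POST /login
101 198.51.100.2 GET /
102 203.0.113.7 POST /login
103 203.0.113.7 POST /login
104 203.0.113.7 POST /login
105 203.0.113.7 POST /login
120 203.0.113.7 POST /login
""".splitlines()

class RateLimiter:
    """Counts hits per client IP within a sliding time window."""
    def __init__(self, max_requests, window_seconds, block=True):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block = block          # False = log-only (detection) mode
        self.hits = defaultdict(deque)
        self.events = []

    def check(self, ts, ip):
        """Return 'ALLOW', 'BLOCK' or 'LOG' for a request at time ts from ip."""
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # expire hits outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.max_requests:
            self.events.append(f"{ts} {ip} exceeded {self.max_requests}/{self.window}s")
            return "BLOCK" if self.block else "LOG"
        return "ALLOW"

def run(lines, block=True):
    """Feed parsed log lines through the limiter; return (decisions, events)."""
    limiter = RateLimiter(MAX_REQUESTS, WINDOW_SECONDS, block)
    decisions = []
    for line in lines:
        ts, ip, _method, _path = line.split()
        decisions.append((ip, limiter.check(int(ts), ip)))
    return decisions, limiter.events
```

The block does not model a post-limit block duration; the sixth request in the window is the first one refused, and the client is admitted again once its earlier hits age out.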

Bot Management

Enables you to mitigate undesired bot traffic from your site using CAPTCHA and JavaScript detection tools, while enabling known published bot providers to bypass these controls

  • JavaScript Challenge
  • Human Interaction Challenge
  • CAPTCHA Challenge
  • Device Fingerprint Challenge
  • Good Bot Allow List Management

Caching Rule

Allows you to improve the performance and availability of your web application by selectively caching requested content on OCI's edge servers

Available Cache Rule Criteria
Determines whether the requested content should be cached, such as URL_IS, URL_STARTS_WITH, and so on
Available Cache Rule Actions
Can be set to one of two available actions: CACHE or BYPASS_CACHE

Threat Intelligence

Get real-time threat intelligence data from multiple sources and block requests from known malicious IP addresses.

Source                    Description
Webroot BotNets           Botnet C&C channels and infected zombie machines
Webroot Scanners          Reconnaissance attacks
Webroot Spam Sources      Tunneling spam messages
Webroot Windows Exploits  Active IP addresses distributing threats

Certificates

What is a Digital Certificate?

A digital certificate is a special ID card that websites use to show that they are safe and trustworthy; it helps users and computers communicate with websites securely and privately.

Certificate Authority (CA)

Organisation that issues and manages digital certificates for websites and other online entities

Public CA
  • A third-party organisation trusted by browsers, clients, operating systems, and applications
  • Trusted by a large group of people. For example, Let's Encrypt, DigiCert, etc.
Private CA
  • An internal organisation known and trusted by its network and IT environment
  • Trusted by a small group of people. For example, internal IT departments, Keytos

Types of Certificates

Self-Signed Certificate
  • Signed with its own private key
  • Used to encrypt and decrypt data
  • Cannot be trusted by a browser
Root Certificate
  • Self-signed and issued by a CA
  • Used to secure and authenticate websites
  • Can be trusted by a browser

Elements of a Certificate

  • Version
  • Serial Number
  • Issuer
  • Issued date and time
  • Expiration
  • Subject
  • Purpose

Steps for Securing a Certificate

Generate Request
Create a Certificate Signing Request (CSR)
Prove Identity
Submit documents for verification
Get Certificate
Pay the required amount and get your certificate

OCI Certificates

  • Creates and manages TLS certificates, certificate authorities (CAs), and CA bundles
  • Provides organisations with certificate issuance, storage, and management capabilities, including revocation and automatic renewal
  • Enables native integration with OCI services like Load Balancer and API Gateway
  • Imports certificates issued by a third-party CA for use in an OCI tenancy
  • Free of cost

TLS Connection

Mutual TLS Connection

OCI Certificates: Concepts

Certificates
Digital document that confirms its subject is the owner of the public key
Certificate Authorities (CA)
Issue certificates and subordinate CAs
CA Bundles
Include root and intermediate certificates, certificate properties, and user-provided contextual metadata
Certificate Chains
List of certificates from the end-entity certificate to the root certificate
Certificate Revocation List
Contains all CAs and certificates that the issuing CA has revoked prior to their expiration dates.

Certificate Authority

  • Only HSM-protected private keys provided through OCI KMS are supported
  • Oracle has no access to read the customer's private key
  • Conforms with RFC 5280
  • Supported Key Algorithm
    • RSA_2048
    • RSA_4096
    • ECDSA_P256
    • ECDSA_P384
  • Supported Signing Algorithms
    • SHA256_WITH_RSA
    • SHA384_WITH_RSA
    • SHA512_WITH_RSA
    • SHA256_WITH_ECDSA
    • SHA384_WITH_ECDSA
    • SHA512_WITH_ECDSA

Chain of Trust

OCI Certificates: Modes of Operation

  • Manage Internally
  • Manage Externally
  • Bring Your Own Certificate (BYOC)

Certificate Rule

Renewal Intervals
Frequency with which the certificate is automatically renewed
Advance Renewal Period
How far in advance of the certificate's expiration the certificate is renewed

Certificate Profile

OCI Certificates have four (4) predefined profiles to easily create certificates for particular use cases:

  1. TLS Server or Client
  2. TLS Server
  3. TLS Client
  4. TLS Code Sign

Integrations

  • Native integration with Load Balancer, API Gateway, OCI IAM, OCI Audit, Cloud Guard, and so on
  • Automatic revocation and deployments
  • No accidental deletion of a certificate that is in use
  • Revocation takes immediate effect

OCI Certificates: Lifecycle Management Features

  • Create CAs, Certificates, and CA bundles
  • Import Certificates
  • Update, tag, or delete CA, certificate, or CA bundle metadata
  • Renew Certificate
  • Configure Rules
  • Specify current version
  • Revoke a CA or certificate version