Web Application Firewall Cloud Options: Alibaba Cloud WAF & AWS WAF

A web application or a REST API hosted in a cloud is a common scenario for most developers. However, not every application has the same level of security. Adding a Web Application Firewall (WAF) to your web application is a helpful way to improve your security.

In this article, we'll compare two cloud-based WAF options: the one offered by Alibaba Cloud and AWS WAF.

Alibaba Cloud WAF

The main advantage of using a WAF in the cloud, as opposed to an on-premises firewall, is that setup and installation time are minimal. In addition, you get 24/7 monitoring and automated responses to firewall-related incidents, which means you don’t have to worry about your staff constantly monitoring the firewall in order to deal with problems.

Alibaba Cloud WAF uses machine learning to reduce false positives, which is one of the features that I found particularly fantastic about the tool. In addition, the monthly subscription includes protection and reporting.

To start configuring the WAF, begin on the main dashboard. Then locate the Security option and select Web Application Firewall.

This is the main screen of the WAF, and here we can see the scope of what it can protect and the radius of its reach.

The instructions for complete configuration are written out in detail in the documentation, which is available via the following link: https://www.alibabacloud.com/help/doc-detail/45251.htm?spm=a3c0i.o28517en.b99.6.e4658abukoP2p

AWS WAF

To use AWS WAF, the first thing to think about is the creation of Access Control Lists (ACLs). If you do not understand how a firewall works, how to create one, and where to start, a good deal of research will be necessary. From the outset, the rules for what may enter and exit need to be clear. An inexperienced administrator can end up blocking everything or releasing everything. You can have a whole environment behind a WAF that is still completely unprotected because of misapplied rules.

Let's view the tool in practice and go over the key points. After logging into the tool and searching for AWS WAF, you’ll find this dashboard that explains some of the basics:

As we can see on the following screen, when we click on Configure Web ACL, initially, we have an overview of how ACLs should be created, and which applications we can protect.

Click Next to continue the setup. At this point, we can name the ACL (it should be a clear and easy-to-understand name). We can then choose the ACL region (whether it is local or global), and finally, the resource that this ACL will protect.

In the next screen, we can see the creation of the conditions of each rule. (Do more research for your understanding at this point if needed.) At this point, I chose an example of creating conditions for the SQL injection rule. I created the name, region, type of request and what should be done according to this request.

This ACL condition configuration screen is critical. If we move from this screen without the appropriate settings, it’s like forgetting to close the lock on a gate.

The following screenshots show the creation of the rule that will be applied to the ACL created according to the defined condition.

The last steps are just finishing and confirming the settings made in the previous steps. You can complete the AWS WAF setup by following the next steps in the wizard.
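
The warning above, that a misapplied rule can leave a Web ACL blocking everything or releasing everything, can be checked offline before a configuration goes live. The following is an added example, not code from the original article or from AWS: it audits Web ACL, rule and SQL injection condition documents, assuming they use the field names of AWS WAF Classic API responses. The function names, finding codes and sample data are constructed for illustration.

```python
# Assumption: dicts use the field names of AWS WAF Classic API responses.
def audit_web_acl(acl, rules, sqli_sets):
    """Return sorted finding codes (hypothetical names) for one Web ACL."""
    findings = set()
    effective = set()  # actions of rules that have a usable condition
    for activated in acl.get("Rules", []):
        rule = rules.get(activated["RuleId"])
        if rule is None:
            findings.add("RULE_NOT_FOUND")
            continue
        predicates = rule.get("Predicates", [])
        if not predicates:
            findings.add("RULE_WITHOUT_CONDITION")
            continue
        usable = True
        for pred in predicates:
            # Only the SQL injection condition from the article is inspected;
            # other condition types and Negated predicates are taken as usable.
            if pred["Type"] != "SqlInjectionMatch" or pred.get("Negated"):
                continue
            match_set = sqli_sets.get(pred["DataId"], {})
            if not match_set.get("SqlInjectionMatchTuples"):
                findings.add("EMPTY_SQLI_CONDITION")  # no request field is inspected
                usable = False
        if usable:
            effective.add(activated["Action"]["Type"])
    default = acl["DefaultAction"]["Type"]
    if default == "ALLOW" and "BLOCK" not in effective:
        findings.add("RELEASES_EVERYTHING")  # nothing can ever be blocked
    if default == "BLOCK" and "ALLOW" not in effective:
        findings.add("BLOCKS_EVERYTHING")  # nothing can ever be allowed
    return sorted(findings)

# Constructed sample data (placeholder IDs, not from a real account).
RULES = {
    "rule-sqli": {"Predicates": [
        {"Negated": False, "Type": "SqlInjectionMatch", "DataId": "set-ok"}]},
    "rule-draft": {"Predicates": [
        {"Negated": False, "Type": "SqlInjectionMatch", "DataId": "set-empty"}]},
}
SQLI_SETS = {
    "set-ok": {"SqlInjectionMatchTuples": [
        {"FieldToMatch": {"Type": "QUERY_STRING"}, "TextTransformation": "URL_DECODE"}]},
    "set-empty": {"SqlInjectionMatchTuples": []},
}

def make_acl(default, rule_id, action):
    return {"DefaultAction": {"Type": default},
            "Rules": [{"Priority": 1, "RuleId": rule_id, "Action": {"Type": action}}]}
```

Calling `audit_web_acl(make_acl("ALLOW", "rule-draft", "BLOCK"), RULES, SQLI_SETS)` reports the case where the SQL injection condition screen was left without settings: the rule exists, but the ACL still releases everything.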

Conclusion

AWS WAF is comprehensive—from prior notification in the creation and configuration of rules, rather than a firewall. To use AWS WAF, you need to be a person who knows firewalls well, or be able to request support from someone who does. Keep in mind that charges are based on the number of ACLs and the number of access requests to your application. As of now, fewer ACLs mean lower cost, but also a less secure application.

Alibaba Cloud WAF and AWS WAF are both useful tools for securing web-based applications. As noted above, Alibaba Cloud WAF’s machine learning features make it an especially convenient tool in situations where your firewall configuration and monitoring need to be as automated as possible and you want to avoid false positives. AWS WAF, on the other hand, offers more detailed configuration options—although with that detail comes a steeper learning curve. To use AWS WAF effectively, you need to have deep experience with ACLs and firewall configurations; Alibaba Cloud WAF is arguably a better WAF choice for admins with less firewall experience.

If you’d like to test the Alibaba Cloud WAF, you can take advantage of their current offer of $300 in free credits.

Bio

Brena Monteiro is a Fixate IO Contributor and a software engineer with experience in the analysis and development of systems. She is a free software enthusiast and an apprentice of new technologies.
