Onsite Training - Secure Web Applications with Alibaba Cloud Web Application Firewall
- 1. Secure Web Applications with Alibaba Cloud Web Application Firewall by Forster Chiu Principal Consultant – iCON Business Systems Limited
- 2. 2 Principle Consultant - Cybersecurity Assurance and Compliance (iCON Business Systems Ltd. Hong Kong) Vulnerability Assessment, Security Audit (ISO 27001, GDPR), and Pen Tester Speaker, Trainer - Security awareness and Offensive Subject Matter Expert – EC-Council PECB Certified Trainer MSc in Computer and Security, PgD in IT Forensics, BSc (Hons) Business Information Technology About Me
- 3. 2009 Alibaba Cloud is founded R&D centers are opened in Beijing, Hangzhou and Silicon Valley 2010 Alibaba Cloud’s first data center opens 2014 2017 Alibaba announced as the as the Official Cloud Services and Infrastructure Partner for the Olympic Games at the World Economic Forum in Davos. 2018 Alibaba Cloud Timeline Data Centers open in Beijing, Shenzhen and Hong Kong Included in Gartner’s Magic Quadrant for Data Analytics
- 4. Alibaba Cloud Services Data Migration Web Hosting Internet of Things Elastic Computing Storage Networking Security
- 8. What is Web Application Firewall WAF
- 9. OWASP – Top 10 2017
- 10. Protects your website against OWASP web application attacks Regular and timely patches against 0day vulnerabilities Attack event management What Alibaba Cloud WAF Can Do
- 11. Advantages of Alibaba Cloud WAF Alibaba Cloud WAF Function Solving traditional Web application attacks, solve business security issues such as HTTP connections attack and etc. Real Time Auto update the latest Web 0 Day vulnerability signature in 24 hours Performance Second level elastic expansion, support for millions of QPS business protection Deployment Quick deployment in just 5 minutes, both cloud and non-cloud Support Professional Expert Protection and IM Support
- 13. • Note: WAF instances created in International regions must be upgraded to the Enterprise edition.
- 14. Scalability Maintenance Cost Cloud WAF Versus On-Prem WAF
- 16. Demo 1: Purchase Alibaba Cloud WAF
- 19. Demo 2: Quick Start Configuration Method 1 - Add website configurations automatically Prerequisites : The DNS records of the website are managed by Alibaba Cloud DNS, and at least one A record is valid.
- 20. Add Domain and Verify HTTPS Certificate
- 21. Exception may be displayed after you have added the website configuration. Wait a few seconds and check the DNS status again, or check whether the DNS settings are configured correctly at your DNS service provider.
- 22. Method 2 – Add website configurations manually
- 23. On the Fill in the website information page, complete the following configuration.
- 24. Demo 3: WAF Protection Policies
- 25. HTTP ACL Policy Web Application Protection HTTP Flood Protection Big Data Deep Learning Engine Block IPs Initiating High-frequency Web Attacks WAF Features And Protection Rules Directory Scan Protection Threat Intelligence Blocked Regions Data Risk Control Website Tamper-proofing Data Leakage Prevention
- 27. Demo 4: Reporting and Loging Total QPS and the malicious QPS (triggering protection rules) of the latest 30 days Inbound and Outbound bandwidth of the latest 30 days Number of abnormal responses of the latest 30 days Top 5 cities and Top 10 IP addresses that requests originate from Mobile operating systems and PC browsers that requests originate from Top 5 URLs with the slowest response speed Top 5 URLs that are most frequently requested
- 29. Frequencies of Web application attacks, HTTP flood attacks, and Web ACL events of the latest 30 days Risk warnings of newly exposed industry or business security events Messages of update of Alibaba Cloud WAF protection rule sets
- 30. Web application attacks of the latest 30 days HTTP flood attacks of the latest 30 days Web ACL events of the latest 30 days You can query the details of the following attack protection records:
- 33. Lab Prerequisites: WebGoat 8 (https://github.com/WebGoat/WebGoat) OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) Vega Vulnerability Scanner (https://subgraph.com/vega/) Alibaba Cloud WAF Protection Rules Configuration Alibaba Cloud WAF Lab DEMO Lab Objectives: Discover web vulnerabilities of WebGoat 8 Attack WebGoat 8 without Alibaba Cloud WAF Protection Attack WebGoat 8 with Alibaba Cloud WAF Protection Verify the business values offered by Alibaba Cloud WAF Protection