Enhance Security with Oracle Cloud Infrastructure's Web Application Firewall

Oracle recently introduced a Web Application Firewall (WAF) service to further enhance and secure its Oracle Cloud Infrastructure offerings. The Oracle Cloud Infrastructure WAF is based on Oracle Zenedge and Oracle Dyn technologies. It inspects all traffic destined to your web application origin and identifies and blocks all malicious traffic. WAF offers the following tools, which can be used on any website, regardless of where it is being hosted:

1. Origin management.

2. Bot management.

3. Access control.

4. Over 250 robust protection rules that include the OWASP rulesets to protect against SQL injection, cross-site scripting, HTML injection, & more.

Matt Carter, Product Manager for WAF, has written a topical overview of WAF and edge security in the Oracle cloud (OCI). It's a nice blog, go read it! Another cool blog was written by Paul Toal, a Distinguished Solution Engineer, who presents visual demos highlighting OCI WAF's main capabilities. To complement these blogs, I will be publishing soon a blog on how to automate deployment and configuration of WAF using Terraform/Ansible. 

Finally, in this post, Sergio J. Castro, Senior Cloud Solutions Engineer with Oracle North America Cloud, and a guest author on our A-TEAM blogs, will cover in detail how to setup and configure WAF policies. It's a nice post, and covers a lot of useful detail. Enjoy! 

Introduction

In this post, I configure a set of access control WAF policies to a website. Access control defines explicit actions for requests that meet conditions based on URI, request headers, client IP address, or countries and regions. Conditions can use regular expression and list comparison tools. Actions can be detections or blocks. The website that I use is www.denzura.com, previously created with Oracle Cloud Infrastructure Edge DNS services.

Create a WAF Policy Zone

1. Sign in to your tenancy in the Oracle Cloud Infrastructure Console.

2. Open the navigation menu. Under Solutions, Platform and Edge, go to Edge Services and click WAF Policies.

3. Select a compartment for your WAF policy to reside in. If one is preselected, ensure that you want your WAF policy to reside there, or select another compartment.

4. Click Create WAF Policy.

5. For the policy name, enter a unique name for the policy (this example uses MyWAF).

6. In the Domains section, for Primary Domain enter the naked domain of your website (this example uses denzura.com). In the Additional Domains field, enter a third-level domain. The default or the most commonly used third-level domain is www, which is what I'm using.  The complete example entry to this field is www.denzura.com. If you want to add additional domains, click Additional Domain. Note: The Additional Domains field hosts the subdomains where the policies are applied.

7. In the WAF Origin section, for Origin Name, enter a name that is unique in your tenancy. The example in this post is DenzuraWAF.

8. For the URI field, use either an IPv4 address or an FQDN. In this example, I'm using the IP address of the website: 130.61.55.114. Note: For this example, I'm not using Advanced Origin Options or Tagging.

9. Click Create WAF Policy.

In a few minutes, the policy is created.

Notice that the message that indicates to visit your DNS provider.

In this example, I added the third-level domain www to the CNAME record that was output by the WAF Policy.

Add the CNAME Record to Your DNS Zone

The following instructions are for DNS zone management in Oracle Cloud Infrastructure Edge services. If your DNS zone is outside of Oracle Cloud Infrastructure, follow your provider instructions.

1. Open the navigation menu in the Console. Under Solutions, Platform and Edge, go to Edge Services and click DNS Zone Management.

2. Select your zone name (in this example, Denzura.com).

3. Click Add Record.

4. In the Add Record dialog box, select the CNAME record from the list.

5. In the Name field, enter www.

6. In the TTL (Time To Live) field, enter a value in milliseconds (for example, 86400).

7. Leave the RDATA field as basic.

8. In the Target field, paste the CNAME string that resulted by adding your WAF policy. The string in this example is denzura-com.b.waas.oci.oraclecloud.net.

9. Click Submit.

10. Click Publish Changes.

After the policy becomes active, verify that the WAF is serving the website.

Verify WAF Coverage

1. Open a web browser (this example is using Google Chrome).

2. Enter the web address of your domain name (for example, www.denzura.com).

3. When the website is displayed, right-click and select Inspect.

4. Click the Network tab.

5. Click All.

6. In the Name column, select www.denzura.com.

7. Click the Headers tab.The Server field should display ZENEDGE. This indicates that your website is being inspected by Oracle Cloud Infrastructure WAF.

Configure WAF Access Control Rules

Now it's time to create the access control rules. In this example, I block all traffic coming from the US, with the exception of one IP address. To prove that the access control works, I access the www.denzura.com website from a host located in the US and verify that access is blocked and that a custom message is displayed. Then I access the website from that one exception and verify that it loads normally. Finally, I access the same website from an Oracle Cloud Infrastructure Windows instance located in the Frankfurt region, with the IP address 130.61.73.189, and verify that it loads normally.

1. Open the navigation menu in the Console. Under Solutions, Platform and Edge, go to Edge Services and click WAF Policies.

2. Open the policy that you created (in this example, DenzuraWAF).

3. Click Access Control.

4. Click Add Access Rule.

5. Enter a unique name for the access rule (in this example, Cease_and_Desist).

6. Under Conditions, select Country/Region is from the Rule Conditions menu.

7. From the Country/Region menu, select United States.

8. Click Additional Condition.

9. From the Rule Conditions menu, select IP Address in not.

10. Enter the IP address from a host located anywhere in the US that will be the one exception for accessing the website (in this example, 129.146.140.71).

11. Under Action, select Block.

12. Under Block Action, select Show Error Response.

13. As needed, customize the messages that open. In this post, I'll modify the Block Error Page Description with the following message: “Access blocked by website owner. CEASE AND DESIST.”

14. Click Add Access Rule.

15. Under WAF Policy, click Unpublished Changes.

16. Click Publish All. In the Publish Changes dialog box, click Publish All.

Access the Website

It takes about 10 minutes for a WAF policy access control rule to become active. After it does, test the policy by accessing the website: www.denzura.com

Success!

Both the exception and the host in the Frankfurt region work; the website can be accessed as expected. You can download screenshots that show this access from https://bit.ly/2PdSXCX. They are hosted in Oracle Cloud Infrastructure Object Storage, and the link will be active until December 31, 2020.