
Best Practices from Oracle Development's A‑Team

Using a Web Application Firewall with Private Oracle Analytics

Validated April 7, 2021 for OAC 5.9

Introduction

Oracle Analytics can now use a custom or vanity URL. This feature enables the use of a web application firewall and of load balancers with HTTPS listeners in front of the service.

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

WAF lets you create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while selectively allowing desirable bots through. Access rules can restrict requests based on geography or on the signature of the request.

The global Security Operations Center (SOC) will continually monitor the internet threat landscape acting as an extension of your IT infrastructure.

Refer here for a post on deploying a vanity URL and here for one on using a load balancer with it.

This post builds upon these and is a step-by-step guide for using a Web Application Firewall with private Oracle Analytics and is one of the posts in the OAC Private Endpoint Series. Although it focuses on Oracle Analytics with a private endpoint it may be useful for any public or private endpoint service that has an accessible transport layer security certificate and private key.

Validations

April 7, 2021 for OAC 5.9

Topics

Before You Begin

Deploying Web Application Firewall Components

Deploying OCI Components

Validating Connections to Oracle Analytics via a Web Application Firewall

 

Before You Begin and Assumptions

Acronyms

OAC    Oracle Analytics Cloud
PE     Private Endpoint
VCN    Virtual Cloud Network
TLS    Transport Layer Security
LB     Load Balancer
OCI    Oracle Cloud Infrastructure
FQDN   Fully Qualified Domain Name
HTTPS  Hypertext Transfer Protocol Secure
OSN    Oracle Services Network
WAF    Web Application Firewall
DNS    Domain Name System
ACL    Access Control List (Security List)
NSG    Network Security Group

 

Existing Components

This post assumes an OAC PE instance with a vanity URL that is already accessible to users via a public load balancer with an HTTPS listener.

Privileges

A user account in an OCI tenancy for managing OAC, WAF and network resources

Initial State

 

 

 Deploying Web Application Firewall Components 

The following table lists the WAF components to be deployed with links for reference.

COMPONENT           USE                                                              REFERENCE
WAF Policy          Encompasses the overall configuration of a WAF service instance  link
WAF Access Control  Creates IP address lists of clients allowed to access WAF        link
TLS Cert            The TLS certificate and private key for the OAC vanity URL       link

 

WAF Policy

From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click Policies and Create WAF Policy.

Enter a Name e.g. Private OAC WAF Policy
Enter the Primary domain for the OAC instance to be protected e.g. myorg.com
Enter the OAC instance's vanity FQDN as the Additional Domain e.g. ash-prv-oac.myorg.com
Enter an Origin Name e.g. <LB name>, ASH-HUB-PUB-LB
Enter the public IP address of the LB as the URI
Click Create WAF Policy

Define WAF Level Components

Note: The TLS certificate must be in PEM format and must be a full chain certificate (that is, Root, Intermediate and Origin Server certificates concatenated in one PEM file; a file containing only the origin server's certificate will not do). Certificates and IP address lists may be added at the WAF level or at the WAF policy level. This example adds them at the WAF level.

From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click Certificates and Create WAF Certificate.

Enter a Name for the certificate
For Upload certificates source, select or paste the PEM-encoded X.509 certificate chain for the OAC vanity FQDN e.g. *.myorg.com.crt
For Upload private key source, select or paste the PEM-encoded private key belonging to that certificate e.g. *.myorg.com.key
Accept the remaining defaults and click Create
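The two uploads above fail in predictable ways: only the leaf certificate is pasted, the key file is pasted into the certificate field, or the files are DER rather than PEM. The following pre-flight check is an added example written for this post, not part of the original article or of the OCI WAF service; it parses both files, confirms that the certificate file holds at least a leaf plus one issuer certificate and nothing else, that the key file holds a private key, and that every block decodes to DER. The PEM samples embedded in it are constructed stand-ins (a five-byte ASN.1 SEQUENCE), not real certificates. It is a structural check only; the cryptographic verification that the chain actually validates and that the key matches the certificate is still done with openssl, as noted after the block.

```python
"""Structural pre-flight check of a PEM certificate chain and private key
before uploading them as a WAF certificate.

Added example for this post; not Oracle's code. The PEM samples below are
constructed stand-ins (the DER payload is a 5-byte ASN.1 SEQUENCE), not
real certificates or keys.
"""
import base64
import re

# A PEM block: BEGIN label, base64 body, END with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Constructed samples: every body decodes to 30 03 02 01 01 (SEQUENCE { INTEGER 1 }).
_BODY = "MAMCAQE="
SAMPLE_LEAF = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = SAMPLE_LEAF
SAMPLE_ROOT = SAMPLE_LEAF
SAMPLE_FULL_CHAIN = SAMPLE_LEAF + SAMPLE_INTERMEDIATE + SAMPLE_ROOT
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n"


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text.

    Raises ValueError when a block's body is not valid base64.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"PEM block '{label}' is not valid base64") from exc
        blocks.append((label, der))
    return blocks


def check_chain(cert_pem, key_pem, min_certs=2):
    """Return a list of problems; an empty list means the pair looks uploadable."""
    problems = []
    cert_blocks = parse_pem(cert_pem)
    key_blocks = parse_pem(key_pem)

    n_certs = sum(1 for label, _ in cert_blocks if label == "CERTIFICATE")
    if n_certs == 0:
        problems.append("certificate file has no CERTIFICATE block (empty, DER, or wrong file?)")
    elif n_certs < min_certs:
        problems.append(
            f"only {n_certs} certificate present; the WAF needs the full chain "
            "(origin server + intermediate + root)"
        )

    stray = [label for label, _ in cert_blocks if label != "CERTIFICATE"]
    if stray:
        problems.append("certificate file contains non-certificate blocks: " + ", ".join(stray))

    key_labels = [label for label, _ in key_blocks]
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("key file has no PRIVATE KEY block (is it PEM?)")
    if any(label.startswith("ENCRYPTED") for label in key_labels):
        # Flagged for review: a passphrase-protected key cannot be used unattended.
        problems.append("key file holds an ENCRYPTED PRIVATE KEY; review before uploading")

    # Every block must decode to a DER SEQUENCE (first byte 0x30).
    for label, der in cert_blocks + key_blocks:
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    print("full chain + key:", check_chain(SAMPLE_FULL_CHAIN, SAMPLE_KEY) or "OK")
    print("leaf only + key: ", check_chain(SAMPLE_LEAF, SAMPLE_KEY))
```

For real files, run the check with the contents of *.myorg.com.crt and *.myorg.com.key, then let openssl do the cryptographic part: `openssl verify -CAfile <root-and-intermediates.pem> <leaf.pem>` confirms the chain builds, and comparing `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem` (for RSA keys) confirms the key belongs to the certificate.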

From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click IP Address Lists and Create WAF IP Address List.

Enter a Name for the IP address list. e.g. Wide Open

Note: For development purposes only you may use a list that allows all IP addresses.


Enter the IP Addresses in CIDR notation e.g. 0.0.0.0/0
Click Create

Enable HTTPS Support

From the WAF menu, click Policies, click your policy, select the General Settings tab and click Edit.

Check Enable HTTPS support
   Select Choose certificate
      Change the Compartment if necessary and select the Certificate from the dropdown
   Accept the remaining defaults and click Save Changes

Define WAF Policy Access Control

From the WAF menu, click Policies, click your policy, click Access Control, select the Access Rules tab and click Add Access Rule.

Enter a Name e.g. Wide Open
Select Log and Allow for the Action
Select IP Address in Address List for the Condition
Change the Compartment if necessary and select the Address List from the dropdown   
Accept the remaining defaults and click Add Access Rule

 

 

 Deploying OCI Components 

The following table lists the components to be deployed in OCI with links for reference.

COMPONENT       USE                                                                           REFERENCE
ACCESS CONTROL  Modify Security List or Network Security Group rules allowing access to the LB from WAF  link
DNS ZONE        Update the DNS zone that resolves the OAC vanity FQDN                         link

 

Access Control

Modify the current LB security list or NSG to allow ingress on the HTTPS listener port from the WAF IP CIDR ranges. Remove the rules that allow direct access from clients: as long as the LB still accepts connections from anywhere, anyone who knows its public IP address can send requests to it directly and bypass every WAF rule. The WAF IP CIDR ranges are found in 6. Securing Your WAF.

Note: For development purposes only you may use a list that allows all IP addresses.
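As an added example for this post (not Oracle's code, and not part of the original article), the following script turns a list of CIDR ranges into the ingress rules the OCI NSG API expects, restricted to TCP port 443, and refuses a wide-open range unless explicitly asked for. The CIDRs embedded in it are constructed placeholders from the RFC 5737 test networks, not Oracle's real WAF ranges; substitute the list from the documentation referenced above. The rule schema (direction, protocol "6" for TCP, sourceType CIDR_BLOCK, tcpOptions.destinationPortRange) follows the OCI NSG security-rule shape; treat the exact field names as an assumption to confirm against the OCI CLI reference before use.

```python
"""Generate OCI NSG ingress rules that admit only the WAF to the LB's HTTPS listener.

Added example for this post; not Oracle's code. WAF_CIDRS_EXAMPLE holds
constructed RFC 5737 placeholder ranges, NOT the real OCI WAF ranges.
"""
import ipaddress
import json

# Constructed placeholders; replace with the WAF CIDR list from the OCI documentation.
WAF_CIDRS_EXAMPLE = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def is_wide_open(cidr):
    """True for a range that admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen == 0


def https_ingress_rules(cidrs, port=443, allow_wide_open=False):
    """Return a list of NSG ingress rule dicts, one per CIDR, for TCP `port`.

    Raises ValueError for a malformed CIDR (host bits set, bad notation) and,
    unless allow_wide_open=True, for a range that would let clients bypass the WAF
    by connecting to the LB directly.
    """
    rules = []
    seen = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: "192.0.2.1/24" is rejected
        if net.prefixlen == 0 and not allow_wide_open:
            raise ValueError(
                f"{cidr} admits the whole internet; the LB would be reachable without the WAF"
            )
        if str(net) in seen:  # duplicate CIDRs produce duplicate rules; drop them
            continue
        seen.add(str(net))
        rules.append({
            "direction": "INGRESS",
            "protocol": "6",  # TCP (IANA protocol number, the value OCI NSG rules use)
            "source": str(net),
            "sourceType": "CIDR_BLOCK",
            "isStateless": False,
            "description": f"HTTPS from WAF {net}",
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        })
    return rules


def to_cli_json(rules):
    """Serialize the rules as the JSON document passed to the OCI CLI."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    print(to_cli_json(https_ingress_rules(WAF_CIDRS_EXAMPLE)))
```

Assuming the OCI CLI's `oci network nsg rules add --nsg-id <nsg-ocid> --security-rules <json>` form (an assumption; check it against the CLI reference for your version), the printed document can be saved to a file and passed as `--security-rules file://waf-rules.json`. The same rule set, minus the rules that previously allowed 0.0.0.0/0, is what the LB's NSG should end up with.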

DNS Zone

At the top of the policy page is a directive to add a CNAME record to the DNS zone containing the OAC vanity FQDN.

Delete any existing records for the OAC vanity FQDN (an A record left behind would let clients resolve straight to the LB) and publish the changes.
Create a CNAME record for the WAF as directed and publish the changes.

Deployed State

The deployed components are depicted below. Click here for a short clip of the process.

 

Validating Connections to Oracle Analytics via a Web Application Firewall

Validate that OAC can be accessed via the WAF and sign-in to OAC.

Validate DNS

Use the nslookup command with the OAC vanity FQDN and view the WAF names and addresses.

ash-prv-oac.myOrg.com    canonical name = myorg-com.o.waas.oci.oraclecloud.net.
myorg-com.o.waas.oci.oraclecloud.net    canonical name = tm.inregion.waas.oci.oraclecloud.net.
tm.inregion.waas.oci.oraclecloud.net    canonical name = us-ashburn.inregion.waas.oci.oraclecloud.net.
Name:    us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.16.92
Name:    us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.17.191
Name:    us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 147.154.4.245
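Reading the chain above by eye works once; the following added example (written for this post, not part of the original article) does the same check mechanically so it can be repeated after every DNS change. It parses nslookup output, follows the CNAME chain from the vanity FQDN and reports whether it ends inside the WAF's waas.oci.oraclecloud.net domain with at least one address. The sample text embedded in it is constructed from the nslookup output shown above, trimmed to two addresses; real output also contains a "Server:"/"Address: ...#53" preamble, which the parser skips. The WAF domain suffix is taken from that output and is the one assumption worth re-checking if your region's names differ.

```python
"""Check that an OAC vanity FQDN resolves through the WAF, from nslookup output.

Added example for this post; not Oracle's code. SAMPLE_NSLOOKUP is constructed
from the nslookup output shown in the post, trimmed to two addresses.
"""
import re

SAMPLE_NSLOOKUP = """\
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
ash-prv-oac.myOrg.com    canonical name = myorg-com.o.waas.oci.oraclecloud.net.
myorg-com.o.waas.oci.oraclecloud.net    canonical name = tm.inregion.waas.oci.oraclecloud.net.
tm.inregion.waas.oci.oraclecloud.net    canonical name = us-ashburn.inregion.waas.oci.oraclecloud.net.
Name:    us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.16.92
Name:    us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.17.191
"""

# Assumed from the output above: every WAF edge name ends in this suffix.
WAF_SUFFIX = ".waas.oci.oraclecloud.net"

CNAME_RE = re.compile(r"^(\S+)\s+canonical name\s*=\s*(\S+)$", re.M)
ADDR_RE = re.compile(r"^Address:\s*(\S+)$", re.M)


def _norm(name):
    return name.lower().rstrip(".")


def parse_nslookup(text):
    """Return (cname_pairs, addresses).

    cname_pairs is [(alias, target), ...] in output order; addresses excludes the
    resolver's own "Address: x.x.x.x#53" line.
    """
    pairs = [(_norm(a), _norm(t)) for a, t in CNAME_RE.findall(text)]
    addresses = [a for a in ADDR_RE.findall(text) if "#" not in a]
    return pairs, addresses


def check_waf_fronting(text, vanity_fqdn, max_hops=10):
    """Follow the CNAME chain from vanity_fqdn; return (ok, reason)."""
    pairs, addresses = parse_nslookup(text)
    cname = dict(pairs)
    name = _norm(vanity_fqdn)
    hops = []
    while name in cname and len(hops) < max_hops:  # max_hops guards against a CNAME loop
        name = cname[name]
        hops.append(name)
    if not hops:
        return False, "no CNAME for the vanity FQDN; a stale A record may still point at the LB"
    if not hops[-1].endswith(WAF_SUFFIX):
        return False, f"CNAME chain ends at {hops[-1]}, which is not a WAF name"
    if not addresses:
        return False, "CNAME chain reaches the WAF but no addresses were returned"
    return True, f"{len(hops)} CNAME hop(s) to {hops[-1]} -> {', '.join(addresses)}"


if __name__ == "__main__":
    print(check_waf_fronting(SAMPLE_NSLOOKUP, "ash-prv-oac.myorg.com"))
```

Feed it live output with `nslookup ash-prv-oac.myorg.com` redirected to a file; a False result immediately after the DNS change usually means the old A record has not expired from the resolver's cache yet, so re-run after the record's former TTL has elapsed.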

Validate Access

Use the nc command on Mac / Linux, or the equivalent tnc (Test-NetConnection) command in Windows PowerShell, to validate connectivity to the OAC vanity FQDN on port 443.

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 130.nnn.nnn.253:443

Connect to OAC

Enter the OAC vanity URL into your browser and sign in to OAC.

 

Connection Flow

The connection flow is shown below. Click here for a short clip. 

 

 Summary 

This post provided a step-by-step guide for using a Web Application Firewall with private Oracle Analytics.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
