Best Practices from Oracle Development's A‑Team
-
/ A-Team Chronicles
April 7, 2021
Using a Web Application Firewall with Private Oracle Analytics
Validated April 7, 2021 for OAC 5.9
Introduction
Oracle Analytics now can use a custom or vanity URL. This feature enables the use a web application firewall and load balancers with HTTPs listeners.
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, global
security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing
endpoint, providing consistent rule enforcement across a customer's applications.
WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL
Injection and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while tactically allowed desirable bots to
enter. Access rules can limit based on geography or the signature of the request.
The global Security Operations Center (SOC) will continually monitor the internet threat landscape acting as an extension of your IT infrastructure.
Refer here for a post on deploying a vanity URL and here for one on using a load balancer with it.
This post builds upon these and is a step-by-step guide for using a Web Application Firewall with private Oracle Analytics and is one of the posts in the OAC Private Endpoint Series. Although it focuses on Oracle Analytics with a private endpoint it may be useful for any public or private endpoint service that has an accessible transport layer security certificate and private key.
Validations
April 7, 2021 for OAC 5.9
Topics
Before You Begin
Deploying Web Application Firewall Components
Deploying OCI Components
Validating Connections to Oracle Analytics via a Web Application Firewall
℘ Before You Begin and Assumptions ℘
Acronyms
| OAC | Oracle Analytics Cloud |
| PE | Private Endpoint |
| VCN | Virtual Cloud Network |
| TLS | Transport Layer Security |
| LB | Load Balancer |
| OCI | Oracle Cloud Infrastructure |
| FQDN | Fully Qualified Domain Name |
| HTTPS | Hypertext Transfer Protocol Secure |
| OSN | Oracle Services Network |
| WAF | Web Application Firewall |
| DNS | Domain Name System |
| ACL | Access Control List - Security List |
| NSG | Network Security Group |
Existing Components
This post assumes an OAC PE instance with a vanity URL is accessible to users via a public load balancer with a HTTPs listener.
Privileges
A user account in an OCI tenancy for managing OAC, WAF and network resources
Initial State
℘ Deploying Web Application Firewall Components ℘
The following table lists the WAF components to be deployed with links for reference.
| COMPONENT | USE | REFERENCE |
|---|---|---|
| WAF Policy | Encompass the overall configuration of a WAF service instance | link |
| WAF Access Control | Create IP Address Lists of clients allowed to access WAF | link |
| TLS CERT | The TLS certificate and private key for the OAC vanity URL | link |
WAF Policy
From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click Policies and Create WAF Policy.
Enter a Name e.g. Private OAC WAF Policy
Enter the Primary domain for the OAC instance to be protected e.g. myorg.com
Enter the OAC instance's vanity FQDN as the Additional Domain e.g. ash-prv-oac.myorg.com
Enter an Origin Name e.g. <LB name>, ASH-HUB-PUB-LB
Enter the public IP address of the LB as the URI
Click Create WAF Policy
Define WAF Level Components
Note: The TLS Certificate must be in PEM format and must be a full chain certificate (that is, Root, Intermediate, Origin Server). Certificates and IP address Lists may be added at the WAF or the WAF policy level. This examples chooses from the WAF level.
From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click Certificates and Create WAF Certificate.
Enter a Name for the certificate
For Upload certificates source, select or paste the X.509 TLS certificate for the OAC vanity FQDN e.g. *.myorg.com.crt
For Upload private key source, select or paste the X.509 TLS certificate private key e.g. *.myorg.com.key
Accept the remaining defaults and click Create
From the OCI menu navigate to Security > Web Application Firewall. Choose the appropriate Compartment, click IP Address Lists and Create WAF IP Address List.
Enter a Name for the IP address list. e.g. Wide Open
Note: For development purposes only you may use a list that allows all IP addresses.
Enter the IP Addresses in CIDR notation e.g. 0.0.0.0/0
Click Create
Enable HTTPS Support
From the WAF menu, click Policies, click your policy, select the General Settings tab and click Edit.
Check Enable HTTPS support
Select Choose certificate
Change the Compartment if necessary and select the Certificate from the dropdown
Accept the remaining defaults and click Save Changes
Define WAF Policy Access Control
From the WAF menu, click Policies, click your policy, click Access Control, select the Access Rules tab and click Add Access Rule.
Enter a Name e.g. Wide Open
Select Log and Allow for the Action
Select IP Address in Address List for the Condition
Change the Compartment if necessary and select the Address List from the dropdown
Accept the remaining defaults and click Add Access Rule
℘ Deploying OCI Components ℘
The following table lists the components to be deployed in OCI with links for reference.
| COMPONENT | USE | REFERENCE |
|---|---|---|
| ACCESS CONTROL | Modify Security List or Network Security Group rules allowing access to the LB from WAF | link |
| DNS ZONE | Update the DNS zone that resolves the OAC vanity FQDN | link |
Access Control
Modify the current LB security list or NSG to allow access from WAF. Optionally remove direct access from clients. The WAF IP CIDR ranges are found in 6. Securing Your WAF.
Note: For development purposes only you may use a list that allows all IP addresses.
DNS Zone
At the top of the policy page is a directive to add a CNAME record to the DNS zone containing the OAC vanity FQDN.
Delete any existing records for the OAC vanity FQDN and publish the changes.
Create a CNAME record for the WAF as directed publish the changes.
Deployed State
The deployed components are depicted below. Click here for a short clip of the process.
℘ Validating Connections to Oracle Analytics via a Web Application Firewall ℘
Validate that OAC can be accessed via the WAF and sign-in to OAC.
Validate DNS
Use the nslookup command with the OAC vanity FQDN and view the WAF names and addresses.
ash-prv-oac.myOrg.com canonical name = myorg-com.o.waas.oci.oraclecloud.net.
myorg-com.o.waas.oci.oraclecloud.net canonical name = tm.inregion.waas.oci.oraclecloud.net.
tm.inregion.waas.oci.oraclecloud.net canonical name = us-ashburn.inregion.waas.oci.oraclecloud.net.
Name: us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.16.92
Name: us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 130.35.17.191
Name: us-ashburn.inregion.waas.oci.oraclecloud.net
Address: 147.154.4.245
Validate Access
Use the nc command on a Mac / Linux or the equivalent tnc command on Windows to validate connectivity to the OAC port.
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 130.nnn.nnn.253:443
Connect to OAC
Enter the OAC vanity URL into your browser and sign in to OAC.
℘ Connection Flow ℘
The connection flow is shown below. Click here for a short clip.
℘ Summary ℘
This post provided a step-by-step guide for using a Web Application Firewall with private Oracle Analytics.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley