service overview - huawei cloud · 2020. 10. 30. · web application firewall service overview...

Web Application Firewall

Service Overview

Issue 41

Date 2021-05-27

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 41 (2021-05-27) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 What Is Web Application Firewall?.....................................................................................1

2 Edition Differences.................................................................................................................. 2

3 Functions................................................................................................................................... 8

4 Product Advantages..............................................................................................................16

5 Application Scenarios........................................................................................................... 17

6 Billing Description.................................................................................................................19

7 Project and Enterprise Project............................................................................................22

8 Personal Data Protection Mechanism.............................................................................. 24

9 Permissions Management................................................................................................... 26

10 WAF and Other Services....................................................................................................29

A Change History...................................................................................................................... 32

Web Application FirewallService Overview Contents

Issue 41 (2021-05-27) Copyright © Huawei Technologies Co., Ltd. ii

1 What Is Web Application Firewall?

Web Application Firewall (WAF) keeps web services stable and secure. It examinesall HTTP and HTTPS requests to detect and block the following attacks: StructuredQuery Language (SQL) injection, cross-site scripting (XSS), web shells, commandand code injections, file inclusion, sensitive file access, third-party vulnerabilityexploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-siterequest forgery (CSRF).

How WAF WorksAfter purchasing WAF, add the website to WAF on the WAF console. After awebsite is connected to WAF, all website access requests are forwarded to WAFfirst. WAF detects and filters out malicious attack traffic, and returns normaltraffic to the origin server to ensure that the origin server is secure, stable, andavailable.

The process of forwarding traffic from WAF to the origin server is called back-to-source. WAF uses its back-to-source IP addresses to send received client requeststo the origin server. In this way, for the origin server, WAF back-to-source IPaddresses instead of client IP addresses are visible.

Figure 1-1 How WAF protects a website

Web Application FirewallService Overview 1 What Is Web Application Firewall?

Issue 41 (2021-05-27) Copyright © Huawei Technologies Co., Ltd. 1

2 Edition Differences

WAF supports yearly/monthly and pay-per-use billing modes. You can switchbetween yearly/monthly and pay-per-use billing mode. The yearly/monthly billingmode is supported in the professional, enterprise, and premium editions. Getyourself familiar with differences between WAF editions before you make apurchase.

Application ScenariosTable 2-1 describes the application scenarios for different editions. Get familiarwith the application scenarios for each edition and select the one best fits yourneeds.

Table 2-1 Application Scenarios

Item Description

Billing mode ● Yearly/Monthly● Pay-per-useNOTE

Switch between yearly/monthly and pay-per-usepayments is supported by cloud WAF instances.

Edition The yearly/monthly billing mode is supported forthe following service editions:● Professional● Enterprise● Premium

Web Application FirewallService Overview 2 Edition Differences


Item Description

Application scenarios Service servers are deployed on a cloud or in on-premises data centers.Application scenarios of each edition:● Professional

Suitable for small- and medium-sized websitesthat do not have special security requirements

● EnterpriseSuitable for medium-sized enterprise websitesor services that are open to the Internet, focuson data security, and have high securityrequirements

● PremiumSuitable for large- and medium-sized enterprisewebsites that have a large service scale or havespecial security requirements

Protected object Domain names

Advantages ● Expand protection capability with just few clicks.● Protect cloud and on-premises web services.

Features and Applicable Service ScaleTable 2-2 and Table 2-3 describe applicable service scale and security features ofeach edition. To protect more domain names and traffic, you can either purchasedomain name, bandwidth, and rule expansion packages under your current WAFedition or upgrade the WAF edition you are using.

The restrictions and specifications of the expansion package are as follows:● A domain package can protect 10 domains, including one top-level domain

and nine subdomains or wildcard domains related to the top-level domain.● A bandwidth expansion package can protect up to 20 Mbit/s of traffic for

services on HUAWEI CLOUD or 50 Mbit/s for applications not on HUAWEICLOUD; or 1,000 Queries per Second (QPS). Each HTTP Get request is a query.

● A rule expansion package allows you to configure up to 10 IP address blacklistand whitelist rules.



https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0114.html

NO TICE

● The number of domains is the total number of top-level domain names (forexample, example.com), single domain names/subdomain names (for example,www.example.com), and wildcard domain names (for example, *.example.com).For example, a professional WAF instance can protect 10 domain names. So,you can add 10 single domain names or wildcard domain names to it, or addone top-level domain name and nine subdomain names or wildcard domainnames related to the top-level domain name to it.

● If a domain name maps to different ports, each port is considered to representa different domain name. For example, www.example.com:8080 andwww.example.com:8081 are counted towards your quota as two distinctdomain names.

Table 2-2 Applicable service scale

Service Scale ProfessionalEdition

EnterpriseEdition

PremiumEdition

Pay-Per-Use

Peak rate ofnormal servicerequests

2,000 QPS 5,000 QPS 10,000 QPS -

Servicebandwidththreshold (Theorigin server isdeployed on thecloud.)

100 Mbit/s 200 Mbit/s 300 Mbit/s -

Servicebandwidththreshold (Theorigin server isnot deployedon HUAWEICLOUD.)

30 Mbit/s 50 Mbit/s 100 Mbit/s N/A

Number ofdomains

10 (Supportsone top-leveldomain name.)

50 (Supportsfive top-level domainnames.)

80 (Supportseight top-leveldomain names.)

30(Supports threetop-leveldomainnames.)

Back-to-sourceIP address(number oforigin server IPaddresses underone protecteddomain name)

20 50 80 20



Service Scale ProfessionalEdition

EnterpriseEdition

PremiumEdition

Pay-Per-Use

Peak rate of CCattack defense

100,000 QPS 300,000 QPS 1,000,000 QPS -

Number of CCattack defenserules

20 50 100 200

Number ofpreciseprotection rules

20 50 100 200

Number ofreference tablerules

N/A 50 100 200

Number of IPaddressblacklist orwhitelist rules

20 50 1,000 200

Number ofgeolocationaccess controlrules

N/A 50 100 200

Number of webtamperprotection rules

20 50 100 200

Number ofinformationleakageprevention rules

N/A 50 100 200

Number offalse alarmmasking rules

1,000 1,000 1,000 2,000

Number of datamasking rules

20 50 100 200



Table 2-3 Security features

FunctionTemplate

ProfessionalEdition

EnterpriseEdition

PremiumEdition

Pay-Per-Use

Related Document

Adding wildcarddomain names

Supported

Supported

Supported

Supported

How Do IConfigure DomainNames to BeProtected WhenAdding DomainNames?

Protection forports except 80and 443

Supported

Supported

Supported

Supported

Which Non-Standard PortsDoes WAFSupport?

Flexiblyconfiguringdefense policies ina batch

Notsupported

Supported

Supported

Supported

Adding a Policy

Defending againstcommon webattacks, such asXSS attacks, SQLinjection, and badcrawlers

Supported

Supported

Supported

Supported

Enabling BasicWeb Protection

Updatingprotection rulesagainst zero-dayvulnerabilities tothe latest on thecloud anddelivering virtualpatches in atimely manner

Supported

Supported

Supported

Supported

Web shelldetection

Supported

Supported

Supported

Supported

CC attackprevention

Supported

Supported

Supported

Supported

Configuring CCAttack ProtectionRules

Precise protection Not allsupported

Supported

Supported

Notallsupported

Adding PreciseProtection Rules

Reference tablemanagement

Notsupported

Supported

Supported

× Adding aReference Table



https://support.huaweicloud.com/intl/en-us/waf_faq/waf_01_0105.html




















FunctionTemplate

ProfessionalEdition

EnterpriseEdition

PremiumEdition

Pay-Per-Use

Related Document

Configuring an IPaddress blacklistor whitelist

Supported

Supported

Supported

Supported

ConfiguringBlacklist andWhitelist Rules

Allowing orblocking webrequests based onthe countries thatthe requestsoriginate from.

Notsupported

Supported

Supported

Supported

ConfiguringGeolocationAccess ControlRules

Web tamperprotection

Supported

Supported

Supported

Supported

Configuring WebTamper ProtectionRules

Anti-Crawler:Dynamic anti-crawler functionbased on data riskcontrol and botidentificationsystems, such asJavaScriptChallenge.

Notsupported

Supported

Supported

√(JavaScriptanti-crawler notsupported)

Enabling Anti-Crawler

Informationleakageprevention

Notsupported

Supported

Supported

Supported

ConfiguringInformationLeakagePrevention Rules

False alarmmasking

Supported

Supported

Supported

Supported

Configuring FalseAlarm MaskingRules

Data masking Supported

Supported

Supported

Supported

Configuring DataMasking Rules
























3 Functions

WAF makes it easier for you to handle web security risks.

Basic Web ProtectionWith an extensive preset reputation database, WAF defends against Open WebApplication Security Project (OWASP) top 10 threats, vulnerability exploits, webshells, and other threats.

● All-around protectionWAF detects and blocks varied attacks, such as SQL injection, XSS, remoteoverflow vulnerabilities, file inclusions, Bash vulnerabilities, remote commandexecution, directory traversal attacks, sensitive file access, and command/codeinjections.

● Web shell detectionWAF protects against web shells from upload interface.

● Precise identification– WAF uses built-in semantic analysis engine and regex engine and

supports configuring of blacklist/whitelist rules, which reduces falsepositives.

– WAF supports anti-escape and automatic restoration of common codes,which improves the capability of recognizing deformation web attacks.WAF can decode the following types of code: url_encode, Unicode, XML,C-OCT, hexadecimal, HTML escape, and base64 code, case confusion,JavaScript, shell, and PHP concatenation confusion

● Deep inspectionWAF identifies and blocks evasion attacks, such as the ones that usehomomorphic character obfuscation, command injection with deformedwildcard characters, UTF7, data URI scheme, and other techniques.

● Header detectionWAF detects all header fields in the requests.

Web Application FirewallService Overview 3 Functions


CC Attack PreventionWith CC attack prevention enabled, you can configure protective actions, includingVerification code, Block, Block dynamically, and Log only, and returned pagecontent based on your service needs to effectively mitigate CC attacks.

● Flexible policy configurationWAF allows you to flexibly set rate limiting policies by IP address, cookie, orReferer field.

● Returned page customizationYou can customize returned content and page types to meet diverse serviceneeds.

GUI-based Security DataWAF provides a GUI-based interface for you to monitor attack information andevent logs in real time.

● Centralized policy configurationOn the WAF console, you can configure policies applicable to multipleprotected domain names in a centralized manner so that the policies can bequickly delivered and take effect.

● Traffic and event statisticsWAF displays the number of requests, the number and types of securityevents, and log information in real time.

Non-Standard PortsIn addition to standard ports 80 and 443, WAF also supports non-standard ports.

Table 3-1 Supported ports

Edition PortCategory

HTTP Protocol HTTPSProtocol

Port Limit

Professional

Standardports

80 443 Unlimited





Port Limit

Non-standardports (86in total)

81, 82, 83, 84, 86, 87,88, 89, 800, 808,5000, 8000, 8001,8002, 8003, 8008,8009, 8010, 8020,8021, 8022, 8025,8026, 8077, 8078,8080, 8085, 8086,8087, 8088, 8089,8090, 8091, 8092,8093, 8094, 8095,8096, 8097, 8098,8106, 8118, 8181,8334, 8336, 8800,8686, 8888, 8889,8999, 8011, 8012,8013, 8014, 8015,8016, 8017, and 8070

4443, 5443,6443, 7443,8081, 8082,8083, 8084,8443, 8843,9443, 8553,8663, 9553,9663, 18110,18381, 18980,28443, 18443,8033, 18000,19000, 7072,7073, 8803,8804, and8805

10● Professiona

l: 10 non-standardportssupported

● Cloudmode inpay-per-use billingmode: 20non-standardportssupported

Enterprise

Standardports

80 443 Unlimited





Port Limit


9945, 9770, 81, 82,83, 84, 88, 89, 800,808, 1000, 1090,3128, 3333, 3501,3601, 4444, 5000,5222, 5555, 5601,6001, 6666, 6788,6789, 6842, 6868,7000, 7001, 7002,7003, 7004, 7005,7006, 7009, 7010,7011, 7012, 7013,7014, 7015, 7016,7018, 7019, 7020,7021, 7022, 7023,7024, 7025, 7026,7070, 7081, 7082,7083, 7088, 7097,7777, 7800, 7979,8000, 8001, 8002,8003, 8008, 8009,8010, 8020, 8021,8022, 8025, 8026,8077, 8078, 8080,8085, 8086, 8087,8088, 8089, 8090,8091, 8092, 8093,8094, 8095, 8096,8097, 8098, 8106,8118, 8181, 8334,8336, 8800, 8686,8888, 8889, 8989,8999, 9000, 9001,9002, 9003, 9080,9200, 9802, 10000,10001, 10080, 12601,86, 9021, 9023, 9027,9037, 9081, 9082,9201, 9205, 9207,9208, 9209, 9210,9211, 9212, 9213,48800, 87, 97, 7510,9180, 9898, 9908,9916, 9918, 9919,9928, 9929, 9939,28080, 33702, 8011,8012, 8013, 8014,8015, 8016, 8017, and8070

8750, 8445,18010, 4443,5443, 6443,7443, 8081,8082, 8083,8084, 8443,8843, 9443,8553, 8663,9553, 9663,18110, 18381,18980, 28443,18443, 8033,18000, 19000,7072, 7073,8803, 8804,8805, 9999

18





Port Limit

Premium Standardports

80 443 Unlimited





Port Limit


8899, 8006, 9945,9770, 81, 82, 83, 84,88, 89, 800, 808,1000, 1090, 3128,3333, 3501, 3601,4444, 5000, 5222,5555, 5601, 6001,6666, 6788, 6789,6842, 6868, 7000,7001, 7002, 7003,7004, 7005, 7006,7009, 7010, 7011,7012, 7013, 7014,7015, 7016, 7018,7019, 7020, 7021,7022, 7023, 7024,7025, 7026, 7070,7081, 7082, 7083,7088, 7097, 7777,7800, 7979, 8000,8001, 8002, 8003,8008, 8009, 8010,8020, 8021, 8022,8025, 8026, 8077,8078, 8080, 8085,8086, 8087, 8088,8089, 8090, 8091,8092, 8093, 8094,8095, 8096, 8097,8098, 8106, 8118,8181, 8334, 8336,8800, 8686, 8888,8889, 8989, 8999,9000, 9001, 9002,9003, 9080, 9200,9802, 10000, 10001,10080, 12601, 86,9021, 9023, 9027,9037, 9081, 9082,9201, 9205, 9207,9208, 9209, 9210,9211, 9212, 9213,48800, 87, 97, 7510,9180, 9898, 9908,9916, 9918, 9919,9928, 9929, 9939,28080, 33702, 8011,8012, 8013, 8014,

8750, 9190,9184, 9182,8950, 8920,8910, 8848,8445, 18010,4443, 5443,6443, 7443,8081, 8082,8083, 8084,8443, 8843,9443, 8553,8663, 9553,9663, 18110,18381, 18980,28443, 18443,8033, 18000,19000, 7072,7073, 8803,8804, 8805,9999, 8244,8224, 8281,8211, 8243,8221, and8231

58





Port Limit

8015, 8016, 8017,8070, and 8232

ELBMode

Port 1 to 65535 1 to 65535 Unlimited

Precise ProtectionSupport precise logic- and parameter-based access control policies.

● A variety of parameter conditionsSet conditions with combinations of common HTTP parameters, such as IP,URL, Referer, User Agent, Params, and Header.

● Abundant logical conditionsWAF blocks or allows traffic based on logical conditions, such as "Include","Exclude", "Equal to", "Not equal to", "Prefix is", and "Prefix is not."

IP Address Blacklist and WhitelistThis function allows you to blacklist or whitelist IP addresses or an IP addressrange to improve defense accuracy.

Known Attack Source● If WAF blocks a malicious request by IP address, Cookie, or Params, you can

configure a known attack source rule to let WAF automatically block allrequests from the attack source for a blocking duration set in the knownattack source rule.

● Known attack source rules can be set based on attacks blocked against thebasic web protection, precise access protection, and blacklist and whitelistrules.

Geolocation Access ControlYou can allow some web requests and block others based on the geographicallocations of IP addresses that the requests originate from.

Web Page Tampering PreventionYou can configure cache for static web pages. When a user accesses a web page,the system returns a cached page to the user and randomly checks whether thepage is tampered with.

Anti-Crawler ProtectionDynamically analyze website service models and accurately identify crawlerbehavior based on data risk control and bot identification systems, such asJavaScript Challenge.



● Feature libraryBlocks web page crawling with user-defined scanner and crawler rules. Thisfeature improves protection accuracy.

● JavaScriptIdentifies and blocks JavaScript crawling with user-defined rules.

False Alarm MaskingThis function enables you to ignore certain attack detection rules for specificrequests.

Data MaskingWAF masks sensitive information, such as usernames and passwords, in the eventlog.

Information Leakage PreventionWAF prevents your sensitive information from being disclosed on web pages, suchas ID numbers, phone numbers, and email addresses.

ReliableWAF can be deployed on multiple clusters in multiple regions based on the loadbalancing principle. This can prevent single point of failures (SPOFs) and ensureonline smooth capacity expansion, maximizing service stability.

Alarm NotificationYou can enable notification for attack logs. Once this function is enabled, WAFsends attack logs to you by the method you configure.

Event Management● WAF allows you to view and handle false alarms for blocked or logged events.● You can download events data over the past five days.● You can use Log Tank Service (LTS) on HUAWEI CLOUD to record all WAF

logs, including attack and access logs.



4 Product Advantages

WAF examines web traffic from multiple dimensions to accurately identifymalicious requests and filter attacks, reducing the risks of data being tamperedwith or stolen.

Comprehensive ProtectionWAF uses a built-in extensive database of attack signatures to detect and blockdozens of common web attacks.

Industry-leading TechnologiesWAF leverages industry-leading semantics, regex, and AI engines to accuratelyidentify threats and significantly improve the threat detection rate.

Flexible ConfigurationWAF enables custom precise protection rules to meet diverse requirements ofsecurity operations.

Professional and Reliable ServiceWAF ensures zero service interruption with distributed deployment, 24/7monitoring, and remote disaster recovery.

Web Application FirewallService Overview 4 Product Advantages


5 Application Scenarios

Common protection

WAF helps you defend against common web attacks, such as command injectionand sensitive file access.

Protection for online shopping mall promotion activities

Countless malicious requests may be sent to service interfaces during onlinepromotions. WAF allows configurable rate limiting policies to defend against CCattacks. This prevents services from breaking down due to many concurrentrequests, ensuring response to legitimate requests.

Protection against zero-day vulnerabilities

Services cannot recover quickly from impact of zero-day vulnerabilities in third-party web frameworks and plug-ins. WAF updates the preset protection rulesimmediately to add an additional protection layer to such web frameworks andplug-ins and this layer can react faster than fixing the vulnerabilities.

Data leakage prevention

WAF prevents malicious actors from using methods such as SQL injection and webshells to bypass application security and gain remote access to web databases. Youcan configure anti-data leakage rules on WAF to provide the following functions:

● Precise identificationWAF uses semantic analysis & regex to examine traffic from differentdimensions, precisely detecting malicious traffic.

● Distortion attack detectionWAF detects a wide range of distortion attack patterns with 7 decodingmethods to prevent bypass attempts.

Web page tampering prevention

WAF ensures that attackers cannot leave backdoors on your web servers ortamper with your web page content, preventing damage to your credibility. You

Web Application FirewallService Overview 5 Application Scenarios


can configure web tamper protection rules on WAF to provide the followingfunctions:

● Website malicious code detectionYou can configure WAF to detect malicious code injected into web servers andensure secure visits to web pages.

● Web page tampering preventionWAF prevents attackers from tampering with web page content or publishinginappropriate information that can damage your reputation.

Web Application FirewallService Overview 5 Application Scenarios


6 Billing Description

WAF supports two billing modes: yearly/monthly (prepaid) and pay-per-use(postpaid).

For more details, see Product Pricing Details.

Billing ItemsYou are billed for WAF instances you select based on the billing mode youspecified.

Table 6-1 Billing items

BillingMode

Billing Item Billing Description

Yearly/Monthly

Edition(mandatory)

Billed based on purchased edition(professional, enterprise, or premium)For details about specifications and functionsof each edition, see Edition Differences.

Domain ExpansionPackage(Optional)

Billed based on the number of purchaseddomain expansion packages

BandwidthExpansion Package(Optional)

Billed based on the number of purchasedbandwidth expansion packages

Rule ExpansionPackage (Optional)

Billed based on how many packages youpurchased.

Required Duration Billed on a yearly or monthly basis

Web Application FirewallService Overview 6 Billing Description


https://www.huaweicloud.com/intl/en-us/pricing/index.html#/waf

BillingMode

Billing Item Billing Description

Pay-per-use

● Number ofdomains

● Number ofcustomized rules

● Number ofrequests

● Number of domain names: Billed on anhourly basis. Once a domain name isadded during the billing period, it will bebilled no matter when it is deleted.

● Number of customized rules: Billed on adaily basis. The billing is calculated at00:00 every day.

● Number of requests: Billed on a monthlybasis.

NO TE

Switch between yearly/monthly and pay-per-use payments is supported by WAF instances.

Billing Options● Yearly/Monthly: The longer you subscribe, the more you save. A yearly/

monthly WAF instance is billed based on the required duration you select.

● Pay-per-use: This billing mode allows you to make a subscription orunsubscription at any time.

For a pay-per-use WAF instance, you are billed for the number of addeddomain names, number of customized rules, and number of used requests.

Changing Billing Options● In the yearly/monthly billing mode, you can upgrade the edition of your WAF

instance or increase the number of domain name, bandwidth, and expansionpackages to meet your business needs.

● Unsubscription: If you no longer need your WAF instance that is billed yearly/monthly, unsubscribe from it in the Billing Center.

Renewal

If you do not renew a WAF instance billed on a yearly/monthly basis upon itsexpiration, a retention period is available for you.

For details, see Retention Period.

● During this period, WAF only forwards traffic but does not check it againstyour protection policies.

● When this period ends, resources will be cleared, that is, all configurations ofyour domain names will be deleted. During the clearing period, domainnames are pointed back to origin severs by default. However, services on yourdomain names may not run properly because there may be inconsistenciesbetween your configured protocols and ports.



https://account-intl.huaweicloud.com/en-us/usercenter/#/userindex/retreatManagement

https://support.huaweicloud.com/intl/en-us/faq-billing/postRules_topic_100015.html

To avoid unnecessary loss caused by security issues, renew your subscriptionbefore the retention period expires. WAF expiration does not affect your otherservices.

You can renew your resources on the management console. For details, seeRenewal Rules.

Expiration and Overdue Payment● Expiration

If you do not renew a WAF instance billed on a yearly/monthly basis upon itsexpiration, a retention period is available for you. For details, see RetentionPeriod.

● Overdue PaymentIf your account of WAF instances billed on a yearly/monthly basis is in arrears,top up your account in a timely manner to let WAF protect your websitecontinuously. For details, see How Does a Common HUAWEI CLOUDCustomer Repay?

FAQsFor more billing FAQs, see WAF FAQs.



https://support.huaweicloud.com/intl/en-us/usermanual-billing/renewals_topic_10000002.html



https://support.huaweicloud.com/intl/en-us/usermanual-billing/en-us_topic_0091620027.html

https://support.huaweicloud.com/intl/en-us/usermanual-billing/en-us_topic_0091620027.html


7 Project and Enterprise Project

Project

Projects in IAM are used to group and isolate OpenStack resources (computingresources, storage resources, and network resources). Resources in your accountmust be mounted under projects. A project can be a department or a projectteam. Multiple projects can be created under one account.

Enterprise Project

Enterprise projects are used to categorize and manage multiple resources.Resources in different regions can belong to one enterprise project. You canclassify resources by department or project group and put related resources intoone enterprise project for management. Resources can be moved betweenenterprise projects.

Differences Between Projects and Enterprise Projects● IAM Project

Projects are used to categorize and physically isolate resources in a region.Resources in an IAM project cannot be transferred. They can only be deletedand then rebuilt.

● Enterprise ProjectEnterprise projects are upgraded based on IAM projects and used tocategorize and manage resources of different projects of an enterprise. Anenterprise project can contain resources of multiple regions, and resources canbe added to or removed from enterprise projects. If you have enabledenterprise management, you cannot create an IAM project and can only

Web Application FirewallService Overview 7 Project and Enterprise Project


manage existing projects. In the future, IAM projects will be replaced byenterprise projects, which are more flexible.

Both projects and enterprise projects can be managed by one or more user groups.Users who manage enterprise projects belong to user groups. After a policy isgranted to a user group, users in the group can obtain the permissions defined inthe policy in the project or enterprise project.

For details about how to create a project, create an enterprise project, and grantpolicies, see Managing Projects and Enterprise Projects.

Web Application FirewallService Overview 7 Project and Enterprise Project



8 Personal Data Protection Mechanism

To ensure that website visitors' personal data, such as the username, password,and mobile phone number, will not be obtained by unauthorized orunauthenticated entities or people and to prevent data leakage, WAF encryptsyour personal data before storing it to control access to the data and records logsfor operations performed on the data.

Personal Data to Be CollectedWAF records requests that trigger attack alarms in event logs. Table 8-1 providesthe personal data collected and generated by WAF.

Table 8-1 Personal data

Type CollectionMethod

Can Be Modified Mandatory

Request source IPaddress

Attacker IPaddress that isblocked orrecorded by WAFwhen the domainname is attacked.

No Yes

URL Attacked URL ofthe protecteddomain name, orURL of theprotected domainname that isblocked orrecorded by WAF.

No Yes

Web Application FirewallService Overview 8 Personal Data Protection Mechanism


Type CollectionMethod

Can Be Modified Mandatory

HTTP/HTTPSheaderinformation(including thecookie)

Cookie value andheader valueentered on theconfigurationpage when youconfigure a CCattack or preciseprotection rule.

No NoThe configuredcookie and headerinformation maynot contain theuser's personalinformation.

Requestparameters (Getand Post)

Request detailsrecorded by WAFin protection logs.

No NoThe requestparameters maynot contain auser's personalinformation.

Storage ModeThe values of sensitive fields are saved after being anonymized, and the values ofother fields are saved in plaintext in logs.

Access ControlUsers can view only logs related to their own services.

Web Application FirewallService Overview 8 Personal Data Protection Mechanism


9 Permissions Management

To assign different permissions to employees in your enterprise to access yourWAF resources, IAM is a good choice for fine-grained permissions management.IAM provides identity authentication, permissions management, and accesscontrol, helping you secure access to your HUAWEI CLOUD resources.

With IAM, you can use your HUAWEI CLOUD account to create IAM users for youremployees, and assign permissions to the users to control their access to specificresource types. For example, some software developers in your enterprise need touse WAF resources but must not delete them or perform any high-risk operations.To achieve this result, you can create IAM users for the software developers andgrant them only the permissions required for using WAF resources.

If your HUAWEI CLOUD account does not need individual IAM users forpermissions management, then you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account.For more details, see IAM Service Overview.

WAF Permissions

By default, new IAM users do not have any permissions assigned. You need to adda user to one or more groups, and attach permissions policies or roles to thesegroups. Users inherit permissions from the groups to which they are added andcan perform specified operations on cloud services based on the permissions.

WAF is a project-level service deployed and accessed in specific physical regions.To assign WAF permissions to a user group, specify the scope as region-specificprojects and select projects for the permissions to take effect. If All projects isselected, the permissions will take effect for the user group in all region-specificprojects. When accessing WAF, the users need to switch to a region where theyhave been authorized to use the WAF service.

You can grant users permissions by using roles and policies.

● Roles: A type of coarse-grained authorization mechanism that definespermissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. You need to also assign otherdependent roles for the permission control to take effect. Roles are not idealfor fine-grained authorization and secure access control.

Web Application FirewallService Overview 9 Permissions Management


https://support.huaweicloud.com/intl/en-us/productdesc-iam/iam_01_0026.html

● Policies: A fine-grained authorization mechanism that defines permissionsrequired to perform operations on specific cloud resources under certainconditions. This mechanism allows for more flexible policy-basedauthorization and meets secure access control requirements. For example, youcan grant WAF users only the permissions for managing a certain type ofresources. Most policies define permissions based on APIs. For the API actionssupported by WAF, see Permissions Policies and Supported Actions.

Table 9-1 lists all the system roles supported by WAF.

Table 9-1 System policies supported by WAF

Role/PolicyName

Description Category Dependencies

WAFAdministrator

Administratorpermissions forWAF

System-defined role

Dependent on the TenantGuest and ServerAdministrator roles.● Tenant Guest: A global

role, which must beassigned in the globalproject.

● Server Administrator:A project-level role,which must be assignedin the same project.

WAFFullAccess

All permissionsfor WAF

System-definedpolicy

None.

WAFReadOnlyAccess

Read-onlypermissions forWAF.

System-definedpolicy

Helpful Links● IAM Service Overview● Creating a User Group and User and Granting WAF Permissions● WAF Custom Policies● WAF Permissions and Supported Actions

WAF FullAccess Policy Content{ "Version": "1.1", "Statement": [ { "Action": [ "waf:*:*", "lts:groups:get", "lts:groups:list", "lts:topics:get", "lts:topics:list"








], "Effect": "Allow" } ]}

WAF ReadOnlyAccess Policy Content{ "Version": "1.1", "Statement": [ { "Action": [ "waf:*:get*", "waf:*:list*", "lts:groups:get", "lts:groups:list", "lts:topics:get", "lts:topics:list" ], "Effect": "Allow" } ]}



10 WAF and Other Services

This topic describes WAF and other cloud services.

CTS

Cloud Trace Service (CTS) records all WAF operations for you to query, audit, andbacktrack.

NO TICE

CTS is available for WAF instances purchased in the following regions:● AP-Hong-Kong● AP-Bangkok● AP-Singapore● AF-Johannesburg● LA-Santiago

Table 10-1 WAF operations that can be recorded by CTS

Operation Resource Type Trace Name

Creating a WAF instance instance createInstance

Deleting a WAF instance instance deleteInstance

Modifying a WAF instance instance modifyInstance

Modifying the protection statusof a WAF instance

instance modifyProtectStatus

Modifying the connection statusof a WAF instance

instance modifyAccessStatus

Creating a policy policy createPolicy

Applying a policy policy applyToPolicy

Web Application FirewallService Overview 10 WAF and Other Services


https://support.huaweicloud.com/intl/en-us/productdesc-cts/cts_01_0001.html


Modifying a policy policy modifyPolicy

Deleting a policy policy deletePolicy

Modifying alarm notificationsettings

alertNoticeConfig modifyAlertNotice-Config

Uploading a certificate certificate createCertificate

Changing the name of acertificate

certificate modifyCertificate

Deleting a certificate certificate deleteCertificate

Adding a CC attack protectionrule

policy createCc

Modifying a CC attack protectionrule

policy modifyCc

Deleting a CC attack protectionrule

policy deleteCc

Adding a precise protection rule policy createCustom

Modifying a precise protectionrule

policy modifyCustom

Deleting a precise protection rule policy deleteCustom

Adding an IP address blacklist orwhitelist rule

policy createWhiteblackip

Modifying an IP address blacklistor whitelist rule

policy modifyWhiteblackip

Deleting an IP address blacklistor whitelist rule

policy deleteWhiteblackip

Adding a web tamper protectionrule

policy createAntitamper

Updating a web tamperprotection rule

policy refreshAntitamper

Deleting a web tamperprotection rule

policy deleteAntitamper

Adding a false alarm maskingrule

policy createIgnore

Deleting a false alarm maskingrule

policy deleteIgnore

Adding a data masking rule policy createPrivacy

Modifying a data masking rule policy modifyPrivacy




Deleting a data masking rule policy deletePrivacy

IAMIdentity and Access Management (IAM) provides the permission managementfunction for WAF. Only users granted WAF Administrator permissions can use WAF.To obtain this permission, contact the users who have the Security Administratorpermissions.

LTSLog Tank Service (LTS) collects log data from hosts and cloud services. WAFallows you to transfer WAF attack logs and access logs to LTS so that you canhandle with logs in real time.

SMNSimple Message Notification (SMN) service provides the notification function.After you enable the notification function in WAF, alarm information will be sentto you as configured once your domain name is attacked.

Enterprise ManagementYou can manage multiple projects in an enterprise, separately settle their costs,and assign different personnel for them. A project can be started or stoppedindependently without affecting others. With Enterprise Management, you caneasily manage your projects after creating an enterprise project for each of them.

WAF can be interconnected with Enterprise Management. You can manage WAFresources by enterprise project and grant different permissions to users.




https://support.huaweicloud.com/intl/en-us/productdesc-lts/lts-03201.html

https://support.huaweicloud.com/intl/en-us/productdesc-smn/smn_pd_22000.html

https://support.huaweicloud.com/intl/en-us/usermanual-em/em_am_0006.html

A Change History

Released On Description

2021-05-27 This issue is the forty-first official release.Optimized descriptions in Edition Differences.

2021-05-24 This issue is the fortieth official release.Added the description of new features in Functions.

2021-05-18 This issue is the thirty-ninth official release.Added the description of protection objects in What Is WebApplication Firewall?

2021-04-30 This issue is the thirty-eighth official release.Added the billing description of the bandwidth expansionpackage in Billing Description.

2021-04-07 This issue is the thirty-seventh official release.Added the description of security features in EditionDifferences.

2021-03-02 This issue is the thirty-sixth official release.Modified the deployment architecture diagram. For details,see Edition Differences.

2021-02-25 This issue is the thirty-fifth official release.● Added Project and Enterprise Project.● Added the description of the Enterprise Management

service in WAF and Other Services.

2021-02-23 This issue is the thirty-fourth official release.Modified the description in Edition Differences.

2021-02-05 This issue is the thirty-third official release.Added description about the pay-per-use billing mode inBilling Description.

Web Application FirewallService Overview A Change History



2021-01-25 This issue is the thirty-second official release.Optimized descriptions in Edition Differences.

2020-12-31 This issue is the thirty-first official release.Optimized descriptions in Functions.

2020-12-25 This issue is the thirtieth official release.Optimized descriptions.

2020-12-11 This issue is the twenty-ninth official release.Deleted the description of the pay-per-use billing mode forthe cloud mode.

2020-10-22 This issue is the twenty-eighth official release.Modified specifications of pay-per-use WAF instances inEdition Differences.

2020-09-23 This issue is the twenty-seventh official release.Optimized descriptions in WAF and Other Services.

2020-09-11 This issue is the twenty-sixth official release.● Added the description of ports supported by cloud

instances billed on a pay-per-use basis in Functions.● Added the description of the pay-per-use billing mode

for cloud instances in Billing Description.

2020-07-31 This issue is the twenty-fifth official release.Optimized descriptions in Billing Description.

2020-07-08 This issue is the twenty-fourth official release.● Optimized descriptions in Edition Differences.● Optimized descriptions in Billing Description.

2020-06-24 This issue is the twenty-third official release.Optimized descriptions in Edition Differences.

2020-06-22 This issue is the twenty-second official release.Added descriptions of fine-grained policy in PermissionsManagement.

2020-06-16 This issue is the twenty-first official release.Optimized the domain name description in EditionDifferences.

2020-06-11 This issue is the twentieth official release.Optimized descriptions in Edition Differences.




2020-05-26 This issue is the nineteenth official release.Added the description of the professional edition inFunctions and Edition Differences.

2020-05-19 This issue is the eighteenth official release.Added Billing Description.

2020-03-19 This issue is the seventeenth official release.Modified supported non-standard ports in for Functions.

2020-01-20 This issue is the sixteenth official release.Optimized descriptions in Permissions Management.

2019-12-26 This issue is the fifteenth official release.Optimized descriptions in Functions.

2019-12-09 This issue is the fourteenth official release.● Optimized descriptions in Edition Differences.● Optimized descriptions in Functions.

2019-11-28 This issue is the thirteenth official release.● Optimized descriptions in Functions.● Optimized descriptions in Edition Differences.

2019-10-25 This issue is the twelfth official release.Added Personal Data Protection Mechanism.

2019-10-14 This issue is the eleventh official release.● Optimized descriptions in What Is Web Application

Firewall?● Optimized descriptions in Functions.● Optimized descriptions in Edition Differences.● Optimized descriptions in Application Scenarios.

2019-05-16 This issue is the tenth official release.Optimized descriptions in Functions.

2019-05-14 This issue is the ninth official release.● Added Functions.● Optimized descriptions in What Is Web Application

Firewall?● Optimized descriptions in WAF and Other Services.

2018-11-08 This issue is the eighth official release.Optimized some descriptions.




2018-10-29 This issue is the seventh official release.Optimized descriptions in What Is Web ApplicationFirewall?

2018-04-26 This issue is the sixth official release.Added Permissions Management.

2018-04-12 This issue is the fifth official release.Added content about sensitive data leakage protection inWhat Is Web Application Firewall?

2018-04-02 This issue is the fourth official release.Optimized descriptions in What Is Web ApplicationFirewall?

2018-03-27 This issue is the third official release.● Added function description in What Is Web Application

Firewall?● Deleted section "Concepts."

2018-01-11 This issue is the second official release.Added the description about WAF and CTS in WAF andOther Services.

2017-10-30 This issue is the first official release.



service overview - huawei cloud · 2020. 10. 30. · web application firewall service overview...

Documents