Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Add Oracle Cloud Infrastructure Web Application Firewall protection to a flexible Load Balancer
Introduction
Web applications are often targets of malicious attacks that exploit vulnerabilities and misconfigurations in the application. Oracle Cloud Infrastructure Web Application Firewall (OCI WAF) helps you strengthen the security posture of your applications by providing protection against the common web vulnerabilities identified in the Open Web Application Security Project (OWASP) Top 10. OCI WAF is a regional, edge-enforced service that is attached to an enforcement point, such as an OCI Flexible Load Balancer or a web application domain name.
OCI WAF protects your web application against layer 7 threats in two forms: Edge WAF and Regional WAF (WAF on Load Balancer). WAF on an OCI Load Balancer can help you protect internal applications against insider threats and provides enhanced WAF security for your ‘in-region’ application workloads. WAF on Load Balancer supports both public and private applications and is best suited to applications with a regional presence. Edge WAF is best for public-facing applications whose users are distributed globally.
Objective
Apply OCI WAF’s protection capabilities to an OCI Load Balancer.
Prerequisites
- An OCI account with access to create and manage OCI Load Balancer and OCI WAF policies
- A pre-configured web application (in this tutorial, the web application runs in OCI on port 80)
- An OCI Flexible Load Balancer
Task 1: Set up a flexible load balancer
- Follow the instructions in this blog and create a public load balancer in the OCI console.
- In this tutorial, we have created a public load balancer and added a pre-configured web application as the backend server to this load balancer.
- The load balancer name is LB_WAF. Once it is created in OCI, the following status is shown in the OCI console:
- The ‘Overall health’ indicator for the load balancer summarizes the health status of each backend set. A health status of OK means all backend servers in the backend set are running and healthy.
Task 2: Create a web application firewall policy for the Load Balancer
Web application firewall policies comprise the overall configuration of your OCI WAF service, including access rules, rate limiting rules, and protection rules.
Note:
- WAF access control consists of rules that control access to your web application based on conditions such as geolocation, URL query, IP addresses, request headers, and so on.
- Rate limiting inspects HTTP request properties and limits the frequency of requests for each unique client IP address.
- Protection rules match web traffic against rule conditions and determine the action to be taken when the conditions are met.
- Navigate to the OCI Console, Identity & Security, Web Application Firewall.
- Choose your compartment and click Create WAF policy.
- Enter the basic information for the WAF policy: Name and Compartment.
- Add a sample access control rule, rate limiting rule, and protection rule.
  - Access Control rule: In this tutorial, we have created an access control rule that fires when the URL path contains the keyword script. The rule action returns HTTP response 401 Unauthorized.
    Rule Output
  - Rate Limiting rule: Limits access when the URL path contains the keyword rate and is requested 3 times within 10 seconds. The rule action returns HTTP response 303 and a message.
    Rule Output
  - Protection rule: In this tutorial, we have enabled the protection rule against cross-site scripting (XSS), with which the WAF recognizes a script injected into the URL based on the enabled XSS rule. If a cross-site script is injected into a request to the Load Balancer IP, access is denied as set in the rule.
    Rule Output
- Add the Load Balancer (LB_WAF) created in Task 1 as a firewall.
- From the Create WAF policy wizard, choose the Review and Create option. Once the WAF policy is created, the following details are displayed.
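As an added example (not from this tutorial or from Oracle), the following Python models the three rules configured above and replays the same requests against the load balancer to confirm each rule fires as configured. The evaluation order (access control, then rate limiting, then protection), case-insensitive matching on the URL-decoded path, a sliding 10-second window of 3 requests per client IP, the 403 for the protection rule and the stand-in XSS pattern are assumptions; `verify_deployment` takes the load balancer's public IP.

```python
# Added example, not Oracle's code: an offline model of the three rules configured above plus
# a probe that replays the same requests against the load balancer. Assumptions: rules run in
# the order access control -> rate limiting -> protection, "contains" matches the URL-decoded
# path case-insensitively, 3 requests per client IP per 10 s, and a stand-in XSS signature.
import http.client
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote

RATE_LIMIT = 3                    # requests allowed per window (tutorial: 3 in 10 seconds)
RATE_WINDOW_S = 10.0
XSS_STANDIN = re.compile(r"\bon\w+\s*=|<\s*(img|svg|iframe)\b", re.IGNORECASE)  # hypothetical

class WafPolicyModel:
    """Expected decision for one request, so a deployment can be checked against it."""
    def __init__(self):
        self._hits = defaultdict(deque)   # client_ip -> timestamps of recent "rate" requests

    def evaluate(self, client_ip, path, now=None):
        now = time.monotonic() if now is None else now
        decoded = unquote(path).lower()
        if "script" in decoded:           # access control rule -> 401 Unauthorized
            return 401
        if "rate" in decoded:             # rate limiting rule -> 303 once the limit is exceeded
            q = self._hits[client_ip]
            while q and now - q[0] >= RATE_WINDOW_S:   # drop hits outside the sliding window
                q.popleft()
            q.append(now)
            if len(q) > RATE_LIMIT:
                return 303
        if XSS_STANDIN.search(decoded):   # protection rule (XSS) -> blocked; 403 assumed
            return 403
        return 200                        # request reaches the backend web application

def probe(host, path, port=80, timeout=5):
    """One GET to the load balancer; http.client does not follow the 303, so it is visible."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()

def verify_deployment(host, send=probe):
    """Compare live responses with the model; returns {rule_name: behaves_as_configured}."""
    model = WafPolicyModel()
    checks = {"access_control": ["/script"],
              "rate_limiting": ["/rate"] * (RATE_LIMIT + 1),     # the 4th request must be limited
              "protection_xss": ["/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"]}
    return {name: [send(host, p) for p in paths] == [model.evaluate("probe", p) for p in paths]
            for name, paths in checks.items()}
```

A rule reported as False means the live policy did not return the status the tutorial configures for that rule, so the rule is misconfigured, disabled, or shadowed by an earlier rule.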
Acknowledgments
Author: Shruti Soumya (Senior Cloud Security Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F80290-01
April 2023
Copyright © 2023, Oracle and/or its affiliates.