Public Cloud – Flexible Engine

WAF – security service for checking and blocking web attacks

WAF Instance Management for waf users and Web Attack Check for website users

WAF (web application firewall) is a security service for checking and blocking web attacks. It can solve Sqli, XSS, Cmdi and other types of web attacks, to which websites are faced to.

FE WAF support 3 associations for WAF users.

The following are common scenarios.

  1. Using only WAF but DNS for customer application would be outside of FE on some public DNS.
  2. Using WAF + DNSaaS which would also configure DNS record in FE DNSaaS.
  3. Using WAF + DNSaaS + ECS/CCE which would allow to deploy all the apllication landscape including protection, dns, instances within the FE.

After a user finishes to configure a security policy for his website on WAF service, the request sent by the website visitor will be checked by WAF.
The following are common application scenarios.

  1. When a common user sends normal requests to a website which is protected by WAF, his request will go to backend server and get a response like before. But if a hacker sends a malicious request then his request will be intercepted, and WAF user can get a custom alarm from WAF set by himself.
  2. A user can customize security policies which depends on WAF recorded events. For examle, add to the blacklist an ip related to several website attack events.

Product Architecture

This section describes the WAF system architecture, interconnected systems, and service operation procedures. 
Figure1. High Level Architecture

Product Advantages

Simple and easy-to-use

You can create a WAF instance and set security policies within seconds.

Reliable

WAF service is deployed across 2 Availability Zones, each Availability zone contain WAF engine cluster consisting of multiple nodes, which has high reliability, and allocate every domain 3 EIPs to assure network reliability.

High security

WAF integrates Identity and Access Management (IAM) for user authentication to isolate resources and operations of multiple tenants. WAF requires users to configure a DNS Cname record or a DNS A record, and then WAF Service will authenticates the record to ensure WAF instance’s security policies can only be modified by its owner

WAF Instance Management

WAF provides a web user interface (Web UI) for WAF user to perform the following operations:

  1. WAF users login controlled by IAM, and access the WAF Console;
  2. WAF users set a security policy for their website on WAF;
  3. WAF Engine get policies from WAF Service, and configure security rules;
  4. Website user visits the website on browser;
  5. If his request includes attack behavior, WAF Engine will intercept this request, and origin website will not get this message as well as the WAF Engine sends the attack infomation to Event Server;
  6. If his request includes no attack behavior, WAF Engine will send this request to the website;
  7. WAF users check whether their website has been attacked by viewing dashboard or events on Waf Console.