Tencent Cloud Web Application Firewall (WAF) Functions in Detail: How to Add a Layer of Defense to Your Website?
If you run an online store or a corporate website, you may encounter all kinds of strange "visitors":
Some visitors are normal, browsing products and placing orders. Others, however, start trying all kinds of strange keys on your back-end password lock as soon as they walk in the door (brute-force cracking). Others type a string of code that no one can read into the search box, trying to get your database to spit out every user's bank card numbers and passwords (SQL injection). Some even deploy large numbers of cold automated scripts to wipe out your coupons in an instant (malicious coupon grabbing).
In the face of these bewildering attacks aimed specifically at the application layer (the web business), the traditional network firewall is like a doorman who only looks at ID cards, and it is powerless, because the hacker is dressed as a normal user and comes in through the legitimate port 80 or 443.
At this point, you need an advanced "intelligent bulletproof vest": Tencent Cloud Web Application Firewall (WAF). Today, we will take a down-to-earth, real-world look at what core skills Tencent Cloud WAF has and how it protects our websites.
1. Why buy WAF when you already have a high-security IP?
Before talking about functions, let's help newcomers clear up a very confusing concept:
What is the difference between a high-security IP and WAF?
In simple terms, they defend in two different dimensions:
The high-security IP blocks "violent bombing" (DDoS): it belongs to the network layer. Hackers have hired tens of thousands of people to block your gate. The high-security IP is responsible for widening the road and stopping the hooligans at the street corner. The contest is over bandwidth and the capacity to absorb the flood.
WAF stops the "undercover agent" (application-layer attack): it belongs to the application layer. The hacker sends only one person, but he is disguised as a normal customer, with poison and lock-picking tools in hand, trying to bring you down from the inside. WAF is responsible for body searches, security checks, and seeing through the camouflage.
Therefore, if you are afraid not only of your website being paralyzed by traffic, but also of your database being dumped, your web pages being tampered with, and your interfaces being abused by bonus hunters, then WAF is a must.
2. A Hard-Core Breakdown of Tencent Cloud WAF's Four Core Functions
Tencent Cloud WAF has many functions, but its core can be summarized as four major capabilities. Let's take a look at how each works in practice.
1. Web attack protection: seeing through the hacker's disguise
This is the most basic and core capability of WAF. It is designed to deal with the industry-recognized OWASP Top 10 (Top 10 Web Security Vulnerabilities), such as SQL injection, XSS (cross-site scripting), Trojan backdoors, etc.
Tencent Cloud WAF sets up two checkpoints here:
Rule base (regular-expression matching): Tencent's security team maintains an extremely large "wanted list". As long as a request carries a known attack signature, it is intercepted instantly.
AI threat detection engine (knowing what it is, and also why): traditional rules can easily be bypassed by hackers who change case, insert special characters, and so on (i.e. "obfuscation attacks"). Tencent Cloud's self-developed AI engine does not only look at surface features. It performs lexical analysis and syntax-tree decomposition on requests, much like correcting language homework. No matter how hackers disguise the request, as long as the logic of the statement is an attack, the AI can see through it at a glance.
2. Bot traffic management: shutting out "bonus hunters" and "malicious crawlers"
On the Internet today, more than half of the traffic does not come from real people but from a variety of automated programs (bots). Some are good bots (such as the search spiders of Baidu and Google), but more are bad bots.
Malicious order brushing/bonus hunting: at the start of a flash sale, before real people have even opened the web page, the hacker's script submits tens of thousands of purchase requests in a second and takes away all the benefits.
Credential stuffing: hackers take a list of passwords stolen from elsewhere and use scripts to try them frantically against your login interface. Every one that works is profit for them.
Malicious crawlers: they carry off all the original content and exclusive product prices you have worked so hard on in one second, leaving you with nothing.
The bot management function of Tencent Cloud WAF is like a "real person authenticator". By collecting hundreds of dimensions of information, such as the user's browser environment, mouse trajectory, and device fingerprint, it can accurately distinguish whether a flesh-and-blood person or a cold script is sitting behind the screen. For suspicious bots, it either pops up a slider CAPTCHA or returns a 403 to deny access.
3. API Security Protection: Locking the "New Interfaces" of the Microservice Era
Modern websites and apps basically separate the front end from the back end and use various API interfaces (such as /api/v1/user/login) to transfer data. Hackers also keep pace with the times and have begun to focus on API vulnerabilities.
A common tragedy: an API interface that queries an account balance does not verify identity properly. Hackers can look up other people's private data at will by modifying the user ID in the interface parameters (from 001 to 002).
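The balance-query flaw described above, next to a corrected handler, as an added example that is not part of the original article. The data, function names and session tokens are hypothetical; `cross_account_reads` is the kind of regression test a team can run against its own API to confirm the fix.

```python
# Constructed sample data; every name and value here is hypothetical.
BALANCES = {"001": 1250.00, "002": 98000.50}
SESSIONS = {"token-a": "001", "token-b": "002"}  # session token -> owner ID


def get_balance_vulnerable(session_token, user_id):
    """Checks that the caller is logged in, then trusts the user_id parameter."""
    if session_token not in SESSIONS:
        return 401, None
    if user_id not in BALANCES:
        return 404, None
    # Flaw: any logged-in caller can read any account by changing user_id.
    return 200, BALANCES[user_id]


def get_balance_hardened(session_token, user_id):
    """Authorizes the requested record against the identity bound to the session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    # Object-level authorization: the record must belong to the caller.
    # Unknown IDs and other users' IDs get the same 403, so the response
    # does not reveal which account IDs exist.
    if user_id != owner:
        return 403, None
    return 200, BALANCES[owner]


def cross_account_reads(handler):
    """Authorization regression test: try every session against every account
    and list the (caller, target) pairs where another user's balance came back."""
    leaks = []
    for token, caller in sorted(SESSIONS.items()):
        for target in sorted(BALANCES):
            status, _ = handler(token, target)
            if status == 200 and target != caller:
                leaks.append((caller, target))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_account_reads(get_balance_vulnerable))
    print("hardened:  ", cross_account_reads(get_balance_hardened))
```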
Tencent Cloud WAF has specially strengthened its API Security function:
It can automatically inventory your assets. Programmers often write test interfaces and forget to delete them (shadow APIs). WAF can help you find them all.
It monitors the calling logic of your APIs. Once it finds that the data returned by an interface contains a large number of ID numbers and mobile phone numbers (sensitive data leakage), WAF will immediately intercept and raise an alarm.
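A sketch of the response-side check described above, as an added example that is not Tencent Cloud WAF's own logic. It assumes "ID numbers" means 18-character mainland resident ID numbers (validated with their check character to cut false positives) and "mobile phone numbers" means 11-digit mainland mobile numbers; the threshold and sample bodies are constructed.

```python
import json
import re

# Assumption: "ID numbers" are 18-character mainland resident ID numbers and
# "mobile phone numbers" are 11-digit mainland mobile numbers.
WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
CHECK_CHARS = "10X98765432"
ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")


def id_check_char(first17):
    """Check character of a resident ID number (weighted sum modulo 11)."""
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_CHARS[total % 11]


def count_sensitive(body):
    """Count distinct checksum-valid ID numbers and mobile numbers in a body."""
    ids = {m.upper() for m in ID_RE.findall(body)
           if id_check_char(m[:17]) == m[17].upper()}
    mobiles = set(MOBILE_RE.findall(body))
    return {"id_numbers": len(ids), "mobiles": len(mobiles)}


def verdict(body, threshold=5):
    """'block' for bulk exposure, 'log' for a few values, 'allow' for none."""
    counts = count_sensitive(body)
    if max(counts.values()) >= threshold:
        return "block"
    return "log" if any(counts.values()) else "allow"


def _record(n):  # constructed record with a checksum-valid ID number
    prefix = f"11010519900101{n:03d}"
    return {"id_no": prefix + id_check_char(prefix), "mobile": f"1380013{n:04d}"}


# Constructed response bodies.
BULK = json.dumps([_record(n) for n in range(6)])
PROFILE = json.dumps({"nickname": "demo", "mobile": "13800138000"})
ORDER = json.dumps({"order_no": "202401150000123456", "amount": 59.9})

if __name__ == "__main__":
    for name, body in (("bulk", BULK), ("profile", PROFILE), ("order", ORDER)):
        print(name, count_sensitive(body), verdict(body))
```

The 18-digit order number in the third body matches the ID pattern but fails the check character, which is why checksum validation matters before alerting.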
4. Web page tamper-proofing and redirection
The official website you worked so hard on is hacked overnight, and the homepage is replaced with a mess of illegal advertisements. This not only destroys goodwill, but also gets you summoned for a talk by the regulatory authorities.
The web tamper-proofing feature of WAF provides a "locking" mechanism. You can create a "cache mirror" of the website's core pages in WAF. Even if the hacker bypasses the perimeter, breaks into your origin server and changes the web page files, WAF will still serve the correct, previously locked mirror page to the end user. This buys the administrator valuable time for emergency repair.
3. Real-world perspective: SaaS WAF vs. WAF bound to load balancing (CLB), how to choose?
When purchasing WAF in the Tencent Cloud console, you will see two deployment modes: SaaS WAF and CLB WAF. Many people get stuck on this choice. In fact, it is easy to decide based on your architecture:
SaaS WAF (modify CNAME resolution): How it works: your domain name does not resolve directly to the server, but to the WAF domain name. Traffic goes to WAF first, is cleaned, and is then forwarded to the server. Advantages: it is not picky about the environment. Even if your server is not in Tencent Cloud (it is in a local data center or another cloud), you can use it as long as you can change the domain name resolution. Disadvantages: one extra hop of network forwarding adds a small amount of latency.
CLB WAF (bypass/embedded deployment): How it works: your website already uses Tencent Cloud Load Balancing (CLB). After this function is enabled, WAF is "embedded" directly in CLB like a plug-in. Advantages: ultra-high performance, zero latency. Because the traffic does not need to detour to a cleaning center over the public network, the security check is done along the way inside the Tencent Cloud intranet. It also does not limit the number of IPs, which suits high-traffic businesses. Disadvantages: your business must be deployed in Tencent Cloud and must use CLB load balancing.
4. Pitfall Guide: The Two Mines Most Easily Stepped on After WAF Is Turned On
WAF is a good thing, but it is a "security check system" after all. With any security check, improper configuration leads to false positives that hit legitimate users. Keep the following two real-world lessons in mind:
Don't turn on "strong interception mode" right away! People who have just bought WAF are eager to set the protection level to the highest. As a result, the customer service line is flooded the next day: normal users filled in a form with special symbols, and WAF intercepted it as malicious code. The correct approach: after a new site is connected to WAF, first turn on "observation mode" (record only, do not intercept) and run it for 3 to 7 days. Check the logs to see whether any normal business has been falsely flagged. After adding the false-positive rules to the whitelist, switch to "intercept mode".
For mini programs/apps, remember to allow internal interface IPs: if server A needs to call server B's interface at high frequency inside your system, and this traffic accidentally goes out over the external network and triggers WAF, WAF may mistake it for a CC attack or credential stuffing and block the IP of your own server. Be sure to add internally trusted fixed IPs to the whitelist during configuration.
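One way to work through the observation-mode logs for both pitfalls above, as an added example that is not part of the original article. The record layout, rule names, addresses and the internal range are constructed and hypothetical, not Tencent Cloud WAF's log format.

```python
import ipaddress
from collections import defaultdict

# Constructed observation-mode records: (client_ip, uri, rule_id).
LOG = [
    ("203.0.113.10", "/feedback/submit", "sqli-generic"),
    ("203.0.113.11", "/feedback/submit", "sqli-generic"),
    ("198.51.100.7", "/feedback/submit", "sqli-generic"),
    ("198.51.100.8", "/feedback/submit", "sqli-generic"),
    ("192.0.2.66", "/admin.php", "scanner-probe"),
    ("192.0.2.66", "/backup.zip", "scanner-probe"),
    ("192.0.2.66", "/login", "sqli-generic"),
    ("10.0.3.15", "/api/v1/user/login", "cc-rate"),
    ("10.0.3.15", "/api/v1/user/login", "cc-rate"),
]
# Assumed range of the site's own servers.
TRUSTED_INTERNAL = [ipaddress.ip_network("10.0.3.0/24")]


def triage(log, trusted=TRUSTED_INTERNAL, min_clients=3):
    """Split rule hits into two review lists.

    false_positive_review: (rule, uri) pairs hit by at least min_clients
    distinct external clients. Many unrelated users tripping one rule on one
    form is a signal to inspect the rule, not proof that it is wrong.
    internal_allowlist: (ip, rule) pairs where the site's own servers
    triggered a rule and need an allowlist entry before intercept mode.
    """
    internal_hits = set()
    clients = defaultdict(set)
    for ip, uri, rule in log:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            internal_hits.add((ip, rule))
        else:
            clients[(rule, uri)].add(ip)
    review = sorted(k for k, ips in clients.items() if len(ips) >= min_clients)
    return {"false_positive_review": review,
            "internal_allowlist": sorted(internal_hits)}


if __name__ == "__main__":
    for section, items in triage(LOG).items():
        print(section, items)
```

The single address probing several paths stays out of both lists, so it remains subject to interception when the mode is switched.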
5. Conclusion
When you open your doors for business on the Internet, the price of running unprotected is extremely painful. WAF is the most important line of defense for websites at the application layer.
The core advantage of Tencent Cloud WAF lies in the "strongest brain" and massive threat intelligence database that Tencent Security has built up over more than 20 years of fighting the cybercrime underground. It turns extremely sophisticated white-hat offensive and defensive techniques into easy-to-understand policy switches.
For enterprises, a small cost to configure WAF buys the peace of mind that core data will not be leaked, the business will not be fleeced, and web pages will not be changed at will. This is definitely a security investment with a very high rate of return.

