Secure Web Applications with
Alibaba Cloud Web Application Firewall
by Forster Chiu
Principal Consultant – iCON Business Systems Limited
About Me
Principal Consultant - Cybersecurity Assurance and Compliance (iCON Business Systems Ltd., Hong Kong)
Vulnerability Assessment, Security Audit (ISO 27001, GDPR), and Pen Tester
Speaker, Trainer - Security awareness and Offensive
Subject Matter Expert – EC-Council
PECB Certified Trainer
MSc in Computer and Security, PgD in IT Forensics, BSc (Hons) Business Information Technology
Alibaba Cloud Timeline
2009: Alibaba Cloud is founded; R&D centers are opened in Beijing, Hangzhou and Silicon Valley
2010: Alibaba Cloud’s first data center opens
2014: Data centers open in Beijing, Shenzhen and Hong Kong
2017: Alibaba announced as the Official Cloud Services and Infrastructure Partner for the Olympic Games at the World Economic Forum in Davos
2018: Included in Gartner’s Magic Quadrant for Data Analytics
Alibaba Cloud Services
Data Migration
Web Hosting
Internet of Things
Elastic Computing
Storage
Networking
Security
Alibaba Cloud Regions
Security and compliance
What is a Web Application Firewall (WAF)?
What Alibaba Cloud WAF Can Do
Protects your website against OWASP web application attacks (OWASP Top 10 2017)
Regular and timely patches against 0-day vulnerabilities
Attack event management
Advantages of Alibaba Cloud WAF
Function: Defends against traditional web application attacks and resolves business security issues such as HTTP connection attacks.
Real Time: Automatically updates the latest web 0-day vulnerability signatures within 24 hours.
Performance: Elastic scaling within seconds; supports protection for businesses handling millions of QPS.
Deployment: Quick deployment in just 5 minutes, for both cloud and non-cloud websites.
Support: Professional expert protection and IM support.
Editions and features
• Note: WAF instances created in International regions must be upgraded to the Enterprise edition.
Cloud WAF Versus On-Prem WAF
Scalability
Maintenance Cost
High security infrastructure
Demo 1: Purchase Alibaba Cloud WAF
Demo 2: Quick Start Configuration
Method 1 - Add website configurations automatically
Prerequisites:
The DNS records of the website are managed by Alibaba Cloud DNS, and at least one A record is valid.
Add Domain and Verify HTTPS Certificate
An exception may be displayed after you add the website configuration. Wait a few seconds and check the DNS status again, or check whether the DNS settings at your DNS service provider are configured correctly.
Method 2 – Add website configurations manually
On the Fill in the website information page, complete the following configuration.
Demo 3: WAF Protection Policies
HTTP ACL Policy
Web Application Protection
HTTP Flood Protection
Big Data Deep Learning Engine
Block IPs Initiating High-frequency Web Attacks
WAF Features And Protection Rules
Directory Scan Protection
Threat Intelligence
Blocked Regions
Data Risk Control
Website Tamper-proofing
Data Leakage Prevention
Demo 4: Reporting and Logging
Total QPS and the malicious QPS (triggering protection rules) of the latest 30 days
Inbound and Outbound bandwidth of the latest 30 days
Number of abnormal responses of the latest 30 days
Top 5 cities and Top 10 IP addresses that requests originate from
Mobile operating systems and PC browsers that requests originate from
Top 5 URLs with the slowest response speed
Top 5 URLs that are most frequently requested
Frequencies of Web application attacks, HTTP flood attacks, and Web ACL events of the latest 30 days
Risk warnings of newly exposed industry or business security events
Messages of update of Alibaba Cloud WAF protection rule sets
You can query the details of the following attack protection records:
Web application attacks of the latest 30 days
HTTP flood attacks of the latest 30 days
Web ACL events of the latest 30 days
Lab Prerequisites:
WebGoat 8 (https://github.com/WebGoat/WebGoat)
OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
Vega Vulnerability Scanner (https://subgraph.com/vega/)
Alibaba Cloud WAF Protection Rules Configuration
Alibaba Cloud WAF Lab DEMO
Lab Objectives:
Discover web vulnerabilities of WebGoat 8
Attack WebGoat 8 without Alibaba Cloud WAF Protection
Attack WebGoat 8 with Alibaba Cloud WAF Protection
Verify the business values offered by Alibaba Cloud WAF Protection
Reference
https://www.alibabacloud.com/help/doc-detail/58487.htm?spm=a2c63.p38356.b99.9.2e106981OxhLej
https://www.alibabacloud.com/product/waf
http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/pdf/comparison-AlicloudlvsAWS-intl-en-2018-03-26.pdf
https://www.alibabacloud.com/blog/web-application-firewall-cloud-options-alibaba-cloud-waf-%26-aws-waf_304201
https://video-intl.alicdn.com/Campaign%20038%20Introducing%20AC%20Whitepaper%20v5e.pdf
Onsite Training - Secure Web Applications with  Alibaba Cloud Web Application Firewall