A web application or a REST API hosted in a cloud is a common scenario for most developers. However, not every application has the same level of security. Adding a Web Application Firewall (WAF) to your web application is a helpful way to improve your security.
In this article, we'll compare two cloud-based WAF options: The one offered from Alibaba Cloud and the AWS WAF.
Alibaba Cloud WAF
The main advantage of using a WAF in the cloud, as opposed to an on-premises firewall, is that setup and installation time are minimal. In addition, you get 24/7 monitoring and automated responses to firewall-related incidents, which means you don’t have to worry about your staff constantly monitoring the firewall in order to deal with problems.
Alibaba Cloud WAF uses machine learning to reduce false positives, which is one of the features that I found particularly fantastic about the tool. In addition, the monthly subscription includes protection and reporting.
To start configuring the WAF, we need to be on the main dashboard. Then, locate the Security option and Web Application Firewall.
This is the main screen of the WAF, and here we can see the scope of what it can protect and the radius of its reach.
The instructions for complete configuration are written out in detail in the documentation, which is available via the following link: https://www.alibabacloud.com/help/doc-detail/45251.htm?spm=a3c0i.o28517en.b99.6.e4658abukoP2p
AWS WAF
To use the AWS WAF, the first thing to think about is the creation of Access Control Lists (ACLs). If you do not understand how a firewall works, how to create one, and where you start working, a good deal of research will be necessary. Initially, the rules of entry and exit need to be clear. For the inexperienced, it is possible to block everything or release everything. You can have a whole environment with a WAF, but it’s completely unprotected because of rules misapplied.
Let's view the tool in practice and go over the key points. After logging into the tool and searching for AWS WAF, you’ll find this dashboard that explains some of the basics:
As we can see on the following screen, when we click on Configure Web ACL, initially, we have an overview of how ACLs should be created, and which applications we can protect.
Click Next to continue the setup. At this point, we can create the name of the ACL (it should be a clear and easy-to-understand name). We can then choose the ACL region (whether it is local or global), and finally, the resource that this ACL will start.
In the next screen, we can see the creation of the conditions of each rule. (Do more research for your understanding at this point if needed.) At this point, I chose an example of creating conditions for the SQL injection rule. I created the name, region, type of requisition and what should be done according to this request.
This ACL condition configuration screen is critical. If we move from this screen without the appropriate settings, it’s like forgetting to close the lock on a gate.
The following screenshots show the creation of the rule that will be applied to the ACL created according to the defined condition.
The last steps are just finishing and confirming the settings made in the previous steps. You can complete the AWS WAF setup by following the next steps in the wizard.
Conclusion
AWS WAF is comprehensive—from prior notification in the creation and configuration of rules, rather than a firewall. To use AWS WAF, you need to be a person who knows firewalls well, or be able to request support from someone who does. And keep in mind that there is a charge per amount of ACLs and number of access requests to your application. As of now, fewer ACLs mean lower cost, but also a less secure application.
Alibaba Cloud WAF and AWS WAF are both useful tools for securing web-based applications. As noted above, Alibaba Cloud WAF’s machine learning features make it an especially convenient tool in situations where your firewall configuration and monitoring need to be as automated as possible and you want to avoid false positives. AWS WAF, on the other hand, offers more detailed configuration options—although with that detail comes a steeper learning curve. To use AWS WAF effectively, you need to have deep experience with ACLs and firewall configurations; Alibaba Cloud WAF is arguably a better WAF choice for admins with less firewall experience.
If you’d like to test the Alibaba Cloud WAF, you can take advantage of their current offer of $300 in free credits.
Bio
Brena Monteiro is a Fixate IO Contributor and a software engineer with experience in the analysis and development of systems. She is a free software enthusiast and an apprentice of new technologies.
