Web Application Firewall Cloud Options: Alibaba Cloud WAF & AWS WAF

A web application or a REST API hosted in a cloud is a common scenario for most developers. However, not every application has the same level of security. Adding a Web Application Firewall (WAF) to your web application is a helpful way to improve your security.

In this article, we’ll compare two cloud-based WAF options: the one offered by Alibaba Cloud, and AWS WAF.

Alibaba Cloud WAF

Alibaba Cloud WAF uses machine learning to reduce false positives, which is one of the features that I found particularly fantastic about the tool. In addition, the monthly subscription includes protection and reporting.

To start configuring the WAF, we need to be on the main dashboard. Then, locate the Security option and Web Application Firewall.

This is the main screen of the WAF, and here we can see the scope of what it can protect and the radius of its reach.

The instructions for complete configuration are written out in detail in the documentation, which is available via the following link: https://www.alibabacloud.com/help/doc-detail/45251.htm?spm=a3c0i.o28517en.b99.6.e4658abukoP2p

AWS WAF

Let’s view the tool in practice and go over the key points. After logging into the tool and searching for AWS WAF, you’ll find this dashboard that explains some of the basics:

As we can see on the following screen, when we click on Configure Web ACL, initially, we have an overview of how ACLs should be created, and which applications we can protect.

Click Next to continue the setup. At this point, we can enter the name of the ACL (it should be a clear and easy-to-understand name). We can then choose the ACL region (whether it is local or global), and finally, the resource that this ACL will be associated with.

In the next screen, we can see the creation of the conditions of each rule. (Do more research for your understanding at this point if needed.) At this point, I chose an example of creating conditions for the SQL injection rule. I set the name, the region, the type of request, and what should be done in response to this request.

This ACL condition configuration screen is critical. If we move from this screen without the appropriate settings, it’s like forgetting to close the lock on a gate.

The following screenshots show the creation of the rule that will be applied to the ACL created according to the defined condition.

The last steps are just finishing and confirming the settings made in the previous steps. You can complete the AWS WAF setup by following the next steps in the wizard.
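
The warning above about leaving the condition screen without the appropriate settings can be checked once the wizard is finished. As an added example (not from the original article or from AWS), this Python script audits a web ACL definition for settings that leave the gate unlocked. It assumes the ACL is available in the JSON shape of the AWS WAFV2 API rather than the console wizard shown here, and the sample ACL is constructed.

```python
# Added example: audit a web ACL for "unlocked gate" settings.
# Assumption: `acl` is the WebACL object in AWS WAFV2 JSON form (for example
# from `aws wafv2 get-web-acl`). Only top-level rule statements are inspected.

def audit_web_acl(acl):
    """Return a list of findings for a WAFV2-style web ACL dict."""
    findings = []
    rules = acl.get("Rules", [])
    default_allows = "Allow" in acl.get("DefaultAction", {})
    blocking = [r for r in rules if "Block" in r.get("Action", {})]
    if default_allows and not blocking:
        findings.append("default action is Allow and no rule blocks: ACL filters nothing")
    sqli_fields = set()
    for rule in rules:
        stmt = rule.get("Statement", {}).get("SqliMatchStatement")
        if stmt is None:
            continue
        name = rule.get("Name", "<unnamed>")
        sqli_fields.update(stmt.get("FieldToMatch", {}))  # collects field names
        if "Count" in rule.get("Action", {}):
            findings.append(f"{name}: SQLi rule only counts matches, it does not block")
        transforms = {t.get("Type") for t in stmt.get("TextTransformations", [])}
        if not transforms - {"NONE"}:
            findings.append(f"{name}: no text transformation, encoded input is inspected as-is")
    if sqli_fields and not sqli_fields & {"Body", "JsonBody"}:
        findings.append("no SQLi rule inspects the request body (POST data unchecked)")
    return findings

SAMPLE_ACL = {  # constructed sample, not taken from the article
    "Name": "example-acl",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "Rules": [{
        "Name": "sqli-query-string",
        "Priority": 0,
        "Statement": {"SqliMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }},
        "Action": {"Count": {}},
    }],
}

if __name__ == "__main__":
    for finding in audit_web_acl(SAMPLE_ACL):
        print("FINDING:", finding)
```
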

Conclusion

Alibaba Cloud WAF and AWS WAF are both useful tools for securing web-based applications. As noted above, Alibaba Cloud WAF’s machine learning features make it an especially convenient tool in situations where your firewall configuration and monitoring need to be as automated as possible and you want to avoid false positives. AWS WAF, on the other hand, offers more detailed configuration options — although with that detail comes a steeper learning curve. To use AWS WAF effectively, you need to have deep experience with ACLs and firewall configurations; Alibaba Cloud WAF is arguably a better WAF choice for admins with less firewall experience.

If you’d like to test the Alibaba Cloud WAF, you can take advantage of their current offer of $300 in free credits.

Bio

Brena Monteiro is a Fixate IO Contributor and a software engineer with experience in the analysis and development of systems. She is a free software enthusiast and an apprentice of new technologies.

Reference:

https://www.alibabacloud.com/blog/Web-Application-Firewall-Cloud-Options-Alibaba-Cloud-WAF-AWS-WAF_p304201?spm=a2c41.11212075.0.0
