What is Oracle Cloud Infrastructure Web Application Firewall (WAF) Service?
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic. Oracle Cloud Infrastructure WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.
Oracle Cloud Infrastructure WAF enables customers to create and manage rules for avoiding internet threats, including cross-site scripting (XSS), SQL injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while allowing desirable bots to enter. The rules can also be used to limit access based on geography or the signature of incoming requests.
Oracle's 24x7 global Security Operations Center (SOC) will continually monitor the internet threat landscape and act as an extension of your IT security team.
What is the use case for Oracle Cloud Infrastructure WAF?
The Oracle Cloud Infrastructure WAF should be considered for any internet-facing web application or HTTP-based API.
What is the shared responsibility model for Oracle Cloud Infrastructure WAF?
|Responsibility|Oracle|Customer|
|---|---|---|
|Onboard/configure the WAF policy for the web application|No|Yes|
|Configure WAF onboarding dependencies (DNS, ingress rules, network)|No|Yes|
|Provide high availability (HA) for the WAF|Yes|No|
|Monitor for distributed denial of service (DDoS) attacks|Yes|No|
|Keep WAF infrastructure patched and up-to-date|Yes|No|
|Monitor data-plane logs for abnormal, undesired behavior|Yes|Yes|
|Construct new rules based on new vulnerabilities and mitigations|Yes|No|
|Review and accept new recommended rules|No|Yes|
|Tune the WAF's access rules and bot management strategies for your traffic|No|Yes|
What are the benefits of Oracle Cloud Infrastructure WAF?
Oracle Cloud Infrastructure WAF filters out malicious requests to your web application or API. It also gives you more visibility into where the traffic is coming from, and Layer 7 DDoS attacks are mitigated, ensuring greater availability.
The bot management solution uses detection techniques such as IP rate limiting, CAPTCHA, device fingerprinting, and human interaction challenges to identify and block bad and/or suspicious bot activity from scraping your website for competitive data. At the same time, the WAF can allow legitimate bot traffic from Google, Facebook, and others to continue to access your web applications as intended.
Oracle Cloud Infrastructure WAF employs an intelligent DNS data-driven algorithm that determines the best global point of presence (POP) to serve a given user in real time. As a result, users are routed around global network issues and potential latency, with the best possible uptime and service levels.
What capabilities and key features do I get with Oracle Cloud Infrastructure WAF?
- Architecture deployment and origin lock down: Restrict traffic to ports 80 & 443, which results in all other connections being dropped.
- Dynamic traffic routing via DNS: Leverage DNS-based traffic-routing algorithms that consider user latency from thousands of global locations to determine the lowest latency routes.
- High availability: When configuring web-application delivery, Oracle Cloud Infrastructure WAF offers several high availability configuration options with the ability to add multiple origin servers. These settings and/or servers will only be used in cases where primary origin servers are offline or not responding correctly to health checks.
- Managing policies: Configure and manage features and functionality within the Oracle Cloud Infrastructure WAF configuration.
- Monitoring and reporting: This functionality gives users the ability to access reporting related to their content library.
- Support: Alert support teams of an issue and escalate a ticket depending on urgency (i.e. sev1, 2, or 3).
How do I get started with Oracle Cloud Infrastructure WAF?
Oracle Cloud Infrastructure WAF is available to Universal Credit Model subscribers. Universal Credit Model subscribers can access Oracle Cloud Infrastructure WAF via the Oracle Cloud Infrastructure Console under the Edge Services tab. There is a Getting Started Guide in the documentation that is the ideal place to start.
How will I be charged for Oracle Cloud Infrastructure WAF?
Oracle Cloud Infrastructure WAF uses the Universal Credit Model, and credits burn down based on the following metrics:
- Number of requests (higher price with Bot Management enabled)
- Amount of data/traffic egressed from the WAF
- Number of non-Oracle Cloud Infrastructure endpoints (monthly)
Can I subscribe to Oracle Cloud Infrastructure WAF without using any other services?
Yes. Oracle Cloud Infrastructure WAF is available to Universal Credit Model Subscribers. Customers may choose to leverage only Oracle Cloud Infrastructure WAF to protect non-OCI workloads. There is a small dependency on object storage to leverage the Oracle Cloud Infrastructure console that will show up on your billing.
Are all Oracle Cloud Infrastructure WAF capabilities available in the API?
Yes. Oracle Cloud Infrastructure WAF was designed API-first, so anything you can do in the console is available in the API.
Are all Oracle Cloud Infrastructure WAF controls available via the console?
Not as of February 2019. There are some management functions that can only be performed via API. Some of these API-only functions include:
- Threat intelligence
- Exclusions to protection rules
- IP rate limiting
- Sorting access rules
- Certificate management (beyond uploading a single certificate/key)
- Device fingerprinting and human interaction bot challenges
- Reporting and telemetry (assuming Oracle Cloud Infrastructure public telemetry is not available to you)
We will continue to add these items to the console and publish API, SDK, and Terraform examples for managing these features.
How do I import Oracle Cloud Infrastructure WAF logs to my SIEM?
The recommended approach is to use the API to have your SIEM consume WAF logs. We do not provide any pre-built plug-ins for SIEM providers today.
From which Oracle Cloud Infrastructure regions can I configure the WAF?
Oracle Cloud Infrastructure WAF is a global service that can be configured from any commercial region. It is not limited to that region for data, though. Any Oracle Cloud Infrastructure WAF configuration is added to the global 'edge'.
Where are the global points of presence (PoPs) for Oracle Cloud Infrastructure WAF?
Oracle currently has a total of 22 edge nodes with the following global footprint*:
- Los Angeles
- São Paulo
- Hong Kong
*Note that some locations have more than one PoP.
Does Oracle Cloud Infrastructure provide layer 7 (L7) distributed denial of service (DDoS) protection?
Yes. Oracle Cloud Infrastructure provides unlimited DDoS protection for web applications and services.
Where does the L7 DDoS protection occur?
DDoS protection is provided by the Oracle Cloud Infrastructure edge network, which is comprised of globally-distributed, high-capacity points of presence (PoPs) that support a wide range of edge applications. Oracle Edge PoPs are located in Oracle Cloud Infrastructure regions and at standalone locations worldwide. Specifically, L7 DDoS attacks are managed by the Oracle Web Application Firewall (WAF), which includes a complete set of access control and bot management features designed to defeat L7 DDoS threats. Oracle WAF is designed to protect against the vast majority of DDoS attacks at each PoP. In the event of an extremely-high-volume L7 DDoS attack, Oracle uses DDoS scrubbing centers, which are globally-distributed to ensure quick response times.
How is the Oracle Cloud Infrastructure L7 DDoS mitigation provisioned?
The service is available from the Oracle Cloud Infrastructure console. The customer selects L7 DDoS protection from the console as part of the WAF’s bot management menu. Customers can select one of two options:
- On-demand: L7 DDoS protection is turned on at the customer's discretion.
- Always-on: L7 DDoS protection is always on and provides automatic protection.
What is included with the L7 DDoS mitigation?
What does Oracle charge for the L7 DDoS mitigation?
L7 DDoS mitigation is part of the Oracle Cloud Infrastructure WAF. This is a metered subscription based on traffic and request volumes. See Oracle's pricing page for more information.
How does Oracle Cloud Infrastructure L7 DDoS mitigation work?
Traffic is automatically routed to the Oracle Cloud Infrastructure edge network via a reverse proxy architecture. The edge network includes globally-distributed PoPs that inspect all HTTP and HTTPS traffic before it arrives at the web application. The PoPs use the activated DDoS countermeasures to automatically eliminate traffic that is identified as coming from malicious botnets.
What reporting is provided?
The Oracle Cloud Infrastructure portal contains consoles with near real-time reporting about alerts, blocked requests, bot mitigations, and logs.
How do I lock down my origin to only accept connections from the Oracle Cloud Infrastructure WAF edge nodes?
Configure your origin ingress rules to only accept connections from the following CIDR ranges:
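One way to check that an origin is actually locked down as described is to audit its ingress rules against the edge ranges. This Python sketch is an added example, not Oracle code: the rule dictionary format and the function name are assumptions, and the CIDR values are placeholders from documentation address space, not Oracle's published ranges.

```python
import ipaddress

# Placeholder edge ranges (RFC 5737 documentation space), NOT Oracle's published list.
WAF_EDGE_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]
WEB_PORTS = {80, 443}

# Constructed sample ingress rules for an origin (hypothetical format).
SAMPLE_RULES = [
    {"source": "192.0.2.0/24", "port_min": 443, "port_max": 443},    # edge range, HTTPS
    {"source": "0.0.0.0/0", "port_min": 443, "port_max": 443},       # lets clients bypass the WAF
    {"source": "198.51.100.64/26", "port_min": 80, "port_max": 80},  # inside the /25 edge range
    {"source": "198.51.100.0/24", "port_min": 80, "port_max": 80},   # wider than the /25 edge range
    {"source": "192.0.2.10/32", "port_min": 22, "port_max": 22},     # edge source, non-web port
]


def audit_ingress(rules, edge_cidrs=WAF_EDGE_CIDRS):
    """Return (rule, reason) pairs for rules that break the origin lock-down."""
    edges = [ipaddress.ip_network(c) for c in edge_cidrs]
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        ports = set(range(rule["port_min"], rule["port_max"] + 1))
        # A source is acceptable only if it sits entirely inside one edge range;
        # a partially overlapping or wider block still exposes the origin.
        from_edge = any(
            src.version == e.version and src.subnet_of(e) for e in edges
        )
        if not from_edge:
            findings.append((rule, "source is outside the WAF edge ranges"))
        elif not ports <= WEB_PORTS:
            findings.append((rule, "opens ports other than 80/443"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_ingress(SAMPLE_RULES):
        print(f'{rule["source"]} {rule["port_min"]}-{rule["port_max"]}: {reason}')
```

Replace the placeholder list with the ranges Oracle publishes for the WAF edge nodes before using the result to judge a real origin.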
Can a customer brand their CAPTCHA pages?
What Core Rule Set (CRS) of OWASP does Oracle Cloud Infrastructure WAF support?
Oracle Cloud Infrastructure WAF supports CRS 3.0.
Is there a way to enable all rules, in all sets, at the same time?
We suggest using the API, CLI, SDK, or Terraform to script this.