Imperva Cyber Community


Best Practices for Cloud WAF Settings

By Michael Franklin posted 11-12-2019 05:58

Security Modules and Alert Mode

Alert Only should be used only for the Cross Site Scripting rule, which is the one rule Imperva sets to Alert Only by default. If any other security module on your website is set to Alert Only, your settings are not meeting best practice: matching attacks are logged but still reach your origin instead of being blocked.

To review or change these settings, follow the steps below:

1. Log in to your my.imperva.com account.

2. On the sidebar, click Websites (default).

3. Click a site name to access the site's dashboard.

4. On the sidebar, click Settings.

5. Click WAF. The Define Threat Responses page opens:

Define Threat Responses
For each type of threat, you can define how the Imperva Cloud WAF responds. By default, the WAF rules are set to the Block Request option. The only exception is the Cross Site Scripting rule, which is set to Alert Only.
Security Module Recommendations
1. Use the Block Request response unless you have a specific, documented reason not to.
2. Alert Only is appropriate only for the Cross Site Scripting rule.
DDoS
Your website's DDoS settings may not be meeting best practice if protection is set to a fixed On/Off mode or left at the default threshold. A threshold that does not match your website's traffic is also a problem: if normal traffic runs above 90% of the threshold, or the site generates many "DDoS on" events, the threshold does not fit your traffic profile and should be adjusted.
DDoS Setting Recommendations
1. Automatic is our recommended setting.
2. Your website's DDoS threshold should match your website's actual traffic.
Origin IP
Your CloudWAF service may not be meeting best practices if your Origin IP:

- Can be revealed via DNS settings, SSL certificate or DNS history sites
- Is accessible without going through the WAF

Please see the following steps to meet best practices for concealing your Origin IPs:
1. Set IP Restriction Rules
With Incapsula deployed at the edge of your network, serving as a proxy for all incoming traffic, there is no reason to accept traffic from anywhere but our network. Consequently, we always suggest setting IP restriction rules (for example, using your firewall or iptables) that block all traffic from non-Incapsula IP addresses. IP restrictions block any request that tries to circumvent the Incapsula WAF by reaching the origin directly. On top of that, with IP restrictions in place your origin is also immune to scanners, including the ones described in the study, that look for origin IP data in the SSL certificates stored on your server. For a full list of Incapsula IP addresses and directions for setting IP restriction rules, please visit here.
2. Change Your IP Address

When trying to uncover your origin IPs, perpetrators do not have to limit themselves to resolving your domain name. One of the things attackers can, and often will, do is dig around for a historical record of your origin address, which is likely to exist on one of the many websites that harvest and store domain information and IP history. To make this information irrelevant, we strongly suggest that you relocate your origin to a new IP address right after activating Incapsula. That way, resolving your domain name will only "expose" our network IPs, and attacks on your legacy IP will always miss their target. Note that this does not mean you have to change hosting providers; you are very likely to have the option to move to a different IP address with the same hosting service. For the remaining steps, please click here.
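The IP restriction from step 1 and a check for records that still point at the origin, as an added example that is not part of the original post and not Imperva's own tooling. It is POSIX shell; the values in WAF_CIDRS are constructed placeholders from RFC 5737 documentation space standing in for Imperva's published address list, and every function name is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the Imperva post. It generates iptables
# rules that accept web traffic only from the WAF's address ranges and
# checks published DNS records against the same ranges.
#
# WAF_CIDRS holds constructed placeholders from RFC 5737 documentation
# space. Replace them with the address list Imperva publishes and re-run
# whenever that list changes.
WAF_CIDRS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"
ORIGIN_PORTS="80 443"

# Convert a dotted-quad IPv4 address to an integer (no validation; the
# inputs here come from our own lists, not from untrusted clients).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $1 lies inside CIDR $2 (e.g. 192.0.2.0/24).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Succeed if $1 belongs to any of the WAF ranges.
in_waf_ranges() {
    for cidr in $WAF_CIDRS; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# Print the iptables commands as text (a dry run) so they can be reviewed
# before being applied on the origin host with `build_allowlist_rules | sh`.
# Order matters: loopback and established flows first, then one ACCEPT per
# WAF range and port, then a DROP for any other source on the same port.
# Ports not listed in ORIGIN_PORTS (e.g. SSH) are left untouched.
build_allowlist_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ORIGIN_PORTS; do
        for cidr in $WAF_CIDRS; do
            echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
        done
        # Anything else reaching a web port has bypassed the WAF: drop it.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Simulate the rule set: what happens to a new connection from source $1
# to one of the protected ports.
firewall_verdict() {
    if in_waf_ranges "$1"; then echo ACCEPT; else echo DROP; fi
}

# Pass the A records currently published for the site (for example the
# output of `dig +short A example.com`); any record printed back points
# outside the WAF ranges and therefore exposes the origin.
leaked_records() {
    for ip in "$@"; do
        in_waf_ranges "$ip" || echo "$ip"
    done
}

build_allowlist_rules
```

Two caveats before relying on this on a real origin: the allowlist is only as good as its freshness, so regenerate the rules whenever Imperva updates its address list, and if the origin is reachable over IPv6 the same logic has to be applied with ip6tables against the WAF's IPv6 ranges, since an AAAA record that bypasses the WAF leaks the origin just as an A record does.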


For additional Imperva Community resources, please check out our CloudWAF Product Page

#CloudWAF(formerlyIncapsula)
