Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  Best practices Policy Cloud Imperva

    Posted 07-19-2023 15:20

    Hi everybody please would like to known some experience about the rules or policiy that must have for protection a portal login web and api.


    #CloudWAF(formerlyIncapsula)

    ------------------------------
    osmar murillo
    Security TI
    BOL - Banco Ganadero
    Santa Cruz
    ------------------------------


  • 2.  RE: Best practices Policy Cloud Imperva

    Posted 07-20-2023 14:59
    Hi Osmar!
     
    It's not a secret that each enviroment it's different every time. We have been builded a criteria based on our experience with CloudWAF, and the best way to start the onboarding for sercurity polies and Imperva Rules, it's to following some of the next Use Cases documented.
     
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/security-rule-examples.htm#Anti-scr
     
    On the other hand I recommend that if your enviroemt or customer doesn't have an scope in order to identify the web trransactions that are hanlded  by CloudWAF and are addressed to your (his) web applications, make general rules with an Alert action to get visibility for the User Agents, Countries, Source Applications, etc, and take desicions from here.
     
    Best regards!


    ------------------------------
    Edson A. Perez Hernandez
    Data Warden S.A. de C.V. | Support Engineer | IDSC
    Mexico City
    ------------------------------



  • 3.  RE: Best practices Policy Cloud Imperva
    Best Answer

    Posted 07-21-2023 07:45

    Hi Good Morning

    Unfortunately, every environment have your particular issue. For those that don´t have the ATO license, I normally create A Manual Rate-Limit Rule on specific Login page, however, an motivated attacker can lower their rate and bypass your Rate-Limit. (That´s Why the ATO feature to me is a "must have"). the values of rate-limit depends in how many requests do you see per minute.

    PS: I use the "exact" string on login endpoint, some customer here, use the same endpoint after logged in, if you use "contains" the counter is still running even a successful authentication causing unwanted blocks.

    For API , be aware with OPTION method. they normally flood the Log because most devs don´t specify them on API Specifications. otherwise you can put the same filters above on TOKEN request/authentication. The secret is coordinate with customer to check the best approach of user logins/ some marketing campaign and a real situation of Brute Force.

    You life will be more easier with ATO or even a well configured ABP.

    If you can, add a 2FA

    Regards



    ------------------------------
    Roberto Junior
    Technical User
    ETEK Novared Brasil Ltda
    São Paulo
    ------------------------------



  • 4.  RE: Best practices Policy Cloud Imperva

    Posted 07-21-2023 13:36

    Hi Osmar,

    It depends on the use case and we have a way in the form of custom rules to mitigate the bad actors.

    We also have various features that give us more insight and protect the environment. 

    You can explore more of our features on the below portal for cloud WAF

    https://docs.imperva.com/bundle/cloud-application-security/page/introducing/overview.htm

    Custom rule:-https://docs.imperva.com/bundle/cloud-application-security/page/rules/create-rule.htm

    https://docs.imperva.com/bundle/cloud-application-security/page/rules/create-rule.htm



    ------------------------------
    Ankit Sharma
    Cloud Security Engineer | Enterprise Services
    Imperva
    ------------------------------