Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic. Oracle Cloud Infrastructure WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.
Oracle Cloud Infrastructure WAF enables customers to create and manage rules for avoiding internet threats, including cross-site scripting (XSS), SQL injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while allowing desirable bots to enter. The rules can also be used limit access based on geography or the signature of incoming requests.
Oracle's 24x7 global Security Operations Center (SOC) will continually monitor the internet threat landscape and act as an extension of your IT security team.
The Oracle Cloud Infrastructure WAF should be considered for any internet-facing web application or HTTP-based API.
| Responsibility | Oracle | Customer |
|---|---|---|
| Onboard/configure the WAF policy for the web application | No | Yes |
| Configure WAF onboarding dependencies (DNS, ingress rules, network) | No | Yes |
| Provide high availability (HA) for the WAF | Yes | No |
| Monitor for distributed denial of service (DDoS) attacks | Yes | No |
| Keep WAF infrastructure patched and up-to-date | Yes | No |
| Monitor data-plane logs for abnormal, undesired behavior | Yes | Yes |
| Construct new rules based on new vulnerabilities and mitigations | Yes | No |
| Review and accept new recommended rules | No | Yes |
| Tune the WAF's access rules and bot management strategies for your traffic | No | Yes |
Oracle Cloud Infrastructure WAF filters out malicious requests to your web application or API. It also gives you more visibility as to the where the traffic is coming from—and Layer 7 DDoS attacks are mitigated, ensuring greater availability.
The bot management solution uses detection techniques such as IP rate limiting, CAPTCHA, device fingerprinting, and human interaction challenges to identify and block bad and/or suspicious bot activity from scraping your website for competitive data. At the same time, the WAF can allow legitimate bot traffic from Google, Facebook, and others to continue to access your web applications as intended.
Oracle Cloud Infrastructure WAF employs an intelligent DNS data-driven algorithm that determines the best global point of presence (POP) to serve a given user in real time. As a result, users are routed around global network issues and potential latency while offering the best possible uptime and service levels.
The Oracle Cloud Infrastructure WAF utilize universal credits model and burn down based on the following metrics:
Yes. Oracle Cloud Infrastructure WAF is available to Universal Credit Model Subscribers. Customers may choose to leverage only Oracle Cloud Infrastructure WAF to protect non-OCI workloads. There is a small dependency on object storage to leverage the Oracle Cloud Infrastructure console that will show up on your billing.
Yes. Oracle Cloud Infrastructure WAF was designed API-first, so anything you can do in the console is available in the API.
Not as of March 2021. There are some management functions that can only be performed via API. Some of these API-only functions include:
We will continue to add these items to the console and publish API, SDK, and Terraform examples for managing these features.
The recommended approach is to use the API to have SIEM consume WAF logs. We do not provide any pre-built plug-ins for SIEM providers today.
Oracle Cloud Infrastructure WAF is a global service that can be configured from any commercial region. It is not limited to that region for data, though. Any Oracle Cloud Infrastructure WAF configuration is added to the global 'edge'.
Oracle currently has a total of 11 edge nodes with the following global footprint*:
*Note that some locations have more than one PoP.
Yes. Oracle Cloud Infrastructure provides unlimited DDoS protection for web applications and services.
DDoS protection is provided by the Oracle Cloud Infrastructure edge network, which is comprised of globally-distributed, high-capacity points of presence (PoPs) that support a wide range of edge applications. Oracle Edge PoPs are located in Oracle Cloud Infrastructure regions and at standalone locations worldwide. Specifically, L7 DDoS attacks are managed by the Oracle Web Application Firewall (WAF), which includes a complete set of access control and bot management features designed to defeat L7 DDoS threats. Oracle WAF is designed to protect against the vast majority of DDoS attacks at each PoP. In the event of an extremely-high-volume L7 DDoS attack, Oracle uses DDoS scrubbing centers, which are globally-distributed to ensure quick response times.
The service is available from the Oracle Cloud Infrastructure console. The customer selects L7 DDoS protection from the console as part of the WAF’s bot management menu. Customers can select one of two options:
1. On-demand: L7 DDoS protection is turned on at the customer's discretion.
2. Always-on: L7 DDoS protection is always on and provides automatic protection.
L7 DDoS mitigation is part of the Oracle Cloud Infrastructure WAF and is activated when users select a range of policy options designed to defeat sophisticated L7 DDoS attacks. Policy options include but are not limited to JavaScript challenges, IP rate limiting, device fingerprinting, and human interaction challenges. These countermeasures are fully automated when the 'always-on' option is selected. Users can also select the 'on-demand' option to manually turn on L7 DDoS protection at their discretion.
L7 DDoS mitigation is part of the Oracle Cloud Infrastructure WAF. This is a metered subscription based on traffic and request volumes. See Oracle's pricing page for more information.
Traffic is automatically routed to the Oracle Cloud Infrastructure edge network via a reverse proxy architecture. The edge network includes globallydistributed PoPs that inspect all HTTP and HTTPS traffic before it arrives at the web application. The PoPs use the activated DDoS countermeasures to automatically eliminate traffic that is identified as coming from malicious botnets.
The Oracle Cloud Infrastructure portal contains consoles with near real-time reporting about alerts, blocked requests, bot mitigations, and logs.
Configure your origin ingress rules to only accept connections from certain CIDR ranges, please refer to Securing Your WAF in the Getting Started Guide to get the updated list.
No, we do not support this feature at this time.
Oracle Cloud Infrastructure WAF supports CRS 3.0.
We suggest using the API, CLI, SDK, or Terraform to script this, however it is not recommended to enable all at the same time.
Please refer to the Web Application Firewall main page for further details.
WAF for Oracle Fusion Cloud Applications Suite improves our customers’ security posture by giving the Oracle SaaS Cloud Security team additional visibility into application-level attacks with respect to their application data. WAF for Fusion Applications is completely transparent to customers and managed end-to-end by Oracle's subject matter experts. With this out-of-the-box offering, customers are supported with a 24/7 security operations center that’s responsible for updating, monitoring, managing, responding to, and protecting our Fusion Applications—without impacting application resilience or availability.
WAF for Fusion Applications is available free of charge for all Fusion customers hosted on Oracle Cloud Infrastructure.
WAF for Fusion Applications is deployed along with our load balancer and supports hundreds of rules that can inspect any part of the web request to Fusion Applications and APIs with minimal latency impact to incoming traffic.
WAF for Fusion Applications is a version of Oracle Cloud Infrastructure WAF that has been fine-tuned for SaaS products. It protects SaaS applications from targeted attacks by filtering traffic based on out-of-the-box rules that SaaS security teams have designed to provide always-on layer-7 protection.