WAAS (Web-Application and API Security) can secure both containerized and non-containerized web applications. To deploy WAAS, create a new rule, and declare the entity to protect.
Although the deployment method varies slightly depending on the type of entity you’re protecting, the steps, in general, are:
- Define rule resource.
- Define application scope.
- Enable relevant protections.
Understanding WAAS rule resources and application scope
The WAAS rule engine is designed to let you tailor the best-suited protection for each part of your deployment. Each rule has two scopes:
- Rule resources.
- Application list.
This scope defines, for each type of deployment, a combination of one or more elements to which WAAS should attach itself in order to protect the web application:
In the event of scope overlap (when multiple rules are applied to the same resource scope), the first rule by order will apply and all others will not apply. You can reorder rules via the Order column in WAAS rule tables by dragging and dropping rules.
This scope defines the protected application’s endpoints within the deployment as a combination of one or more of the following:
To better illustrate, consider the following deployment scenario for a web application running on-top of an NGINX cluster:
In this example, different policies apply for different parts of the application. The steps for deploying a WAAS rule to protect the above described web application would be as follows:
- Define rule resources- Specify the resource collection the rule applies to. Collections are comprised of image names and one or more elements to which WAAS should attach itself in order to protect the web application. In the following example, the rule will apply to all containers created by the nginx image.
- Define protection policy for 'login', 'search' and 'product' endpoints- Set OWASP Top 10 protection to "Prevent" and geo-based access control to "Alert".
- Define protection policy for the application’s API endpoints- Set OWASP Top 10 and API protection to "Prevent" and HTTP header-based access control to "Alert".
Once the policy is defined, the rule overview shows the following rule resource and application definitions: