Protect a Web API
Last updated
Last updated
CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web API, as well as the ability to automatically detect your API usage and schema, providing an extra layer of security via visibility.
Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security.
When logged in to the management portal, click the Policy option in the main navigation menu on the left. You should see the Cloud Getting Started page.
In the Policy -> Getting Started page, click New Asset, then Select Web API. The configuration wizard should open.
Follow these configuration steps in the New Web API wizard:
Complete the following details (which you have prepared before):
Name - choose a clear distinguishable name for your API
Tags (Optional) - can be used for searches
API URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples:
https://www.acme.com
(listen to inbound traffic to this address on all ports)
http://www.acme.com:80
(only listen to inbound traffic to this address on port 80)
https://www.acme.com/api
https://sales.acme.com/api
https://172.20.20.4:3000
Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram).
Select the Practices that you want to enable and their Mode:
Activated modes for API Security:
Learn/Detect - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected.
Prevent - in this mode traffic will be blocked if malicious traffic is found.
Activated modes for API Discovery:
Active - API discovery does not block traffic, hence it only has a single "Active" mode.
Choose a deployment method:
CloudGuard WAF can be deployed as:
A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy):
In AWS
In Azure
In VMware vSphere
Early Availability - SaaS WAF service in supported regions world-wide (DNS configuration for your domain will change to its location)
A pre-packaged docker containing a secure managed reverse proxy. Note - a user can opt to manage the reverse proxy settings locally.
A separate Reverse Proxy/API server Docker + WAF Agent Docker
An add-on to an existing/new NGINX Kubernetes Ingress
An add-on to an existing/new supported Reverse Proxy/API Server.
If you choose the option of a Virtual Machine (VM), the option of SaaS or the option of a managed docker, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard.
Define how the Machine Learning engine should distinguish between different API sources and who the sources are that can be trusted.
Select the method by which different sources will be distinguished from one another:
X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment.
In the less common case, where there are more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF:
After the wizard is completed you must edit the created Web Application/API asset object.
Add the IP addresses of the previous hops, to allow the distinction between them and the original source address.
This is explained in more details here.
Source IP Address- The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.
Additional methods can be defined later by editing the Web Application/API asset object. These include:
Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.
HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.
JWT Key - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source.
2. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for benign behavior, and how many sources/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which sources are distinguished).
If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored.
For the WAF SaaS option - Using your own issued certificates will be available in the future.
This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via Cloud->Profiles.
If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile.
Exact setup instructions for certificates will be available in the profile page.
For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available:
On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.
Advantage: you have full control of your secrets
Disadvantage: does not support automatic scaling
For WAF SaaS deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates.
Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset:
Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side.
Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS.
For all other deployment options there is no configuration required WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in Policy->Profiles.
During the Web Application onboarding it is possible to configure a new Report Trigger to send a summary report, based on your preferences to a list of email addresses or use an existing, pre-configured Report Trigger.
Review the configuration summary and choose how you would like to proceed.
By keeping the default selections and clicking Done, you can Publish & Enforce your settings and proceed to the Profile page, which includes instructions for deployment of a CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent.
You can also choose Advanced Settings to explore additional features (such as in Step 6 below) and later proceed with enforcement point deployment.
You are minutes away from protecting your Web API. The last step is to deploy an Enforcement Point. See instructions here:
CloudGuard WAF protects your API from malicious attacks, and if provided with a schema file, it can enforce it. However, this is not the only manner of security for API use.
Maintaining and enforcing a secure schema file is a difficult task for a security officer. The developers of the web server add and change APIs, and even with a well-defined, well-reviewed and well-maintained schema file, an API can allow access of sensitive data in a way the schema file will not show. The frequency of changes to APIs can also cause much difficulty in keeping such a schema file well-reviewed and well-maintained.
API discovery provides security by visibility:
Discovery of the initial schema.
Discovery of API additions/deletions, and changes to existing APIs.
Discovery of APIs with sensitive data.
API discovery is the recommended way to maintain the schema file you can eventually, after a sufficient leaning period, use for Schema Validation.
The flow of working with API discovery is explained in detail in this documentation:
Important reminder - The API discovery engine was designed to learn what API is actually being used. Even if you have a well-maintained schema file for your API, it is still recommended to wait before activating the Schema Validation Security engine, until the API discovery practice has learned the actual API usage in your system and suggested a schema.
At that point we recommend comparing the suggested schema with the schema file you had, and deciding on the exact schema to enforce accordingly.
Once there is a well-maintained schema file, such as the schema the API discovery engine provides once it learned traffic to a high enough level, adding a schema file and activating the Schema Validation enforcement engine can further increase the security level by adding an openAPI schema file for your API. CloudGuard WAF will enforce the different unique applicative validations described in the schema file and alert upon attempts to use APIs in a way that does not match your schema.
If you decide to skip API discovery (not recommended) and move directly to schema validation with your own well-maintained schema file, skip directly to the following documentation and use the option of uploading your own schema file: