Contact UsGet started
© 2024 Direct Cursus Technology L.L.C.

Getting started with Yandex Smart Web Security

Written by
Updated at December 4, 2024

Smart Web Security protects your infrastructure from cybersecurity threats at application layer L7 of the OSI model. These may include DDoS attacks, bots, and SQL injections. In addition, you can enable DDoS protection at levels L3 and L4 using Yandex DDoS Protection.

Smart Web Security is an assortment of tools you can use either separately or in a combination for optimized protection for your resources. The main Smart Web Security component is a security profile to which you can connect:

  • Basic rules. For simple traffic filtering based on certain conditions.
  • Smart Protection rules. To analyze traffic with machine learning and behavioral analysis algorithms.
  • WAF profile rules. Allow using rule sets to counter common security threats, such as OWASP Core Rule Set (CRS). Rule sets protect web apps from many known threats, e.g., SQL injections, command injections, cross-site scripting, unauthorized access to server resources, and more.
  • CAPTCHA. After you have checked traffic with rules, you can additionally route it to Yandex SmartCaptcha for protection against bots and spam.
  • ARL profile. To limit the number of requests to the protected resource based on various conditions.

To protect resources, you need to connect a security profile to a virtual host or an Ingress controller in Yandex Application Load Balancer.

To get started with the service:

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Create and check a security profile

Create your first security profile and connect it to an existing virtual host of an L7 load balancer in Yandex Application Load Balancer.

If you have no L7 load balancer configured, you can deploy a test infrastructure.

Create a security profile

  1. In the management console, select the folder you want to create a profile in.

  2. In the list of services, select Smart Web Security.

  3. Click Create and select From a preset template.

    A preset profile includes:

    Tip

    Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for your resource being protected.

  4. Enter a name for the profile, e.g., test-sp1.

  5. In the Action for the default base rule field, select Deny.

  6. Click Create.

Check your security profile settings

  1. Select the test-sp1 profile you created earlier.

  2. Make sure the Security rules tab contains a rule with the following parameters:

    • Type: Smart Protection.
    • Action: Full protection.
    • Conditions: All traffic.

    This rule sends all incoming traffic of the protected resource for automatic analysis using ML and behavioral analysis algorithms. As a result of automatic analysis:

    • Legitimate requests are routed to the protected resource.
    • Illegitimate requests and attacks are blocked.
    • Suspicious requests are sent to SmartCaptcha for additional verification.

Connect the security profile to the virtual host

  1. At the top right, click Connect to host.

  2. In the window that opens, select:

    • Load balancer.

    • HTTP router.

    • Virtual host. You can connect the security profile to multiple virtual hosts at once.

      To connect the profile to another L7 load balancer, click Add load balancer.

  3. Click Connect.

    You will see the connected virtual host under Connected hosts.

Create and connect a WAF profile

WAF allows using rule sets to protect web applications from various information attacks.

Create a WAF profile

  1. In the management console, select the folder you want to create a WAF profile in.
  2. In the list of services, select Smart Web Security.
  3. Go to the WAF profiles tab and click Create WAF profile.
  4. Enter a name for the profile, e.g., test-waf-profile-1.
  5. By default, the WAF profile includes a basic rule set called OWASP Core Rule Set. To view the rules it includes, click the line with its description.
  6. Click Create.

Configure a basic rule set

  1. On the WAF profile's review page that opens, click Set up a basic rule set.

  2. Set the Anomaly threshold, which is the sum of anomaly values of the triggered rules that will block the request, e.g., Moderate: 25 and more.

    We recommend to start with the anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules. You can use the Only logging (dry-run) mode in the security profile to test various anomaly thresholds.

  3. Set the required Paranoia level, e.g., 2 or lower.

    Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better your protection, but also the higher the probability of WAF false positives.

  4. Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly values and paranoia levels.

You can turn any rule from the set into a blocking rule. A request that satisfies such a rule will be blocked regardless of the anomaly threshold you specified. To turn a rule into a blocking rule, click to the right of it. If the Only logging(dry-run) mode is enabled in the security profile, requests will not be blocked even when if they satisfy the blocking rules.

Create an exclusion rule

  1. Go to the Exclusion rules tab and click Create exception rule.

  2. Enter a name for the exclusion rule, e.g., exception-rule-1.

  3. Under Scope of use, specify rules from the basic set for which the exclusion will be valid. You can either select All rules or specify particular rules.

  4. Under Traffic conditions, select the triggering conditions for the exclusion rule.

    If you leave the Conditions field empty, the exclusion rule will apply to all traffic.

  5. Click Create.

Connect the WAF profile to a security profile

  1. Go to the Security profiles tab.
  2. From the list, select the security profile you want to connect your WAF profile to, e.g., test-sp1.
  3. Click Add rule.
  4. Enter a name for the rule, e.g., waf-rule-1.
  5. In the Priority field, set a value higher than that of the Smart Protection rules already existing in the security profile, e.g., 888800.
  6. (Optional) To test your WAF profile and simulate false positives triggered by legitimate requests, use the Only logging (dry-run) mode in the security profile.
  7. In the Type field, select Web Application Firewall.
  8. In the WAF profile field, select the previously created test-waf-profile-1.
  9. In the Action field, select Full protection.
  10. If required, set the conditions for traffic mapping.
  11. Click Add.

Create and connect an ARL profile

ARL allows limiting the number of requests to the protected resource to avoid an overload.

Create an ARL profile

  1. In the management console, select the folder you want to create your ARL profile in.
  2. In the list of services, select Smart Web Security.
  3. Go to the ARL profiles tab and click Create ARL profile.
  4. Enter a name for the profile, e.g., test-arl-profile-1.
  5. Add profile description and labels if needed.
  6. Click Create.

Configure rules

  1. On the ARL profile's review page that opens, click Add rule.

  2. Enter a name for the rule, e.g., arl-rule-1.

  3. In the Priority field, set the rule's priority within the ARL profile, e.g., 1000.

  4. (Optional) To test the ARL rule, enable the Only logging (Dry run) mode. Requests will not be blocked in this mode.

  5. Under Traffic conditions, select All traffic or On condition.

  6. To set traffic conditions, select one or more items from the Conditions list:

    • IP: IP address, IP address range, or IP address region.
    • HTTP header: HTTP header string.
    • Host: Domain receiving the request.
    • HTTP method: Request method.
    • Cookie: Cookie header string.

  7. Under Request counting, select how to count requests for limit application purposes:

    • No grouping: Count each request separately.
    • Grouping by property: Count the number of request groups sharing one or more common properties.

    1. Select a grouping property:

      • Request path: Request path.
      • HTTP method: Request method.
      • IP address: IP address the request originates from.
      • Region: IP address region of the requests.
      • Host: Domain receiving the request.
      • HTTP cookie: String in the cookie header.
      • HTTP header: HTTP header string.
      • Query params: String in query parameters.

    2. (Optional) Enable Case-sensitive to put properties with the same values in different cases into different groups.

  8. Specify the request limit and select the time interval, e.g., 1000 requests per 1 minute.

  9. Click Save rule.

Connect your ARL profile to a security profile

  1. Go to the Security profiles tab.
  2. From the list, select the security profile you want to connect your ARL profile to, e.g., test-sp1.
  3. Click Edit.
  4. In the ARL profile list, select the previously created test-arl-profile-1.
  5. Click Save.

Configure the L7 load balancer for additional protection

To enhance DDoS protection of your applications, consider these additional tips:

  • Configure autoscaling. This will allow you to dynamically adapt to the increased load and optimize traffic redistribution.
  • Place resource units in multiple availability zones.
  • Use the secure HTTPS protocol: configure a listener to automatically redirect requests from HTTP to HTTPS.
  • Ensure protection at the lower OSI model level: enable basic DDOS protection at L3 and L4 to prevent some attacks at an earlier stage.

These measures, in addition to setting up Smart Web Security, will increase the resilience of your services to potential threats and ensure security of your applications.

See also

Next
All guides