Getting started with Yandex Smart Web Security
Smart Web Security protects your infrastructure from cybersecurity threats at the OSI application layer (L7). These may include DDoS attacks, bots, and SQL injections. In addition, you can enable DDoS protection at the L3 and L4 layers using Yandex DDoS Protection.
Smart Web Security is a toolkit to protect infrastructures of various complexity and scale. Protection is achieved by cleaning malicious traffic from the incoming traffic flow. The traffic is checked against filtering rules in a security profile. You can additionally process the cleaned traffic with ARL profile rules to reduce the load on your application.
A security profile may include:
- Basic rules for simple traffic filtering based on specified conditions.
- Smart Protection rules for automatic protection against DDoS attacks with machine learning and behavior analysis algorithms.
- WAF profile rules for protection from application vulnerability exploits. Currently, you can connect the OWASP Core Rule Set (CRS), which blocks many known threats, such as SQL and command injections, cross-site scripting, and others.
- Built-in Yandex SmartCaptcha to run CAPTCHA checks against bots and spam.
- IP address filtering lists to allow or block requests from specified IP addresses.
An ARL profile contains rules for limiting the number of requests to the protected resource based on various conditions.
You can connect a security profile to various types of resources:
- Virtual host or Ingress controller to protect resources that use Yandex Application Load Balancer.
- API Gateway to protect the APIs of your applications.
- Domain to protect your website or web application hosted in Yandex Cloud or other platforms.
Setup
- Get your cloud ready.
- Create and configure a protected resource.
- Create and check a security profile.
- Associate the security profile with the virtual host.
- Test the security profile.
- (Optional) Create and connect a WAF profile.
- (Optional) Create and connect an ARL profile.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page.
Learn more about clouds and folders.
Create and configure a protected resource
Application Load Balancer evenly distributes incoming traffic between nodes, thus preventing overload and improving fault tolerance. If you have no L7 load balancer set up yet, you can deploy a test infrastructure.
API gateway is the single entry point for APIs of various services, enabling requests management, routing, authentication, and so forth. If you have no API gateway configured, you can deploy one with a test specification.
Domain is a server, website, or application that processes external requests to a web address. To protect a domain, Smart Web Security provides a proxy server with load balancing, request analysis and routing, as well as basic DDoS protection.
The proxy server has an MTU limit of 1,450 bytes for all packets.
Note
The external domain protection feature is currently at the Preview stage.
Prepare data about the resource
- Address of the domain the web application is running on. You need access to the domain management interface to update the A record.
- Server IP address, port and protocol used by the web application.
- Valid private key and TLS certificate for this domain in PEM-encoded format. Certificates with RSA-2048 and RSA-4096 keys are supported.
Create a proxy server
- In the management console, select your folder.
- From the list of services, select Smart Web Security.
- In the left-hand panel, select Domain security.
- Click Create proxy server.
- Enter a name for the proxy server, e.g., test-proxy.
- Click Create server.
To work with the proxy server, a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, and logging.writer roles will be created.
Creating a proxy server can take several minutes. Wait for the server to get the Active status. After that, you can add a domain.
Add a domain
- In the left-hand menu, go to the Domains tab and click Add domain.
- Enter the address of the domain your web application runs on, e.g., example.com.
- Click Continue.
- Select the connection type used by your application. We recommend the secure HTTPS protocol.
- If you use Certificate Manager and have added your domain certificate to it, select it from the list.
- If not using Certificate Manager, click Create → Custom certificate.
  - Enter a name for the certificate.
  - Copy or upload the private key, certificate, and intermediate certificate chain as a file in PEM format.
  - Click Create certificate.
- Click Continue.
- Under Target resources, set up the targets:
  - IP address and port your web application runs on.
  - Optionally, expand the Connect target resources section to select the protocol your web application runs on.
- Click Add domain.
After you create a domain, the domain parameters overview page will open. Under How do I activate protection?, copy the proxy server IP address, as you will need it in the next step.
Set up your infrastructure
- Add a resource A record to your domain's public DNS zone, with values specified as follows:
  - Record name: Your domain's address, ending with a dot. Example: example.com. or my.first.example.com.
  - Value: Proxy server's IPv4 address you obtained in the previous step.
This record redirects requests coming to your domain to the proxy server IP address.
Note
If your domain is delegated to Yandex Cloud DNS, create a resource record according to this guide. Otherwise, use your domain name registrar's personal account. If you have any questions, refer to the relevant documentation or contact the registrar's support service.
- In your server settings, block all connections except those from Yandex Cloud IP addresses. Otherwise, anyone who learns your origin server's IP address can send requests to it directly, bypassing the proxy and every check in your security profile.
Check your resource status
- Under Domain security, select the new proxy server.
- In the left-hand menu, go to the Domains tab and select the new domain.
- Under Target resources, check that your resource's status is Healthy.
If it is not, the proxy server cannot connect to your resource. Check your web server address and network settings. Make sure access to the web server is allowed from Yandex Cloud IP addresses.
- In the left-hand panel, check that your domain's status is Healthy.
If it is not, verify the domain address and the A record, and check the certificate for validity.
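Once the A record points at the proxy and the origin firewall allows only Yandex Cloud addresses, the origin's own access log is the place to confirm that nothing is still reaching it directly. The script below is an added example, not Yandex Cloud's code. It assumes a placeholder list of proxy CIDRs (PROXY_RANGES stands in for the Yandex Cloud ranges you allowed in the firewall), assumes the proxy forwards the real client address in an X-Forwarded-For header (the header name is an assumption about the proxy, not stated on this page), and runs over constructed log lines.

```python
"""Audit an origin server's access log for requests that bypassed the proxy.

Added example, not Yandex Cloud's code. PROXY_RANGES are placeholder CIDRs;
the X-Forwarded-For header name is an assumption about the proxy; SAMPLE_LOG
lines are constructed for this example (Combined-Log-like format with the
X-Forwarded-For value appended as the last quoted field).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder for the proxy/Yandex Cloud ranges allowed in the origin firewall.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<xff>[^"]*)"$'
)


@dataclass
class Verdict:
    source: str      # TCP peer address that connected to the origin
    client: str      # best-known real client address
    request: str
    via_proxy: bool  # False means the request bypassed the proxy


def is_from_proxy(addr: str) -> bool:
    """True if the peer address belongs to one of the allowed proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PROXY_RANGES)


def classify(line: str) -> Optional[Verdict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m["src"]
    via_proxy = is_from_proxy(src)
    # Trust X-Forwarded-For only when the TCP peer is the proxy. A client that
    # connects directly can put anything in that header, so for bypassing
    # connections the peer address itself is the only trustworthy client address.
    client = src
    if via_proxy and m["xff"] not in ("", "-"):
        client = m["xff"].split(",")[0].strip()
    return Verdict(src, client, m["req"], via_proxy)


def find_bypasses(lines: Iterable[str]) -> List[Verdict]:
    """Return every parsed request whose peer is outside PROXY_RANGES."""
    return [v for v in map(classify, lines) if v is not None and not v.via_proxy]


# Constructed sample log: two requests via the proxy, two direct-to-origin hits.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "192.0.2.10"',
    '203.0.113.8 - - [10/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "192.0.2.11, 203.0.113.8"',
    '192.0.2.55 - - [10/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 200 2048 "-"',
    # Outside 198.51.100.0/25 and carrying a forged XFF that names a proxy address.
    '198.51.100.200 - - [10/Jan/2025:10:00:03 +0000] "GET /?id=1%27%20OR%201=1 HTTP/1.1" 200 4096 "203.0.113.1"',
]

if __name__ == "__main__":
    for v in find_bypasses(SAMPLE_LOG):
        print(f"BYPASS from {v.source}: {v.request}")
```

Any line reported as a bypass means the firewall rule from the previous step is incomplete (or the old origin address is still published somewhere); the forged X-Forwarded-For on the last sample line shows why the origin must never derive the client address from that header unless the peer is the proxy.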
Create and check a security profile
Create a security profile
Note
To improve protection, we use HTTP request data to train our machine learning (ML) models. You can disable the use of this information in the management console.
- In the management console, select the folder the protected resources are in.
- From the list of services, select Smart Web Security.
- Click Create profile and select From a preset template.
A preset profile includes:
  - Basic default rule enabled for all traffic with the Deny action type.
  - Smart Protection rule enabled for all traffic with the Full protection action type.
Tip
Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for your resource being protected.
- Enter a name for the profile, e.g., test-sp1.
- In the Action for the default base rule field, select Deny.
- Optionally, enable or disable the use of HTTP request information to tune machine learning models under Fine-tuning ML models.
- Click Create.
Check your security profile settings
- Select the test-sp1 profile you created earlier.
- Make sure the Security rules tab contains a rule with the following parameters:
  - Type: Smart Protection
  - Action: Full protection
  - Conditions: All traffic
This rule sends all incoming traffic of the protected resource for an automatic check using ML and behavioral analysis algorithms. As a result of this check:
- Legitimate requests are routed to the protected resource.
- Illegitimate requests and attacks are blocked.
- Suspicious requests are sent to SmartCaptcha for additional verification.
Associate the security profile with the virtual host
The connection method depends on the resource type.
- To connect a domain:
  - Under Domain security → Domains, select the required domain.
  - From the top menu, click Connect security profile and select an existing or create a new security profile.
- To connect a virtual host in Application Load Balancer:
  - If the load balancer is managed by an Application Load Balancer ingress controller, use the Ingress resource annotation.
  - If the load balancer is managed by you, select the created profile under Security profiles.
  - At the top right, click Connect to host.
  - In the window that opens, select:
    - Load balancer.
    - HTTP router.
    - Virtual host. You can associate the security profile with multiple virtual hosts at once.
  To associate the profile with another L7 load balancer, click Add load balancer.
  - Click Connect.
  You will see the associated virtual host under Connected hosts.
- To connect an API gateway:
  - Under Security profiles, copy the ID of the profile you need.
  - When creating an API gateway or in the existing API gateway specification, set this extension: x-yc-apigateway:smartWebSecurity.
  - Specify the copied ID in the extension.
Monitor the security profile operation
- In the Smart Web Security service page, select the Monitoring section on the left-hand panel.
- View the charts of allowed and blocked requests.
Create and connect a WAF profile
WAF allows using rule sets to protect web applications against various cyber attacks.
Create a WAF profile
- In the management console, select the folder where you want to create a WAF profile.
- From the list of services, select Smart Web Security.
- Go to the WAF profiles tab and click Create WAF profile.
- Enter a name for the profile, e.g., test-waf-profile-1.
- By default, the WAF profile uses the OWASP Core Rule Set. To view the rules it includes, click the row with its description.
- Click Create.
Configure a basic rule set
- On the WAF profile's overview page that opens, click Set up a basic rule set.
- Set the Anomaly threshold, which is the sum of anomaly scores of the triggered rules at which a request is blocked, e.g., Moderate: 25 and more.
We recommend that you start with an anomaly threshold of 25 and gradually reduce it to 5. Before lowering the threshold, address WAF false positives triggered by legitimate requests: identify the rules from the basic set that misfire and configure exclusion rules for them. You can use the Only logging (dry-run) mode in the security profile to test various anomaly thresholds without blocking traffic.
- Set the required Paranoia level, e.g., 2 or lower.
The paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the stricter the protection, but also the greater the risk of WAF false positives.
- Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly scores and paranoia levels.
You can configure any rule in the set to block requests. Requests matching such a rule get blocked regardless of the anomaly threshold you set. To turn a rule into a blocking one, click
Create an exclusion rule
- Go to the Exclusion rules tab and click Create exception rule.
- Enter a name for the exclusion rule, e.g., exception-rule-1.
- Under Scope of use, specify rules from the basic set for which the exclusion will apply. You can either select All rules or specify particular rules.
- Under Traffic conditions, select the triggering conditions for the exclusion rule.
If you leave the Conditions field empty, the exclusion rule will apply to all traffic.
- Click Create.
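The anomaly threshold, paranoia level, per-rule blocking and exclusion rules from the two procedures above interact in a way that is easiest to see on a request. The model below is an added example, not Yandex Cloud's or OWASP CRS's code: the rule IDs, patterns, scores and paranoia levels are illustrative stand-ins for CRS rules, matching is a plain regex over a flattened "location=value" text rather than CRS operators and transformations, and the sample requests are constructed.

```python
"""Model of CRS-style anomaly scoring as configured in a WAF profile.

Added example, not Yandex Cloud's or OWASP CRS's code. Rule IDs, patterns,
scores and paranoia levels are illustrative; sample requests are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    rule_id: int
    description: str
    pattern: str            # regex checked against the flattened request text
    score: int              # anomaly score added when the rule matches
    paranoia_level: int     # rule is active only at this paranoia level or higher
    blocking: bool = False  # blocking rule: blocks regardless of the threshold


@dataclass
class Exclusion:
    name: str
    rule_ids: Optional[Set[int]]         # None means "All rules"
    condition: Callable[[dict], bool]    # empty conditions == applies to all traffic


@dataclass
class WafProfile:
    rules: List[Rule]
    anomaly_threshold: int = 25
    paranoia_level: int = 1
    exclusions: List[Exclusion] = field(default_factory=list)
    dry_run: bool = False   # Only logging mode: decide, but never block


@dataclass
class Decision:
    matched: List[int]
    score: int
    blocked: bool
    reason: str


def evaluate(profile: WafProfile, request: dict) -> Decision:
    """Score one request against the profile and decide whether it is blocked."""
    # Flatten every location (path, query, headers, body) into one text so
    # each rule sees all of them; one "location=value" pair per line.
    text = "\n".join(f"{k}={v}" for k, v in sorted(request.items()))

    # Collect the rules that exclusion rules switch off for this request.
    excluded: Set[int] = set()
    exclude_all = False
    for ex in profile.exclusions:
        if ex.condition(request):
            if ex.rule_ids is None:
                exclude_all = True
            else:
                excluded |= ex.rule_ids

    matched, score, hard_block = [], 0, False
    for r in profile.rules:
        if r.paranoia_level > profile.paranoia_level:
            continue  # belongs to a higher paranoia level: inactive
        if exclude_all or r.rule_id in excluded:
            continue  # switched off by an exclusion rule for this traffic
        if re.search(r.pattern, text, re.IGNORECASE | re.MULTILINE):
            matched.append(r.rule_id)
            score += r.score
            hard_block = hard_block or r.blocking

    if hard_block:
        reason = "blocking rule matched"
    elif score >= profile.anomaly_threshold:
        reason = f"anomaly score {score} >= threshold {profile.anomaly_threshold}"
    else:
        reason = "allowed"
    would_block = reason != "allowed"
    if would_block and profile.dry_run:
        reason += " (dry run, logged only)"
    return Decision(matched, score, would_block and not profile.dry_run, reason)


# Illustrative rules modelled on CRS categories (IDs/scores are not real CRS data).
RULES = [
    Rule(942100, "SQL injection: quote followed by boolean tautology", r"('|%27)\s*(or|and)\s+\d+=\d+", 5, 1),
    Rule(941100, "XSS: script tag", r"<script\b", 5, 1),
    Rule(920350, "Host header is a numeric IP", r"^host=\d+\.\d+\.\d+\.\d+$", 3, 1),
    Rule(942430, "Many SQL special characters in a row", r"[^\w\s]{12,}", 3, 2),
    Rule(913100, "Known scanner user agent", r"^user-agent=.*(sqlmap|nikto)", 5, 1, blocking=True),
]

# Constructed sample requests.
CLEAN = {"method": "GET", "path": "/search", "query": "q=blue shoes",
         "host": "example.com", "user-agent": "Mozilla/5.0"}
SQLI = dict(CLEAN, query="q=1' OR 1=1")
SCANNER = {**CLEAN, "user-agent": "sqlmap/1.7"}
NOISY = dict(CLEAN, path="/api/notes", body="text=((((((((((((")          # legitimate, PL2 noise
FORUM_POST = dict(CLEAN, method="POST", path="/forum/post",
                  body="text=how does 1' or 1=1 work?")                  # legitimate, looks like SQLi

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("sqli", SQLI), ("scanner", SCANNER), ("forum", FORUM_POST)]:
        print(name, evaluate(WafProfile(RULES, anomaly_threshold=5), req))
```

The model reproduces the tuning advice from the steps above: at the default threshold of 25 a single critical hit (score 5) is not enough to block, so lowering the threshold to 5 is what makes the SQL injection sample blocked, and that same lowering turns the forum post into a false positive until an exclusion rule scoped to /forum/ switches the one misfiring rule off for that path only. The scanner sample is blocked at any threshold because its rule is a blocking one, and the PL2 rule contributes nothing unless the profile's paranoia level is raised.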
Connect the WAF profile to the security profile
- Navigate to the Security profiles tab.
- From the list, select the security profile to connect your WAF profile to, e.g., test-sp1.
- Click Add rule.
- Enter a name for the rule, e.g., waf-rule-1.
- In the Priority field, set a value higher than that of the Smart Protection rules already existing in the security profile, e.g., 888800.
- Optionally, to test your WAF profile and find false positives on legitimate requests without blocking them, use the Only logging (dry-run) mode in the security profile.
- In the Rule type field, select Web Application Firewall.
- In the WAF profile field, select the previously created profile named test-waf-profile-1.
- In the Action field, select Full protection.
- If required, set the conditions for traffic matching.
- Click Add.
Create and connect an ARL profile
ARL allows limiting the number of requests to the protected resource to prevent an overload.
Create an ARL profile
- In the management console, select the folder where you want to create an ARL profile.
- From the list of services, select Smart Web Security.
- Go to the ARL profiles tab and click Create ARL profile.
- Enter a name for the profile, e.g., test-arl-profile-1.
- Add a profile description and labels if needed.
- Click Create.
Configure rules
- On the ARL profile's overview page that opens, click Add rule.
- Enter a name for the rule, e.g., arl-rule-1.
- In the Priority field, set the rule priority within the ARL profile, e.g., 1000.
- Optionally, to test the ARL rule, enable the Only logging (dry run) mode. Requests will not be blocked in this mode.
- Under Traffic conditions, select All traffic or On condition.
- To set traffic conditions, select one or more items from the Conditions list:
  - IP: IP address, IP address range, IP address region, or address list.
  - HTTP header: HTTP header string.
  - Host: Domain receiving the request.
  - HTTP method: Request method.
  - Cookie: Cookie header string.
- Under Request counting, select how to count requests for limiting:
  - No grouping: Count each request separately.
  - Grouping by property: Count the number of request groups sharing one or more properties.
- Select a grouping property:
  - Request path: Request path.
  - HTTP method: Request method.
  - IP address: IP address the request originates from.
  - Region: IP address region of the requests.
  - Host: Domain receiving the request.
  - HTTP cookie: String in the cookie header.
  - HTTP header: HTTP header string.
  - Query params: String in the request parameters.
- Optionally, enable Case-sensitive to put properties with the same values in different cases into different groups.
- Specify the request limit and select the time interval, e.g., 1000 requests per 1 minute.
- Click Save rule.
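To see how the settings in the rule above combine (traffic conditions, No grouping versus Grouping by property, the Case-sensitive option, the limit per interval and the Only logging mode), here is an added example that models an ARL rule as a fixed-window counter. It is not Yandex Cloud's code and does not reproduce the service's actual algorithm; the epoch-aligned fixed window, the assumption that rules with a lower priority value are checked first, and the request records are all constructed for the example.

```python
"""Fixed-window model of an ARL rule: condition, grouping, limit, dry run.

Added example, not Yandex Cloud's code. Window alignment, priority ordering
(lower value checked first) and the sample requests are assumptions made for
this illustration, not documented behaviour of the service.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ArlRule:
    name: str
    priority: int
    limit: int                    # e.g. 1000
    interval_seconds: int         # e.g. 60 for "per 1 minute"
    condition: Optional[Callable[[dict], bool]] = None  # None == All traffic
    group_by: Tuple[str, ...] = ()                      # () == No grouping
    case_sensitive: bool = False                        # the Case-sensitive option
    dry_run: bool = False                               # Only logging mode
    _counters: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int), repr=False)

    def applies(self, req: dict) -> bool:
        """Traffic conditions: an absent condition matches all traffic."""
        return self.condition is None or self.condition(req)

    def group_key(self, req: dict, now: int) -> tuple:
        """Counter key: the current fixed window plus the grouping properties.

        With No grouping the key is the window alone, so every request that
        meets the condition shares one counter. With Grouping by property each
        distinct combination of the selected properties gets its own counter.
        """
        window = now // self.interval_seconds
        props = []
        for p in self.group_by:
            v = str(req.get(p, ""))
            props.append(v if self.case_sensitive else v.lower())
        return (window, *props)

    def check(self, req: dict, now: int) -> str:
        """Return 'allow', 'deny', or 'log' (over the limit, but dry run)."""
        if not self.applies(req):
            return "allow"
        key = self.group_key(req, now)
        self._counters[key] += 1
        if self._counters[key] <= self.limit:
            return "allow"
        return "log" if self.dry_run else "deny"


def apply_profile(rules: List[ArlRule], req: dict, now: int) -> str:
    """Evaluate the profile's rules; the first rule that denies ends evaluation.

    Assumption for this model: rules with a lower priority value run first.
    """
    verdict = "allow"
    for rule in sorted(rules, key=lambda r: r.priority):
        v = rule.check(req, now)
        if v == "deny":
            return "deny"
        if v == "log":
            verdict = "log"
    return verdict


def simulate(rules: List[ArlRule], timed_requests: List[Tuple[int, dict]]) -> List[str]:
    """Run a sequence of (timestamp, request) pairs through the profile."""
    return [apply_profile(rules, req, t) for t, req in timed_requests]


if __name__ == "__main__":
    # Limit each client IP to 3 requests per minute per API path (constructed data).
    api_rule = ArlRule("arl-rule-1", 1000, limit=3, interval_seconds=60,
                       condition=lambda r: r["path"].startswith("/api/"),
                       group_by=("ip", "path"))
    burst = [(t, {"ip": "192.0.2.10", "path": "/api/items"}) for t in range(5)]
    print(simulate([api_rule], burst))
```

The grouping properties are what make the limit meaningful: with group_by=("ip", "path") a single client exhausting one endpoint does not consume the budget of other clients or other endpoints, whereas No grouping applies one shared counter to all matching traffic, which is the right choice for protecting a single expensive endpoint from aggregate load rather than from one abusive client.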
Connect your ARL profile to the security profile
- Navigate to the Security profiles tab.
- From the list, select the security profile to connect your ARL profile to, e.g., test-sp1.
- Click Edit.
- In the ARL profile list, select the previously created test-arl-profile-1.
- Click Save.