How to add and view assets - Web Application Firewall

Web Application Firewall (WAF) provides the asset center feature that you can use to identify domain names in and outside Alibaba Cloud and assess risks based on the attack status of the domain names in the cloud. This helps you obtain the overall protection status of your domain names. You can enable protection for high-risk domain names to improve the overall security of your business system.

Background information

Network application assets are the most important carrier of network applications in a security management system and are the most fundamental components in a business system. As enterprise business rapidly develops, more business systems are used. A single enterprise may have multiple business systems, and employees may forget to release resources after they build websites or test environments. As a result, business systems may contain unmanaged zombie assets. The most vulnerable part of a business system determines the overall security of the system. In most cases, zombie assets use outdated versions of open source systems, components, or web frameworks, which have common vulnerabilities. Attackers can exploit these vulnerabilities to invade the internal network of an enterprise.

The asset discovery feature can obtain the configurations of Alibaba Cloud services, such as Domains, SSL Certificates Service, and Alibaba Cloud DNS. Then, the feature, together with big data-enabled correlation analysis, can identify domain names in and outside the cloud based on the obtained configurations. This way, you can monitor the overall situation of all the domain names and make sure that all domain names are protected. The asset discovery feature calculates the security scores of domain names based on threat intelligence and the default attack detection capability of Alibaba Cloud. This way, you can identify the domain names that are vulnerable to attacks. Then, you can add the domain names to WAF to prevent attacks.

Note The asset discovery feature can identify domain names from Alibaba Cloud and third-party providers. The domain names from third-party providers include the domain names of servers from third-party providers and the domain names of servers that are deployed in data centers.

Step 1: Go to the Asset Center page and authorize WAF to access cloud resources

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, click Asset Center.
On the Asset Center page, click Enable Now.
Note
You need to perform authorization only once. If you already authorized WAF to access cloud resources, skip this step.
- The first time you enable the feature, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. You can log on to the Resource Access Management (RAM) console to view the service-linked role. For more information, see View the information about a RAM role.
  After Alibaba Cloud creates the AliyunServiceRoleForWAF service-linked role, your WAF instance can access the resources of the associated cloud services, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), Alibaba Cloud DNS, Alibaba Cloud CDN, Certificate Management Service, and Simple Log Service.
- After you authorize WAF to access cloud resources, WAF automatically identifies domain names within your Alibaba Cloud account and displays the domain names on the Asset Center page.
  Note
  The asset center feature can identify domain names that are hosted on and outside Alibaba Cloud. The domain names that are hosted outside Alibaba Cloud include the domain names mapped to servers that are not deployed on Alibaba Cloud and the domain names of servers that are deployed in data centers.
  By default, the proactive fingerprint detection feature is enabled for accurate identification. The proactive fingerprint detection feature identifies the fingerprints of assets that are added to WAF by using passive traffic learning and proactive detection. Proactive fingerprint detection is performed once every two weeks to obtain comprehensive and accurate detection results. We recommend that you keep the feature enabled.

Step 2: Add a domain name

If your second-level domain name is not in the asset list, you can add the domain name to WAF.

On the Overview tab of the Asset Center page, click the icon in the upper-right corner above the asset list.
In the Add Asset dialog box, enter the domain name of your website and verify the ownership of the domain name.
The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after you successfully verify your ownership of the domain name. For more information, see Verify the ownership of a domain name.
Then, click Add.

Note

After you add the domain name, the domain name appears in the asset list on the T+1 day.

Step 3: View domain names

On the Asset Center page, view the details of the domain names.

资产中心

Data type

Description

Operation

Domain name statistics (Figure 1)

WAF displays the numbers of second-level domain names, subdomains, unprotected subdomains, unprotected high-risk subdomains, unprotected medium-risk subdomains, and unprotected low-risk subdomains within your Alibaba Cloud account. The daily change in the number of subdomains is displayed on the right side of the number of subdomains.

None

Details of domain names (Figure 2)

WAF aggregates the domain names based on the second-level domain names and displays the aggregated domain names in a list. The following section describes the information about each second-level domain name:

Second-level Domain Name: the second-level domain name of the website.
IP Address: the IP address or CNAME of the origin server.
Protected Subdomains: the number of subdomains that are protected by WAF.
Unprotected Subdomains: the number of subdomains that are not protected by WAF, and the numbers of unprotected high-risk subdomains, unprotected medium-risk subdomains, and unprotected low-risk subdomains.

Enter a keyword in the search box above the list of second-level domain names to search for second-level domain names. Fuzzy match is supported.
In the list of second-level domain names, click the icon to the left of a second-level domain name and filter the subdomains of the second-level domain name by status and risk level. The following section describes the information about each subdomain:
- Subdomain: the subdomain of the website.
- IP Address: the IP address or CNAME of the origin server.
- Fingerprint: the fingerprint information of the origin server, which is obtained based on passive traffic analysis and proactive fingerprint detection.
  After you enable the asset center feature, the proactive fingerprint detection feature is automatically enabled. You can enable or disable the feature in the upper-right corner of the domain name list.
- Severity: the risk level of the subdomain. The risk level is obtained based on the attack trend in the cloud within the previous 30 days and threat intelligence data. If the risk level of the subdomain is high, we recommend that you add the subdomain to WAF at the earliest opportunity.
- Status: the protection status of the subdomain. Valid values:
  - Not Added: The subdomain is not added to WAF. You can click Add in the Actions column to add the subdomain to WAF. For more information, see Add a domain name to WAF.
  - Added: The subdomain is added to WAF. WAF detects traffic that is destined for the subdomain and protects the subdomain.
You can click Details in the Actions column to view the threat information of the subdomain.
Note
Only subscription WAF instances of the Enterprise or Ultimate edition support this feature.

Step 4: Export domain names

On the Overview tab of the Asset Center page, select the second-level domain names that you want to export and click the icon in the upper-right corner.
On the Export Record tab of the Asset Center page, find the generated file and click Download to download the file.
Before the generated file is automatically deleted, the file is stored on Alibaba Cloud for up to three days.
Note
You can download domain names by using only an Alibaba Cloud account.