
Check Your Firewall for Security Compliance

Learning Objectives

After completing this unit, you’ll be able to:

  • List the industry standards used within the Salesforce B2C Commerce eCDN WAF.
  • Describe what the eCDN WAF does.
  • Explain the eCDN WAF settings.
  • Explain how you determine how strictly you want security settings enforced.

The eCDN WAF

Linda Rosenberg, the Cloud Kicks admin, is all about securing her site from malicious attacks. One of the tools she uses is an enterprise content delivery network (eCDN) web application firewall (WAF), which is all about security standards compliance.


The B2C Commerce eCDN follows the Open Web Application Security Project (OWASP) rule set for compliance standards. OWASP is an international nonprofit organization dedicated to web application security. Its mission is to provide best practices for application security and to be an unbiased source of information that is available to everyone. When an external request triggers an OWASP rule, that rule increases the request’s overall OWASP threat score. The B2C Commerce eCDN WAF uses that score.

The WAF’s primary job is to protect the Cloud Kicks storefront using Layer 7 protection, part of another standard: the Open Systems Interconnection model (OSI). OSI is an industry effort to get participants to agree on common network standards for multivendor interoperability. Layer 7 sits below the user interfaces and on top of the other six layers of the model. It is the layer where data is presented in a form that user-facing applications can use, and where DDoS attacks often take place.

Layer 7 protection shields both production and development instance hostnames from code-level vulnerabilities such as SQL injection attacks, cross-site scripting, and other OWASP-identified threats that target the application layer.

What Does the WAF Do?

All requests to a storefront are made via http/s (full site) and AJAX (small data snippets). The eCDN WAF keeps busy watching and using this data as it comes into the system. Here are some of its activities.

  • Examines all engagements to a merchant’s site, from normal shopper to bot traffic to malicious requests
  • Evaluates each request and assigns it a score based on its threat level, using the OWASP rule set
  • Performs a deep inspection of every request for all common forms of web traffic and filters out malicious traffic from real shoppers
  • Identifies and isolates or blocks abnormal, malicious traffic and prevents the threat from reaching the server

The WAF is careful not to block legitimate requests, especially when a bot places an order properly. Every sale is important. To prevent fraudulent order attacks, Linda asks her developer, Vijay Lahiri, to implement CAPTCHA or a rate limiter on the order submission page.

WAF Settings

Linda takes trust seriously. Checking her WAF settings and enabling the ones she wants to use is an important step in getting her site holiday ready. She uses Business Manager to configure her WAF and access its logs. She determines how strictly she wants security settings enforced based on the type of traffic her site receives and her company’s risk tolerance. 

eCDN WAF actions are triggered based on the threat score that B2C Commerce assigns to a request at detection. Business Manager provides three sensitivity settings for the OWASP rule set. For each type of request (http/s or Ajax), depending on the sensitivity setting, B2C Commerce assigns a threat score if the OWASP rule is triggered. A threat’s score increases when it triggers an OWASP rule. 

This gives Linda a lot of flexibility. At one of the Cloud Kicks popup sites, for example, certain types of bots are an acceptable risk to the business. They trigger the WAF, so she wants to configure a low sensitivity setting there.

Let’s take a look at these settings.

Zone

A CDN configuration is organized around zones. A zone represents a root or apex domain (for example, cloudkicks.com). A hostname is a subdomain of a specific zone (for example, www.cloudkicks.com). In B2C Commerce, you can create hostname aliases that are short, meaningful URLs for external search engines to index. You should assign at least one hostname alias that’s the current hostname on which the instance is running.

B2C Commerce examines the hostname alias files for the development and production instances across all realms. It aggregates this information and derives the names of zones by inspecting the hostname entries in the alias files. For example, the hostname alias file for Linda’s production instance contains an entry for www.cloudkicks.com, from which B2C Commerce creates the zone cloudkicks.com.

Action

Linda can select from three action modes to respond to detected threats.

  • Simulate: Log the event without blocking or challenging the web request.
  • Challenge: Make a visitor respond to a CAPTCHA challenge before proceeding if their incoming web request is suspicious.
  • Block: Stop the request from reaching the server.

Sensitivity Level

The sensitivity is for http/s requests, the most common type of request. The WAF blocks more requests when the sensitivity is set at a higher level. It becomes less suspicious (and lets more traffic through) when sensitivity is set at a lower level. 

Here are the settings.

  • Low: Threat score of 60 and higher
  • Medium: Threat score of 40 and higher
  • High: Threat score of 25 and higher

Salesforce recommends that you use a medium or high sensitivity setting. Based on your log analysis, however, you can change the sensitivity. Your site might be detecting too many real shoppers as bad actors, or letting too many bad actors through.

Ajax Requests

  • Low: Threat score of 120 and higher
  • Medium: Threat score of 80 and higher
  • High: Threat score of 65 and higher

Configure eCDN WAF Settings

Linda gets started by enabling her WAF in Simulate mode. Here’s how she does it.

  1. Open Business Manager.
  2. Click Administration > Sites > Embedded CDN Settings.
  3. Select a zone: cloudkicks.com
  4. On the WAF tab, select Enabled to enable WAF (the default for new proxy zones).
  5. Select the Simulate action. The WAF starts logging requests, which you can review for issues.

About a week later, Linda changes the action to Challenge so she can get an idea of what her threats look like. Here’s how she does it.

  1. Open Business Manager.
  2. Click Administration > Sites > Embedded CDN Settings.
  3. Select a zone: cloudkicks.com
  4. Select an action: Challenge. The WAF presents a CAPTCHA to users and continues logging requests, which you can review for issues.
  5. Select an http/s sensitivity level: Medium
  6. Select an Ajax request level: Medium
  7. Select a time (based on the UTC time zone): 05:00 am
  8. Click Request Log.

When the log file is available for download, B2C Commerce sends a message to Linda’s Business Manager email account with a link to the log. She downloads the log to analyze her traffic and adjust sensitivity accordingly.

Example

This table shows some of the setting combinations that Linda considers.

| Sensitivity | Action    | Visitor | Score | What happens |
|-------------|-----------|---------|-------|--------------|
| Low         | Challenge | A       | 55    | The visitor lands on the storefront with no CAPTCHA page. |
| Low         | Challenge | B       | 70    | The visitor sees a CAPTCHA page. If they are successful, they land on the storefront. |
| Low         | Challenge | C       | 70    | The visitor sees a CAPTCHA page. If they are unsuccessful, they land on an error page. |
| Medium      | Block     | A       | 30    | The visitor lands on the storefront. |
| Medium      | Block     | B       | 50    | The visitor sees a block page and can’t access the site. |
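
The following Python example is added here and is not Salesforce code. It applies the http/s and Ajax thresholds from this unit to threat scores, reproduces the table rows, and counts how many logged requests each sensitivity level would act on. The record fields and SAMPLE_LOG are constructed for illustration; the actual eCDN log format is not shown in this unit.

```python
from collections import Counter

# Thresholds from this unit: the WAF acts when the score is at or above the value.
THRESHOLDS = {
    "https": {"low": 60, "medium": 40, "high": 25},
    "ajax": {"low": 120, "medium": 80, "high": 65},
}
# Effect of each action mode on a request that meets the threshold.
ACTIONS = {"simulate": "logged", "challenge": "captcha", "block": "blocked"}


def waf_outcome(score, request_type, sensitivity, action):
    """Return 'pass' below the threshold, otherwise the configured action's effect."""
    threshold = THRESHOLDS[request_type][sensitivity]
    return ACTIONS[action] if score >= threshold else "pass"


def what_if(records, action):
    """Count outcomes per sensitivity level over records gathered in Simulate mode.

    The same level is applied to http/s and Ajax here for simplicity; in
    Business Manager the two are selected separately.
    """
    report = {}
    for sensitivity in ("low", "medium", "high"):
        report[sensitivity] = Counter(
            waf_outcome(r["score"], r["type"], sensitivity, action) for r in records
        )
    return report


# Constructed sample records; field names are assumptions, not the eCDN log schema.
SAMPLE_LOG = [
    {"path": "/cart", "type": "https", "score": 55},
    {"path": "/search", "type": "https", "score": 70},
    {"path": "/checkout", "type": "https", "score": 30},
    {"path": "/product/123", "type": "https", "score": 50},
    {"path": "/minicart", "type": "ajax", "score": 70},
    {"path": "/suggest", "type": "ajax", "score": 90},
]

if __name__ == "__main__":
    for level, counts in what_if(SAMPLE_LOG, "block").items():
        print(f"{level:<6} {dict(counts)}")
```

Comparing the per-level counts against requests known to come from real shoppers shows whether a level would challenge or block too much legitimate traffic before the action is changed from Simulate.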

eCDN Considerations

Here are some eCDN considerations that Linda found useful.

  • Check the SSL certificate expiry dates for all hostnames.
  • Set appropriate security levels for your firewall, and review which IP addresses belong on the allowlist: IPs that you trust, such as store and office locations.
  • Set up maintenance pages and configure auto-minify (reduce source code file size) and polish (image optimizer).
  • Ensure you’re using the CNAME endpoints for your subdomains. Make sure that you can run the command dig www.mywebsite.com on your terminal to verify that the DNS is pointing to eCDN.
  • Ensure your root/apex domains are configured to support HTTPS. In the DNS map, your root (for example, domainexample.com) should also point to the eCDN CNAME or have a redirect set up.
  • On a stacked eCDN setup, if you want to capture the end users’ IPs, configure the Client IP Header Name in Business Manager. This is the header name sent by the stacked CDN. If you don’t configure it, you won’t get the true end user IP. You’ll see the stacked CDN’s IP instead.

Next Steps

In this unit, you learned that the B2C Commerce eCDN WAF is all about industry standards compliance. You learned what the WAF does and how to configure it, and looked at a few examples. Next, learn how to mitigate bots.  
