2016 Utah Cloud Summit: AWS WAF

Published on January 28, 2016

Author: 1Strategy

Source: slideshare.net

1. AWS WAF
Tom Witman

2. What is a WAF?
• A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.
• WAFs come in four flavors:
  • Pure play: stand-alone appliance or software
  • CDN: bundled with a content delivery network
  • Load balancer: bundled with a load balancer
  • Universal Threat Manager (UTM): catch-all for miscellaneous security functions

3. Why use a WAF?
• WAFs help protect web sites and applications against attacks that cause data breaches and downtime.
• General WAF use cases:
  • Protect against SQL injection (SQLi) and cross-site scripting (XSS)
  • Prevent web site scraping, crawlers, and bots
  • Mitigate DDoS (HTTP/HTTPS floods)

4. What is AWS WAF?
• AWS WAF is a CDN-bundled WAF.
• Create rule-based web ACLs to block requests.
• Unique aspects of AWS WAF:
  • Customizable rules created by customers to avoid false positives
  • Full-featured API: this is a DevOps WAF that can be deployed inline with new web sites and applications
  • Integrated with AWS (CloudFront and CloudWatch, with more to come) and with partners (Alert Logic, Trend Micro, Imperva, more to come)
  • Pay-as-you-go pricing

5. CloudFront w/o WAF (diagram)
Users, hackers, bad bots, site scraping, and SQL injection, XSS, and other attacks all arrive at the CloudFront edge location. Without a WAF, legitimate and malicious traffic alike is forwarded to the origin: EC2 behind an ELB, S3, and/or a customer on-premises environment (origin server and origin storage).

6. Traditional WAF Deployment (diagram)
The same traffic mix arrives at the CloudFront edge location and is passed through to the origin side, where a WAF running on EC2 sits between two ELBs (the "ELB sandwich": ELB -> WAF -> ELB -> EC2) in front of the origin (EC2, or a customer on-premises environment with origin and origin storage). Inspecting traffic with a WAF on EC2 in an ELB sandwich adds complexity and latency.

7. CloudFront w/ AWS WAF (diagram)
The same traffic mix arrives at the CloudFront edge location, but malicious traffic is blocked by WAF rules at the edge locations; only legitimate traffic continues to the origin (EC2 behind an ELB, S3, and/or a customer on-premises environment with origin server and origin storage).
Notes: the origin can be a custom origin; content can be static and dynamic; the other option shown is on-premises + S3.

8. Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront edge locations (PoPs), 38 cities, 5 continents (CloudFront, Amazon Route 53, AWS WAF)

9. Amazon CloudFront, Amazon Route 53, and AWS WAF Locations (map): 54 CloudFront edge locations (PoPs), 38 cities, 5 continents
• North America (15 cities, 21 PoPs): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO
• South America (2 cities, 2 PoPs): Rio de Janeiro, Brazil; São Paulo, Brazil
• Europe / Middle East / Africa (10 cities, 16 PoPs): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
• Asia Pacific (11 cities, 15 PoPs): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)
Map legend: edge location, AWS Region

10. AWS WAF Component Questions
1. What do I want to take action on? (Conditions: IP set, string match set, SQL injection match set)
2. Should I block, allow, or count? (Rules: precedence, rule, action)
3. What sites/distributions need these rules? (CloudFront distribution)
4. What should I call the container of these rules? (Web Access Control Lists, web ACLs)
5. How do I see if the rules are working? (Real-time metrics, sampled web requests)

11. AWS WAF: web ACLs
• Web ACLs contain a set of conditions, rules, and actions.
• Web ACLs are applied to one or many CloudFront distributions.
• Web ACLs show you real-time metrics and sampled web requests for each rule.

12. AWS WAF: Conditions
• Conditions are lists of criteria that identify components of web requests.
• Conditions can match on the following:
  • IP address, e.g., /8, /16, /24, /32
  • Strings, e.g., URI, query string, header, etc.
  • SQL injection, i.e., looks for valid SQL statements
• Within a condition, the criteria are logically disjoined (OR).

13. Match Conditions: SQLi
Transform: URL Decode
• /login?x=test%20Id=10%20AND=1 -> SQL injection match: False
• /login?x=test%27%20UNION%20ALL%20select%20NULL%20-- -> after URL decode: /login?x=test' UNION ALL select NULL -- -> SQL injection match: True

14. AWS WAF: Rules
• Rules are sets of conditions with a predetermined action.
• Available actions are: Block, Allow, Count.
• Rules logically join their conditions (AND).
• Rules can be applied to many web ACLs.
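Slides 12 through 14 describe the evaluation model: the criteria inside a condition are OR-ed, a rule AND-s its conditions and carries one action, and a web ACL evaluates its rules in order and falls back to a default action. The following Python is an added example written for this page, not 1Strategy's or AWS's code: a small simulator of that model with the three condition types, the text transforms (including the URL decode from slide 13), and Block/Allow/Count actions. The IP ranges, sample requests, rule names and the SQL injection regex are constructed assumptions; AWS's real SQLi detector is not public, so the regex merely stands in for it.

```python
import ipaddress
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class WebRequest:
    source_ip: str
    uri: str
    query_string: str = ""
    headers: Dict[str, str] = field(default_factory=dict)   # keys stored lowercase

    def part(self, name: str) -> str:
        """Return the request component a condition inspects: URI, QUERY_STRING or HEADER:<name>."""
        if name == "URI":
            return self.uri
        if name == "QUERY_STRING":
            return self.query_string
        if name.startswith("HEADER:"):
            return self.headers.get(name.split(":", 1)[1].lower(), "")
        raise ValueError(f"unknown request part {name}")


# Text transformations applied to the inspected part before matching.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "NONE": lambda s: s,
    "URL_DECODE": urllib.parse.unquote_plus,
    "LOWERCASE": str.lower,
}

# Constructed stand-in for the SQLi detector: a quote followed by a SQL keyword, or a
# SQL comment sequence. Good enough to separate the two requests from slide 13.
SQLI_PATTERN = re.compile(
    r"['\"]\s*(union|select|or|and|insert|update|delete|drop)\b|--|/\*", re.IGNORECASE)


class IPSetCondition:
    """IP set: matches if the source IP is inside ANY listed CIDR (criteria are OR-ed)."""
    def __init__(self, cidrs: List[str]):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def matches(self, req: WebRequest) -> bool:
        ip = ipaddress.ip_address(req.source_ip)
        return any(ip in net for net in self.networks)


class StringMatchCondition:
    """String match set: (part, transform, substring) descriptors; any one matching suffices."""
    def __init__(self, descriptors: List[Tuple[str, str, str]]):
        self.descriptors = descriptors

    def matches(self, req: WebRequest) -> bool:
        return any(needle in TRANSFORMS[t](req.part(p)) for p, t, needle in self.descriptors)


class SqlInjectionCondition:
    """SQL injection match set: (part, transform) descriptors; any part that looks like SQLi matches."""
    def __init__(self, descriptors: List[Tuple[str, str]]):
        self.descriptors = descriptors

    def matches(self, req: WebRequest) -> bool:
        return any(SQLI_PATTERN.search(TRANSFORMS[t](req.part(p))) for p, t in self.descriptors)


@dataclass
class Rule:
    name: str
    action: str                              # BLOCK, ALLOW or COUNT
    predicates: List[Tuple[bool, object]]    # (negated, condition); ALL must hold (AND)

    def matches(self, req: WebRequest) -> bool:
        return all(cond.matches(req) != negated for negated, cond in self.predicates)


@dataclass
class WebACL:
    rules: List[Rule]                        # evaluated in priority order
    default_action: str = "ALLOW"

    def evaluate(self, req: WebRequest) -> Tuple[str, List[str]]:
        """Return (final action, names of rules that matched in COUNT mode)."""
        counted: List[str] = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == "COUNT":       # COUNT only records; evaluation continues
                counted.append(rule.name)
                continue
            return rule.action, counted
        return self.default_action, counted


def build_demo_acl() -> WebACL:
    """Constructed web ACL: a bad-bot IP set, a SQLi rule, and a COUNT rule for scripted clients."""
    bad_bots = IPSetCondition(["203.0.113.0/24"])
    sqli = SqlInjectionCondition([("QUERY_STRING", "URL_DECODE"), ("URI", "URL_DECODE")])
    scripted = StringMatchCondition([("HEADER:User-Agent", "LOWERCASE", "python-requests")])
    return WebACL([Rule("block-bad-bots", "BLOCK", [(False, bad_bots)]),
                   Rule("block-sqli", "BLOCK", [(False, sqli)]),
                   Rule("count-scripted-clients", "COUNT", [(False, scripted)])], "ALLOW")


# Constructed requests; the first two are the query strings from slide 13.
SAMPLE_REQUESTS = {
    "benign": WebRequest("198.51.100.9", "/login", "x=test%20Id=10%20AND=1", {"user-agent": "Mozilla/5.0"}),
    "sqli": WebRequest("198.51.100.9", "/login", "x=test%27%20UNION%20ALL%20select%20NULL%20--", {"user-agent": "Mozilla/5.0"}),
    "bad_bot": WebRequest("203.0.113.7", "/", "", {"user-agent": "Mozilla/5.0"}),
    "scripted": WebRequest("198.51.100.9", "/api", "", {"user-agent": "Python-Requests/2.0"}),
}


def evaluate_samples() -> Dict[str, Tuple[str, List[str]]]:
    acl = build_demo_acl()
    return {name: acl.evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (action, counted) in evaluate_samples().items():
        print(f"{name:9} -> {action} counted={counted}")
```

The COUNT branch is the piece worth noticing: a matching COUNT rule is recorded and evaluation moves on, which is how a new rule can be trialled against live traffic (slide 16's counted-request metric) before it is switched to BLOCK.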

15. AWS WAF: Resources
• Web ACLs: applied to CloudFront distributions today
• Reuse: use one web ACL for all distributions
• Flexibility: use an individual web ACL for each distribution
• AWS partners developing integrations with AWS WAF:
  • Trend Micro: Deep Security
  • Imperva: Threat Radar
  • Alert Logic: Web Security Manager

16. AWS WAF: Reporting & Logs
• Real-time metrics (CloudWatch):
  • Blocked web requests
  • Allowed web requests
  • Counted web requests
• Rules can be adjusted in response to real-time analysis.
• The time period can be adjusted by sliding the graph end points or via filters.

17. AWS WAF: Request Process (diagram)
1. An HTTP/HTTPS request for content is made to CloudFront.
2. CloudFront checks whether the request needs WAF inspection.
3. AWS WAF reviews the request and instructs CloudFront to allow or deny it.
4. ALLOW REQUEST: content is delivered via CloudFront. DENY REQUEST: an error page is delivered by CloudFront.
5. AWS WAF sends a metric to CloudWatch; the customer can update rules via the API.

18. AWS WAF: End to End Flow
1. Create web ACL
2. Create conditions (IP, string match, SQL injection)
3. Create rules and actions (order, rule, action)
4. Associate web ACL with a CloudFront distribution
5. Review and create

19. AWS WAF: API & Data Types
• API actions: Create, Delete, Get, List, Update
• Data types: ChangeToken, ChangeTokenStatus, WebACL, IPSet, StringMatchSet, SqlInjectionMatchSet, Rule

20. AWS WAF: APIs
1. Get change token: a change token can be used only once to make a change to WAF resources.
2. Use the token to make a change: provide the change token with the change request.
3. Check status using the token: use the token to determine the status of your changes. INSYNC means the changes have been propagated.

21. AWS WAF Example: Blocking Bad Bots

22. AWS WAF Example: Blocking Bad Bots
What we need:
• IP set: contains our list of blocked IP addresses
• Rule: blocks requests whose source IP matches an address in our IP set
• Web ACL: allows requests by default and contains our rule, plus:
• A mechanism to detect bad bots
• A mechanism to add bad bot IP addresses to the IP set

23. AWS WAF Example: Blocking Bad Bots
• Use robots.txt to specify which areas of your site or web app should not be scraped.
• Place the file in your web root.
• Ensure there are links pointing to the non-scrapable content.
• Hide a trigger script that normal users don't see and good bots ignore.

$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/

<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>

24. AWS WAF Example: Blocking Bad Bots
• Bad bots (ignoring your robots.txt) will request the hidden link.
• The trigger script detects the source IP of the request.
• The trigger script requests a change token.
• The trigger script adds the source IP to the IP set blacklist.
• The web ACL will block subsequent requests from that source.

$ aws --endpoint-url https://waf.amazon.com/ waf get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}

$ aws --endpoint-url https://waf.amazon.com/ waf update-ip-set --cli-input-json '{
    "IPSetId": "<<IP SET ID>>",
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f",
    "Updates": [
        {
            "Action": "INSERT",
            "IPSetDescriptor": {
                "Type": "IPV4",
                "Value": "<<SOURCE IP>>/32"
            }
        }
    ]
}'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
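The change-token workflow from slide 20 and the honeypot trigger script from slides 23 and 24, combined in one added Python example that is not part of the original deck. It uses the call names and argument shapes of the classic AWS WAF API as exposed by boto3 (get_change_token, update_ip_set, get_change_token_status) but runs offline against a constructed fake client, so the single-use token rule and the poll for INSYNC can be exercised without an AWS account; swapping in boto3.client("waf") gives the real thing. The IP set id, the addresses, the /honeypot/ path and the WSGI app are assumptions for the demo. Two defensive details the slides leave implicit are included: the source address is validated with ipaddress before it is written into the IP set, and behind CloudFront the viewer address is taken from X-Forwarded-For, which the script honours only when told it is behind the CDN.

```python
import ipaddress
import time
import uuid


class FakeWafClient:
    """Constructed offline stand-in for boto3.client('waf'): same three calls, and it
    enforces the rule that a change token can be spent only once."""

    def __init__(self):
        self.ip_sets = {}   # IPSetId -> set of CIDR strings
        self.tokens = {}    # ChangeToken -> PROVISIONED | PENDING | INSYNC

    def get_change_token(self):
        token = str(uuid.uuid4())
        self.tokens[token] = "PROVISIONED"
        return {"ChangeToken": token}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        if self.tokens.get(ChangeToken) != "PROVISIONED":
            raise RuntimeError("WAFStaleDataException: change token unknown or already used")
        members = self.ip_sets.setdefault(IPSetId, set())
        for update in Updates:
            value = update["IPSetDescriptor"]["Value"]
            if update["Action"] == "INSERT":
                members.add(value)
            elif update["Action"] == "DELETE":
                members.discard(value)
        self.tokens[ChangeToken] = "PENDING"
        return {"ChangeToken": ChangeToken}

    def get_change_token_status(self, ChangeToken):
        if self.tokens.get(ChangeToken) == "PENDING":
            self.tokens[ChangeToken] = "INSYNC"    # the fake propagates on the first poll
        return {"ChangeTokenStatus": self.tokens[ChangeToken]}


def block_source_ip(waf, ip_set_id, source_ip, poll_interval=0.0, max_polls=10):
    """Slide 20's three steps: get a token, spend it on one update, poll until INSYNC."""
    addr = ipaddress.ip_address(source_ip)     # ValueError on anything that is not an IP
    if addr.version != 4:
        raise ValueError("this demo only writes IPV4 descriptors")
    token = waf.get_change_token()["ChangeToken"]
    waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=[
        {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{addr}/32"}}])
    status = "PENDING"
    for _ in range(max_polls):
        status = waf.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"]
        if status == "INSYNC":
            break
        time.sleep(poll_interval)
    return status


def client_ip(environ, behind_cdn):
    """Behind CloudFront the viewer is the first X-Forwarded-For entry; off-CDN that header
    is attacker-controlled, so it is only honoured when behind_cdn is set."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if behind_cdn and forwarded:
        return forwarded.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def make_honeypot_app(waf, ip_set_id, blocked, behind_cdn):
    """WSGI trigger script for the hidden /honeypot/ link of slide 23 (assumed path)."""
    def app(environ, start_response):
        if environ.get("PATH_INFO", "").startswith("/honeypot/"):
            ip = client_ip(environ, behind_cdn)
            blocked.append((ip, block_source_ip(waf, ip_set_id, ip)))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    return app


def run_demo():
    """Two constructed requests through the CDN: a normal page view, then a bot that ignored
    robots.txt and fetched the hidden link. Returns (ip sets, blocked log, response statuses)."""
    waf, blocked = FakeWafClient(), []
    app = make_honeypot_app(waf, "IPSET-ID-PLACEHOLDER", blocked, behind_cdn=True)

    def call(path, edge_ip, viewer_ip):
        env = {"PATH_INFO": path, "REMOTE_ADDR": edge_ip, "HTTP_X_FORWARDED_FOR": viewer_ip}
        seen = {}
        app(env, lambda status, headers: seen.setdefault("status", status))
        return seen["status"]

    statuses = [call("/", "192.0.2.10", "198.51.100.5"),
                call("/honeypot/", "192.0.2.10", "203.0.113.7")]
    return waf.ip_sets, blocked, statuses


if __name__ == "__main__":
    print(run_demo())
```

In production the trigger should also rate-limit itself: every hit on the honeypot spends a change token and a propagation cycle, so batching newly seen addresses into one update_ip_set call per token is cheaper than one call per request.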

25. Pricing
Three pricing dimensions:
• Web ACL monthly charge: $5 / web ACL
• Rule monthly charge: $1 / rule
• Request fee: $0.60 / million requests
Pricing is available online at: http://aws.amazon.com/waf/pricing/

26. Pricing Example
ACME Corporation runs 5 CloudFront distributions, one for each web site. ACME sets up 1 web ACL with 10 shared rules and applies the web ACL to each web site. Each web site has an average HTTP/HTTPS request volume of about 5.5 million, or a total of 275 million requests.
• ACME would be charged: (1 web ACL @ $5) + (10 rules @ $1 each) + (275 MM requests @ $0.60/MM)
• The total charge is: $5 for the web ACL + $10 for rules + $165 for requests = $170/month.
• This is in ADDITION to the CloudFront fees.

27. Which WAF Solution is Right?
1. Do you need basic WAF protection such as IP blacklists or referrer checking? (3)
2. Do you need protection against SQLi and XSS? (3)
3. Do you need rate-based protection against attacks like scrapers, bots, and/or HTTP floods? (1)
4. Do you need configurations that support basic customizations for your applications? (1,3)
5. Do you need configurations that are highly customized (e.g. full regex support) to your specific applications? (2)
6. Do you need to customize rules based on behavioral analysis? (2)
7. Do you need a WAF that offers a large library of rules and/or updates rules based on current and emerging threats? (2,4)
8. Do you require a third party (AWS consulting partner) to manage rules and customize your configurations? (4)

28. AWS WAF: Q&A
