AWS WAF
Tel Aviv Loft, 9 March 2016
Tom Witman, Business Development, AWS Seattle
Today’s Agenda
• AWS WAF Overview
• AWS WAF with CloudFront
• AWS WAF Automation with AWS Lambda
• Customer Example / Use Case: Magazine Luiza
What is a WAF?
• A Web Application Firewall (WAF) is an appliance, server plugin, or software filter that applies a set of rules to HTTP traffic, providing Layer 7 (application) protection.
• WAFs come in four flavors:
  • Pure play: stand-alone appliance or software
  • CDN: bundled with a Content Delivery Network
  • Load balancer: bundled with a load balancer
  • Unified Threat Management (UTM): catch-all appliance for miscellaneous security functions
What is AWS WAF?
Web application firewall (WAF) that gives you control over who (or what) can access your web applications.
• Full-featured API
• Customizable security
• Integrated with Amazon CloudFront: protection at the edge
• Use cases: protection against exploits, abuse, and application-layer DDoS
[Figure: Web site without AWS WAF. Good users and attackers both reach the web site directly; the attackers' exploit traffic gets through.]
[Figure: Web site with Amazon CloudFront + AWS WAF. Requests from good users and attackers pass through CloudFront and AWS WAF before reaching the web site; the exploit traffic is stopped at the edge.]
Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
• North America (15 cities, 21 PoPs): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO
• South America (2 cities, 2 PoPs): Rio de Janeiro, Brazil; São Paulo, Brazil
• Europe / Middle East / Africa (10 cities, 16 PoPs): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
• Asia Pacific (11 cities, 15 PoPs): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)
[Map legend: each edge location serves CloudFront, Amazon Route 53, and AWS WAF; AWS Regions are marked separately.]
AWS WAF Set Up Questions
1. What do I want to take action on? (Conditions – IP / String Match Set / SQL injection match sets)
2. Should I block, allow, count? (Rules - Precedence / Rule / Action)
3. What sites/distributions need these rules? (CloudFront Distribution)
4. What should I call the container of these rules? (Web Access Control Lists – WebACLs)
5. How do I see if the rules are working? (Real Time Metrics, Sampled Web Requests)
AWS WAF: WebACLs
•WebACLs contain a set of conditions, rules, and actions.
•WebACLs are applied to one or many CloudFront distributions.
•WebACLs show you Real-Time Metrics & Sampled Web Requests for each rule.
AWS WAF: Conditions
Conditions are lists of criteria that identify components of web requests. Conditions include matching on the following:
• IP address, i.e., /8, /16, /24, /32
• Strings, i.e., URI, query string, header, etc.
• SQL injection, i.e., looks for valid SQL statements
Conditions are logically disjoined, i.e., "OR": a condition matches when any one of its entries matches.
[Figure: Match Conditions: SQLi. Two query strings pass through the URL Decode transform and then the SQL injection match:
/login?x=test%20Id=10%20AND=1 → Match: SQL Injection → False
/login?x=test%27%20UNION%20ALL%20select%20NULL%20-- → /login?x=test' UNION ALL select NULL -- → Match: SQL Injection → True]
AWS WAF: Rules
Rules are sets of conditions with a predetermined action. Available actions are:
• Block
• Allow
• Count
Rules logically join their conditions, i.e., "AND": a rule matches only when all of its conditions match. Rules can be applied to many WebACLs.
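The OR-within-a-condition and AND-within-a-rule semantics above, together with the transform step from the SQLi slide, as an added example; this is not code from the deck or from AWS. It is a small evaluator over a WebACL written as plain dicts. The rule names, IP ranges and requests are constructed, and the SQL injection check is a deliberately narrow keyword heuristic standing in for the managed detector (an assumption of the example, not how AWS WAF detects SQLi). What it shows: a COUNT rule records a match and lets evaluation continue, a BLOCK or ALLOW rule stops it, rules run in priority order, and the URL_DECODE transform is what lets the second query string from the slide be recognised.

```python
import ipaddress
import re
from urllib.parse import unquote

# Narrow keyword heuristic standing in for the service's SQL injection
# detector. This is an assumption of the example, not AWS WAF's own logic.
SQLI_RE = re.compile(
    r"['\"]\s*(?:or|and|union)\b|\bunion\s+(?:all\s+)?select\b", re.I)


def apply_transform(value, name):
    """Text transformation run on the field before matching."""
    if name == "NONE":
        return value
    if name == "URL_DECODE":
        return unquote(value)
    if name == "LOWERCASE":
        return value.lower()
    raise ValueError("unknown transform %r" % name)


def get_field(request, name):
    """Pick the part of the request a string/SQLi condition inspects."""
    if name == "URI":
        return request["uri"]
    if name == "QUERY_STRING":
        return request["query"]
    if name.startswith("HEADER:"):
        return request["headers"].get(name[len("HEADER:"):].lower(), "")
    raise ValueError("unknown field %r" % name)


def condition_matches(cond, request):
    """A condition is an OR over its own entries: any IP range or any string
    value matching is enough."""
    kind = cond["type"]
    if kind == "IPMatch":
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in ipaddress.ip_network(c) for c in cond["cidrs"])
    text = apply_transform(get_field(request, cond["field"]),
                           cond.get("transform", "NONE"))
    if kind == "StringMatch":  # CONTAINS positional constraint
        return any(v in text for v in cond["values"])
    if kind == "SqliMatch":
        return bool(SQLI_RE.search(text))
    raise ValueError("unknown condition type %r" % kind)


def evaluate(web_acl, request):
    """Rules run in priority order. A rule fires only when ALL of its
    conditions match (AND). BLOCK and ALLOW end evaluation; COUNT records the
    match and continues. Returns (final action, names of rules that matched)."""
    matched = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if all(condition_matches(c, request) for c in rule["conditions"]):
            matched.append(rule["name"])
            if rule["action"] != "COUNT":
                return rule["action"], matched
    return web_acl["default_action"], matched


# Constructed WebACL: names and address ranges are invented for the example.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "block-known-bad-ips", "priority": 1, "action": "BLOCK",
         "conditions": [{"type": "IPMatch", "cidrs": ["198.51.100.0/24"]}]},
        {"name": "count-admin-probes", "priority": 2, "action": "COUNT",
         "conditions": [{"type": "StringMatch", "field": "URI",
                         "transform": "LOWERCASE",
                         "values": ["/admin", "/wp-login.php"]}]},
        {"name": "block-sqli", "priority": 3, "action": "BLOCK",
         "conditions": [{"type": "SqliMatch", "field": "QUERY_STRING",
                         "transform": "URL_DECODE"}]},
    ],
}

# Constructed requests; the two query strings are the ones from the slide.
REQUESTS = {
    "benign": {"ip": "203.0.113.10", "uri": "/login", "headers": {},
               "query": "x=test%20Id=10%20AND=1"},
    "sqli": {"ip": "203.0.113.10", "uri": "/login", "headers": {},
             "query": "x=test%27%20UNION%20ALL%20select%20NULL%20--"},
    "probe": {"ip": "203.0.113.11", "uri": "/WP-Login.php", "headers": {},
              "query": ""},
    "bad_ip": {"ip": "198.51.100.7", "uri": "/", "headers": {}, "query": ""},
}


def demo():
    return {name: evaluate(WEB_ACL, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, (action, rules) in demo().items():
        print("%-7s -> %-5s via %s" % (name, action, rules or "default action"))
```

The "probe" request is the one to look at when reasoning about precedence: the COUNT rule matches it, but because COUNT does not terminate evaluation the request still reaches the SQLi rule and finally the default action, which is exactly how you test a new rule in production before switching it to BLOCK.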
AWS WAF: Resources
WebACLs: applied to CloudFront distributions today
• Rule reusability: use one WebACL for all distributions
• Flexibility: use an individual WebACL for each distribution
AWS Partners: developing integrations with AWS WAF
• Trend Micro: Deep Security (GitHub: https://github.com/deep-security/aws-waf; blog: http://aws.trendmicro.com/aws-waf-and-deep-security/)
• Imperva: Threat Radar
• Alert Logic: Web Security Manager
AWS WAF: Reporting & Logs
Real-Time Metrics (CloudWatch):
• Blocked web requests
• Allowed web requests
• Counted web requests
Adjust rules in response to real-time analysis. The time period can be adjusted by sliding the graph end points or via filters.
AWS WAF: End to End Flow
1. Create WebACL
2. Create Conditions (IP, string match, SQL injection)
3. Create Rules and Actions (order, rule, action)
4. Associate WebACL with a CloudFront distribution
5. Review and Deploy
AWS WAF: API & Data Types
API actions: Create, Delete, Get, List, Update
Data types:
• ChangeToken
• ChangeTokenStatus
• WebACL
• IPSet
• StringMatchSet (ByteMatchSet in the API)
• SqlInjectionMatchSet
• Rule
AWS WAF: APIs
1. Get Change Token: a change token can only be used once to make a change to WAF resources.
2. Use Token to Make a Change: provide the change token with the change request.
3. Check Status Using Token: use the token to determine the status of your changes. The status moves from PROVISIONED (token issued, not yet used) to PENDING (change being propagated) to INSYNC; INSYNC means the changes have propagated to the edge locations.
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF + AWS Lambda = Automatic Protection
What is AWS Lambda?
Lambda automatically runs your code without requiring you to provision servers.
• "Server-less" scripting; event-driven actions
• Integrated with other AWS services
• Use cases: scheduled events, provisioning services, and customer analysis
Why build automated security?
• Bad guys are adaptive and persistent
• Better protection
• Integrate application-specific or open-source data sources
• Sophisticated out-of-band analysis
[Figure: Automated security. Good users and attackers send requests to the web site; its logs feed threat analysis, a rule updater turns the analysis into rules, and the rules stop the exploit traffic.]
[Figure: Automated security in a traditional data center: the same loop (logs → threat analysis → rule updater → rules), with every component running on hardware you operate.]
[Figure: Automated security on AWS makes it easier: the same loop, built from AWS services.]
Other AWS Services we’ll use
Amazon CloudFront, Amazon CloudWatch, AWS CloudFormation, Amazon S3, Amazon API Gateway
Types of attacks that can be automated
• HTTP floods
• Scans & probes
• IP reputation lists
• Bots & scrapers
IP reputation lists
Collection of IP addresses with a bad reputation based on sending history
• Open proxies or known hosts that send spam/trojans/viruses
• Constantly changing/updating
• Solution: import open-source lists (e.g., Emerging Threats, SSL Blacklist, Tor node list) and refresh them on a schedule using CloudWatch Events
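The reputation-list import above, combined with the three-step change-token flow from the API slides (get a token, make the change, poll until INSYNC), as one added example; this is not code from the deck or from AWS. The boto3 `waf` client method names and response shapes it relies on (get_ip_set, get_change_token, update_ip_set, get_change_token_status) are real; the in-memory FakeWafClient that stands in for boto3.client('waf') so the script runs offline, the IPSet id, the feed text and the batch size are assumptions. Two details the code makes concrete: a change token is single-use, so every UpdateIPSet batch fetches a fresh one (the fake raises a WAFStaleDataException-style error on reuse, as the service does), and a classic IPv4 IPSet only accepts /8, /16, /24 and /32, so feed entries of other sizes are expanded before they are sent.

```python
import ipaddress
import time

ALLOWED_V4_PREFIXES = (8, 16, 24, 32)  # the only IPv4 sizes a classic IPSet accepts

def to_waf_cidrs(entry):
    """Normalise one IP/CIDR to an accepted prefix length; a /22 becomes four /24s. IPv6 is skipped here."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        return []
    target = min(p for p in ALLOWED_V4_PREFIXES if p >= net.prefixlen)
    return [str(s) for s in net.subnets(new_prefix=target)]

def parse_reputation_list(text):
    """Assumed feed format: one IP or CIDR per line, '#' starts a comment."""
    cidrs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            try:
                cidrs.update(to_waf_cidrs(entry))
            except ValueError:
                pass  # malformed line: skip it rather than abort the whole sync
    return cidrs

def apply_updates(client, ip_set_id, updates, batch=1000):
    """A change token is single-use, so fetch a fresh one per UpdateIPSet call; return the tokens."""
    tokens = []
    for i in range(0, len(updates), batch):
        token = client.get_change_token()["ChangeToken"]
        client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates[i:i + batch])
        tokens.append(token)
    return tokens

def wait_in_sync(client, token, attempts=30, delay=2.0):
    """Poll GetChangeTokenStatus until INSYNC, i.e. the change has propagated to the edge."""
    for _ in range(attempts):
        if client.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"] == "INSYNC":
            return True
        time.sleep(delay)
    return False

def sync_ip_set(client, ip_set_id, feed_text, batch=1000, delay=2.0):
    """Make the IPSet equal the feed: INSERT new entries, DELETE stale ones."""
    desired = parse_reputation_list(feed_text)
    current = {d["Value"] for d in client.get_ip_set(IPSetId=ip_set_id)["IPSet"]["IPSetDescriptors"]}
    updates = [{"Action": act, "IPSetDescriptor": {"Type": "IPV4", "Value": v}}
               for act, values in (("INSERT", desired - current), ("DELETE", current - desired))
               for v in sorted(values)]
    tokens = apply_updates(client, ip_set_id, updates, batch)
    return {"inserted": len(desired - current), "deleted": len(current - desired), "tokens": len(tokens),
            "in_sync": all(wait_in_sync(client, t, delay=delay) for t in tokens)}

class FakeWafClient:
    """In-memory stand-in for boto3.client('waf') so the flow runs offline; method names and
    response shapes mirror the real client (assumption of this example)."""
    def __init__(self, ip_set_id, existing):
        self.sets = {ip_set_id: set(existing)}
        self.tokens = {}  # token -> PROVISIONED / PENDING / INSYNC

    def get_ip_set(self, IPSetId):
        return {"IPSet": {"IPSetId": IPSetId, "IPSetDescriptors":
                          [{"Type": "IPV4", "Value": v} for v in sorted(self.sets[IPSetId])]}}

    def get_change_token(self):
        token = "tok-%d" % (len(self.tokens) + 1)
        self.tokens[token] = "PROVISIONED"
        return {"ChangeToken": token}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        if self.tokens.get(ChangeToken) != "PROVISIONED":
            raise RuntimeError("WAFStaleDataException: change token already used")
        for u in Updates:
            op = self.sets[IPSetId].add if u["Action"] == "INSERT" else self.sets[IPSetId].discard
            op(u["IPSetDescriptor"]["Value"])
        self.tokens[ChangeToken] = "PENDING"
        return {"ChangeToken": ChangeToken}

    def get_change_token_status(self, ChangeToken):
        status = self.tokens[ChangeToken]
        if status == "PENDING":
            self.tokens[ChangeToken] = "INSYNC"  # reported as propagated on the next poll
        return {"ChangeTokenStatus": status}

SAMPLE_FEED = """\
# constructed sample feed, not a real reputation list
198.51.100.4
198.51.100.4          # duplicate, collapsed by the set
192.0.2.0/24
203.0.112.0/22        # not an accepted size: expanded to four /24s
2001:db8::1           # IPv6, ignored by this example
not-an-ip             # malformed, skipped
"""

def demo(batch=4):
    """Seed a fake IPSet with one stale entry, then sync it to SAMPLE_FEED."""
    client = FakeWafClient("ipset-example", ["198.51.100.4/32", "198.51.100.99/32"])
    return sync_ip_set(client, "ipset-example", SAMPLE_FEED, batch=batch, delay=0.0)
```

To run this against the service, pass boto3.client("waf") instead of FakeWafClient and trigger it from a CloudWatch Events schedule; the DELETE half of the diff is what keeps the set honest once an address drops off the feed, and the polling step is what tells you the new entries are actually live at the edge rather than merely accepted by the API.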
HTTP Floods
Legitimate requests at a level that excessively consumes web server resources
• Requests targeted at expensive components, e.g., login, product search, etc.
• Different from other types of flood attacks because the requests follow the protocol
• Creates the problem of distinguishing an attack from a flash crowd
• Solution: count the number of requests per client in the CloudFront access logs and block offenders
Scans & probes
Program that communicates with the web application front end to identify potential vulnerabilities
• Initiated by you: good; initiated by someone else: bad
• Someone (or something) with bad intentions
• Consumes resources by requesting URLs that don't exist
• Solution: count 4xx errors per client in the access logs and block offenders
Bots & scrapers
Software applications that run automated tasks over the internet.
• Good bots (search engines, weather, price comparison) vs. bad bots (scrape content, steal data, malware)
• Aggressive vs. conservative days
• Constantly changing/updating
• Solution: use robots.txt and a "honeypot" file to identify and block offenders
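The three log-driven detections above (request counting for HTTP floods, 4xx counting for scans and probes, honeypot hits for bots that ignore robots.txt), as one added example that is not part of the deck and is not AWS's preconfigured rules. It parses CloudFront access-log lines using the #Fields header and then flags client IPs per signal. The log itself is constructed inline (the traffic, edge-location code, host name and honeypot path are invented for the example), and the thresholds are parameters a practitioner would tune against their own flash-crowd baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOT_PATH = "/private/keep-out.html"  # listed under Disallow in robots.txt (assumption)


def parse_cloudfront_log(text):
    """Parse CloudFront access-log text into dict rows. Column names come from
    the #Fields header, so the parser does not depend on column order."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("no #Fields header before data")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield row


def find_offenders(rows, window=timedelta(minutes=1),
                   flood_threshold=100, error_threshold=20):
    """Return {client ip: set of reasons} for the three signals."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["c-ip"]].append(r)
    reasons = defaultdict(set)
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        # HTTP flood: more than flood_threshold requests inside any sliding window
        start = 0
        for end in range(len(reqs)):
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1
            if end - start + 1 > flood_threshold:
                reasons[ip].add("http_flood")
                break
        # Scans & probes: too many 4xx responses, i.e. guessing URLs that don't exist
        if sum(r["sc-status"].startswith("4") for r in reqs) > error_threshold:
            reasons[ip].add("scan_probe")
        # Bots: anything fetching the honeypot path has ignored robots.txt
        if any(r["cs-uri-stem"] == HONEYPOT_PATH for r in reqs):
            reasons[ip].add("honeypot")
    return dict(reasons)


FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
          "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query")


def _line(ts, ip, uri, status):
    return "\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "TLV50",
                      "512", ip, "GET", "d111111abcdef8.cloudfront.net", uri,
                      str(status), "-", "Mozilla/5.0", "-"])


def make_sample_log():
    """Constructed CloudFront-style access log; the traffic is invented."""
    t0 = datetime(2016, 3, 9, 12, 0, 0)
    lines = ["#Version: 1.0", "#Fields: " + FIELDS]
    for i in range(10):   # ordinary shopper, one page every 30 s
        lines.append(_line(t0 + timedelta(seconds=30 * i), "203.0.113.5", "/product/%d" % i, 200))
    for i in range(60):   # flood: 60 hits on the expensive search page within 30 s
        lines.append(_line(t0 + timedelta(milliseconds=500 * i), "198.51.100.7", "/search", 200))
    for i in range(25):   # scanner: guesses a path every 10 s, every one a 404
        lines.append(_line(t0 + timedelta(seconds=10 * i), "203.0.113.9", "/backup%d.zip" % i, 404))
    lines.append(_line(t0, "192.0.2.33", "/robots.txt", 200))  # bot reads robots.txt ...
    lines.append(_line(t0 + timedelta(seconds=1), "192.0.2.33", HONEYPOT_PATH, 200))  # ... and ignores it
    return "\n".join(lines) + "\n"


def demo():
    rows = parse_cloudfront_log(make_sample_log())
    return find_offenders(rows, flood_threshold=50, error_threshold=20)


if __name__ == "__main__":
    for ip, why in sorted(demo().items()):
        print(ip, sorted(why))
```

In Lambda this would run on the S3 object-created event for each delivered log file, feed the offender IPs into an IPSet through the change-token flow, and keep a timestamp per blocked address so that blocks expire rather than accumulate; the scanner in the sample is deliberately slow enough that request counting alone never catches it, which is why the 4xx signal is a separate check.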
Customer Story
Magazine Luiza
• One of the largest retail chains in Brazil
• More than 700 stores, 24K staff, and 8 distribution centers
• E-commerce platform customers use for purchases
• Moving "all in" to AWS over the past 2-3 years
• Breaking up the monolithic app
Customer Story
Challenges
• Balance security with performance & cost
• Traditional WAFs didn't work:
  1. Inflated models: lots of rules, and based on VMs or hardware
  2. Couldn't scale: constrained by bandwidth & CPU
  3. Automation meant more hardware
• Need to block bad bots (based on IP) without affecting the search & shopping experience
• Have a solution in place by Black Friday
Customer Story
[Figure: Previous Architecture]
Customer Story
[Figure: New Architecture]
Customer Story
Milestones Before Black Friday
• September – October: confirmed new architecture and started building
• October: new architecture ready to go
• November: started countdown and moved over all production traffic
Customer Story
Black Friday
• November 26: jumped from 4 to 28.9 million views/day
• November 26: all hands on deck for the last infrastructure scale-up!
• All hands on deck until midnight, everyone went home, 5 people decided to sleep in our leisure room, I kept following monitoring.
• Traffic started to ramp up again November 27 6:00AM and kept high page views and sales during the weekend.
Customer Story
Advice to Others
• Do analysis in house & start small
• Use the right library for the job
• Identify what needs protection
• Think about the time it takes to process logs
• Defense in depth: simple security rules at the perimeter, complex security rules closer to the app
Conclusion
Types of Attacks that can be Automated
• IP reputation lists
• HTTP floods
• Web probes & scans
• Bots & scrapers
Thanks to our Solution Architects: Heitor Vital, Ben Potter, Vlad Vlasceanu, and Lee Atkinson
Tutorials available on https://aws.amazon.com/waf/preconfiguredrules/
Thank you!