In this session, we provide a summary of the basics of AWS's WAF (Web Application Firewall) and cover some of the benefits of using the service. Example scenarios are provided and a walkthrough of pricing is described.
2. What is a WAF?
• A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic
• WAFs Come in Four Flavors
• Pure Play: stand alone appliance or software
• CDN: bundled with Content Delivery Network
• Load Balancer: bundled with a load balancer
• Unified Threat Management (UTM): catch-all appliance for misc. security functions
3. Why use WAF?
• WAFs help protect web sites & applications against attacks that
cause data breaches and downtime.
• General WAF use cases
• Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
• Prevent web site scraping, crawlers, and bots
• Mitigate DDoS (HTTP/HTTPS floods)
4. What is AWS WAF?
• AWS WAF is a CDN-bundled WAF
• Create rule-based web ACLs to block requests
• Unique aspects of AWS WAF are:
• Customizable rules created by customers to avoid false positives
• Full-featured API: this is a DevOps WAF that can be deployed inline with new web sites and applications
• Integrated with AWS (CloudFront, CloudWatch, with more to come) and with partners (Alert Logic, Trend Micro, Imperva, more to come)
• Pay-as-you-go pricing
7. CloudFront w/ AWS WAF
[Diagram: users, hackers, bad bots, site scraping, and SQL injection / XSS / other attacks all send traffic to a CloudFront edge location; only legitimate traffic is forwarded to the origin (EC2 behind an ELB and/or S3, and/or a customer on-premises environment acting as origin server and origin storage).]
Malicious traffic is blocked by WAF rules at edge locations
- the origin can be a custom origin
- content can be static and dynamic
- also shown: an on-premises origin plus S3
9. Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
[Map legend: edge location (CloudFront, Amazon Route 53, AWS WAF); AWS Region]
North America (Cities: 15, PoPs: 21): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO
South America (Cities: 2, PoPs: 2): Rio de Janeiro, Brazil; São Paulo, Brazil
Europe / Middle East / Africa (Cities: 10, PoPs: 16): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
Asia Pacific (Cities: 11, PoPs: 15): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)
10. AWS WAF Component Questions
1. What do I want to take action on?
(Conditions – IP / String Match Set / SQL injection match sets)
2. Should I block, allow, count?
(Rules - Precedence / Rule / Action)
3. What sites/distributions need these rules?
(CloudFront Distribution)
4. What should I call the container of these rules?
(Web Access Control Lists – Web ACLs)
5. How do I see if the rules are working?
(Real Time Metrics, Sampled Web Requests)
11. AWS WAF: web ACLs
• Web ACLs contain a set of conditions, rules, and actions.
• Web ACLs are applied to one or many CloudFront distributions.
• Web ACLs show you Real-Time Metrics & Sampled Web Requests for each rule.
12. AWS WAF: Conditions
• Conditions are lists of criteria that identify components of web requests.
• Conditions include matching on the following:
• IP address, e.g., /8, /16, /24, /32 CIDR ranges
• Strings, e.g., URI, query string, header, etc.
• SQL injection, i.e., looks for valid SQL statements
• The criteria within a condition are logically disjoined, i.e. "OR": the condition matches if any one of its entries matches.
14. AWS WAF: Rules
• Rules are sets of conditions with a predetermined action.
• Available actions are:
– Block
– Allow
– Count
• Rules logically join their conditions, i.e., "AND": every condition in the rule must match for the rule to match.
• Rules can be applied to many Web ACLs.
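How a web ACL combines these pieces, as an added example that is not part of the original deck: a small Python model of the matching semantics described on slides 12 and 14 (condition entries ORed, rule predicates ANDed with optional negation, rules run in priority order, COUNT keeps evaluating, the default action applies last), including the URL-decode text transformation the speaker notes recommend. The rule names, CIDR blocks, paths, header values and the request dictionary layout are constructed assumptions; the built-in SQL injection detector is not reproduced.

```python
"""Model of AWS WAF (classic) matching semantics. Constructed example, not AWS code."""
import ipaddress
from urllib.parse import unquote

# Text transformations applied to a field before comparison. URL_DECODE is the one
# that defeats %-encoded evasions of a URI or query-string match.
TRANSFORMS = {
    "NONE": lambda s: s,
    "URL_DECODE": unquote,
    "LOWERCASE": str.lower,
    "COMPRESS_WHITE_SPACE": lambda s: " ".join(s.split()),
}


def ip_match(cidrs, request):
    """IP match condition: true if the source IP is inside ANY listed CIDR (OR)."""
    ip = ipaddress.ip_address(request["ip"])
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _field(request, filt):
    """Pick the request component a string-match filter inspects."""
    if filt["field"] == "HEADER":
        return request.get("headers", {}).get(filt["data"].lower(), "")
    return request.get(filt["field"].lower(), "")   # URI, QUERY_STRING, METHOD, BODY


def string_match(filters, request):
    """String (byte) match condition: true if ANY filter matches its field (OR)."""
    for filt in filters:
        value = TRANSFORMS[filt.get("transform", "NONE")](_field(request, filt))
        target = filt["target"]
        hit = {"CONTAINS": target in value, "EXACTLY": value == target,
               "STARTS_WITH": value.startswith(target),
               "ENDS_WITH": value.endswith(target)}[filt.get("constraint", "CONTAINS")]
        if hit:
            return True
    return False


CONDITIONS = {"IPMatch": ip_match, "ByteMatch": string_match}


def rule_matches(rule, request):
    """A rule matches only if ALL predicates hold (AND); Negated flips one predicate."""
    return all(CONDITIONS[p["type"]](p["condition"], request) != p.get("negated", False)
               for p in rule["predicates"])


def evaluate(web_acl, request):
    """Return (action, rule name, counted rule names) for one request."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if rule_matches(rule, request):
            if rule["action"] == "COUNT":
                counted.append(rule["name"])
                continue                    # COUNT records the hit and keeps evaluating
            return rule["action"], rule["name"], counted
    return web_acl["default_action"], "default", counted


# Constructed web ACL: default ALLOW, one COUNT rule and three BLOCK rules.
WEB_ACL = {"default_action": "ALLOW", "rules": [
    {"name": "scraper-ua", "priority": 0, "action": "COUNT", "predicates": [
        {"type": "ByteMatch", "condition": [{"field": "HEADER", "data": "User-Agent",
            "constraint": "CONTAINS", "target": "scraper", "transform": "LOWERCASE"}]}]},
    {"name": "bad-bot-ips", "priority": 1, "action": "BLOCK", "predicates": [
        {"type": "IPMatch", "condition": ["198.51.100.0/24", "203.0.113.99/32"]}]},
    {"name": "honeypot", "priority": 2, "action": "BLOCK", "predicates": [
        {"type": "ByteMatch", "condition": [{"field": "URI", "constraint": "STARTS_WITH",
            "target": "/honeypot/", "transform": "URL_DECODE"}]}]},
    # AND of two predicates, one negated: /admin/ is blocked unless the caller is in the admin range
    {"name": "admin-lockdown", "priority": 3, "action": "BLOCK", "predicates": [
        {"type": "ByteMatch", "condition": [{"field": "URI", "constraint": "STARTS_WITH",
            "target": "/admin/", "transform": "URL_DECODE"}]},
        {"type": "IPMatch", "negated": True, "condition": ["192.0.2.0/24"]}]},
]}

# Constructed sample traffic (documentation address ranges).
REQUESTS = {
    "bad_ip": {"ip": "198.51.100.7", "uri": "/index.html", "headers": {"user-agent": "Mozilla/5.0"}},
    "honeypot": {"ip": "203.0.113.5", "uri": "/%68oneypot/", "headers": {"user-agent": "FastScraper/1.0"}},
    "admin_out": {"ip": "203.0.113.5", "uri": "/admin/users"},
    "admin_in": {"ip": "192.0.2.10", "uri": "/admin/users"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, evaluate(WEB_ACL, req))
```

Two things worth checking against a real deployment: a COUNT rule never terminates evaluation, so it is the safe way to trial a new condition before switching it to BLOCK; and a string match on a URI or query string without the URL_DECODE transformation misses the percent-encoded variant (`/%68oneypot/` above), which is exactly the evasion the speaker notes warn about.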
15. AWS WAF: Resources
• Web ACLs: applied to CloudFront distributions today
• Reuse: use one Web ACL for all distributions
• Flexibility: use an individual Web ACL for each distribution
• AWS Partners: developing integrations with AWS WAF
– Trend Micro: Deep Security
– Imperva: ThreatRadar
– Alert Logic: Web Security Manager
16. AWS WAF: Reporting & Logs
• Real-Time Metrics (CloudWatch):
– Blocked web requests
– Allowed web requests
– Counted web requests
• Adjustments to rules in response to real-time analysis.
• Time period can be adjusted by sliding graph end points or via filters.
17. AWS WAF: Request Process
1. HTTP/HTTPS request made for content to CloudFront
2. CloudFront checks whether the request needs WAF inspection (i.e., whether a web ACL is associated with the distribution)
3. WAF reviews the request and instructs CloudFront to allow or deny it
4. ALLOW REQUEST: content delivered via CloudFront
   DENY REQUEST: error page (HTTP 403) delivered by CloudFront
5. WAF sends metrics to CloudWatch; the customer can update rules via the API
18. AWS WAF: End to End Flow
1. Create Web ACL
2. Create Conditions (IP, string match, SQL)
3. Create Rules and Actions (order, rule, action)
4. Associate Web ACL to CloudFront distribution
5. Review and Create
19. AWS WAF: API & Data Types
API Actions
• Create
• Delete
• Get
• List
• Update
Data Types
• ChangeToken
• ChangeTokenStatus
• WebACL
• IPSet
• ByteMatchSet (the string match set)
• SqlInjectionMatchSet
• Rule
20. AWS WAF: APIs
1. Get Change Token – a change token can only be
used once to make a change to WAF resources.
2. Use Token to Make a Change – provide the change
token to the change request
3. Check Status Using Token – use token to determine
the status of your changes. INSYNC means changes
were propagated
22. AWS WAF Example: Blocking Bad Bots
What We Need…
• IP Set: contains our list of blocked IP addresses
• Rule: blocks requests if requests match IP in our IP Set
• Web ACL: allow requests by default, contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IP Set
23. AWS WAF Example: Blocking Bad Bots
• Use robots.txt to specify which areas of your site or webapp should not be scraped
• Place the file in your web root
• Ensure there are links pointing to non-scrapable content
• Hide a trigger script that normal users don't see and good bots ignore
$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/

<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>
24. AWS WAF Example: Blocking Bad Bots
• Bad bots (ignoring your robots.txt) will request the hidden link
• The trigger script detects the source IP of the request
• The trigger script requests a change token
• The trigger script adds the source IP to the IP Set blacklist
• The Web ACL will block subsequent requests from that source
$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
$ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set --cli-input-json '{ "IPSetId": "<<IP SET ID>>", "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f", "Updates": [ { "Action": "INSERT", "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" } } ] }'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
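The end-to-end flow on slide 18, the change-token protocol on slide 20 and the trigger script on slide 24, carried through in Python as an added example (not code from the deck or from AWS). The boto3 operation names and request shapes are those of the AWS WAF classic API (`get_change_token`, `create_ip_set`, `update_ip_set`, `create_rule`, `update_rule`, `create_web_acl`, `update_web_acl`, `get_change_token_status`); FakeWAF, the resource names, metric names and sample addresses are constructed so the script runs offline, and a real run swaps FakeWAF for `boto3.client("waf")`. When the honeypot sits behind CloudFront, take the source address from the X-Forwarded-For entry CloudFront appends, not from a client-supplied value, or an attacker can feed arbitrary addresses into the blacklist and lock out legitimate users.

```python
"""Change-token workflow for AWS WAF (classic): get a token, spend it on exactly one
mutating call, poll the token until INSYNC. Constructed example, not AWS code."""
import ipaddress
import time


class FakeWAF:
    """Constructed stand-in for boto3.client("waf"): single-use tokens, same response shapes."""
    _created = {"create_ip_set": ("IPSet", "IPSetId"),
                "create_rule": ("Rule", "RuleId"),
                "create_web_acl": ("WebACL", "WebACLId")}

    def __init__(self):
        self.calls, self.ip_sets, self.used, self.n = [], {}, set(), 0

    def get_change_token(self):
        self.n += 1
        return {"ChangeToken": f"token-{self.n}"}

    def get_change_token_status(self, ChangeToken):
        # PROVISIONED until spent; the real service also reports PENDING while propagating
        return {"ChangeTokenStatus": "INSYNC" if ChangeToken in self.used else "PROVISIONED"}

    def __getattr__(self, op):                      # any create_* / update_* operation
        def call(**kw):
            token = kw["ChangeToken"]
            if token in self.used:                  # the real API rejects a reused token
                raise RuntimeError("WAFStaleDataException: change token already used")
            self.used.add(token)
            self.calls.append((op, kw))
            resp = {"ChangeToken": token}
            if op in self._created:
                key, id_key = self._created[op]
                resp[key] = {id_key: f"{op[7:]}-{len(self.calls)}"}
            if op == "update_ip_set":               # apply the delta so the result can be inspected
                members = self.ip_sets.setdefault(kw["IPSetId"], set())
                for u in kw["Updates"]:
                    value = u["IPSetDescriptor"]["Value"]
                    members.add(value) if u["Action"] == "INSERT" else members.discard(value)
            return resp
        return call


def change(waf, op, poll=1.0, **kw):
    """One token, one change, then wait until the change has propagated (INSYNC)."""
    token = waf.get_change_token()["ChangeToken"]
    resp = getattr(waf, op)(ChangeToken=token, **kw)
    for _ in range(120):
        if waf.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"] == "INSYNC":
            return resp
        time.sleep(poll)
    raise TimeoutError(f"{op}: token {token} never reached INSYNC")


def provision(waf, name="bad-bots", poll=1.0):
    """Slide 18 steps 1-3 and 5: IP set -> rule with an IP predicate -> web ACL (default
    ALLOW) with the rule activated as BLOCK. Step 4, attaching the web ACL to a
    distribution, is a CloudFront call (WebACLId in the distribution config), not WAF."""
    ip_set_id = change(waf, "create_ip_set", poll, Name=f"{name}-ips")["IPSet"]["IPSetId"]
    rule_id = change(waf, "create_rule", poll, Name=f"{name}-rule",
                     MetricName="BadBotRule")["Rule"]["RuleId"]
    change(waf, "update_rule", poll, RuleId=rule_id, Updates=[{"Action": "INSERT",
           "Predicate": {"Negated": False, "Type": "IPMatch", "DataId": ip_set_id}}])
    acl_id = change(waf, "create_web_acl", poll, Name=f"{name}-acl", MetricName="BadBotACL",
                    DefaultAction={"Type": "ALLOW"})["WebACL"]["WebACLId"]
    change(waf, "update_web_acl", poll, WebACLId=acl_id, Updates=[{"Action": "INSERT",
           "ActivatedRule": {"Priority": 1, "RuleId": rule_id, "Action": {"Type": "BLOCK"}}}])
    return {"ip_set_id": ip_set_id, "rule_id": rule_id, "web_acl_id": acl_id}


def block_ip(waf, ip_set_id, source_ip, poll=1.0):
    """Slide 24 trigger: add the honeypot visitor as a single-host entry. UpdateIPSet is a
    delta, so the script keeps no copy of the list (fail2ban style)."""
    addr = ipaddress.ip_address(source_ip)      # reject garbage before it reaches the API
    value = f"{addr}/{addr.max_prefixlen}"      # /32 for IPv4, /128 for IPv6
    change(waf, "update_ip_set", poll, IPSetId=ip_set_id, Updates=[{
        "Action": "INSERT",
        "IPSetDescriptor": {"Type": f"IPV{addr.version}", "Value": value}}])
    return value


if __name__ == "__main__":
    waf = FakeWAF()            # real run: import boto3; waf = boto3.client("waf")
    ids = provision(waf, poll=0)
    print(ids, block_ip(waf, ids["ip_set_id"], "203.0.113.7", poll=0))
```

Each mutating call gets its own fresh token; reusing one raises the stale-data error, which is how the service's optimistic locking keeps two automations from clobbering each other's change. Polling until INSYNC matters for the trigger script: until then the bot's next request may still reach the origin.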
25. Pricing
Three Pricing Dimensions
• Web ACL monthly charge: $5 / Web ACL
• Rule monthly charge: $1 / rule
• Request Fee charge: $0.60 / million requests
Pricing is available online at: http://aws.amazon.com/waf/pricing/
26. Pricing Example
ACME corporation runs 5 CloudFront distributions, one for each web site. ACME sets up 1 Web ACL with 10 shared rules and applies the Web ACL to each website. Each website has an average HTTP/HTTPS request volume of about 55 million requests per month, or a total of 275 million requests.
• ACME would be charged: (1 Web ACL @ $5) + (10 Rules @ $1 each) + (275 MM requests @ $0.60/MM)
• The total charge is: $5 for Web ACL + $10 for Rules + $165 for requests = $170/month.
• This is in ADDITION to the CloudFront fees.
27. Which WAF Solution is Right?
1. Do you need basic WAF protection such as IP black
lists or referrer checking? (3)
2. Do you need protection against SQLi and XSS? (3)
3. Do you need rate based protection against attacks like
scrapers, bots, and/or HTTP floods? (1)
4. Do you need configurations that support basic
customizations for your applications? (1,3)
5. Do you need configurations that are highly customized
(e.g. full regex support) to your specific applications? (2)
6. Do you need to customize rules based on behavioral
analysis? (2)
7. Do you need a WAF that offers a large library of rules
and/or updates rules based on current and emerging
threats? (2,4)
8. Do you require a third party (AWS consulting partner) to
manage rules and customize your configurations? (4)
First of all, let’s make sure we are all on the same page. What is a WAF?
Quite simply, a WAF is a Web Application Firewall: an application-layer firewall used to protect web assets from various forms of attack. A WAF is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic. Another way to look at it: a web security service providing OSI Layer 7 protection by monitoring HTTP and HTTPS requests and restricting access to web applications.
Common attacks include high-volume request traffic for content from a single IP address or a range of IP addresses.
CDN-based WAFs filter requests at edge locations before content is served or requests are forwarded to the origin server.
The benefit of deploying a WAF sandwich (a tier of WAF instances placed between two load-balancer tiers), while complex, is that it scales out; an on-premises appliance does not scale the same way and requires infrastructure investment to protect web assets properly.
All customers have to do is point CloudFront to an origin and enable the WAF, which highlights the ease of using CloudFront. CloudFront is becoming more of an application delivery platform than just a CDN. Here is a typical layout, but you can use a custom origin.
Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
TOM
Our built-in SQL injection match condition checks for valid SQL statements, not just simple keywords.
SQL injection usually occurs within query string parameters and the request body.
To check the query string, configure a SQL injection match set on the query string with a URL decode text transformation, so that URL-encoded payloads cannot evade the match.
TOM
The WAF API is a RESTful API with five simple commands (Create, Delete, Get, List, Update) applied to a handful of resource types. In addition, the API requires a change token to be supplied when calling mutating commands.
The combination of a command and a resource type is an API action that can be carried out by AWS WAF.
There are two types of criteria that can be used to block or allow requests before they are passed on to CloudFront or an ELB: a ByteMatch set and an IP set. A ByteMatch set includes syntax that matches a header value, HTTP method, HTTP version, query string, or URI. A SQL injection match set can be thought of as a variant of a ByteMatch set.
Actions are also known as default action types: ALLOW, BLOCK or COUNT.
I’ve got a few notes to help you with API and CLI usage
First, change tokens are required for any create or update operation.
These drive our optimistic locking mechanism to prevent your changes from conflicting with each other, and they are used to track change sync status throughout the system.
So to make any change, first call the API to get a change token.
In my create call, I pass the change token as a parameter.
Finally, I can query for the status of my change using the GetChangeTokenStatus call.
The API returns one of three states:
Provisioned means that the token has been issued, but no one has used it to make a change
Pending means the change has been made to the API, but hasn't propagated to all CloudFront edge locations
InSync –
All of the update calls use an Add / Remove pattern (INSERT / DELETE in the API).
To add one IP, it's one API call; you don't need to supply the full list of IPs.
That should make fail2ban-style automation easier, where you can just add a single IP to your blacklist without having to store any other state.
We follow this basic.
Simply explain the use of this action: get sampled data from the WAF for the selected time range.
AWS WAF costs $5 per Web ACL, $1 per rule and $0.60 per million web requests. You can reuse your Web ACL across as many CloudFront distributions as you like for no additional monthly charge. One Web ACL gives you CloudWatch metrics and sampled web requests across all associated CloudFront distributions. Each rule lets you configure many conditions to match specific web requests you can use to block, allow or count web traffic. Each rule also provides you with rule-specific CloudWatch metrics and sampled requests so you can see exactly which web requests are matching your conditions. Use more rules when you need detailed visibility into your configured match conditions; use fewer rules when you don't need as much visibility.
The Web ACL, charged at $5, can cover all your websites.