Defending Your Workloads With AWS WAF and Deep Security

  • Mark Nunnikhoven Vice President, Cloud Research @marknca

  • Defences

  • Web Application Firewall

    What it does: Analyzes network traffic at the application layer (7); examines requests/responses for logic & behaviour

    Pros: Stops common web attacks (OWASP Top 10); effective at stopping unknown attacks

    Cons: Rule set is application specific

    A deeper look at what defines a WAF is available at https://en.wikipedia.org/wiki/Application_firewall

  • Intrusion Prevention System

    What it does: Analyzes network packets at the network to application layers (3-7); examines packets for malicious content & protocol conformity

    Pros: Stops attacks affecting all types of applications; protects operating system and applications

    Cons: Large rule set can impact performance

    A deeper look at what defines an IPS is available at https://en.wikipedia.org/wiki/Intrusion_prevention_system

  • OSI Network Model

    7 Application

    6 Presentation

    5 Session

    4 Transport

    3 Network

    2 Data Link

    1 Physical

    Learn more about the OSI network model at https://en.wikipedia.org/wiki/OSI_model

  • Network Defence For Web Applications

    [Diagram: OSI stack (layers 7 to 1) annotated with WAF]

    Learn more about the OSI network model at https://en.wikipedia.org/wiki/OSI_model

  • Network Defence For Web Applications

    [Diagram: OSI stack (layers 7 to 1) annotated with WAF and IPS]

    Learn more about the differences between WAF & IPS at https://www.sans.org/security-resources/idfaq/ips-web-app-firewall.php

  • Network Defence For Web Applications

    [Diagram: OSI stack (layers 7 to 1) annotated with AWS WAF, Deep Security IPS, and AWS (Security of the Cloud)]

    Learn more about the differences between WAF & IPS at https://www.sans.org/security-resources/idfaq/ips-web-app-firewall.php

  • TCP/IP Packet

    IP header:

    Version | IHL | Type of Service | Total Length

    Identification | Flags | Fragment Offset

    Time To Live | Protocol | Header Checksum

    Source Address

    Destination Address

    Options | Padding

    TCP header:

    Source Port | Destination Port

    Sequence Number

    Acknowledgement Number

    Data Offset | URG ACK PSH RST SYN FIN | Window

    Checksum | Urgent Pointer

    TCP Options | Padding

    TCP Data (HTTP Headers & Body included here)

    Learn more about TCP/IP packet structure at http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/

  • TCP/IP Packet; AWS WAF

    [Diagram: the same TCP/IP packet layout, annotated for AWS WAF]

    Learn more about TCP/IP packet structure at http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/

  • TCP/IP Packet; Deep Security IPS

    [Diagram: the same TCP/IP packet layout, annotated for Deep Security IPS]

    Learn more about TCP/IP packet structure at http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/

  • TCP/IP Packet; AWS WAF + Deep Security IPS

    [Diagram: the same TCP/IP packet layout, annotated for AWS WAF + Deep Security IPS, with Source Address and TCP Data (HTTP Headers & Body included here) called out]

    Learn more about TCP/IP packet structure at http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/

  • Intrusion Prevention System

    Benefits: Protects OS & application; enforces protocols; looks for malicious payloads

    Web Application Firewall

    Benefits: Protects application; enforces logic & behaviour; looks for malicious logic

    Well rounded protection

  • AWS WAF

  • AWS WAF

    Highlights: New service, GA at re:Invent 2015

    Highly scalable, highly available

    Not as flexible as a dedicated WAF yet

    Extremely easy to configure & deploy

    More on AWS WAF at https://aws.amazon.com/waf/

  • AWS WAF Delivery; Regions

    AWS global infrastructure is detailed at https://aws.amazon.com/about-aws/global-infrastructure/

  • AWS WAF Delivery; Edge Locations

  • AWS WAF Delivery

    Global Service

    Delivered via edge locations

  • AWS WAF Primitives

    WACL, Rules, Conditions

    Conditions: String match, SQLi, IP addresses

    Actions: Block, Allow, Count

    More details on AWS WAF are available at https://aws.amazon.com/waf/

  • AWS WAF Primitives

    WACL

    Rules

    Conditions

    More details on AWS WAF are available at https://aws.amazon.com/waf/

  • AWS WAF Architecture

    [Diagram components: AWS WAF WACL, CloudFront Distribution, S3 Bucket, ELB, EC2 Instances]

    More details on AWS WAF are available at https://aws.amazon.com/waf/

  • AWS WAF Architecture

    [Diagram components: AWS WAF WACL, CloudFront Distribution, S3 Bucket OR ELB and EC2 Instances; steps numbered 1 to 3 in the diagram]

    More details on AWS WAF are available at https://aws.amazon.com/waf/

  • Demo: Create Rule with SQLi, with string match, with IPSet

  • Deep Security

  • Platform Goal

    Deep Security helps you meet your responsibilities for security in AWS

  • Deep Security Controls

    Web Reputation

    Firewall

    Intrusion Prevention

    Integrity Monitoring

    Log Inspection

    Anti-Malware

    1 simple policy

    Learn more at http://aws.trendmicro.com

  • Deep Security Architecture

    [Diagram components: AZ1, AZ2, Deep Security AMI(s), Deep Security Agents]

    Create this deployment quickly with our CloudFormation templates at https://github.com/deep-security/cloudformation

  • Demo: Enable IPS; Configure IPS; Show IP Lists

  • Putting It Together

  • Cost of Software Defects

    [Chart: Cost (axis 0 to 1000) across the stages Design, Early, Late, Release]

  • Performance Cost of Security Controls

    [Chart: Risk (axis 0 to 1000) across Upstream, Provider, Perimeter, Data]

  • AWS WAF + Deep Security; Scenario #1

    Use Case: Restrict access to web application to DEV only

    Implementation: Sync DEV IP list from Deep Security to AWS WAF IPSet; AWS WAF Rule to BLOCK based on IPSet condition

  • Demo: Show IP List; Sync IP List; Build IPSet condition
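
The sync step in Scenario #1, as an added example (not code from the talk or from the deep-security/aws-waf project): it computes the INSERT/DELETE changes that make an AWS WAF IPSet mirror a source IP list. The function names, the sample addresses, the AWS WAF Classic `UpdateIPSet` payload shape and the accepted prefix lengths are assumptions of this example.

```python
import ipaddress

# Prefix lengths an AWS WAF Classic IPSet accepts (assumption: current Classic limits).
V4_OK = {8} | set(range(16, 33))
V6_OK = {24, 32, 48, 56, 64, 128}

def to_descriptors(entries):
    """Normalise source entries to (Type, Value) pairs; return (accepted, rejected)."""
    accepted, rejected = set(), []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)  # clears host bits
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen in (V4_OK if net.version == 4 else V6_OK):
            accepted.add((f"IPV{net.version}", str(net)))
        elif net.version == 4 and 8 < net.prefixlen < 16:
            # /9 to /15 is not accepted as-is: split into equivalent /16 blocks.
            accepted.update(("IPV4", str(s)) for s in net.subnets(new_prefix=16))
        else:
            rejected.append(raw)  # e.g. 0.0.0.0/0 must never be synced silently
    return accepted, rejected

def plan_updates(source_entries, current_descriptors):
    """Build the Updates list for UpdateIPSet so the IPSet mirrors the source list."""
    wanted, rejected = to_descriptors(source_entries)
    if not wanted:
        # An empty or unparsable source would delete every entry; refuse instead.
        raise ValueError("source list produced no usable entries")
    current = {(d["Type"], d["Value"]) for d in current_descriptors}
    updates = [
        {"Action": action, "IPSetDescriptor": {"Type": t, "Value": v}}
        for action, group in (("INSERT", wanted - current), ("DELETE", current - wanted))
        for t, v in sorted(group)
    ]
    return updates, rejected

# Constructed sample data (documentation and private ranges), not taken from the talk.
DEV_IP_LIST = ["203.0.113.0/24", "198.51.100.7", "192.0.2.10/24",
               "10.128.0.0/15", "0.0.0.0/0", "not-an-ip"]
CURRENT_IPSET = [{"Type": "IPV4", "Value": "203.0.113.0/24"},
                 {"Type": "IPV4", "Value": "198.51.100.99/32"}]

if __name__ == "__main__":
    updates, rejected = plan_updates(DEV_IP_LIST, CURRENT_IPSET)
    for u in updates:
        print(u["Action"], u["IPSetDescriptor"]["Value"])
    print("rejected:", rejected)
```

Rejected entries are returned rather than dropped so the sync job can alert on them; a source list that shrinks to nothing raises instead of emptying the IPSet.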

  • AWS WAF + Deep Security; Scenario #2

    Use Case: Mitigate DDoS Attacks

    Implementation: Augment AWS WAF Count rules with Deep Security; dynamically block incoming IPs based on AWS WAF Counts and Deep Security alerts

  • Thank You!

    https://github.com/deep-security/aws-waf

    aws.trendmicro.com

    @marknca