Defending Your Workloads With AWS WAF and Deep Security


Mark Nunnikhoven, Vice President, Cloud Research (@marknca)

Defences

Web Application Firewall

What it does: analyzes network traffic at the application layer (7); examines requests and responses for logic & behaviour.

Pros: stops common web attacks (OWASP Top 10); effective at stopping unknown attacks.

Cons: the rule set is application specific.

A deeper look at what defines a WAF is available at https://en.wikipedia.org/wiki/Application_firewall

Intrusion Prevention System

What it does: analyzes network packets from the network layer through the application layer (3 to 7); examines packets for malicious content & protocol conformity.

Pros: stops attacks affecting all types of applications; protects the operating system and applications.

Cons: a large rule set can impact performance.

A deeper look at what defines an IPS is available at https://en.wikipedia.org/wiki/Intrusion_prevention_system

OSI Network Model

(Diagram: the seven OSI layers, top to bottom: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical.)

Learn more about the OSI network model at https://en.wikipedia.org/wiki/OSI_model

Network Defence For Web Applications

(Diagram, built up over three slides: the same OSI layer stack, first annotated with where a WAF sits, then an IPS, then labelled AWS WAF, Deep Security IPS and AWS (Security of the Cloud).)

Learn more about the OSI network model at https://en.wikipedia.org/wiki/OSI_model

Learn more about the differences between WAF & IPS at https://www.sans.org/security-resources/idfaq/ips-web-app-firewall.php

TCP/IP Packet

(Diagram: the IPv4 header and the TCP header, field by field, followed by the TCP payload.)

IPv4 header:
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time To Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding

TCP header:
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data Offset | URG ACK PSH RST SYN FIN | Window
Checksum | Urgent Pointer
TCP Options | Padding

TCP Data (HTTP Headers & Body included here)

Learn more about TCP/IP packet structure at http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/

TCP/IP Packet; AWS WAF / Deep Security IPS / AWS WAF + Deep Security IPS

(Diagram, built up over three slides: the same packet layout as above, annotated for AWS WAF, for Deep Security IPS and for both together. The highlighted field labels recoverable from the slide text are Source Address and TCP Data (HTTP Headers & Body included here).)

Intrusion Prevention System vs Web Application Firewall

IPS benefits: protects OS & application; enforces protocols; looks for malicious payloads.

WAF benefits: protects application; enforces logic & behaviour; looks for malicious logic.

Combined: well rounded protection.

AWS WAF

Highlights: new service, GA at re:Invent 2015; highly scalable, highly available; not as flexible as a dedicated WAF…yet; extremely easy to configure & deploy.

More on AWS WAF at https://aws.amazon.com/waf/

AWS WAF Delivery

(Diagrams: AWS regions, then AWS edge locations.)

Global service, delivered via edge locations.

AWS’ global infrastructure is detailed at https://aws.amazon.com/about-aws/global-infrastructure/

AWS WAF Primitives

WACL (web ACL): the top-level container that holds the rules.

Rules: each rule in the WACL combines conditions and is given one action: Block, Allow or Count.

Conditions: string match, SQLi, IP addresses.

More details on AWS WAF are available at https://aws.amazon.com/waf/

AWS WAF Architecture

(Diagram, built up over two slides: an AWS WAF WACL attached to a CloudFront Distribution; behind the distribution sits either an S3 Bucket or an ELB in front of EC2 Instances.)

More details on AWS WAF are available at https://aws.amazon.com/waf/

Demo: create a rule with SQLi, with string match, with IPSet.
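How the primitives above fit together at evaluation time, as an added example (not the talk's demo code and not the AWS API): a small model of an AWS WAF Classic web ACL in which rules are checked in priority order, the first matching Allow/Block rule decides, Count rules only record a match, and the WACL default action applies otherwise. The SQLi matcher is a deliberately simple stand-in for the AWS condition, and the rules and requests are constructed for the deck's "DEV only" use case.

```python
"""Model of AWS WAF (Classic) web ACL evaluation: rules run in priority order,
the first matching ALLOW/BLOCK rule decides, COUNT rules only record a match,
and the WACL default action applies when no rule terminates. Added example."""
import ipaddress
import re
from dataclasses import dataclass, field
# Deliberately simple stand-in for the AWS SQLi condition (assumption): a quote
# followed by OR/AND/UNION, the classic tautology shape.
_SQLI = re.compile(r"""['"]\s*(or|and|union)\b""", re.I)

def ip_in_set(cidrs):             # IP match condition: client IP inside an IPSet CIDR
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)

def string_match(part, needle):   # string match condition on a request part
    return lambda req: needle.lower() in req.get(part, "").lower()

def sqli_match(part):             # SQL injection condition on a request part
    return lambda req: _SQLI.search(req.get(part, "")) is not None

@dataclass
class Rule:
    name: str
    action: str                                      # ALLOW, BLOCK or COUNT
    conditions: list = field(default_factory=list)   # all must match (AND)

def evaluate(wacl, default_action: str, req: dict):
    """Return (final action, names of COUNT rules that matched)."""
    counted = []
    for rule in wacl:
        if rule.conditions and all(cond(req) for cond in rule.conditions):
            if rule.action == "COUNT":
                counted.append(rule.name)      # record the hit, keep evaluating
            else:
                return rule.action, counted    # ALLOW/BLOCK is terminal
    return default_action, counted

# Constructed WACL for the deck's "DEV only" use case: default BLOCK, allow the
# DEV IPSet, block SQLi first, count hits on /admin to tune before blocking.
DEV_WACL = [
    Rule("count-admin", "COUNT", [string_match("uri", "/admin")]),
    Rule("block-sqli", "BLOCK", [sqli_match("query")]),
    Rule("allow-dev", "ALLOW", [ip_in_set(["203.0.113.0/24"])]),
]

if __name__ == "__main__":   # constructed requests: DEV on /admin, outsider, DEV sending SQLi
    for req in ({"ip": "203.0.113.5", "uri": "/admin", "query": ""},
                {"ip": "198.51.100.7", "uri": "/login", "query": "user=a"},
                {"ip": "203.0.113.5", "uri": "/item", "query": "id=1' OR '1'='1"}):
        print(req["ip"], req["uri"], "->", evaluate(DEV_WACL, "BLOCK", req))
```

The Count action is what makes the model useful for tuning: a rule can be watched for false positives across real traffic before its action is switched to Block.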

Deep Security

Platform goal: Deep Security helps you meet your responsibilities for security in AWS.

Learn more at http://aws.trendmicro.com

Deep Security Controls: Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Anti-Malware, in 1 simple policy.

Deep Security Architecture

(Diagram: Deep Security AMI(s) and Deep Security Agents deployed across AZ1 and AZ2.)

Create this deployment quickly with our CloudFormation templates at https://github.com/deep-security/cloudformation

Demo: enable IPS, configure IPS, show IP lists.

Putting It Together

Cost of Software Defects

(Chart: Cost on the y-axis, 0 to 1000, against Design, Early, Late and Release on the x-axis.)

Performance Cost of Security Controls

(Chart: Risk on the y-axis, 0 to 1000, against Upstream, Provider, Perimeter and Data on the x-axis.)

AWS WAF + Deep Security; Scenario #1

Use case: restrict access to the web application to DEV only.

Implementation: sync the DEV IP list from Deep Security to an AWS WAF IPSet; AWS WAF rule to BLOCK based on the IPSet condition.

Demo: show IP list, sync IP list, build IPSet condition.

AWS WAF + Deep Security; Scenario #2

Use case: mitigate DDoS attacks.

Implementation: augment AWS WAF Count rules with Deep Security; dynamically block incoming IPs based on AWS WAF Counts and Deep Security alerts.
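The glue both scenarios need, as an added example that is not the deep-security/aws-waf project's code: an IP list (such as the DEV list exported from Deep Security) is normalised into AWS WAF Classic IPSetDescriptors and diffed against the current IPSet to produce the Updates argument that waf.update_ip_set() takes, and for Scenario #2 a decision function merges Count-rule totals with Deep Security alert IPs. The AWS API call itself is left out so the block runs offline; the rule for combining counts and alerts is an assumption, as the deck does not specify it.

```python
"""Glue for the deck's two scenarios: turn an IP list into AWS WAF Classic IPSet
updates (Scenario #1) and decide which IPs a Count rule plus Deep Security alerts
should block (Scenario #2). Added example with constructed data; not the
deep-security/aws-waf project's code."""
from __future__ import annotations
import ipaddress

def to_descriptor(value: str) -> dict:
    """Normalise an IP or CIDR into the IPSetDescriptor shape update_ip_set()
    expects; bare hosts become /32 (IPv4) or /128 (IPv6)."""
    net = ipaddress.ip_network(value, strict=False)
    return {"Type": f"IPV{net.version}", "Value": net.with_prefixlen}

def plan_ipset_updates(desired: list[str], current: list[dict]) -> list[dict]:
    """Diff the desired list (e.g. the DEV IP list exported from Deep Security)
    against the IPSetDescriptors already in the AWS WAF IPSet and return the
    Updates argument for waf.update_ip_set(): INSERT missing, DELETE stale."""
    want = {(d["Type"], d["Value"]) for d in map(to_descriptor, desired)}
    have = {(d["Type"], d["Value"]) for d in current}
    def updates(action, pairs):
        return [{"Action": action, "IPSetDescriptor": {"Type": t, "Value": v}}
                for t, v in sorted(pairs)]
    return updates("INSERT", want - have) + updates("DELETE", have - want)

def ips_to_block(waf_counts: dict, ds_alert_ips: list[str], threshold: int) -> list[str]:
    """Scenario #2 decision (the combination rule is an assumption): block an IP
    when the AWS WAF Count rule saw it at least `threshold` times, or when Deep
    Security raised an alert for it."""
    hot = {ip for ip, n in waf_counts.items() if n >= threshold}
    return sorted(hot | set(ds_alert_ips))

if __name__ == "__main__":
    # Constructed stand-ins for the Deep Security DEV list and the current IPSet.
    dev_list = ["203.0.113.10", "203.0.113.0/24", "2001:db8::1"]
    current_ipset = [{"Type": "IPV4", "Value": "203.0.113.10/32"},
                     {"Type": "IPV4", "Value": "198.51.100.7/32"}]
    for u in plan_ipset_updates(dev_list, current_ipset):
        print(u["Action"], u["IPSetDescriptor"]["Type"], u["IPSetDescriptor"]["Value"])
    # Constructed Count-rule totals and Deep Security alert IPs for Scenario #2.
    counts = {"198.51.100.7": 150, "198.51.100.8": 3}
    block = ips_to_block(counts, ["192.0.2.9"], threshold=100)
    print("block:", block, plan_ipset_updates(block, []))
```

AWS WAF only accepts certain prefix lengths per address family, so a production sync should validate each descriptor before submitting it, and the DELETE side of the diff is what keeps stale DEV addresses from lingering in the IPSet.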

Thank You! https://github.com/deep-security/aws-waf

aws.trendmicro.com

@marknca