AWS WAF Tom Witman

2016 Utah Cloud Summit: AWS WAF


Page 1: 2016 Utah Cloud Summit: AWS WAF

AWS WAF
Tom Witman

Page 2: 2016 Utah Cloud Summit: AWS WAF

What is a WAF?

• A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.

• WAFs come in four flavors:
  • Pure Play: stand-alone appliance or software
  • CDN: bundled with a Content Delivery Network
  • Load Balancer: bundled with a load balancer
  • Universal Threat Manager (UTM): catch-all for misc. security

Page 3: 2016 Utah Cloud Summit: AWS WAF

Why use WAF?

• WAFs help protect web sites & applications against attacks that cause data breaches and downtime.

• General WAF use cases:
  • Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
  • Prevent web site scraping, crawlers, and bots
  • Mitigate DDoS (HTTP/HTTPS floods)

Page 4: 2016 Utah Cloud Summit: AWS WAF

What is AWS WAF?

• AWS WAF is a CDN-bundled WAF
• Create rule-based web ACLs to block requests
• Unique aspects of AWS WAF are:
  • Customizable rules created by customers to avoid false positives
  • Full-feature API: this is a DevOps WAF that can be deployed inline with new web sites and applications
  • Integrated with AWS (CloudFront, CloudWatch, with more to come) and with partners (Alert Logic, TrendMicro, Imperva, more to come)
  • Pay-as-you-go pricing

Page 5: 2016 Utah Cloud Summit: AWS WAF

CloudFront w/o WAF

[Diagram: users, hackers, and bad bots send legitimate traffic, site scraping, and SQL injection, XSS and other attacks to a CloudFront edge location, which forwards everything to the origin: EC2 behind an ELB and/or S3, or a customer on-premises environment (origin server, origin storage).]

Page 6: 2016 Utah Cloud Summit: AWS WAF

Traditional WAF Deployment

[Diagram: the same users, hackers, and bad bots reach the CloudFront edge location; at the EC2 origin the WAF runs on EC2 between two load balancers (ELB -> WAF -> ELB, the "ELB sandwich"), and/or traffic goes to a customer on-premises environment (origin, origin storage).]

WAF on EC2 in ELB sandwich (complexity & latency)

Page 7: 2016 Utah Cloud Summit: AWS WAF

CloudFront w/ AWS WAF

[Diagram: the same users, hackers, and bad bots reach the CloudFront edge location, but site scraping and SQL injection, XSS and other attacks are stopped there; only legitimate traffic continues to the origin: EC2 behind an ELB and/or S3, or a customer on-premises environment (origin server, origin storage).]

Malicious traffic is blocked by WAF rules at edge locations. The origin can be a custom origin, the content can be static and dynamic, and the same applies to the on-premises + S3 variant shown on the earlier slide.

Page 8: 2016 Utah Cloud Summit: AWS WAF

Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents

[Map legend: CloudFront, Amazon Route 53, AWS WAF]

Page 9: 2016 Utah Cloud Summit: AWS WAF

North America (Cities: 15, PoPs: 21): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO

South America (Cities: 2, PoPs: 2): Rio de Janeiro, Brazil; São Paulo, Brazil

Europe / Middle East / Africa (Cities: 10, PoPs: 16): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia Pacific (Cities: 11, PoPs: 15): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)

[Map legend: CloudFront, Amazon Route 53, AWS WAF, Edge location, AWS Region]

Page 10: 2016 Utah Cloud Summit: AWS WAF

AWS WAF Component Questions

1. What do I want to take action on? (Conditions – IP / String Match Set / SQL injection match sets)

2. Should I block, allow, count? (Rules - Precedence / Rule / Action)

3. What sites/distributions need these rules? (CloudFront Distribution)

4. What should I call the container of these rules? (Web Access Control Lists – Web ACLs)

5. How do I see if the rules are working? (Real Time Metrics, Sampled Web Requests)

Page 11: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: web ACLs

• Web ACLs contain a set of conditions, rules, and actions.

• Web ACLs are applied to one or many CloudFront distributions.

• Web ACLs show you Real-Time Metrics & Sampled Web Requests for each rule.

Page 12: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Conditions

• Conditions are lists of criteria that identify components of web requests.

• Conditions include matching on the following:

  • IP address, i.e., /8, /16, /24, /32
  • Strings, i.e., URI, query string, header, etc.
  • SQL injection, i.e., looks for valid SQL statements

• Conditions are logically disjoined, i.e. “OR”.

Page 13: 2016 Utah Cloud Summit: AWS WAF

Match Conditions: SQLi

Request: /login?x=test%20Id=10%20AND=1
  Transform: URL Decode -> /login?x=test Id=10 AND=1
  Match: SQL Injection -> False

Request: /login?x=test%27%20UNION%20ALL%20select%20NULL%20--
  Transform: URL Decode -> /login?x=test' UNION ALL select NULL --
  Match: SQL Injection -> True

Page 14: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Rules

• Rules are sets of conditions with a predetermined action.

• Available actions are:
  – Block
  – Allow
  – Count

• Rules can logically join conditions, i.e., “AND”.

• Rules can be applied to many WebACLs.
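As an added example, not code from the talk or from AWS, the following Python models how the three layers on the Conditions, SQLi and Rules slides compose: a condition is a list of criteria of which any one may match (OR), a rule ANDs its conditions and carries one action, and a web ACL evaluates rules in precedence order and falls back to a default action. It also applies the URL Decode transform before the SQLi check, which is why the deck's `%27%20UNION` request matches only after decoding. The class names, the two constructed SQLi patterns, the sample CIDR ranges and the count-only bookkeeping are this example's own assumptions; the real service's matching is far richer.

```python
"""Added example: a toy model of AWS WAF classic conditions, rules and web ACLs.
Not the service's implementation; names and matching logic are simplified."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import unquote_plus, urlsplit


@dataclass
class Request:
    source_ip: str
    uri: str                                   # path plus query string, e.g. "/login?x=1"
    headers: Dict[str, str] = field(default_factory=dict)


# --- Conditions: a list of criteria, ANY of which may match (logical OR) ---

def ip_condition(cidrs: List[str]) -> Callable[[Request], bool]:
    """IP match set of /8, /16, /24 or /32 ranges; true if any range contains the source."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)


def string_condition(part: str, needles: List[str]) -> Callable[[Request], bool]:
    """String match set on one request part ("uri", "query_string" or "header:<Name>");
    true if any needle appears in it (case-insensitive substring match)."""
    def extract(r: Request) -> str:
        if part == "uri":
            return urlsplit(r.uri).path
        if part == "query_string":
            return urlsplit(r.uri).query
        if part.startswith("header:"):
            return r.headers.get(part.split(":", 1)[1], "")
        raise ValueError(f"unknown request part {part!r}")
    return lambda r: any(n.lower() in extract(r).lower() for n in needles)


# Constructed SQLi indicators (assumption); the real condition checks much more.
_SQLI = [re.compile(r"'\s*union\s+(all\s+)?select\b", re.I),
         re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)]


def sqli_condition(url_decode: bool = True) -> Callable[[Request], bool]:
    """SQL injection match set on the query string. The URL Decode transform runs
    first, so "%27%20UNION" becomes "' UNION" before the patterns are applied."""
    def check(r: Request) -> bool:
        q = urlsplit(r.uri).query
        text = unquote_plus(q) if url_decode else q
        return any(p.search(text) for p in _SQLI)
    return check


# --- Rules: conditions are ANDed; each rule has exactly one action ---

@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Request], bool]]
    action: str                                # "BLOCK", "ALLOW" or "COUNT"

    def matches(self, r: Request) -> bool:
        return all(c(r) for c in self.conditions)


# --- Web ACL: rules in precedence order, then the default action ---

@dataclass
class WebACL:
    rules: List[Rule]                          # ordered by precedence
    default_action: str = "ALLOW"
    counts: Dict[str, int] = field(default_factory=dict)   # stand-in for CloudWatch metrics

    def evaluate(self, r: Request) -> str:
        for rule in self.rules:
            if rule.matches(r):
                self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                if rule.action == "COUNT":
                    continue                   # count-only: record the match, keep evaluating
                return rule.action
        return self.default_action


def demo_acl() -> WebACL:
    """A web ACL for the deck's use cases: an IP blacklist, SQLi on /login, bots counted.
    The CIDR and user-agent values are constructed sample data."""
    return WebACL(rules=[
        Rule("blocked-ips", [ip_condition(["203.0.113.0/24"])], "BLOCK"),
        Rule("sqli-on-login", [string_condition("uri", ["/login"]), sqli_condition()], "BLOCK"),
        Rule("scraper-ua", [string_condition("header:User-Agent", ["scrapy"])], "COUNT"),
    ])
```

Because the `sqli-on-login` rule ANDs a URI condition with the SQLi condition, the same injection payload on `/search` falls through to the default allow; that is the deck's point that conditions are ORed inside and ANDed by the rule. Start a new rule in COUNT mode, watch its count in the metrics, and only then switch it to BLOCK.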

Page 15: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Resources

• Web ACLs: applied to CloudFront distributions today
• Rule R: use one Web ACL for all distributions
• Flexibility: use an individual Web ACL for each distribution
• AWS Partners: developing integrations with AWS WAF
  – Trend Micro: Deep Security
  – Imperva: Threat Radar
  – Alert Logic: Web Security Manager

Page 16: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Reporting & Logs

• Real-Time Metrics (CloudWatch):
  – Blocked web requests
  – Allowed web requests
  – Counted web requests

• Adjustments to rules in response to real time analysis.

• Time period can be adjusted by sliding graph end points or via filters.

Page 17: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Request Process

1. HTTP/HTTPS request made for content to CloudFront.
2. CF checks if the request needs WAF inspection.
3. WAF reviews the request and instructs CF to allow/deny:
   – ALLOW REQUEST: content delivered via CloudFront.
   – DENY REQUEST: error page delivered by CloudFront.
4. WAF sends the metric to CW; the customer can update rules via the API.

Page 18: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: End to End Flow

1. Create Web ACL
2. Create Conditions (IP, string match, SQL)
3. Create Rules and Actions (order, rule, action)
4. Associate Web ACL to CloudFront distribution
5. Review and Create

Page 19: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: API & Data Types

API Actions
• Create
• Delete
• Get
• List
• Update

Data Types
• ChangeToken
• ChangeTokenStatus
• WebACL
• IPSet
• StringMatchSet
• SQLinjectionMatchSet
• Rule

Page 20: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: APIs

1. Get Change Token – a change token can only be used once to make a change to WAF resources.

2. Use Token to Make a Change – provide the change token to the change request

3. Check Status Using Token – use the token to determine the status of your changes. INSYNC means the changes were propagated.

Page 21: 2016 Utah Cloud Summit: AWS WAF

AWS WAF Example: Blocking Bad Bots

Page 22: 2016 Utah Cloud Summit: AWS WAF

AWS WAF Example: Blocking Bad Bots

What We Need…
• IP Set: contains our list of blocked IP addresses
• Rule: blocks requests if the request matches an IP in our IP Set
• Web ACL: allows requests by default, contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP addresses to the IP Set

Page 23: 2016 Utah Cloud Summit: AWS WAF

AWS WAF Example: Blocking Bad Bots

• Use robots.txt to specify which areas of your site or web app should not be scraped
• Place the file in your web root
• Ensure there are links pointing to non-scrapable content
• Hide a trigger script that normal users don’t see and good bots ignore

$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/

<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>

Page 24: 2016 Utah Cloud Summit: AWS WAF

AWS WAF Example: Blocking Bad Bots

• Bad bots (ignoring your robots.txt) will request the hidden link

• Trigger script will detect the source IP of the request

• Trigger script requests change token

• Trigger script adds source IP to IP Set blacklist

• Web ACL will block subsequent request from that source

$ aws --endpoint-url https://waf.amazon.com/ waf get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
$ aws --endpoint-url https://waf.amazon.com/ waf update-ip-set --cli-input-json '{
    "IPSetId": "<<IP SET ID>>",
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f",
    "Updates": [
        {
            "Action": "INSERT",
            "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" }
        }
    ]
}'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
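As an added example, not code from the talk or from AWS, the Python below simulates the change-token protocol of the APIs slide (get a token, use it once, poll its status until INSYNC) and wires it to the honeypot trigger of the bad-bots example: every source IP seen requesting /honeypot/ is inserted into the IP set as a /32. `FakeWAFClient` is a stand-in for a real WAF client with the same three-call shape; the log line format, the "INSYNC after a fixed number of polls" propagation model and the sample addresses are constructed for the demo.

```python
"""Added example: simulated AWS WAF classic change-token workflow plus the
honeypot trigger script. FakeWAFClient is NOT boto3; it only mimics the call
sequence get_change_token -> update_ip_set -> get_change_token_status."""
import re
import uuid
from typing import Dict, List, Set

HONEYPOT_PATH = "/honeypot/"   # the path Disallowed in robots.txt and hidden in the page


class ChangeTokenError(Exception):
    """Raised when a change token is missing, unknown, or already used."""


class FakeWAFClient:
    """Token semantics follow the slide: a token obtained from get_change_token can
    be used ONCE to make a change; afterwards its status is PENDING until the change
    has propagated, when it becomes INSYNC (here: after a fixed number of polls)."""

    def __init__(self, polls_until_insync: int = 2) -> None:
        self.ip_sets: Dict[str, Set[str]] = {}
        self._unused: Set[str] = set()            # tokens issued but not yet spent
        self._pending: Dict[str, int] = {}        # spent token -> polls left before INSYNC
        self._polls = polls_until_insync

    def create_ip_set(self, ip_set_id: str) -> None:
        self.ip_sets[ip_set_id] = set()

    def get_change_token(self) -> str:
        token = str(uuid.uuid4())
        self._unused.add(token)
        return token

    def update_ip_set(self, ip_set_id: str, change_token: str, updates: List[dict]) -> str:
        if change_token not in self._unused:
            raise ChangeTokenError("change token missing, unknown or already used")
        self._unused.remove(change_token)         # a token is single-use
        for u in updates:
            desc = u["IPSetDescriptor"]
            if desc["Type"] != "IPV4":
                raise ValueError("demo supports IPV4 descriptors only")
            if u["Action"] == "INSERT":
                self.ip_sets[ip_set_id].add(desc["Value"])
            elif u["Action"] == "DELETE":
                self.ip_sets[ip_set_id].discard(desc["Value"])
        self._pending[change_token] = self._polls
        return change_token

    def get_change_token_status(self, change_token: str) -> str:
        if change_token not in self._pending:
            raise ChangeTokenError("no change was made with this token")
        if self._pending[change_token] > 0:
            self._pending[change_token] -= 1
            return "PENDING"
        return "INSYNC"


# Constructed access-log format (assumption): "<client ip> <method> <path> <status>"
_LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+) (\d{3})$")


def blacklist_honeypot_visitors(client: FakeWAFClient, ip_set_id: str,
                                log_lines: List[str]) -> List[str]:
    """The trigger script: each source IP that requested the honeypot path is
    inserted into the IP set as a /32, using a fresh change token per update.
    Returns the tokens so the caller can poll for propagation."""
    tokens: List[str] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or not m.group(3).startswith(HONEYPOT_PATH):
            continue
        cidr = f"{m.group(1)}/32"
        if cidr in client.ip_sets[ip_set_id]:
            continue                              # already listed; don't spend a token
        token = client.get_change_token()
        tokens.append(client.update_ip_set(ip_set_id, token, [
            {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": cidr}}]))
    return tokens


def wait_until_insync(client: FakeWAFClient, token: str, max_polls: int = 10) -> bool:
    """Poll the token until the change reports INSYNC or the poll budget is spent."""
    for _ in range(max_polls):
        if client.get_change_token_status(token) == "INSYNC":
            return True
    return False
```

Two details carry over to the real API: reusing a token is an error, so a trigger that batches several honeypot hits should put them all in one `Updates` list rather than reusing the token; and a block only takes effect once the status is INSYNC, so the trigger should not assume the bot is stopped the moment the update call returns.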

Page 25: 2016 Utah Cloud Summit: AWS WAF

Pricing

Three Pricing Dimensions

• Web ACL monthly charge: $5 / Web ACL
• Rule monthly charge: $1 / rule
• Request fee charge: $0.60 / million requests

Pricing is available online at: http://aws.amazon.com/waf/pricing/

Page 26: 2016 Utah Cloud Summit: AWS WAF

Pricing Example

ACME corporation runs 5 CloudFront distributions, one for each web site. ACME sets up 1 Web ACL with 10 shared rules and applies the Web ACL to each website. Each website has an average HTTP / HTTPS request volume of about 5.5 million, or a total of 275 million requests.

• ACME would be charged: (1 Web ACL @ $5) + (10 Rules @ $1 each) + (275 MM requests @ $0.60/MM)
• The total charge is: $5 for the Web ACL + $10 for Rules + $165 for requests = $170/month.
• This is in ADDITION to the CloudFront fees.

Page 27: 2016 Utah Cloud Summit: AWS WAF

Which WAF Solution is Right?

1. Do you need basic WAF protection such as IP black lists or referrer checking? (3)

2. Do you need protection against SQLi and XSS? (3)

3. Do you need rate-based protection against attacks like scrapers, bots, and/or HTTP floods? (1)

4. Do you need configurations that support basic customizations for your applications? (1,3)

5. Do you need configurations that are highly customized (e.g. full regex support) to your specific applications? (2)

6. Do you need to customize rules based on behavioral analysis? (2)

7. Do you need a WAF that offers a large library of rules and/or updates rules based on current and emerging threats? (2,4)

8. Do you require a third party (AWS consulting partner) to manage rules and customize your configurations? (4)

Page 28: 2016 Utah Cloud Summit: AWS WAF

AWS WAF: Q&A