2016 Utah Cloud Summit: AWS WAF



Tom Witman

What is a WAF?

A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.

WAFs come in four flavors:
  Pure play: stand-alone appliance or software
  CDN: bundled with a Content Delivery Network
  Load balancer: bundled with a load balancer
  Universal Threat Manager (UTM): catch-all for miscellaneous security

First of all, let's make sure we are all on the same page. What is a WAF? Quite simply, a WAF is a Web Application Firewall. It is an application-layer firewall used to protect web assets from various forms of attack. A WAF is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic. Another way to look at it: a web security service providing OSI Layer 7 protection by monitoring HTTP and HTTPS requests and restricting access to web applications.

Why use a WAF?

WAFs help protect web sites and applications against attacks that cause data breaches and downtime.

General WAF use cases:
  Protect from SQL Injection (SQLi) and Cross-Site Scripting (XSS)
  Prevent web site scraping, crawlers, and bots
  Mitigate DDoS (HTTP/HTTPS floods)

Common attacks include high volume request traffic for content from a single IP address or a range of IP addresses.

CDN-based WAFs filter requests at edge locations before content is served or requests are forwarded to the origin server.

What is AWS WAF?

AWS WAF is a CDN-bundled WAF: create rule-based web ACLs to block requests.

Unique aspects of AWS WAF are:
  Customizable rules created by customers to avoid false positives
  Full-featured API: this is a DevOps WAF that can be deployed inline with new web sites and applications
  Integrated with AWS (CloudFront, CloudWatch, with more to come) and with partners (Alert Logic, Trend Micro, Imperva, more to come)
  Pay-as-you-go pricing


CloudFront w/o WAF

[Diagram: users, hackers, bad bots, site scraping, SQL injection, XSS and other attacks all arrive as traffic at a CloudFront edge location, which forwards everything, legitimate and malicious, to the origin: EC2, or an origin server and origin storage in the customer's on-premises environment.]


Traditional WAF Deployment

[Diagram: the same mix of traffic (users, hackers, bad bots, site scraping, SQL injection, XSS and other attacks, legitimate traffic) reaches a CloudFront edge location and is forwarded to the origin. On AWS, the WAF runs on EC2 inside an ELB sandwich (ELB, WAF instances, ELB) in front of the origin; on premises, it sits in front of the origin server and origin storage in the customer's environment.]

WAF on EC2 in an ELB sandwich (complexity and latency)

The benefit of deploying a WAF sandwich, while complex, is that it tends to scale, whereas the on-premises solution is not scalable and requires infrastructure investment in order to properly protect web assets.

CloudFront w/ AWS WAF

[Diagram: the same mix of traffic (users, hackers, bad bots, site scraping, SQL injection, XSS and other attacks, legitimate traffic) reaches a CloudFront edge location; AWS WAF evaluates requests there, so only legitimate traffic is forwarded to the origin: EC2, or an origin server and origin storage in the customer's on-premises environment.]

Malicious traffic is blocked by WAF rules at edge locations. (Notes: can be a custom origin; can be static and dynamic content; show the other on-premises + S3 layout.)

All customers have to do is point CloudFront to an origin and enable the WAF; this highlights the ease of using CloudFront. CloudFront is becoming more of an application delivery platform than just a CDN. Here is a typical layout, but you can use a custom origin.


Amazon CloudFront, Amazon Route 53, and AWS WAF Locations

54 CloudFront edge locations (PoPs), 38 cities, 5 continents. Amazon CloudFront and Amazon Route 53 services are offered at AWS edge locations.

North America (15 cities, 21 PoPs): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO

South America (2 cities, 2 PoPs): Rio de Janeiro, Brazil; São Paulo, Brazil

Europe / Middle East / Africa (10 cities, 16 PoPs): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia Pacific (11 cities, 15 PoPs): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)

[Map legend: Amazon Route 53, edge location, AWS Region]

AWS WAF Component Questions

  What do I want to take action on? (Conditions: IP / string match set / SQL injection match set)
  Should I block, allow, or count? (Rules: precedence / rule / action)
  What sites/distributions need these rules? (CloudFront distribution)
  What should I call the container of these rules? (Web Access Control Lists, Web ACLs)
  How do I see if the rules are working? (Real-time metrics, sampled web requests)


AWS WAF: Web ACLs

Web ACLs contain a set of conditions, rules, and actions.

Web ACLs are applied to one or many CloudFront distributions.

Web ACLs show you Real-Time Metrics & Sampled Web Requests for each rule.


AWS WAF: Conditions

Conditions are lists of criteria that identify components of web requests. Conditions include matching on the following:
  IP address, i.e., /8, /16, /24, /32
  Strings, i.e., URI, query string, header, etc.
  SQL injection, i.e., looks for valid SQL statements
Conditions are logically disjoined, i.e., OR.


[Diagram: query-string inspection flow]
  Requests:  /login?x=test%20Id=10%20AND=1
             /login?x=test%27%20UNION%20ALL%20select%20NULL%20--
  Transform: URL decode, e.g. /login?x=test' UNION ALL select NULL --
  Match:     SQL injection (match condition: SQLi), evaluating to True or False per request


Our built-in SQL injection match condition checks for valid SQL statements, not just simple keywords.

SQL injection usually occurs within query string parameters and the request body.

To check the query string, use a URL decode transform to prevent URL-encoding evasions, and configure a match set to check the query string.
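As an added example (not from the slides), a Python sketch of the evaluation the slide walks through: the query string is run through the configured text transformation first and only then checked. The SQLi patterns are a constructed simplification, not AWS WAF's real detector, and the third request is constructed; the transform names mirror the condition settings on the slide.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample requests: the two from the slide plus a benign one.
REQUESTS = [
    "/login?x=test%20Id=10%20AND=1",
    "/login?x=test%27%20UNION%20ALL%20select%20NULL%20--",
    "/login?x=hello",
]

# Simplified stand-in for the built-in SQLi condition. AWS WAF looks for
# syntactically valid SQL fragments; a few classic shapes are enough here
# to show why the transform matters. This is NOT the real detector.
SQLI_PATTERNS = [
    re.compile(r"'\s*union\s+(all\s+)?select\b", re.I),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    re.compile(r";\s*(drop|delete|insert|update)\s", re.I),
]

# Text transformations applied before matching, in the order configured.
TRANSFORMS = {
    "NONE": lambda s: s,
    "URL_DECODE": unquote,
    "LOWERCASE": str.lower,
}


def query_string(path: str) -> str:
    """Field to match: the raw (still percent-encoded) query string."""
    return urlsplit(path).query


def sqli_match(path: str, transforms=("NONE",)) -> bool:
    """Apply the transforms in order, then test the query string."""
    value = query_string(path)
    for name in transforms:
        value = TRANSFORMS[name](value)
    return any(p.search(value) for p in SQLI_PATTERNS)


def evaluate(transforms=("NONE",)):
    """Condition result for each sample request under the given transforms."""
    return [sqli_match(r, transforms) for r in REQUESTS]
```

Without URL_DECODE the encoded UNION request slips past the check; with it, the second request matches while the first (no valid SQL) and the benign one do not.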


AWS WAF: Rules

Rules are sets of conditions with a predetermined action. Available actions are:
  Block
  Allow
  Count
Rules can logically join conditions, i.e., AND.
Rules can be applied to many Web ACLs.


AWS WAF: Resources

Web ACLs: applied to CloudFront distributions today
  Rule R: use one Web ACL for all distributions
  Flexibility: use an individual Web ACL for each distribution
AWS Partners: developing integrations with AWS WAF
  Trend Micro: Deep Security
  Imperva: ThreatRadar
  Alert Logic: Web Security Manager


AWS WAF: Reporting & Logs

Real-time metrics (CloudWatch):
  Blocked web requests
  Allowed web requests
  Counted web requests
Adjust rules in response to real-time analysis.
The time period can be adjusted by sliding the graph end points or via filters.


[Diagram: request flow]
  1. HTTP/HTTPS request made for content to CloudFront
  2. CloudFront checks whether the request needs WAF inspection
  3. WAF reviews the request and instructs CloudFront to allow or deny it
  4. Content delivered via CloudFront, or error page delivered by CloudFront
  5. WAF sends metrics to CloudWatch; the customer can update rules via the API




AWS WAF: End-to-End Flow

  1. Create a Web ACL
  2. Create conditions (IP, string match, SQL injection)
  3. Create rules and actions (order, rule, action)
  4. Associate the Web ACL with a CloudFront distribution
  5. Review and create


AWS WAF: API & Data Types

API actions: Create, Delete, Get, List, Update

Data types: ChangeToken, ChangeTokenStatus, WebACL, IPSet, StringMatchSet, SQLInjectionMatchSet, Rule

The WAF API is a RESTful API that has five simple commands and five parameters. In addition, the API requires a change token to be supplied when calling commands that make changes.

The combination of a command and a parameter is an API action that can be carried out by AWS WAF.

There are two types of criteria that can be used to block or allow requests before they are passed on to CloudFront or an ELB: a ByteMatch set and an IP set. A ByteMatch set includes syntax that matches a header value, HTTP method, HTTP version, query string, or URI. A SQL injection parameter is also considered a variant of a ByteMatch set.

Actions are also known as default action types: ALLOW, BLOCK, or COUNT.


AWS WAF: APIs

  Get change token: a change token can only be used once to make a change to WAF resources.
  Use token to make a change: provide the change token to the change request.
  Check status using token: use the token to determine the status of your changes. INSYNC means the changes were propagated.


AWS WAF: GetChangeToken

  $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
  {
      "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff"
  }

I've got a few notes to help you with API and CLI usage.

First, change tokens are required for any create or update operation. These drive our optimistic lock mechanisms to prevent your changes from conflicting with each other, and they are used to track change sync status throughout the system.

So to make any change, first call the API to get a change token.

AWS WAF: Create*

  $ aws --endpoint-url https://waf.amazonaws.com/ waf create-web-acl --name BetaTest --metric-name BetaTest --default-action Type=ALLOW --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff

In my create call, I pass the change token as a parameter.

AWS WAF: GetChangeTokenStatus

  $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
  { "ChangeTokenStatus":{ ChangeToken":"d4c4f53b-9c7e
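The three-step change-token workflow above (get token, make the change with it, poll status until INSYNC), as an added Python example that is not from the slides. It uses the boto3 WAF Classic method names (get_change_token, create_web_acl, get_change_token_status); the FakeWaf class is a constructed offline stand-in with placeholder token values so the block runs without AWS credentials, and a real boto3.client("waf") can be passed in its place.

```python
import time

def change_waf(waf, operation, **params):
    """Run one mutating WAF call with a fresh, single-use change token. `waf` is a
    boto3 WAF client (or any object with the same method names), `operation` a
    method name such as "create_web_acl"."""
    token = waf.get_change_token()["ChangeToken"]                     # 1. get token
    response = getattr(waf, operation)(ChangeToken=token, **params)   # 2. use it once
    return token, response

def wait_until_insync(waf, token, timeout=60, interval=2):
    """3. Poll GetChangeTokenStatus until the change has propagated."""
    deadline = time.monotonic() + timeout
    while True:
        status = waf.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"]
        if status == "INSYNC":
            return status
        if time.monotonic() >= deadline:
            raise TimeoutError(f"change token {token} still {status}")
        time.sleep(interval)

class FakeWaf:
    """Constructed offline stand-in for the boto3 WAF client (not the real API):
    tokens are single-use and move PROVISIONED -> PENDING -> INSYNC across polls."""
    def __init__(self):
        self._n, self._tokens, self.web_acls = 0, {}, {}

    def get_change_token(self):
        self._n += 1
        token = f"fake-token-{self._n:04d}"                   # placeholder value
        self._tokens[token] = "PROVISIONED"
        return {"ChangeToken": token}

    def create_web_acl(self, Name, MetricName, DefaultAction, ChangeToken):
        if self._tokens.get(ChangeToken) != "PROVISIONED":  # stale or reused token
            raise ValueError("WAFStaleDataException: token missing or already used")
        self._tokens[ChangeToken] = "PENDING"
        self.web_acls[Name] = {"MetricName": MetricName, "DefaultAction": DefaultAction}
        return {"ChangeToken": ChangeToken, "WebACL": {"Name": Name}}

    def get_change_token_status(self, ChangeToken):
        status = self._tokens[ChangeToken]
        if status == "PENDING":                              # next poll reports INSYNC
            self._tokens[ChangeToken] = "INSYNC"
        return {"ChangeTokenStatus": status}

def demo(waf=None):
    """Create the BetaTest web ACL from the slide and wait for it to sync."""
    waf = waf or FakeWaf()
    token, _ = change_waf(waf, "create_web_acl", Name="BetaTest",
                          MetricName="BetaTest", DefaultAction={"Type": "ALLOW"})
    return wait_until_insync(waf, token, timeout=5, interval=0)
```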
