AWS WAF introduction and live demo - Pop-up Loft Tel Aviv



Tel Aviv Loft, 9 March 2016

Tom Witman, Business Development, AWS Seattle

Today's Agenda

AWS WAF Overview
AWS WAF with CloudFront
AWS WAF Automation with AWS Lambda
Customer Example / Use Case: Magazine Luiza

What is a WAF?

A Web Application Firewall (WAF) is an appliance, server plugin, or software filter that applies a set of rules to HTTP traffic, providing Layer 7 (application) protection.

WAFs Come in Four Flavors

Pure Play: stand-alone appliance or software
CDN: bundled with a Content Delivery Network
Load Balancer: bundled with a load balancer
Universal Threat Manager (UTM): catch-all for miscellaneous security functions

What is AWS WAF?

A web application firewall (WAF) that gives you control over who (or what) can access your web applications.

Full-featured API
Customizable security
Integrated with Amazon CloudFront: protection at the edge
Use cases: protection against exploits, abuse, and application-layer DDoS

And you'll see how the customizability, APIs and integration with AWS can help you improve your website security.

Web site without AWS WAF

(Diagram labels: Good users, Attackers, Web site)


If you've operated a website on the internet, then you know there are a lot of bad requests flying around.

Website operators need tools to help them find and block bad requests.

Bad requests can be anything from specially crafted requests designed to exploit a vulnerability in your web application to steal data or take over your server, to volumetric attacks designed to take down your website, or just bots scraping all of your content to be posted on some other website.

Web site with Amazon CloudFront + AWS WAF

(Diagram labels: Good users, CloudFront, AWS WAF, Web site)

AWS WAF lets you create rules to detect and block bad stuff before it reaches your website.

We provide you with new visibility tools to see what kinds of requests are hitting your website and a flexible rule language that allows you to block requests.

Amazon CloudFront, Amazon Route 53, and AWS WAF Locations

54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents

Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations.

North America: 15 cities, 21 PoPs
Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO

South America: 2 cities, 2 PoPs
Rio de Janeiro, Brazil; São Paulo, Brazil

Europe / Middle East / Africa: 10 cities, 16 PoPs
Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia Pacific: 11 cities, 15 PoPs
Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)

(Map legend: Amazon Route 53, Edge location, AWS Region)

AWS WAF Set Up Questions

What do I want to take action on? (Conditions: IP match set / String match set / SQL injection match set)
Should I block, allow, or count? (Rules: precedence / rule / action)
What sites/distributions need these rules? (CloudFront distribution)
What should I call the container of these rules? (Web Access Control Lists, or WebACLs)
How do I see if the rules are working? (Real-time metrics, sampled web requests)


AWS WAF: WebACLs

WebACLs contain a set of conditions, rules, and actions.

WebACLs are applied to one or many CloudFront distributions.

WebACLs show you Real-Time Metrics & Sampled Web Requests for each rule.


AWS WAF: Conditions

Conditions are lists of criteria that identify components of web requests. Conditions include matching on the following:

IP address, i.e., /8, /16, /24, /32 ranges
Strings, i.e., URI, query string, header, etc.
SQL injection, i.e., looks for valid SQL statements

Conditions are logically disjoined, i.e., OR.


Incoming requests:
/login?x=test%20Id=10%20AND=1
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--

Transform: URL Decode
/login?x=test' UNION ALL select NULL --

Match: SQL Injection

Match Conditions: SQLi: False

Our built-in SQL injection match condition checks for valid SQL statements, not just simple keywords.

SQL injection usually occurs within query string parameters and request body.

To check the query string, use a URL decode transform to prevent URL-encoding evasions, and configure a match set that inspects the query string.


AWS WAF: Rules

Rules are sets of conditions with a predetermined action. Available actions are:

Block
Allow
Count

Rules can logically join conditions, i.e., AND. Rules can be applied to many WebACLs.
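The conditions, rules and WebACL slides above describe an evaluation model: criteria inside a condition are OR-ed, conditions inside a rule are AND-ed, rules run in priority order with Block/Allow/Count actions, and a transform such as URL Decode is applied to the inspected field before matching. The Python below is an added toy model of that evaluation, not AWS's code; the SQLi check is a deliberately small heuristic standing in for the built-in detector, and the rule set in build_demo_acl() (names, the 198.51.100.0/24 range, the scanner user-agent strings) is hypothetical. The two sample requests are the ones from the slides.

```python
"""Toy model of how AWS WAF (classic) evaluates a request. Added illustration,
not AWS code: conditions OR their criteria, a rule ANDs its conditions, and a
WebACL walks its rules in priority order before falling back to a default
action. The SQLi check is a small heuristic standing in for the built-in
detector; the sample requests are the two from the slides."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class Request:
    client_ip: str
    uri: str                                  # path plus optional query string
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def query_string(self) -> str:
        return urlsplit(self.uri).query


def url_decode(value: str) -> str:            # the "URL Decode" transform
    return unquote(value)


def apply_transforms(value: str, transforms) -> str:
    for transform in transforms:
        value = transform(value)
    return value


class IPMatchCondition:
    """True when the client IP is inside any listed range (criteria are OR-ed)."""
    def __init__(self, cidrs: List[str]):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]

    def matches(self, req: Request) -> bool:
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in net for net in self.nets)


class StringMatchCondition:
    """True when any needle (OR) occurs in the chosen field after transforms."""
    def __init__(self, get_field, needles: List[str], transforms=()):
        self.get_field, self.needles, self.transforms = get_field, needles, transforms

    def matches(self, req: Request) -> bool:
        value = apply_transforms(self.get_field(req), self.transforms)
        return any(needle in value for needle in self.needles)


# Simplified stand-in for the built-in SQLi detector: it looks for SQL structure
# (quote-led tautology, UNION ... SELECT, stacked statement), not bare keywords,
# so "test Id=10 AND=1" is not flagged while "test' UNION ALL select NULL --" is.
_SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),
]


class SQLiMatchCondition:
    def __init__(self, get_field, transforms=()):
        self.get_field, self.transforms = get_field, transforms

    def matches(self, req: Request) -> bool:
        value = apply_transforms(self.get_field(req), self.transforms)
        return any(p.search(value) for p in _SQLI_PATTERNS)


@dataclass
class Rule:
    name: str
    conditions: list                          # AND-joined
    action: str                               # "BLOCK", "ALLOW" or "COUNT"

    def matches(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.conditions)


@dataclass
class WebACL:
    rules: List[Rule]                         # priority order
    default_action: str = "ALLOW"

    def evaluate(self, req: Request) -> Tuple[str, List[str]]:
        """First matching ALLOW/BLOCK rule decides; a matching COUNT rule is
        recorded and evaluation continues; otherwise the default action applies."""
        counted: List[str] = []
        for rule in self.rules:
            if rule.matches(req):
                if rule.action == "COUNT":
                    counted.append(rule.name)
                    continue
                return rule.action, counted
        return self.default_action, counted


def query_string_of(r: Request) -> str:
    return r.query_string


def user_agent_of(r: Request) -> str:
    return r.headers.get("user-agent", "")


def build_demo_acl() -> WebACL:
    """Hypothetical rule set: block one bad range, count known scanner agents,
    block SQLi found in the URL-decoded query string."""
    return WebACL(rules=[
        Rule("block-bad-ips", [IPMatchCondition(["198.51.100.0/24"])], "BLOCK"),
        Rule("count-scanners", [StringMatchCondition(user_agent_of, ["sqlmap", "nikto"])], "COUNT"),
        Rule("block-sqli", [SQLiMatchCondition(query_string_of, transforms=(url_decode,))], "BLOCK"),
    ])


def evaluate_uri(uri: str, client_ip: str = "203.0.113.9", user_agent: str = "Mozilla/5.0"):
    return build_demo_acl().evaluate(Request(client_ip, uri, {"user-agent": user_agent}))


def sqli_detected(uri: str, decode: bool) -> bool:
    """Why the transform matters: the encoded payload only becomes visible to
    the SQLi condition once it has been URL-decoded."""
    cond = SQLiMatchCondition(query_string_of, transforms=(url_decode,) if decode else ())
    return cond.matches(Request("203.0.113.9", uri))
```

Two things the model makes visible that the slides only state: a COUNT rule that matches does not end evaluation (the scanner request is counted and then falls through to the default action), and without the URL Decode transform the second slide request never reaches the SQLi condition in a form it can recognise.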


AWS WAF: Resources

WebACLs: applied to CloudFront distributions today
Rule reusability: use one WebACL for all distributions
Flexibility: use an individual WebACL for each distribution
AWS Partners: developing integrations with AWS WAF
  Trend Micro: Deep Security
  GitHub: Threat Radar
  Alert Logic: Web Security Manager


AWS WAF: Reporting & Logs

Real-Time Metrics (CloudWatch):
Blocked web requests
Allowed web requests
Counted web requests

Adjust rules in response to real-time analysis. The time period can be adjusted by sliding the graph end points or via filters.


AWS WAF: End to End Flow

Create a WebACL
Create Conditions (IP, string match, SQL injection)
Create Rules and Actions (order, rule, action)
Associate the WebACL with a CloudFront distribution
Review and Deploy


AWS WAF: API & Data Types

API Actions: Create, Delete, Get, List, Update

Data Types: ChangeToken, ChangeTokenStatus, WebACL, IPSet, StringMatchSet, SQLInjectionMatchSet, Rule

The WAF API is a RESTful API that has five simple commands and five parameters. In addition, the API requires a change token to be used when calling commands.

The combination of a command and a parameter is an API action that can be carried out by AWS WAF.

There are two types of criteria that can be used to block or allow requests from being passed on to CloudFront or an ELB. The criteria are a ByteMatch Set and an IP Set. A ByteMatch set includes syntax that matches a header value, HTTP method, HTTP version, query string, or URI. A SQL injection parameter is also considered a variant of a ByteMatch set.

Actions are also known as default action types: ALLOW, BLOCK or COUNT.


AWS WAF: APIs

Get Change Token: a change token can only be used once to make a change to WAF resources.
Use Token to Make a Change: provide the change token with the change request.
Check Status Using Token: use the token to determine the status of your changes. INSYNC means the changes were propagated.
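The three-step token flow above (get a token, spend it on one change, poll the status until INSYNC) is what every automation against the classic WAF API has to get right. The Python below is an added example, not AWS sample code: provision_ip_set() creates an IPSet and inserts ranges using the boto3 'waf' client method names (get_change_token, create_ip_set, update_ip_set, get_change_token_status). It only needs an object exposing those methods, so it runs against a real boto3.client("waf") or against the constructed FakeWafClient included here, which mimics the response shapes and refuses a token that is presented a second time. The IPSet name and the 198.51.100.0/24 and 203.0.113.7/32 ranges are constructed sample values.

```python
"""Change-token workflow for the AWS WAF (classic) API, as an added example
rather than AWS sample code: get a token, spend it on exactly one change, then
poll its status until INSYNC. provision_ip_set() only needs an object with the
boto3 'waf' client methods it calls, so it works with a real
boto3.client("waf") or with the constructed FakeWafClient below, which keeps
the same response shapes and enforces the single-use rule."""
import time
import uuid
from typing import Iterable


class ChangeTokenReused(Exception):
    """Raised by the fake when a token is presented for a second change
    (the real service rejects such a call with a stale-data error)."""


class FakeWafClient:
    """Constructed in-memory stand-in for boto3.client('waf')."""
    def __init__(self, polls_until_insync: int = 2):
        self.tokens = {}            # token -> PROVISIONED | PENDING | INSYNC
        self.polls_left = {}        # token -> status polls remaining before INSYNC
        self.ip_sets = {}           # IPSetId -> IPSet dict shaped like the API response
        self._polls = polls_until_insync

    def get_change_token(self):
        token = str(uuid.uuid4())
        self.tokens[token] = "PROVISIONED"
        return {"ChangeToken": token}

    def _spend(self, token):
        if self.tokens.get(token) != "PROVISIONED":
            raise ChangeTokenReused(f"change token {token} already used or unknown")
        self.tokens[token] = "PENDING"
        self.polls_left[token] = self._polls

    def create_ip_set(self, Name, ChangeToken):
        self._spend(ChangeToken)
        ip_set = {"IPSetId": str(uuid.uuid4()), "Name": Name, "IPSetDescriptors": []}
        self.ip_sets[ip_set["IPSetId"]] = ip_set
        return {"IPSet": ip_set, "ChangeToken": ChangeToken}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        self._spend(ChangeToken)
        descriptors = self.ip_sets[IPSetId]["IPSetDescriptors"]
        for update in Updates:
            if update["Action"] == "INSERT":
                descriptors.append(update["IPDescriptor"])
            else:
                descriptors.remove(update["IPDescriptor"])
        return {"ChangeToken": ChangeToken}

    def get_change_token_status(self, ChangeToken):
        status = self.tokens[ChangeToken]
        if status == "PENDING":
            self.polls_left[ChangeToken] -= 1
            if self.polls_left[ChangeToken] <= 0:
                status = self.tokens[ChangeToken] = "INSYNC"
        return {"ChangeTokenStatus": status}


def wait_for_insync(client, token: str, timeout_s: float = 60.0, interval_s: float = 1.0) -> int:
    """Poll GetChangeTokenStatus until INSYNC; returns how many polls it took."""
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        polls += 1
        status = client.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"]
        if status == "INSYNC":
            return polls
        if time.monotonic() > deadline:
            raise TimeoutError(f"change token {token} still {status} after {timeout_s}s")
        time.sleep(interval_s)


def provision_ip_set(client, name: str, cidrs: Iterable[str], interval_s: float = 1.0) -> str:
    """Create an IPSet and insert IPv4 ranges, using a fresh token for each change."""
    token = client.get_change_token()["ChangeToken"]
    ip_set_id = client.create_ip_set(Name=name, ChangeToken=token)["IPSet"]["IPSetId"]
    wait_for_insync(client, token, interval_s=interval_s)

    updates = [{"Action": "INSERT", "IPDescriptor": {"Type": "IPV4", "Value": c}} for c in cidrs]
    token = client.get_change_token()["ChangeToken"]   # first token is spent; fetch a new one
    client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    wait_for_insync(client, token, interval_s=interval_s)
    return ip_set_id


def token_reuse_is_rejected(client) -> bool:
    """Spend a token twice and report whether the second use was refused."""
    token = client.get_change_token()["ChangeToken"]
    client.create_ip_set(Name="example-reuse-check", ChangeToken=token)
    try:
        client.create_ip_set(Name="example-reuse-check-2", ChangeToken=token)
    except Exception:
        return True
    return False


def run_demo():
    """Offline run against the fake; swap in boto3.client('waf') for real use."""
    client = FakeWafClient(polls_until_insync=2)
    ip_set_id = provision_ip_set(client, "blocklist",
                                 ["198.51.100.0/24", "203.0.113.7/32"], interval_s=0)
    values = [d["Value"] for d in client.ip_sets[ip_set_id]["IPSetDescriptors"]]
    all_insync = all(s == "INSYNC" for s in client.tokens.values())
    return {"values": values, "all_insync": all_insync,
            "reuse_rejected": token_reuse_is_rejected(client)}
```

The polling loop has a deadline on purpose: a token that never reaches INSYNC should surface as an error in your automation rather than hang a Lambda function until its own timeout.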


AWS WAF + AWS Lambda = Automatic Protection

2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


What is AWS Lambda?

Lambda automatically runs your code without requiring you to provision servers.

Serverless scripting; event-driven actions
Integrated with other AWS services
Use cases: scheduled events, provisioning services, and customer analysis

Our demos prominently feature the use of Lambda, a scripting environment that allows you to develop and operate your own automation without having to manage server infrastructure.

By combining AWS WAF and AWS Lambda you can create automation to improve the security of your website.

Why build automated security?

Bad guys are adaptive and persistent
Better protection
Integrate application-specific or open-source data sources
Sophisticated out-of-band analysis

Provides better protection
Out-of-band analysis doesn't affect performance
Experts are moving towards an automated model

A traditional security model tends to make use of "set and forget" rules.

Automated security

(Diagram labels: Good users, Logs, Threat analysis, Rule updater, Web site)

Automated web security looks like this. Amazon uses techniques just like this to find fraud and bad bots.

Automated security: traditional data center

(Diagram labels: Good users, Logs, Threat analysis, Rule updater, Web site)

In a non-AWS world, this kind of analysis is a challenge: logs mean lots of storage and lots of compute, and scaled, reliable blocking is challenging.


Automated security: AWS makes it easier

(Diagram labels: Good users, Logs, Threat analysis, Rule updater, Web site)

In AWS, all of this is possible without managing servers: no server instances.

Other AWS Services we'll use

Amazon CloudFront
Amazon CloudWatch
AWS CloudFormation
Amazon S3
Amazon API Gateway

AWS WAF connects seamlessly with the AWS ecosystem


Types of attacks that can be automated

HTTP floods
Scans & probes
IP reputation lists
Bots & scrapers


IP reputation lists

Collection of IP addresses with a bad reputation based on sending history
Open proxies or known hosts that send spam/trojans/viruses
Constantly changing/updating
Solution: import open-source lists (e.g., Emerging Threats, SSL blacklist, Tor node list) and update the lists using CloudWatch Events
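The "constantly changing" point is the part that needs code: each scheduled run has to turn a downloaded list into the set of INSERT and DELETE operations that UpdateIPSet takes, keeping the IPSet in step with the feed rather than only growing it. The Python below is an added example, not the AWS Lambda sample the talk demos: parse_feed() normalises a feed into the /8, /16, /24 and /32 IPv4 ranges listed on the Conditions slide (splitting other prefix sizes), and plan_updates() diffs that against the ranges currently in the IPSet. The feed text is constructed, as are the batch-size parameter and the current-set values; real feeds such as the Emerging Threats or Tor lists share the one-entry-per-line shape.

```python
"""Turn a downloaded IP reputation feed into the Updates payload that the AWS
WAF (classic) UpdateIPSet call takes, as an added example (not the AWS Lambda
sample). The feed text is constructed; real feeds such as the Emerging Threats
or Tor exit lists have the same one-entry-per-line shape. IPv4 only."""
import ipaddress
from typing import Dict, Iterable, List, Set

# IPv4 descriptors in AWS WAF classic accept only these prefix lengths
# (the Conditions slide lists /8, /16, /24 and /32), so other sizes are split.
ALLOWED_V4_PREFIXES = (8, 16, 24, 32)

SAMPLE_FEED = """\
# constructed sample feed: comments and blank lines are ignored
198.51.100.7
198.51.100.7            # duplicate, collapses to one entry
203.0.113.0/24
192.0.2.0/23            # /23 is not representable, becomes two /24s
not-an-address          # junk is skipped rather than failing the whole run
10.0.0.1/33             # invalid prefix length, skipped
"""


def parse_feed(text: str) -> Set[str]:
    """Canonical IPv4 CIDR strings from a feed, split to allowed prefix sizes."""
    wanted: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare IPs become /32
        except ValueError:
            continue
        if net.version != 4:
            continue
        if net.prefixlen in ALLOWED_V4_PREFIXES:
            wanted.add(str(net))
        else:
            # next larger allowed prefix length, e.g. /23 -> /24, /30 -> /32
            target = min(p for p in ALLOWED_V4_PREFIXES if p > net.prefixlen)
            wanted.update(str(s) for s in net.subnets(new_prefix=target))
    return wanted


def ip_descriptor(action: str, cidr: str) -> Dict:
    """One element of the Updates list that UpdateIPSet expects."""
    return {"Action": action, "IPDescriptor": {"Type": "IPV4", "Value": cidr}}


def plan_updates(current: Iterable[str], desired: Iterable[str]) -> List[Dict]:
    """DELETE what dropped off the feed, INSERT what is new; sorted for stable diffs."""
    current_set, desired_set = set(current), set(desired)
    return ([ip_descriptor("DELETE", c) for c in sorted(current_set - desired_set)]
            + [ip_descriptor("INSERT", c) for c in sorted(desired_set - current_set)])


def batches(updates: List[Dict], size: int) -> List[List[Dict]]:
    """UpdateIPSet caps the number of updates per call; the cap is not hard-coded
    here (size is a placeholder parameter), so callers pass the current quota."""
    return [updates[i:i + size] for i in range(0, len(updates), size)]
```

In a scheduled Lambda function the current values come from GetIPSet (the Value field of each IPSetDescriptor), each batch goes to UpdateIPSet with a fresh change token, and an empty plan means the feed has not changed since the last run, so no token needs to be spent at all.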

IP reputation lists

HTTP Floods

Legitimate requests at a level that excessively consumes web server