(SEC323) New: Securing Web Applications with AWS WAF


  1. SEC323: Securing Web Applications with AWS WAF. Nate Dye, AWS Edge Services, October 2015. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from this session: Deep dive AWS WAF; Web defense strategies; Automation for better security. (AWS WAF 301)
  4. Why AWS WAF? Application vulnerabilities. (Diagram: good users and bad guys both reach the web server and its database; the bad guys send exploit code.)
  5. Why AWS WAF? Abuse. (Same diagram: good users and bad guys, web server, database.)
  6. Why AWS WAF? Application DDoS. (Same diagram.)
  7. What is AWS WAF? (Diagram: AWS WAF now sits between the users and the web server and database.)
  8. What is AWS WAF? AWS WAF rules: 1: BLOCK requests from bad guys. 2: ALLOW requests from good guys.
  10. Traditional WAF: setup is complex and slow.
  11. Traditional WAF: rules with too many false positives.
  12. Traditional WAF: no APIs for automation.
  13. AWS WAF
  14. AWS WAF: block or allow web requests; monitor security events.
  15. AWS WAF with Amazon CloudFront: new API and console; protect websites and content.
  16. Benefits of AWS WAF: practical security made easy; customizable and flexible; integrates with development.
  20. What to expect from this session (next: Deep dive AWS WAF): Web defense strategies; Automation for better security; Deep dive AWS WAF. (AWS WAF 301)
  21. Setting Up AWS WAF: 1. Create a web ACL. 2. Add a rule. 3. Add match conditions. 4. Assign it to CloudFront. Example policy: ALLOW requests by default, but BLOCK if the source IP matches this list, for any request to d123.cloudfront.net.
  22. Setting Up AWS WAF
  23. But wait, there's more. Match conditions: IP, String, SQLi. Customizable rules: AND/OR; block, allow, or count; ordered conditions. Fast feedback: ~1 minute for changes; 1-minute metrics; request samples.
  25. Match conditions: IPSets. CIDR notation on octet boundaries: 192.0.0.0/8 (matches 192.*.*.*), 192.168.0.0/16, 192.168.32.0/24, 192.168.32.64/32 (matches one full IP address exactly).
  26. Match conditions: IPSets. 1,000 CIDRs per IPSet; 10,000 CIDRs per web ACL. Matches the connecting IP, not X-Forwarded-For (XFF).
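The IPSet rules on slides 25 and 26, as a small local simulation. This is an added example, not code from the deck or from AWS: it enforces the octet-boundary and 1,000-CIDR limits the slides state, and matches only the connecting IP, so an X-Forwarded-For header (client-controlled, and ignored by the WAF) cannot move a request in or out of the set. The CIDRs and requests are constructed for the demo.

```python
import ipaddress

# Limits as stated on the slides (constants for this simulation).
MAX_CIDRS_PER_IPSET = 1_000
OCTET_BOUNDARY_PREFIXES = {8, 16, 24, 32}


def build_ipset(cidrs):
    """Validate an IPSet the way the slides describe it: IPv4 CIDRs on octet
    boundaries only, at most 1,000 descriptors. Returns ip_network objects."""
    if len(cidrs) > MAX_CIDRS_PER_IPSET:
        raise ValueError(f"an IPSet holds at most {MAX_CIDRS_PER_IPSET} CIDRs")
    nets = []
    for cidr in cidrs:
        # strict=True rejects descriptors with host bits set, e.g. 192.168.32.64/24
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen not in OCTET_BOUNDARY_PREFIXES:
            raise ValueError(f"{cidr}: prefix length must be /8, /16, /24 or /32")
        nets.append(net)
    return nets


def ipset_matches(nets, request):
    """Match on the TCP connecting IP only. The X-Forwarded-For header is
    supplied by the client, and per the slides it is not consulted, so a
    client behind a proxy is seen as the proxy's address."""
    ip = ipaddress.ip_address(request["connecting_ip"])
    return any(ip in net for net in nets)


if __name__ == "__main__":
    blocklist = build_ipset(["192.0.0.0/8", "198.51.100.0/24", "203.0.113.7/32"])
    # Constructed requests; the second carries an XFF header that does not match
    # the set, but the connecting IP does, so it is still blocked.
    requests = [
        {"connecting_ip": "192.10.20.30", "headers": {}},
        {"connecting_ip": "198.51.100.9", "headers": {"X-Forwarded-For": "10.0.0.1"}},
        {"connecting_ip": "10.0.0.1", "headers": {}},
    ]
    for r in requests:
        print(r["connecting_ip"], "BLOCK" if ipset_matches(blocklist, r) else "no match")
```

Because the set is keyed on the connecting address, traffic that arrives through a shared proxy or NAT is matched as one address; that is the trade-off behind the "not XFF" note on the slide.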
  27. Match conditions: Strings and bytes. Match any part of the web request. Common use case: Referrer whitelisting.
  28. Match conditions: Strings and bytes. Match any part of the web request. CloudFront hands the raw request headers to AWS WAF (Host: www.example.com; User-Agent: Mozilla/5.0 (Macintosh; ...); Accept: image/png,image/*;q=0.8,*/*;q=0.5; Accept-Language: en-US,en;q=0.5; Accept-Encoding: gzip, deflate; Referrer: http://www.example.com/; Connection: keep-alive). Rule with a string match condition: Check: Header Referrer; Match Type: Contains; Match: example.com; Action: ALLOW. (Good users.)
  29. Match conditions: Strings and bytes. Use transforms to stop evasion. A scraper bot sends the same headers with User-Agent: badbot. Rule with a string match condition: Check: Header User-Agent; Match Type: Contains; Match: badbot; Action: BLOCK. (Scraper bot.)
  30. Match conditions: Strings and bytes. Use transforms to stop evasion. The scraper now sends User-Agent: bAdBoT and Referrer: http://www.InTeRnEtkItTiEs.com/. Rule with a string match condition: Check: Header User-Agent; Transform: To lower; Match Type: Contains; Match: badbot; Action: BLOCK. (Scraper bot.)
  31. Match conditions: Strings and bytes. Flexible match conditions: 1. Contains; 2. Exact; 3. Begins with; 4. Ends with; 5. Contains word.
  32. Match conditions: Strings and bytes. Malicious binary? We can find it. 1. Select the binary file (bad.bin; its first bytes are 8950 4e47 0d0a 1a0a 0000 000d). 2. Base64 encode it: $> base64 bad.bin gives iVBORw0KGgoAAAAN. 3. Set the match criteria to that Base64 string.
  33. Match conditions: Strings and bytes. 10 matches per string match set; 1,000 matches in a web ACL.
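The string match conditions of slides 28 to 31, as an added local simulation (not code from the deck or from AWS). It parses a raw header block like the one CloudFront passes to the WAF, applies a text transformation to the request field before matching (the slide's "To lower"), and implements the five positional constraints. The header block is constructed from the slide's scraper-bot example; the transform and constraint names follow the ones the AWS WAF API uses, but the evaluation logic here is this example's own.

```python
import re

# Constructed raw request, shaped like the CloudFront header dump on slide 30.
RAW_HEADERS = """\
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
"""


def parse_headers(raw):
    """Header names are case-insensitive, so key them lower-cased."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def apply_transform(value, transform):
    """Text transformation applied to the request field (never to the target)
    before the comparison. LOWERCASE is the slide's "To lower"."""
    if transform == "NONE":
        return value
    if transform == "LOWERCASE":
        return value.lower()
    if transform == "COMPRESS_WHITE_SPACE":
        return re.sub(r"\s+", " ", value)
    raise ValueError(f"unknown transform {transform}")


def string_matches(field_value, target, constraint, transform="NONE"):
    """Evaluate one string match condition with one of the five positional
    constraints listed on slide 31."""
    haystack = apply_transform(field_value, transform)
    if constraint == "CONTAINS":
        return target in haystack
    if constraint == "EXACTLY":
        return haystack == target
    if constraint == "STARTS_WITH":
        return haystack.startswith(target)
    if constraint == "ENDS_WITH":
        return haystack.endswith(target)
    if constraint == "CONTAINS_WORD":
        # The target must appear as a whole word, bounded by non-word characters.
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(target) + r"(?![A-Za-z0-9_])"
        return re.search(pattern, haystack) is not None
    raise ValueError(f"unknown constraint {constraint}")


def evaluate_header_rule(headers, header, target, constraint, transform, action):
    """Return the rule's action if the named header matches, otherwise None."""
    value = headers.get(header.lower(), "")
    return action if string_matches(value, target, constraint, transform) else None


if __name__ == "__main__":
    h = parse_headers(RAW_HEADERS)
    # Slide 29's rule misses the mixed-case evasion; slide 30's transform catches it.
    print(evaluate_header_rule(h, "User-Agent", "badbot", "CONTAINS", "NONE", "BLOCK"))
    print(evaluate_header_rule(h, "User-Agent", "badbot", "CONTAINS", "LOWERCASE", "BLOCK"))
    # The referrer whitelist rule from slide 28 no longer allows this request.
    print(evaluate_header_rule(h, "Referrer", "example.com", "CONTAINS", "LOWERCASE", "ALLOW"))
```

The point of applying the transform to the request side only is that the target string stays exactly what you configured; a rule whose target contains uppercase letters while the transform lowercases the field can never match, which is worth checking when a rule that "should" fire never does.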
  34. Match conditions: SQLi. Check your query strings; URL decode.
  35. Match conditions: SQLi. Raw request: /login?x=test%27%20UNION%20ALL%20select%20NULL%20-- . After Transform: URL Decode: /login?x=test' UNION ALL select NULL -- . Match: SQL Injection = True. Check your query strings; URL decode.
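Why the URL Decode transform matters for the SQLi condition on slides 34 and 35, as an added example (not the deck's code, and not the AWS WAF SQLi engine, which uses a far broader rule set than the single constructed signature here). The function applies one decode pass to each query-string value, as a transform would, and tests it; it also shows the single-pass caveat: a value that was percent-encoded twice still looks harmless after one decode, so what your backend does with it decides the real exposure.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed signature for the slide's example: a quote closing a literal,
# then UNION [ALL] SELECT. Detection only; real engines use many more rules.
SQLI_UNION_SELECT = re.compile(r"'\s*union\s+(all\s+)?select\b", re.IGNORECASE)


def query_values(uri):
    """Raw (still percent-encoded) value of every query-string parameter."""
    query = urlsplit(uri).query
    values = []
    for part in query.split("&"):
        if not part:
            continue
        values.append(part.split("=", 1)[1] if "=" in part else "")
    return values


def inspect_query(uri, url_decode=True):
    """Apply the URL Decode transform (a single pass, as a WAF transform does)
    and test each value. Returns (values_as_inspected, matched)."""
    values = query_values(uri)
    if url_decode:
        values = [unquote(v) for v in values]
    matched = any(SQLI_UNION_SELECT.search(v) for v in values)
    return values, matched


if __name__ == "__main__":
    uri = "/login?x=test%27%20UNION%20ALL%20select%20NULL%20--"
    # Without the transform the quote is still %27 and the signature cannot fire.
    print(inspect_query(uri, url_decode=False))
    # With it, the value reads test' UNION ALL select NULL -- and matches.
    print(inspect_query(uri))
    # Double-encoded input survives one decode pass as %27/%20 and is not matched.
    print(inspect_query("/login?x=test%2527%2520UNION%2520ALL%2520select"))
```

A useful habit is to keep the transform chain on the WAF aligned with the decoding your application actually performs: a framework that decodes twice needs the WAF to inspect the twice-decoded form too, or the condition inspects a different string than the one that reaches the database.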
  37. Combining conditions: restrict a rule to specific URIs, such as the login page. (Diagram: the public Internet and the Seattle admins both reach AWS WAF; /admin/login.cgi is treated differently from /*.)
  38. Combining conditions: restrict a rule to specific URIs, such as the login page, by combining an IP match with a string match in one rule.
  39. Adding whitelist exceptions: you can whitelist with ALLOW actions on a rule.
  40. Reuse conditions: you can reuse any part of a web ACL. (Diagram: two CloudFront distributions, Web ACL #1 and Web ACL #2, sharing one blacklist.)
  42. Observing rules in action: finding requests that match your rules.
  43. Setting up detection alarms.
  44. Building blocks for web security: APIs, SDKs, and CLIs! SDKs: Java, Python (boto), PHP, .NET, Ruby, Node.js, iOS, Android, JavaScript. Tools: AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell, AWS CLI.
  45. GetChangeToken
      $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
      {
          "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff"
      }
  46. Create*
      $ aws --endpoint-url https://waf.amazonaws.com/ waf create-web-acl \
          --name BetaTest --metric-name BetaTest \
          --default-action Type=ALLOW \
          --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
  47. GetChangeTokenStatus
      $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status \
          --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
      {
          "ChangeTokenStatus": {
              "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff",
              "Status": "PENDING"
          }
      }
      Status is one of PROVISIONED, PENDING or INSYNC.
  48. Update*Set
      $ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set \
          --ip-set-id <ip-set-id> \
          --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff \
          --updates '[
              {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.0.0/16"}},
              {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.5.0/24"}}
          ]'
      (<ip-set-id> stands for the ID of the IPSet being updated; the slide leaves it out.)
  49. GetSampledRequests
      {
          "SampledRequests": [
              {
                  "Action": "BLOCK",
                  "Timestamp": 1441839596.476,
                  "Request": {
                      "Country": "IE",
                      "URI": "/",
                      "Headers": [
                          {"Name": "Host", "Value": "d123abc.cloudfront.net"},
                          {"Name": "User-Agent", "Value": "curl/7.30.0"}
                      ],
                      "ClientIP": "54.240.197.225",
                      "Method": "GET",
                      "HTTPVersion": "HTTP/1.0"
                  }
              }
          ]
      }
  50. Pay for what you use: no upfront minimums. Use it for just an hour, or always on.
  51. Pay for what you use: $5 per web ACL and $1 per rule, per month. Reuse across a CloudFront distribution with no additional charge. Use more rules for more visibility. $0.60 per million requests.
  52. Pay for what you use: low monthly minimum, scales with volume. Typical monthly bill: test environment (1 rule): $6 per month; small site (6 rules, 58M views): $46 per month; medium site (6 rules, 260M views): $167 per month.
  53. What to expect from this session (next: Web defense strategies): Web defense strategies; Automation for better security; Deep dive AWS WAF. (AWS WAF 101)
  54. Rule strategy comparison.
      Negative: typical of a prod deployment. ALLOW by default; BLOCK known-bad threats. Examples: BLOCK MalwareIncIPRange; BLOCK {;}.
      Positive: typical of a restricted site. BLOCK by default; ALLOW known-good. Examples: ALLOW SeattleOfficeIPRange; ALLOW referrer header example.com.
  55. Mitigation strategies: static policies for unchanging known-bad threats; reactive policies for dynamic emerging threats.
  56. Use count rules to find bad actors: 1. Run the rule in count mode. 2. Alert on Amazon CloudWatch metrics. 3. Get sampled requests. 4. Add bad IPs to the BlackList.
  57. Putting it all together. Rule order: 1. WhiteListedIPs: ALLOW. 2. BlackListedIPs: BLOCK. 3. BlackListedSignatures: BLOCK. 4. SQLInjection: COUNT. 5. SuspiciousActivity: COUNT. Default: ALLOW.
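The reactive loop of slide 56 and the ordered web ACL of slide 57, as one added Python simulation (not code from the deck or from AWS; it calls no AWS API). The first part evaluates requests against the slide's rule order, with COUNT rules recording a hit and passing the request on to the next rule while ALLOW and BLOCK are terminal. The second part closes the loop: it takes sampled requests shaped like the GetSampledRequests output on slide 49, picks out the addresses that repeatedly hit a COUNT rule, and builds the "Updates" list for the update-ip-set call on slide 48. The CIDRs, requests, signature and threshold are all constructed for the demo, and the SQLi check is a one-line stand-in for the real match condition.

```python
import ipaddress
import json
from collections import Counter
from urllib.parse import unquote

# Constructed sets for the simulation.
WHITELIST = ["203.0.113.0/24"]    # e.g. an office range
BLACKLIST = ["198.51.100.0/24"]
DEFAULT_ACTION = "ALLOW"


def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def looks_like_sqli(uri):
    """Minimal stand-in for the SQLi condition: URL-decode once, look for the
    slide's quote-then-UNION pattern."""
    return "' union" in unquote(uri).lower()


# (name, action, predicate over a request dict) in the order of slide 57.
RULES = [
    ("WhiteListedIPs", "ALLOW", lambda r: in_any(r["ip"], WHITELIST)),
    ("BlackListedIPs", "BLOCK", lambda r: in_any(r["ip"], BLACKLIST)),
    ("BlackListedSignatures", "BLOCK",
     lambda r: "badbot" in r["headers"].get("user-agent", "").lower()),
    ("SQLInjection", "COUNT", lambda r: looks_like_sqli(r["uri"])),
    ("SuspiciousActivity", "COUNT", lambda r: r["uri"].startswith("/admin/")),
]


def evaluate(request, rules=RULES, default_action=DEFAULT_ACTION, metrics=None):
    """Walk the rules in order. ALLOW/BLOCK decide immediately; COUNT only
    increments its metric and continues. Returns (action, deciding_rule)."""
    if metrics is None:
        metrics = Counter()
    for name, action, matches in rules:
        if matches(request):
            metrics[name] += 1
            if action != "COUNT":
                return action, name
    metrics["Default"] += 1
    return default_action, "Default"


def sampled(action, ip, uri):
    """One entry shaped like the GetSampledRequests output on slide 49 (constructed)."""
    return {"Action": action, "Timestamp": 1441839596.476,
            "Request": {"Country": "IE", "URI": uri,
                        "Headers": [{"Name": "User-Agent", "Value": "curl/7.30.0"}],
                        "ClientIP": ip, "Method": "GET", "HTTPVersion": "HTTP/1.0"}}


def repeat_offenders(samples, action="COUNT", threshold=3):
    """Client IPs whose sampled requests hit a COUNT rule at least `threshold` times."""
    counts = Counter(s["Request"]["ClientIP"] for s in samples["SampledRequests"]
                     if s["Action"] == action)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def blacklist_updates(ips, existing=()):
    """Build the UpdateIPSet 'Updates' list (one /32 per IP), skipping IPs already listed."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in ips if f"{ip}/32" not in existing]


def update_ip_set_command(ip_set_id, change_token, updates):
    """Render the slide 48 CLI call with the updates JSON single-quoted for the shell."""
    return (f"aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set "
            f"--ip-set-id {ip_set_id} --change-token {change_token} "
            f"--updates '{json.dumps(updates)}'")


if __name__ == "__main__":
    metrics = Counter()
    # The whitelist is evaluated first, so the office request is allowed even
    # though its URI would also hit the SQLInjection COUNT rule.
    print(evaluate({"ip": "203.0.113.5", "uri": "/login?x=test%27%20UNION%20ALL%20select", "headers": {}}, metrics=metrics))
    print(evaluate({"ip": "192.0.2.9", "uri": "/admin/login.cgi?x=test%27%20union%20select", "headers": {}}, metrics=metrics))
    print(dict(metrics))
    samples = {"SampledRequests": [sampled("COUNT", "192.0.2.9", "/admin/login.cgi")] * 4
               + [sampled("COUNT", "203.0.113.77", "/"), sampled("ALLOW", "192.0.2.1", "/")]}
    bad = repeat_offenders(samples)
    print(update_ip_set_command("<ip-set-id>", "<change-token>", blacklist_updates(bad)))
```

Keeping the whitelist above the COUNT rules means the count metrics only reflect unknown traffic, which is what you want when deciding whether rule 4 is ready to be promoted from COUNT to BLOCK; the threshold and the sampled-request window are the two knobs that control how quickly the reactive ban fires.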
  58. Customer example: finding bad requestors. ConnectWise: 1. uses a negative security model; 2. monitors known-bad activity; 3. reactively bans bad requests.
  59. ConnectWise API architecture (diagram): users and API calls made into the environment enter through CloudFront, then Elastic Load Balancing, to an Auto Scaling group of Amazon EC2 instances.
  60. ConnectWise API with AWS WAF (diagram): AWS WAF, users, APIs, CloudFront, Auto Scaling, Elastic Load Balancing, Amazon