Using AWS WAF and Lambda for Automatic Protection


Using AWS WAF & Lambda for Automatic Protection
Nathan Dye, AWS WAF Software Development Manager
Gleicon Moraes, Magazine Luiza Infrastructure Manager
March 2, 2016

2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


Agenda
- WAF & Lambda intro
- Security automation
- Scripts & templates
- Customer story

Web site without AWS WAF
(diagram labels: Good users, Attackers, Exploit, Web site)

Web site with AWS WAF
(diagram labels: Good users, Attackers, Exploit, Web site)

What is AWS WAF?
- Web application firewall (WAF) that gives you control over who (or what) can access your web applications
- Full-featured API
- Customizable security
- Integrated with Amazon CloudFront: protection at the edge
- Use cases: protection against exploits, abuse, and application DDoS

What is AWS Lambda?
- Lambda automatically runs your code without requiring you to provision servers
- Serverless scripting; event-driven actions
- Integrated with other AWS services
- Use cases: scheduled events, provisioning services, and customer analysis

Why build automated security?
- Bad guys are adaptive and persistent
- Better protection
- Integrate application-specific or open-source data sources
- Sophisticated out-of-band analysis

Automated security
(diagram labels: Good users, Attackers, Exploit, Web site, Logs, Threat analysis, Rule updater, Rules)

Automated security: traditional data center
(diagram labels: Good users, Attackers, Exploit, Web site, Logs, Threat analysis, Rule updater, Rules)

Automated security: AWS makes it easier
(diagram labels: Good users, Attackers, Exploit, Web site, Logs, Threat analysis, Rule updater, Rules)

Other AWS services we'll use
- Amazon CloudFront
- Amazon CloudWatch
- AWS CloudFormation
- Amazon S3
- Amazon API Gateway

Types of attacks that need automation
- HTTP floods
- Scans & probes
- IP reputation lists
- Bots & scrapers

IP reputation lists
- Collection of IP addresses with a bad reputation based on sending history
- Open proxies or known hosts that send spam/trojans/viruses
- Constantly changing/updating
- Solution: import open-source lists (e.g., Emerging Threats, Spamhaus, Tor node list) and refresh them using CloudWatch Events
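The import step described above, as an added example (not code from the talk or from AWS): a scheduled Lambda would fetch the list text, and this code turns it into the Updates parameter of the WAF classic UpdateIPSet call. It assumes the Spamhaus DROP / Emerging Threats text layout (one IPv4 CIDR per line, `;` or `#` starting a comment) and the WAF classic rule that IPv4 descriptors must be /8 or /16 through /32; SAMPLE_DROP_LIST is constructed data.

```python
"""Import an IP reputation list and turn it into AWS WAF (classic) IPSet updates.

Added example, not code from the talk or from AWS. It assumes the
Spamhaus DROP / Emerging Threats text layout (one IPv4 CIDR per line,
';' or '#' starts a comment). SAMPLE_DROP_LIST is constructed data.
"""
import ipaddress
from typing import Iterable, List, Set

# WAF classic stores IPv4 descriptors only as /8 or /16 through /32; other
# prefix lengths are rejected, so shorter prefixes are split below.
ALLOWED_V4_PREFIXES = {8} | set(range(16, 33))

SAMPLE_DROP_LIST = """\
; constructed sample in DROP-list style, not real reputation data
192.0.2.0/24 ; SBL000001
198.51.100.0/20 ; SBL000002
100.64.0.0/12 ; SBL000003 (prefix WAF cannot store as-is)
203.0.113.5  # bare host address
not-an-ip
192.0.2.0/24 ; duplicate of the first entry
"""


def parse_reputation_list(text: str) -> Set[ipaddress.IPv4Network]:
    """Return the IPv4 networks in the list, skipping comments and malformed lines."""
    nets: Set[ipaddress.IPv4Network] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a bad line must not abort the whole refresh
        if isinstance(net, ipaddress.IPv4Network):
            nets.add(net)
    return nets


def normalize_for_waf(nets: Iterable[ipaddress.IPv4Network]) -> Set[str]:
    """Split prefixes WAF cannot hold (/0-/7 into /8s, /9-/15 into /16s)."""
    out: Set[str] = set()
    for net in nets:
        if net.prefixlen in ALLOWED_V4_PREFIXES:
            out.add(str(net))
        elif net.prefixlen < 8:
            out.update(str(s) for s in net.subnets(new_prefix=8))
        else:
            out.update(str(s) for s in net.subnets(new_prefix=16))
    return out


def ipset_updates(current: Set[str], desired: Set[str]) -> List[dict]:
    """Diff the IPSet's current contents against the list: DELETE stale, INSERT new.

    The result is the Updates parameter of boto3 client('waf').update_ip_set(),
    which also needs the IPSetId and a ChangeToken from get_change_token().
    """
    def descriptor(action: str, cidr: str) -> dict:
        return {"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": cidr}}

    return ([descriptor("DELETE", c) for c in sorted(current - desired)]
            + [descriptor("INSERT", c) for c in sorted(desired - current)])


def build_updates(list_text: str, current: Set[str]) -> List[dict]:
    """One refresh cycle: parse, normalize, diff against what the IPSet holds now."""
    return ipset_updates(current, normalize_for_waf(parse_reputation_list(list_text)))


if __name__ == "__main__":
    for update in build_updates(SAMPLE_DROP_LIST, {"192.0.2.0/24", "198.18.0.0/16"}):
        print(update["Action"], update["IPSetDescriptor"]["Value"])
```

Diffing against the IPSet's current contents matters because the lists change constantly: entries that drop off the source are deleted from WAF so stale blocks do not linger, and unchanged entries generate no API calls.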

HTTP floods
- Legitimate requests at a level that excessively consumes web server resources
- Requests targeted at expensive components, e.g., login, product search, etc.
- Different from other flood attacks because the requests follow the protocol
- Creates the problem of distinguishing an attack from a flash crowd
- Solution: count the number of requests in CloudFront access logs and block offenders

Scans & probes
- Program that communicates with the web application front end to identify potential vulnerabilities
- Initiated by you: good; initiated by someone else: bad
- Someone (or something) with bad intentions
- Consumes resources by requesting URLs that don't exist
- Solution: count 4xx errors in access logs and block offenders
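The log analysis behind both the HTTP flood and the scans & probes solutions, as one added example (not code from the talk or the AWS blog posts it lists): one parser for CloudFront access logs, a per-IP request count for floods, and a per-IP 4xx count for probes. It parses the tab-separated CloudFront format using the log's own `#Fields:` header; FLOOD_LIMIT and ERROR_LIMIT are example thresholds and SAMPLE_LOG is constructed data.

```python
"""Find HTTP-flood and scan/probe offenders in CloudFront access logs.

Added example, not code from the talk or from the AWS blog posts it cites.
It reads the tab-separated CloudFront log format using its own '#Fields:'
header, so any field order works. FLOOD_LIMIT and ERROR_LIMIT are example
thresholds and SAMPLE_LOG is constructed data.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set

FLOOD_LIMIT = 5  # requests from one IP within the analysed log batch (example value)
ERROR_LIMIT = 3  # 4xx responses to one IP within the batch (example value)

Row = Dict[str, str]


def _record(ip: str, path: str, status: int) -> str:
    """Constructed CloudFront-style record; only the fields listed in the header."""
    return "\t".join(["2016-03-02", "10:00:00", "IAD53", "512", ip, "GET",
                      "d111.cloudfront.net", path, str(status), "-", "Mozilla/5.0"])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
     "cs-uri-stem sc-status cs(Referer) cs(User-Agent)"]
    + [_record("203.0.113.10", "/login", 200)] * 6                         # flood of an expensive page
    + [_record("198.51.100.7", f"/old-page-{i}", 404) for i in range(4)]  # probing for pages that don't exist
    + [_record("192.0.2.20", "/", 200)] * 2                                # normal visitor
    + [_record("192.0.2.21", "/admin", 403)]                               # a single denied request
    + ["2016-03-02\t10:00:00\ttruncated"]                                  # malformed record
)


def parse_cloudfront_log(text: str) -> List[Row]:
    """Parse records into dicts keyed by the names in the '#Fields:' header."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("record before #Fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue  # truncated or malformed record: skip it, do not abort the batch
        rows.append(dict(zip(fields, cols)))
    return rows


def is_client_error(row: Row) -> bool:
    """True for 4xx statuses; CloudFront logs '000' when the client disconnected."""
    status = row.get("sc-status", "")
    return status.isdigit() and 400 <= int(status) < 500


def offenders(rows: Iterable[Row], limit: int, match: Callable[[Row], bool]) -> Set[str]:
    """IPs with more than `limit` matching requests in the batch."""
    counts: Counter = Counter(r["c-ip"] for r in rows if match(r))
    return {ip for ip, n in counts.items() if n > limit}


def analyse(text: str) -> Dict[str, Set[str]]:
    """Run both detections over one log batch."""
    rows = parse_cloudfront_log(text)
    return {
        "flood": offenders(rows, FLOOD_LIMIT, lambda r: True),
        "scanner": offenders(rows, ERROR_LIMIT, is_client_error),
    }


def to_ipset_values(ips: Iterable[str]) -> List[str]:
    """Host addresses in the /32 form AWS WAF classic IPSet descriptors require."""
    return sorted(f"{ip}/32" for ip in ips)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("flood:", to_ipset_values(result["flood"]))
    print("scanner:", to_ipset_values(result["scanner"]))
```

In a deployment the batch is the log object CloudFront delivers to S3, which triggers the Lambda; thresholds have to be tuned per site so that a flash crowd of many distinct clients does not look like one offender, and blocks should expire rather than accumulate forever.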

Bots & scrapers
- Software applications that run automated tasks over the internet
- Good bots (search engines, weather, price comparison) vs. bad bots (scrape content, steal data, malware)
- Aggressive vs. conservative days
- Constantly changing/updating
- Solution: use robots.txt and a honeypot file to identify & block offenders
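The robots.txt plus honeypot approach, as an added example (not code from the talk or from AWS): robots.txt forbids a trap path, so only crawlers that ignore it ever request the path, and the handler for that path records the visitor as a WAF IPSet insert. The event shape (path, headers, source_ip) and HONEYPOT_PATH are this example's own assumptions, and the X-Forwarded-For handling counts the client entry from the right so a client-supplied header cannot pick the address that gets blocked.

```python
"""Honeypot-based bot blocking: robots.txt plus a trap URL handler.

Added example, not code from the talk or from AWS. The event shape
(path, headers, source_ip) and HONEYPOT_PATH are this example's own
assumptions; header values used in __main__ are constructed.
"""
import ipaddress
from typing import Optional, Set

HONEYPOT_PATH = "/trap-do-not-crawl/"  # example path; linked from pages but hidden from humans


def robots_txt(honeypot_path: str = HONEYPOT_PATH) -> str:
    """robots.txt forbidding the trap. Well-behaved bots stay away; scrapers that
    ignore robots.txt follow the hidden link and identify themselves."""
    return "\n".join(["User-agent: *", f"Disallow: {honeypot_path}", ""])


def client_ip(headers: dict, source_ip: str, proxies_after_client: int = 0) -> Optional[str]:
    """Pick the client's address out of X-Forwarded-For.

    Each proxy appends the address it talked to, so the client's entry is
    counted from the right: the last entry when the only proxy is CloudFront,
    second-to-last when another trusted hop (e.g. API Gateway) appends after
    it. The leftmost entries are whatever the client chose to send and are
    never trusted. Returns None when the header is unusable.
    """
    xff = headers.get("X-Forwarded-For") or headers.get("x-forwarded-for")
    if not xff:
        return source_ip or None
    entries = [e.strip() for e in xff.split(",")]
    index = len(entries) - 1 - proxies_after_client
    if index < 0:
        return None
    try:
        return str(ipaddress.ip_address(entries[index]))
    except ValueError:
        return None  # do not fall back to source_ip: that would block the proxy itself


def honeypot_handler(event: dict, blocklist: Set[str], proxies_after_client: int = 0) -> dict:
    """Return the status to serve and the WAF IPSet update a Lambda would apply."""
    if not event.get("path", "").startswith(HONEYPOT_PATH):
        return {"status": 404, "updates": []}
    ip = client_ip(event.get("headers", {}), event.get("source_ip", ""), proxies_after_client)
    if ip is None:
        return {"status": 400, "updates": []}
    if ip in blocklist:
        return {"status": 200, "updates": []}  # already blocked; nothing to change
    blocklist.add(ip)
    version = ipaddress.ip_address(ip).version
    descriptor = {"Type": "IPV4" if version == 4 else "IPV6",
                  "Value": f"{ip}/32" if version == 4 else f"{ip}/128"}
    return {"status": 200,
            "updates": [{"Action": "INSERT", "IPSetDescriptor": descriptor}]}


if __name__ == "__main__":
    print(robots_txt())
    # constructed header: a spoofed entry, the real client, then the edge hop
    headers = {"X-Forwarded-For": "10.9.9.9, 203.0.113.77, 192.0.2.1"}
    event = {"path": HONEYPOT_PATH + "index.html", "headers": headers, "source_ip": "192.0.2.1"}
    print(honeypot_handler(event, set(), proxies_after_client=1))
```

The blocklist passed in stands for the IPSet's current contents, so a repeat visit produces no duplicate insert; the number of trusted proxies after the client has to match the real deployment, because getting it wrong would block an edge address instead of the scraper.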

Customer story: Magazine Luiza
- One of the largest retail chains in Brazil
- More than 700 stores, 24K staff, & 8 distribution centers
- E-commerce platform customers use for purchases
- Moving everything into AWS over the past 2-3 years
- Breaking up the monolithic app

Customer story (cont'd): Challenges
- Balance security with performance & cost
- Traditional WAFs didn't work:
  - Inflated models: lots of rules & based on VMs or hardware
  - Couldn't scale: constrained by bandwidth & CPU
  - Automation meant more hardware
- Need to block bad bots (based on IP) without affecting the search & shopping experience
- Have a solution in place by Black Friday

Customer story (cont'd): Previous architecture (diagram)

Customer story (cont'd): New architecture (diagram)

Customer story (cont'd): Milestones before Black Friday
- September-October: confirmed new architecture and started building
- October: new architecture ready to go
- November: started countdown and moved over all production traffic

Customer story (cont'd): Black Friday
- November 26: jumped from 4 to 28.9 million views/day
- November 26: all hands on deck for the last infrastructure scale
- 12am: everyone went home, 5 people decided to sleep in our leisure room, I kept following monitoring
- November 27: traffic started to ramp up around 6 AM and stayed high during the entire weekend

Customer story (cont'd): Advice to others
- Do analysis in house & start small
- Use the right library for the job
- Identify what needs protection
- Think about the time it takes to process logs
- Defense in depth: simple security rules at the perimeter, complex security rules closer to the app

Resources
Security blog posts:
- Rate-Based Blacklisting (Heitor Vital)
- IPs Generating Errors (Ben Potter)
- Blocking Bots (this month) (Vlad Vlasceanu)
- Importing IP Reputation Lists (this month) (Lee Atkinson)
Tutorials page: aws.amazon.com/waf/preconfiguredrules/

Thank you!
