AWS WAF
Tom Witman
What is a WAF?
• A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.
• WAFs come in four flavors:
– Pure Play: stand-alone appliance or software
– CDN: bundled with a Content Delivery Network
– Load Balancer: bundled with a load balancer
– Universal Threat Manager (UTM): catch-all for misc. security
Why use WAF?
• WAFs help protect web sites & applications against attacks that cause data breaches and downtime.
• General WAF use cases:
– Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
– Prevent web site scraping, crawlers, and bots
– Mitigate DDoS (HTTP/HTTPS floods)
What is AWS WAF?
• AWS WAF is a CDN-bundled WAF
• Create rule-based web ACLs to block requests
• Unique aspects of AWS WAF are:
– Customizable rules created by customers to avoid false positives
– Full-feature API: this is a DevOps WAF that can be deployed inline with new web sites and applications
– Integrated with AWS (CloudFront, CloudWatch, with more to come) and with partners (Alert Logic, Trend Micro, Imperva, more to come)
– Pay-as-you-go pricing
CloudFront w/o WAF
[Diagram: users, hackers, and bad bots (site scraping; SQL injection, XSS, and other attacks) all send traffic to a CloudFront edge location, which forwards legitimate and malicious traffic alike to the origin: EC2 behind an ELB and/or S3, or a customer on-premises environment (origin server, origin storage).]
Traditional WAF Deployment
[Diagram: the same traffic sources reach the CloudFront edge location, which forwards to an ELB, a WAF running on EC2, and a second ELB in front of the EC2 origin (the "ELB sandwich"), or to a customer on-premises environment (origin, origin storage).]
WAF on EC2 in ELB sandwich (complexity & latency)
CloudFront w/ AWS WAF
[Diagram: the same traffic sources reach the CloudFront edge location, where AWS WAF inspects requests before they are forwarded to the origin: EC2 behind an ELB and/or S3, or a customer on-premises environment (origin server, origin storage).]
Malicious traffic is blocked by WAF rules at the edge locations. The origin can be a custom origin, the content can be static or dynamic, and the origin can be on premises or on S3.
Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
[Map legend: CloudFront, Amazon Route 53, AWS WAF; edge location; AWS Region]

North America (Cities: 15, PoPs: 21)
Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO

South America (Cities: 2, PoPs: 2)
Rio de Janeiro, Brazil; São Paulo, Brazil

Europe / Middle East / Africa (Cities: 10, PoPs: 16)
Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia Pacific (Cities: 11, PoPs: 15)
Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)
AWS WAF Component Questions
1. What do I want to take action on? (Conditions – IP / String Match Set / SQL injection match sets)
2. Should I block, allow, count? (Rules - Precedence / Rule / Action)
3. What sites/distributions need these rules? (CloudFront Distribution)
4. What should I call the container of these rules? (Web Access Control Lists – Web ACLs)
5. How do I see if the rules are working? (Real Time Metrics, Sampled Web Requests)
AWS WAF: web ACLs
• Web ACLs contain a set of conditions, rules, and actions.
• Web ACLs are applied to one or many CloudFront distributions.
• Web ACLs show you Real-Time Metrics & Sampled Web Requests for each rule.
AWS WAF: Conditions
• Conditions are lists of criteria that identify components of web requests.
• Conditions include matching on the following:
– IP address, i.e., /8, /16, /24, /32
– Strings, i.e., URI, query string, header, etc.
– SQL injection, i.e., looks for valid SQL statements
• Conditions are logically disjoined, i.e. “OR”.
[Diagram: SQLi match condition. Sample request URIs:
/login?x=test%20Id=10%20AND=1
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--
/login?x=test' UNION ALL select NULL --
Each request is first transformed (Transform: URL Decode) and then checked by the SQL injection match (Match: SQL Injection), evaluating to True or False.]
Match Conditions: SQLi
AWS WAF: Rules
• Rules are sets of conditions with a predetermined action.
• Available actions are:
– Block
– Allow
– Count
• Rules can logically join conditions, i.e., “AND”.
• Rules can be applied to many WebACLs.
AWS WAF: Resources
• Web ACLs: applied to CloudFront distributions today
• Reuse: use one Web ACL for all distributions
• Flexibility: use an individual Web ACL for each distribution
• AWS Partners: developing integrations with AWS WAF
– Trend Micro: Deep Security
– Imperva: Threat Radar
– Alert Logic: Web Security Manager
AWS WAF: Reporting & Logs
• Real-Time Metrics (CloudWatch):
– Blocked web requests
– Allowed web requests
– Counted web requests
• Adjustments to rules in response to real time analysis.
• Time period can be adjusted by sliding graph end points or via filters.
AWS WAF: Request Process
[Diagram of the request flow:]
1. HTTP/HTTPS request made for content to CloudFront
2. CF checks if the request needs WAF inspection
3. WAF reviews the request and instructs CF to allow/deny
– ALLOW REQUEST: content delivered via CloudFront
– DENY REQUEST: error page delivered by CloudFront
4. WAF sends metrics to CW; the customer can update rules via the API
AWS WAF: End to End Flow
1. Create Web ACL
2. Create Conditions (IP, string match, SQL)
3. Create Rules and Actions (order, rule, action)
4. Associate Web ACL to CloudFront distribution
5. Review and Create
AWS WAF: API & Data Types
API Actions
• Create
• Delete
• Get
• List
• Update
Data Types
• ChangeToken
• ChangeTokenStatus
• WebACL
• IPSet
• StringMatchSet
• SQLinjectionMatchSet
• Rule
AWS WAF: APIs
1. Get Change Token – a change token can only be used once to make a change to WAF resources.
2. Use Token to Make a Change – provide the change token with the change request.
3. Check Status Using Token – use the token to determine the status of your changes; INSYNC means the changes were propagated.
AWS WAF Example: Blocking Bad Bots
What We Need…
• IP Set: contains our list of blocked IP addresses
• Rule: blocks requests if they match an IP in our IP Set
• Web ACL: allows requests by default, contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP addresses to the IP Set
AWS WAF Example: Blocking Bad Bots
• Use robots.txt to specify which areas of your site or web app should not be scraped
• Place the file in your web root
• Ensure there are links pointing to non-scrapable content
• Hide a trigger script that normal users don't see and good bots ignore
$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/
<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>
AWS WAF Example: Blocking Bad Bots
• Bad bots (ignoring your robots.txt) will request the hidden link
• The trigger script will detect the source IP of the request
• The trigger script requests a change token
• The trigger script adds the source IP to the IP Set blacklist
• The Web ACL will block subsequent requests from that source
$ aws --endpoint-url https://waf.amazon.com/ waf get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
$ aws --endpoint-url https://waf.amazon.com/ waf update-ip-set --cli-input-json '{
    "IPSetId": "<<IP SET ID>>",
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f",
    "Updates": [
        {
            "Action": "INSERT",
            "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" }
        }
    ]
}'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
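The trigger script from the steps above, together with the get-token / update / check-status sequence from the APIs slide, as an added Python example that is not part of the original deck. It assumes a boto3 `waf` client (the classic AWS WAF API, whose `get_change_token`, `update_ip_set` and `get_change_token_status` methods exist) is passed in; `TRUSTED_PROXIES` is a constructed stand-in for the published CloudFront/ELB address ranges and the headers are a constructed sample. Because CloudFront (and an ELB, if present) terminates the connection, the bot's address has to be recovered from X-Forwarded-For rather than from the TCP peer.

```python
import ipaddress

# Constructed sample: X-Forwarded-For as the trigger script behind CloudFront
# (and optionally an ELB) sees it for a hit on the hidden /honeypot/ link.
# Every proxy appends the address it accepted the connection from, so the
# viewer is the right-most entry that is not one of our own proxies; anything
# further left was supplied by the client itself and cannot be trusted.
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.45, 198.51.100.7"}
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for CloudFront/ELB ranges
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_client_ip(headers, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping our own proxies."""
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed header: block nothing rather than guess
        if not any(ip in net for net in trusted):
            return str(ip)
    return None

def is_blockable_ipv4(ip_text):
    """The deck's IPSet is Type IPV4; never insert private or special addresses."""
    try:
        ip = ipaddress.ip_address(ip_text or "")
    except ValueError:
        return False
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in RFC1918)

def build_ip_set_update(ip_set_id, change_token, ip_text):
    """The same body the deck passes to `aws waf update-ip-set`."""
    return {"IPSetId": ip_set_id, "ChangeToken": change_token,
            "Updates": [{"Action": "INSERT",
                         "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip_text}/32"}}]}

def block_bad_bot(waf, ip_set_id, headers):
    """Token -> update -> status, as on the APIs slide. `waf` is a boto3 'waf'
    client or any object with the same three methods (a change token is
    single-use, so a fresh one is requested for every update)."""
    ip_text = extract_client_ip(headers)
    if not is_blockable_ipv4(ip_text):
        return None
    token = waf.get_change_token()["ChangeToken"]
    waf.update_ip_set(**build_ip_set_update(ip_set_id, token, ip_text))
    status = waf.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"]
    return ip_text, status  # PENDING, PROVISIONED or INSYNC
```

Run it for real with `block_bad_bot(boto3.client("waf"), "<<IP SET ID>>", request_headers)` from the handler for `/honeypot/`; poll `get_change_token_status` until INSYNC if you need to confirm propagation.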
Pricing
Three Pricing Dimensions
• Web ACL monthly charge: $5 / Web ACL
• Rule monthly charge: $1 / rule
• Request fee charge: $0.60 / million requests
Pricing is available online at: http://aws.amazon.com/waf/pricing/
Pricing Example
ACME corporation runs 5 CloudFront distributions, one for each web site. ACME sets up 1 Web ACL with 10 shared rules and applies the Web ACL to each website. Each website has an average HTTP/HTTPS request volume of about 5.5 million, or a total of 275 million requests.
• ACME would be charged: (1 Web ACL @ $5) + (10 Rules @ $1 each) + (275 MM requests @ $0.60/MM)
• The total charge is: $5 for the Web ACL + $10 for Rules + $165 for requests = $170/month.
• This is in ADDITION to the CloudFront fees.
Which WAF Solution is Right?
1. Do you need basic WAF protection such as IP black lists or referrer checking? (3)
2. Do you need protection against SQLi and XSS? (3)
3. Do you need rate-based protection against attacks like scrapers, bots, and/or HTTP floods? (1)
4. Do you need configurations that support basic customizations for your applications? (1,3)
5. Do you need configurations that are highly customized (e.g. full regex support) to your specific applications? (2)
6. Do you need to customize rules based on behavioral analysis? (2)
7. Do you need a WAF that offers a large library of rules and/or updates rules based on current and emerging threats? (2,4)
8. Do you require a third party (AWS consulting partner) to manage rules and customize your configurations? (4)
AWS WAF: Q&A