In this session, we will introduce you to the new AWS WAF service. We will show you how to use the service to block Amazon CloudFront requests that originate from IP addresses that you specify and block requests based on request content, such as header values or SQL queries. We will walk you through working code samples that automate security operations and demonstrate the flexibility of AWS WAF web ACLs.
7–9. What is AWS WAF?
[Diagram, built up over three slides: good users and bad guys (application DDoS) send requests through AWS WAF before they reach the web server and database]
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
14. AWS WAF: block or allow web requests; monitor security events
15. AWS WAF: new API and console; protect websites and content served through Amazon CloudFront
16. Benefits of AWS WAF
• Practical security made easy
• Customizable and flexible
• Integrate with development
20. What to expect from this session
• Web defense strategies
• Automation for better security
• Deep dive: AWS WAF
(AWS WAF 301)
21. Setting up AWS WAF
1. Create a web ACL. (ALLOW requests by default, but…)
2. Add a rule. (…BLOCK if…)
3. Add match conditions. (…the source IP matches this list…)
4. Assign to CloudFront. (…for any request to d123.cloudfront.net.)
23. But wait, there’s more
Match conditions
• IP
• String
• SQLi
Customizable rules
• AND/OR
• Block, allow, or count
• Ordered conditions
Fast feedback
• ~1 minute for changes
• 1-minute metrics
• Request samples
25. Match conditions: IPSets
CIDR notation on octet boundaries:
• 192.0.0.0/8 – Matches 192.*.*.*
• 192.168.0.0/16
• 192.168.32.0/24
• 192.168.32.64/32 – Matches a full IP address exactly
26. Match conditions: IPSets
• 1,000 CIDRs per IPSet
• 10,000 CIDRs per web ACL
• Matches connecting IP, not XFF
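The four setup steps on slide 21 and the IPSet constraints on slides 25–26, as an added example that is not from the talk: it validates CIDRs against the octet-boundary and 1,000-per-IPSet limits before building the AWS WAF Classic (boto3 `waf` client) payloads, and `deploy()` runs steps 1–3 live. The name "bad-guys" and the metric names are assumptions.

```python
"""Added example, not from the talk: slide 21's steps via the AWS WAF Classic API, with slide 25-26 IPSet rules checked first."""
import ipaddress

ALLOWED_PREFIXES = (8, 16, 24, 32)   # slide 25: CIDRs must sit on octet boundaries
MAX_CIDRS_PER_IPSET = 1000           # slide 26

def normalize_cidr(cidr: str) -> str:
    """Canonical IPv4 CIDR the service accepts, else ValueError (host bits are masked off)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in ALLOWED_PREFIXES:
        raise ValueError(f"{cidr}: only IPv4 /8, /16, /24 or /32 are accepted")
    return str(net)

def is_valid_cidr(cidr: str) -> bool:
    try:
        normalize_cidr(cidr)
        return True
    except ValueError:
        return False

def ipset_updates(cidrs, action="INSERT"):
    """Updates list for waf.update_ip_set(): de-duplicated, validated, capped at the per-IPSet limit."""
    values = sorted({normalize_cidr(c) for c in cidrs})
    if len(values) > MAX_CIDRS_PER_IPSET:
        raise ValueError(f"{len(values)} CIDRs exceeds the {MAX_CIDRS_PER_IPSET}-per-IPSet limit")
    return [{"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": v}} for v in values]

def block_rule_update(ipset_id):
    """Predicate for waf.update_rule(): matches the connecting IP, never X-Forwarded-For (slide 26)."""
    return [{"Action": "INSERT", "Predicate": {"Negated": False, "Type": "IPMatch", "DataId": ipset_id}}]

def web_acl_update(rule_id, priority=1):
    """ActivatedRule for waf.update_web_acl(): BLOCK on match while the ACL's DefaultAction stays ALLOW."""
    return [{"Action": "INSERT", "ActivatedRule": {"Priority": priority, "RuleId": rule_id, "Action": {"Type": "BLOCK"}}}]

def deploy(cidrs, name="bad-guys"):
    """Steps 1-3 against the live API (needs credentials). Step 4 is putting the returned WebACLId into the
    CloudFront distribution config via cloudfront.update_distribution(). Names here are assumptions."""
    import boto3
    waf = boto3.client("waf", region_name="us-east-1")     # the CloudFront-scoped WAF API lives in us-east-1
    token = lambda: waf.get_change_token()["ChangeToken"]  # every mutating call needs a fresh change token
    ipset = waf.create_ip_set(Name=name, ChangeToken=token())["IPSet"]
    waf.update_ip_set(IPSetId=ipset["IPSetId"], ChangeToken=token(), Updates=ipset_updates(cidrs))
    rule = waf.create_rule(Name=name, MetricName="BadGuys", ChangeToken=token())["Rule"]
    waf.update_rule(RuleId=rule["RuleId"], ChangeToken=token(), Updates=block_rule_update(ipset["IPSetId"]))
    acl = waf.create_web_acl(Name=name, MetricName="BadGuysACL", DefaultAction={"Type": "ALLOW"},
                             ChangeToken=token())["WebACL"]
    waf.update_web_acl(WebACLId=acl["WebACLId"], ChangeToken=token(), Updates=web_acl_update(rule["RuleId"]))
    return acl["WebACLId"]
```

`deploy(["192.0.2.0/24", "198.51.100.7/32"])` (constructed documentation-range CIDRs) creates the IPSet, rule and web ACL and returns the WebACLId for step 4.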
27. Match conditions: Strings and bytes
• Match any part of the web request
• Common use case: Referrer whitelisting
28. Match conditions: Strings and bytes
Match any part of the web request
[Diagram: good users → CloudFront → AWS WAF, which evaluates the rule against the raw request headers]
Raw request headers:
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (string match condition):
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
29. Match conditions: Strings and bytes
Use transforms to stop evasion
[Diagram: scraper bot → CloudFront → AWS WAF, which evaluates the rule against the raw request headers]
Raw request headers:
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (string match condition):
Check: Header “User-Agent”
Match Type: Contains
Match: “badbot”
Action: BLOCK
30. Match conditions: Strings and bytes
Use transforms to stop evasion
[Diagram: scraper bot → CloudFront → AWS WAF, which evaluates the rule against the raw request headers]
Raw request headers:
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Rule (string match condition):
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
31. Match conditions: Strings and bytes
Flexible match conditions
1. Contains
2. Exact
3. Begins with
4. Ends with
5. Contains word
32. Match conditions: Strings and bytes
Malicious binary? We can find it.
1. Select binary file: bad.bin (leading bytes 8950 4e47 0d0a 1a0a 0000 000d)
2. Base64 encode:
$> base64 bad.bin
iVBORw0KGgoAAAAN
3. Set match criteria: “iVBORw0KGgoAAAAN”
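An offline model of the string and byte match conditions on slides 28–32, as an added example that is not from the talk: it mirrors the AWS WAF Classic ByteMatchTuple fields (FieldToMatch, TextTransformation, PositionalConstraint, TargetString), shows why slide 30's "To lower" transform is what catches "bAdBoT", and uses slide 32's base64 target against a constructed upload. The request dictionaries and the word-boundary definition of "Contains word" are my own constructions.

```python
"""Added example, not from the talk: evaluating AWS WAF Classic ByteMatchTuples (slides 28-32) offline."""
import base64
import re

# TextTransformation is applied to the request field, never to the target string; the console's "To lower"
# is LOWERCASE. AWS also offers URL_DECODE, HTML_ENTITY_DECODE, COMPRESS_WHITE_SPACE and CMD_LINE (omitted here).
TRANSFORMS = {"NONE": lambda v: v, "LOWERCASE": bytes.lower}

# PositionalConstraint values, in the order of slide 31's five match types
CONSTRAINTS = {
    "CONTAINS": lambda h, t: t in h,
    "EXACTLY": lambda h, t: h == t,
    "STARTS_WITH": lambda h, t: h.startswith(t),
    "ENDS_WITH": lambda h, t: h.endswith(t),
    # target must be bounded by non-word characters or the field's ends: "badbot/1.0" yes, "mybadbot" no
    "CONTAINS_WORD": lambda h, t: re.search(rb"(?<![A-Za-z0-9_])" + re.escape(t) + rb"(?![A-Za-z0-9_])", h) is not None,
}

def field_value(request: dict, field: dict) -> bytes:
    """FieldToMatch: HEADER needs Data (the header name, matched case-insensitively); BODY, URI, QUERY_STRING do not."""
    if field["Type"] == "HEADER":
        wanted = field["Data"].lower()
        return next((v for k, v in request["headers"].items() if k.lower() == wanted), b"")
    return request[field["Type"].lower()]

def byte_match(request: dict, tuple_: dict) -> bool:
    """Evaluate one ByteMatchTuple. TargetString is raw bytes here; on the wire it is base64-encoded (slide 32)."""
    value = TRANSFORMS[tuple_["TextTransformation"]](field_value(request, tuple_["FieldToMatch"]))
    return CONSTRAINTS[tuple_["PositionalConstraint"]](value, tuple_["TargetString"])

def badbot_rule(text_transformation: str) -> dict:
    """Slide 29/30 condition: User-Agent contains "badbot", with or without the transform."""
    return {"FieldToMatch": {"Type": "HEADER", "Data": "User-Agent"}, "TextTransformation": text_transformation,
            "PositionalConstraint": "CONTAINS", "TargetString": b"badbot"}

# Slide 32: the match criteria is the base64 of bad.bin's leading bytes (8950 4e47 0d0a 1a0a 0000 000d)
BAD_BIN_RULE = {"FieldToMatch": {"Type": "BODY"}, "TextTransformation": "NONE",
                "PositionalConstraint": "STARTS_WITH", "TargetString": base64.b64decode("iVBORw0KGgoAAAAN")}

# Constructed requests: slide 30's evasive scraper, and an upload whose body starts with bad.bin's bytes
EVASIVE_BOT = {"headers": {"Host": b"www.example.com", "User-Agent": b"bAdBoT"}, "body": b""}
UPLOAD = {"headers": {"Host": b"www.example.com"}, "body": bytes.fromhex("89504e470d0a1a0a0000000d") + b"IHDR"}
```

Note that the rule is only as good as its transforms: without LOWERCASE the same CONTAINS condition misses "bAdBoT", which is the evasion slide 30 is about.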
44. Building blocks for web security
APIs, SDKs, and CLIs: Java, Python (boto), PHP, .NET, Ruby, Node.js, JavaScript, iOS, Android, AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell, AWS CLI
50. Pay for what you use
• No upfront minimums
• Use it for just an hour, or always on
51. Pay for what you use
• $5 per web ACL, $1 per rule per month
• Reuse across a CloudFront distribution with no additional charge
• Use more rules for more visibility
• $0.60 per million requests
52. Pay for what you use
• Low monthly minimum, scales with volume
• Typical monthly bill:
  • Test environment (1 rule): $6 per month
  • Small site (6 rules, 58M views): $46 per month
  • Medium site (6 rules, 260M views): $167 per month
53. What to expect from this session
• Web defense strategies
• Automation for better security
(AWS WAF 101)
• Deep dive: AWS WAF
54. Rule strategy comparison
Negative
• Typical of prod deployment
• ALLOW by default
• BLOCK known-bad threats
Examples:
• BLOCK MalwareIncIPRange
• BLOCK “{;}”
Positive
• Typical of restricted site
• BLOCK by default
• ALLOW known-good
Examples:
• ALLOW SeattleOfficeIPRange
• ALLOW referrer header “example.com”
55. Mitigation strategies
• Static policies – For unchanging known-bad threats
• Reactive policies – For dynamic emerging threats
56. Use count rules to find bad actors
Count mode → Alert on Amazon CloudWatch metrics → Get sampled requests → Add bad IPs to BlackList
58. Customer example: Finding bad requestors
ConnectWise
1. Uses negative security model
2. Monitors known-bad activity
3. Reactively bans bad requests
60. ConnectWise API architecture
[Diagram: users → APIs → CloudFront → Elastic Load Balancing → Auto Scaling group of Amazon EC2 instances; API calls made into the environment]
61. ConnectWise API with AWS WAF
[Diagram: the same path with AWS WAF attached at CloudFront: users → APIs → CloudFront + AWS WAF → Elastic Load Balancing → Auto Scaling → Amazon EC2]
71. Bad Bot Demo
Step 1: Robots.txt – “Don’t index /honeypot”
Step 2: Create a rule: Count /honeypot
Step 3: Ban Bad Bots
See it in action:
STG205 - Secure Content Delivery Using Amazon CloudFront
OR
AWS New Services Booth
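The reactive loop of slide 56 applied to the honeypot demo on slide 71, as an added example that is not from the talk: a rule in COUNT mode reports what it matched through GetSampledRequests, the samples are aggregated per client IP (weighted, because one sample stands for several requests) and filtered to the /honeypot path, and the result becomes /32 entries for the blacklist IPSet. The sample data, the IPSet/rule IDs and the "ban on first weighted hit" threshold are assumptions.

```python
"""Added example, not from the talk: slide 56's reactive loop driving slide 71's honeypot ban."""
from collections import Counter
from datetime import datetime, timedelta, timezone

HONEYPOT_PREFIX = "/honeypot"   # robots.txt says "don't index /honeypot", so only a bot should ever request it

def offending_ips(sampled_requests, uri_prefix=None, min_weight=1):
    """Aggregate the 'SampledRequests' list of a GetSampledRequests response. Each sample carries a Weight
    (how many real requests it represents), so weights are summed per ClientIP rather than samples counted.
    Only samples whose URI starts with uri_prefix (if given) count. Returns IPs by descending weight."""
    hits = Counter()
    for sample in sampled_requests:
        req = sample["Request"]
        if uri_prefix is None or req["URI"].startswith(uri_prefix):
            hits[req["ClientIP"]] += sample["Weight"]
    return [ip for ip, weight in hits.most_common() if weight >= min_weight]

def ban_updates(ips, already_banned=()):
    """Updates for waf.update_ip_set(): one /32 per new IP (slide 25: /32 matches one address exactly)."""
    banned = set(already_banned)
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in ips if f"{ip}/32" not in banned]

def sample_window(minutes=60):
    """TimeWindow for GetSampledRequests (the API only serves samples from the previous three hours)."""
    end = datetime.now(timezone.utc)
    return {"StartTime": end - timedelta(minutes=minutes), "EndTime": end}

# Constructed samples trimmed to the fields used; a real Request also carries Country, Method, HTTPVersion, Headers
SAMPLES = [
    {"Request": {"ClientIP": "203.0.113.9", "URI": "/honeypot/"}, "Weight": 7, "Action": "COUNT"},
    {"Request": {"ClientIP": "198.51.100.5", "URI": "/index.html"}, "Weight": 3, "Action": "COUNT"},
    {"Request": {"ClientIP": "203.0.113.9", "URI": "/honeypot/page2"}, "Weight": 2, "Action": "COUNT"},
]

def ban_honeypot_visitors(web_acl_id, rule_id, blacklist_ipset_id):
    """Live version (needs credentials); the IDs are supplied by the caller. WAF for CloudFront is in us-east-1."""
    import boto3
    waf = boto3.client("waf", region_name="us-east-1")
    resp = waf.get_sampled_requests(WebAclId=web_acl_id, RuleId=rule_id, TimeWindow=sample_window(), MaxItems=500)
    current = [d["Value"] for d in waf.get_ip_set(IPSetId=blacklist_ipset_id)["IPSet"]["IPSetDescriptors"]]
    updates = ban_updates(offending_ips(resp["SampledRequests"], HONEYPOT_PREFIX), current)
    if updates:
        waf.update_ip_set(IPSetId=blacklist_ipset_id, ChangeToken=waf.get_change_token()["ChangeToken"],
                          Updates=updates)
    return updates
```

Run `ban_honeypot_visitors()` from a scheduled job (for example every few minutes, matching the ~1-minute metric and change latency on slide 23) so the blacklist rule, ordered ahead of the count rule, takes over once a bot is identified.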
72. Automatic behavioral analysis
Amazon is not the only one…
Repsheet open-source behavioral analysis
• http://www.slideshare.net/abedra/knock-knock-24105973
• https://github.com/repsheet/repsheet