AWS October Webinar Series - Introducing AWS WAF
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nate Dye, AWS WAF
Oct 28th, 2015
Introduction to AWS WAF
What is AWS WAF?
(Diagram: good users and bad guys send requests toward the web server and database; AWS WAF sits in front of the web server and applies the rules.)
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
What is AWS WAF? APIs for Security Automation
(Diagram: good users and bad guys -> AWS WAF -> server. AWS WAF logs feed a threat-analysis step; a rule updater changes the AWS WAF rules through the API, and a notification goes to the security engineer.)
Setting Up AWS WAF
1. Create a web ACL: ALLOW requests by default, but…
2. Add a rule: BLOCK if…
3. Add match conditions: the source IP matches this list…
4. Assign to CloudFront: for any request to d123.cloudfront.net.
But wait, there’s more
Match conditions
• IP
• String
• SQLi
Flexible rules
• AND/OR
• Block, allow, or count
• Ordered conditions
Fast feedback
• ~1 minute for changes
• 1-minute metrics
• Request samples
Match conditions: Strings and bytes
Example #1: Whitelist Referer
RAW request headers (as CloudFront passes them to AWS WAF):
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule: String match condition
Check: Header “Referer” (the HTTP header name is spelled with one r, and AWS WAF matches the literal header name)
Match Type: Contains
Match: “example.com”
Action: ALLOW
Result: good users are allowed. Caveat: the Referer header is set by the client, so this whitelist only sorts out clients that do not bother to forge it.
Match conditions: Strings and bytes
Example #2: Blacklist User-Agents
RAW request headers:
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule: String match condition
Check: Header “User-Agent”
Match Type: Contains
Match: “badbot”
Action: BLOCK
Result: the scraper bot is blocked. Note that without a text transform the comparison is case-sensitive.
Match conditions: Strings and bytes
Example #2 (continued): the bot changes the case of its User-Agent
RAW request headers:
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Rule: String match condition
Check: Header “User-Agent”
Transform: To lower (applied to the request value before the comparison, so the match string itself must be lowercase)
Match Type: Contains
Match: “badbot”
Action: BLOCK
Result: the scraper bot is blocked again.
Match conditions: IPSets
Example #3: Blacklist IP Address
RAW request headers (same scraper bot as in example #2):
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Source IP: 192.168.45.67
Rule: IP match condition
Check: Source IP
Match: in the blacklist IP set (entries are CIDR blocks, so a single host is 192.168.45.67/32)
Action: BLOCK
Result: the scraper bot is blocked by its source address, whatever it puts in the User-Agent header.
Reuse conditions
Example #4: Reusable IP Blacklist
(Diagram: one shared blacklist IP set is referenced by rules in Web ACL #1 and Web ACL #2, each assigned to its own CloudFront distribution; one update to the set takes effect in both.)
AND/OR multiple conditions
Example #5: Restricted Admin URLs
(Diagram: site admins reach /admin/login.aspx; ordinary users reach /mainsite/images.)
Rule: BLOCK if the URI starts with “/admin/” AND the source IP is NOT in the site-admin IP set. Both conditions must hold, so public paths such as /mainsite/images stay open to everyone and admins keep their access.
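The setup steps and examples #1 to #5 above, put together as one runnable model. This is an added example, not AWS code: it reproduces the evaluation semantics the slides describe (IP-set and string-match conditions, the To lower transform, AND of conditions within a rule, negated conditions, ordered rules, ALLOW/BLOCK/COUNT, a web ACL default action) so the rule set can be checked offline. The admin IP range 203.0.113.0/24, the rule names and the sample requests are assumptions made for the example.

```python
"""Model of the AWS WAF (classic) evaluation semantics from the slides.

Added example, not AWS code. Assumed: admin range 203.0.113.0/24,
rule names, sample requests.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """What CloudFront hands to AWS WAF: source IP, URI and raw headers."""
    client_ip: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # Header names are case-insensitive; a missing header reads as "".
        return next((v for k, v in self.headers.items()
                     if k.lower() == name.lower()), "")


Condition = Callable[[Request], bool]


def ipset(cidrs: List[str]) -> Condition:
    """IP match condition: true if the source IP is inside any CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets)


def string_match(fld: str, match_type: str, targets: List[str],
                 transform: Optional[str] = None) -> Condition:
    """String match condition on "URI" or "HEADER:<name>".

    Several targets behave like several filters in one condition: the
    condition holds if ANY target matches (the OR on the slide).
    """
    def value_of(r: Request) -> str:
        v = r.uri if fld == "URI" else r.header(fld.split(":", 1)[1])
        # The transform applies to the request value, never to the target,
        # so the target must already be lowercase.
        return v.lower() if transform == "LOWERCASE" else v

    ops = {"CONTAINS": lambda v, t: t in v,
           "EXACTLY": lambda v, t: v == t,
           "STARTS_WITH": lambda v, t: v.startswith(t)}
    return lambda r: any(ops[match_type](value_of(r), t) for t in targets)


def negate(cond: Condition) -> Condition:
    """Negated predicate: the request does NOT match the condition."""
    return lambda r: not cond(r)


@dataclass
class Rule:
    name: str
    action: str                  # ALLOW, BLOCK or COUNT
    conditions: List[Condition]  # all must hold (AND)

    def matches(self, r: Request) -> bool:
        return all(c(r) for c in self.conditions)


@dataclass
class WebACL:
    default_action: str
    rules: List[Rule]  # evaluated in order; the first ALLOW or BLOCK wins

    def evaluate(self, r: Request):
        """Return (final action, names of the COUNT rules that matched)."""
        counted = []
        for rule in self.rules:
            if not rule.matches(r):
                continue
            if rule.action == "COUNT":
                counted.append(rule.name)  # COUNT never stops evaluation
                continue
            return rule.action, counted
        return self.default_action, counted


# Example #4: one blacklist condition can be referenced from several web ACLs.
BLACKLIST = ipset(["192.168.45.67/32"])  # the bot's source IP from example #3
ADMIN_IPS = ipset(["203.0.113.0/24"])    # assumed admin range (TEST-NET-3)


def build_web_acl() -> WebACL:
    """Web ACL with the rules of examples #1, #2 (with transform), #3 and #5."""
    return WebACL(default_action="ALLOW", rules=[
        # Example #3: blacklisted source IPs go first, whatever they send.
        Rule("ip-blacklist", "BLOCK", [BLACKLIST]),
        # Example #2: "badbot" in the User-Agent in any letter case.
        Rule("bad-ua", "BLOCK", [string_match(
            "HEADER:User-Agent", "CONTAINS", ["badbot"], transform="LOWERCASE")]),
        # Example #5: /admin/ only from admin IPs (AND of two conditions).
        Rule("admin-urls", "BLOCK", [string_match("URI", "STARTS_WITH", ["/admin/"]),
                                     negate(ADMIN_IPS)]),
        # Count mode: measure requests without our Referer before blocking them.
        Rule("foreign-referer", "COUNT", [negate(
            string_match("HEADER:Referer", "CONTAINS", ["example.com"]))]),
        # Example #1: whitelist our own Referer. Deliberately last: an ALLOW
        # earlier in the order would let a bot through by forging the header.
        Rule("own-referer", "ALLOW",
             [string_match("HEADER:Referer", "CONTAINS", ["example.com"])]),
    ])


if __name__ == "__main__":
    bot = Request("198.51.100.5", "/", {"User-Agent": "bAdBoT",
                                        "Referer": "http://www.InTeRnEtkItTiEs.com/"})
    print(build_web_acl().evaluate(bot))  # ('BLOCK', [])
```

Rule order is part of the policy: because the first ALLOW or BLOCK terminates evaluation, the Referer whitelist is placed after every BLOCK rule, and the COUNT rule is placed before it so that the count still records requests the default action will allow.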
Use count rules to find bad actors
1. Put the new rule in Count mode, so it records matches without blocking anyone.
2. Alert on the Amazon CloudWatch metrics the rule emits.
3. Get sampled requests for the rule.
4. Add the bad IPs to the blacklist IP set.
Automatic incident reports
(Components: CloudWatch Alarm -> SNS Topic -> AWS Lambda -> AWS WAF; AWS Lambda -> SNS Topic -> Operator.)
1. Alarm on the count metric.
2. Send an Amazon SNS notification.
3. The SNS topic invokes an AWS Lambda function.
4. Get sampled requests from AWS WAF.
5. Format the sampled requests.
6. Send an email notification to the operator.
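The count-mode workflow and the automatic incident report above, carried through in code. This is an added example, not AWS code: the triage functions work on a dict shaped like the classic AWS WAF GetSampledRequests response, and the sampled requests in SAMPLED are constructed for the example, not a real capture. The UpdateIPSet body is built locally and only sent when a boto3 `waf` client is passed in, so everything but the Lambda handler runs offline. The handler, its environment variable names (WEB_ACL_ID, RULE_ID, IP_SET_ID, REPORT_TOPIC_ARN) and the 15-minute look-back window are assumptions.

```python
"""Count-mode triage: sampled requests -> IP blacklist update -> report.

Added example, not AWS code. SAMPLED is constructed; the handler wiring
and the environment variable names are assumed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, Iterable, List


def _sample(ip, uri, ua, weight=1, action="COUNT"):
    return {"Request": {"ClientIP": ip, "URI": uri, "Method": "GET",
                        "Headers": [{"Name": "User-Agent", "Value": ua}]},
            "Weight": weight, "Action": action}


# Constructed sample in the shape of a GetSampledRequests response.
SAMPLED = {"SampledRequests": [
    _sample("192.168.45.67", "/admin/login.aspx", "bAdBoT"),
    _sample("192.168.45.67", "/admin/login.aspx", "bAdBoT", weight=2),
    _sample("192.168.45.67", "/mainsite/images/logo.png", "badbot"),
    _sample("198.51.100.23", "/", "Mozilla/5.0"),
    _sample("198.51.100.23", "/admin/", "Mozilla/5.0"),
    _sample("203.0.113.9", "/", "Mozilla/5.0"),
    _sample("198.51.100.23", "/", "curl/7.43", action="BLOCK"),  # other rule
], "PopulationSize": 7}


def ips_over_threshold(sample: Dict, threshold: int, action: str = "COUNT") -> List[str]:
    """Client IPs the rule matched at least `threshold` times, most frequent first.

    Each sample carries a Weight (the number of requests it stands for), so
    weights are summed rather than samples counted.
    """
    hits = Counter()
    for s in sample.get("SampledRequests", []):
        if s.get("Action") == action:
            hits[s["Request"]["ClientIP"]] += int(s.get("Weight", 1))
    return [ip for ip, n in hits.most_common() if n >= threshold]


def build_ipset_update(ip_set_id: str, change_token: str, ips: Iterable[str],
                       already_listed: Iterable[str] = ()) -> Dict:
    """Body of an UpdateIPSet call that INSERTs one host entry per new IP.

    IP sets hold CIDRs, so a single address becomes /32 (IPv6 /128 entries
    were added to the API after this 2015 deck). Entries already in the set
    are skipped so the update stays idempotent.
    """
    listed, updates = set(already_listed), []
    for ip in ips:
        addr = ip_address(ip)
        value = f"{addr}/{32 if addr.version == 4 else 128}"
        if value not in listed:
            updates.append({"Action": "INSERT", "IPSetDescriptor": {
                "Type": f"IPV{addr.version}", "Value": value}})
    return {"IPSetId": ip_set_id, "ChangeToken": change_token, "Updates": updates}


def format_report(sample: Dict, offenders: List[str]) -> str:
    """Plain-text incident summary for the SNS e-mail to the operator."""
    reqs = sample.get("SampledRequests", [])
    lines = [f"{len(reqs)} samples of {sample.get('PopulationSize', '?')} counted requests"]
    for ip in offenders:
        uris = sorted({s["Request"]["URI"] for s in reqs if s["Request"]["ClientIP"] == ip})
        lines.append(f"blacklisted {ip}: {', '.join(uris)}")
    return "\n".join(lines)


def blacklist_from_sample(sample: Dict, ip_set_id: str, threshold: int = 3,
                          waf_client=None, already_listed: Iterable[str] = ()) -> Dict:
    """Dry run by default; with a boto3 'waf' client the update is applied."""
    ips = ips_over_threshold(sample, threshold)
    token = waf_client.get_change_token()["ChangeToken"] if waf_client else "dry-run"
    payload = build_ipset_update(ip_set_id, token, ips, already_listed)
    if waf_client and payload["Updates"]:
        waf_client.update_ip_set(**payload)  # classic WAF API via boto3
    return payload


def lambda_handler(event, context):
    """Entry point when the alarm's SNS topic invokes the function (assumed wiring)."""
    import os
    import boto3  # present in the Lambda runtime; not needed by the functions above
    waf, sns = boto3.client("waf"), boto3.client("sns")
    end = datetime.now(timezone.utc)
    sample = waf.get_sampled_requests(
        WebAclId=os.environ["WEB_ACL_ID"], RuleId=os.environ["RULE_ID"],
        TimeWindow={"StartTime": end - timedelta(minutes=15), "EndTime": end},
        MaxItems=500)
    listed = {d["Value"] for d in
              waf.get_ip_set(IPSetId=os.environ["IP_SET_ID"])["IPSet"]["IPSetDescriptors"]}
    payload = blacklist_from_sample(sample, os.environ["IP_SET_ID"], 3, waf, listed)
    new_ips = [u["IPSetDescriptor"]["Value"].split("/")[0] for u in payload["Updates"]]
    sns.publish(TopicArn=os.environ["REPORT_TOPIC_ARN"], Subject="AWS WAF incident report",
                Message=format_report(sample, new_ips))
```

Sampled requests are a sample, not a full log, so the threshold should be set against the Weight-adjusted counts and validated with the rule still in COUNT mode before anyone lets the function write to the production blacklist; the offline functions make that validation a unit test rather than a live experiment.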
Thank you!
Get started with AWS WAF: https://console.aws.amazon.com/waf