(sec323) new: securing web applications with aws waf
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nate Dye, AWS Edge Services
October 2015
SEC323
Securing Web Applications with
AWS WAF
What to expect from this session
Deep dive
AWS WAF
Web defense
strategies
Automation for
better security
AWS WAF 301
Why AWS WAF?
Three kinds of web-layer threat, all arriving over the same path as legitimate traffic (good users and bad guys → web server → database):
• Application vulnerabilities: exploit code sent by bad guys reaches the web server and the database behind it
• Abuse
• Application DDoS
What is AWS WAF?
AWS WAF sits in front of the web server and database and inspects every request from good users and bad guys before it reaches the application.
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Traditional WAF
• Setup is complex and slow
• Rules with too many false positives
• No APIs for automation
AWS WAF
• Block or allow web requests
• Monitor security events
• New API and console
• Protect websites and content delivered through Amazon CloudFront
Benefits of AWS WAF
• Practical security made easy
• Customizable and flexible
• Integrate with development
Setting Up AWS WAF
1. Create a web ACL: ALLOW requests by default, but…
2. Add a rule: BLOCK if…
3. Add match conditions: …the source IP matches this list…
4. Assign to CloudFront: …for any request to d123.cloudfront.net.
Setting Up AWS WAF
<First Run Demo>
But wait, there’s more
Match conditions
• IP
• String
• SQLi
Customizable rules
• AND/OR
• Block, allow, or count
• Ordered conditions
Fast feedback
• ~1 minute for changes
• 1-minute metrics
• Request samples
Match conditions: IPSets
CIDR notation on octet boundaries (only /8, /16, /24 and /32 prefixes are accepted):
• 192.0.0.0/8 – Matches 192.*.*.*
• 192.168.0.0/16
• 192.168.32.0/24
• 192.168.32.64/32 – Matches a full IP address exactly
Limits and behaviour:
• 1,000 CIDRs per IPSet
• 10,000 CIDRs per web ACL
• Matches the connecting IP (the address CloudFront sees), not X-Forwarded-For: clients behind a shared proxy are all matched by the proxy's address, and nothing a client writes into its own headers can change the result
Match conditions: Strings and bytes
• Match any part of the web request
• Common use case: Referer whitelisting (the HTTP header is spelled "Referer"; a condition on a header named "Referrer" never matches anything)
Match any part of the web request
RAW request headers, as received by CloudFront and handed to AWS WAF:
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule (string match condition):
Check: Header "Referer"
Match Type: Contains
Match: "example.com"
Action: ALLOW
Result: good users, whose browsers send the site's own Referer, are allowed. Referer is set by the client, so this separates well-behaved browsers from casual hotlinking; an attacker can send any header value, so it is not an authentication control.
Match conditions: Strings and bytes
Use transforms to stop evasion
RAW request headers from a scraper bot:
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule (string match condition):
Check: Header "User-Agent"
Match Type: Contains
Match: "badbot"
Action: BLOCK
The same bot with a case change slips past that rule:
User-Agent: bAdBoT
Referer: http://www.InTeRnEtkItTiEs.com/
(other headers unchanged)
Adding a transform closes the gap, because the match is evaluated on the transformed value:
Check: Header "User-Agent"
Transform: To lower
Match Type: Contains
Match: "badbot"
Action: BLOCK
Match conditions: Strings and bytes
Flexible match conditions (API PositionalConstraint values in parentheses):
1. Contains (CONTAINS)
2. Exact (EXACTLY)
3. Begins with (STARTS_WITH)
4. Ends with (ENDS_WITH)
5. Contains word (CONTAINS_WORD): the target must appear bounded by non-alphanumeric characters or the field edges, so "badbot;" matches "badbot" but "badbot" does not match "bot"
Match conditions: Strings and bytes
Malicious binary? We can find it.
1. Select binary file: bad.bin, whose first bytes are (hex) 8950 4e47 0d0a 1a0a 0000 000d (these particular bytes are the PNG file signature, used here as the stand-in sample)
2. Base64 encode:
$> base64 bad.bin
iVBORw0KGgoAAAAN
3. Set match criteria: "iVBORw0KGgoAAAAN" (byte match sets take the base64 of the raw bytes; the target is limited to 50 bytes, and only the first 8 KB of a request body is inspected, so match on a signature near the start)
Match conditions: Strings and bytes
• 10 matches per string match set
• 1,000 matches in a web ACL
Match conditions: SQLi
Check your query strings, URL decode
Raw query string: /login?x=test%27%20UNION%20ALL%20select%20NULL%20--
Transform: URL Decode → /login?x=test' UNION ALL select NULL --
Match: SQL Injection → True
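The string and byte match behaviour described in the slides above, worked through in Python as an added example. This is editor-written code, not AWS WAF's implementation and not code from the talk: it approximates the documented semantics of four text transformations and the five positional constraints, builds ByteMatchTuple payloads with the base64 TargetString the API carries, and runs the deck's cases: the case-changed User-Agent, the PNG-signature bytes, and the URL-encoded SQL injection. The SQLi case is checked with a plain string target (the real SQLi condition is a built-in detector this example does not reproduce); the request dicts and header values are constructed.

```python
import base64
import re
import urllib.parse

# --- Text transformations (approximation of the documented AWS WAF semantics) ---
def transform(value: bytes, name: str) -> bytes:
    if name == "NONE":
        return value
    if name == "LOWERCASE":
        return value.lower()
    if name == "URL_DECODE":
        # '+' becomes a space and %xx escapes become raw bytes; done on bytes so a
        # decoded 0x27 (') or a binary payload is not mangled by a text codec.
        return urllib.parse.unquote_to_bytes(value.replace(b"+", b" "))
    if name == "COMPRESS_WHITE_SPACE":
        return re.sub(rb"[ \t\n\r\f\v]+", b" ", value)
    raise ValueError(f"unsupported transformation {name}")  # CMD_LINE, HTML_ENTITY_DECODE omitted

# --- Positional constraints ---
def positional_match(haystack: bytes, target: bytes, constraint: str) -> bool:
    if constraint == "CONTAINS":
        return target in haystack
    if constraint == "EXACTLY":
        return haystack == target
    if constraint == "STARTS_WITH":
        return haystack.startswith(target)
    if constraint == "ENDS_WITH":
        return haystack.endswith(target)
    if constraint == "CONTAINS_WORD":
        # Target must be alphanumeric/underscore and appear bounded by non-word
        # characters or the field edges: "badbot;" matches "badbot", "badbot" does not match "bot".
        if not re.fullmatch(rb"[A-Za-z0-9_]+", target):
            raise ValueError("CONTAINS_WORD target must be [A-Za-z0-9_]")
        pattern = rb"(?<![A-Za-z0-9_])" + re.escape(target) + rb"(?![A-Za-z0-9_])"
        return re.search(pattern, haystack) is not None
    raise ValueError(f"unknown constraint {constraint}")

# --- FieldToMatch ---
def field_value(request: dict, field: dict) -> bytes:
    kind = field["Type"]
    if kind == "HEADER":
        wanted = field["Data"].lower()  # header names compare case-insensitively
        return next((v for k, v in request["headers"].items() if k.lower() == wanted), b"")
    if kind == "BODY":
        return request["body"][:8192]  # AWS WAF inspects only the first 8 KB of a body
    return request[{"URI": "uri", "QUERY_STRING": "query_string", "METHOD": "method"}[kind]]

def make_tuple(field: dict, target: bytes, constraint: str = "CONTAINS",
               transformation: str = "NONE") -> dict:
    """Build a ByteMatchTuple as the API carries it: TargetString is base64 of the raw bytes."""
    if len(target) > 50:
        raise ValueError("TargetString is limited to 50 bytes")
    return {"FieldToMatch": field, "TargetString": base64.b64encode(target).decode("ascii"),
            "PositionalConstraint": constraint, "TextTransformation": transformation}

def byte_match(request: dict, tuple_: dict) -> bool:
    """Evaluate one ByteMatchTuple against a request (transform first, then compare)."""
    target = base64.b64decode(tuple_["TargetString"])
    value = transform(field_value(request, tuple_["FieldToMatch"]), tuple_["TextTransformation"])
    return positional_match(value, target, tuple_["PositionalConstraint"])

# Constructed sample requests (headers as {name: bytes}); not captured traffic.
SCRAPER = {"method": b"GET", "uri": b"/", "query_string": b"", "body": b"",
           "headers": {"Host": b"www.example.com", "User-Agent": b"bAdBoT",
                       "Referer": b"http://www.InTeRnEtkItTiEs.com/"}}
SQLI = {"method": b"GET", "uri": b"/login",
        "query_string": b"x=test%27%20UNION%20ALL%20select%20NULL%20--", "body": b"",
        "headers": {"Host": b"www.example.com"}}
PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a0000000d")  # the bytes from the slide
UPLOAD = {"method": b"POST", "uri": b"/upload", "query_string": b"",
          "body": PNG_SIGNATURE + b"IHDR...", "headers": {}}
UA = {"Type": "HEADER", "Data": "user-agent"}

def demo() -> dict:
    """Run the deck's cases and report which conditions fire."""
    checks = {
        "badbot_plain": (SCRAPER, make_tuple(UA, b"badbot")),                          # evaded by bAdBoT
        "badbot_lowercase": (SCRAPER, make_tuple(UA, b"badbot", "CONTAINS", "LOWERCASE")),
        "bot_as_word": (SCRAPER, make_tuple(UA, b"bot", "CONTAINS_WORD", "LOWERCASE")),  # "badbot" is not the word "bot"
        "png_in_body": (UPLOAD, make_tuple({"Type": "BODY"}, PNG_SIGNATURE, "STARTS_WITH")),
        "quote_union_raw": (SQLI, make_tuple({"Type": "QUERY_STRING"}, b"' UNION")),   # %27%20 hides it
        "quote_union_decoded": (SQLI, make_tuple({"Type": "QUERY_STRING"}, b"' UNION", "CONTAINS", "URL_DECODE")),
    }
    return {name: byte_match(req, t) for name, (req, t) in checks.items()}

if __name__ == "__main__":
    print(make_tuple({"Type": "BODY"}, PNG_SIGNATURE)["TargetString"])
    for name, hit in demo().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

Only one transformation applies per tuple, which is why the decoded SQLi check above uses a mixed-case target rather than combining URL_DECODE with LOWERCASE; a second tuple in the same byte match set covers the other spelling.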
Combining conditions
Restrict a rule to specific URIs, such as the login page: the public Internet may reach /* but only Seattle admins may reach /admin/login.cgi.
Rule: IP match (Seattle office range) AND string match (URI /admin/login.cgi); the conditions in one rule are ANDed.
Adding whitelist exceptions
You can whitelist with ALLOW actions on a rule. Place such rules before the BLOCK rules: rules are evaluated in order and the first ALLOW or BLOCK that matches ends evaluation.
Reuse conditions
You can reuse any part of a web ACL: two CloudFront distributions, each with its own web ACL (#1 and #2), can both reference one shared blacklist IPSet.
Observing rules in action
Finding requests that
match your rules
Setting up detection alarms
<Example Demo>
Building blocks for web security
APIs, SDKs, and CLIs!
SDKs: Java, Python (boto), PHP, .NET, Ruby, Node.js, JavaScript, iOS, Android
Tools: AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell, AWS CLI
GetChangeToken
Every call that changes AWS WAF state takes a change token: get one, pass it to the Create*/Update* call, then poll GetChangeTokenStatus until the change reports INSYNC before building on it. Each create, update, or delete needs its own fresh token; the same token value is shown below only to keep the example short.
$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
{
    "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff"
}
Create*
$ aws --endpoint-url https://waf.amazonaws.com/ waf create-web-acl \
    --name BetaTest \
    --metric-name BetaTest \
    --default-action Type=ALLOW \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
GetChangeTokenStatus
$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
{
    "ChangeTokenStatus": "PENDING"
}
ChangeTokenStatus is one of PROVISIONED (token issued, no change submitted yet), PENDING (change submitted, still propagating) or INSYNC (propagated everywhere).
Update*Set
$ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set \
    --ip-set-id <ip-set-id> \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff \
    --updates '[
      {"Action": "INSERT",
       "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.0.0/16"}},
      {"Action": "INSERT",
       "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.5.0/24"}}
    ]'
GetSampledRequests (response excerpt)
{
    "SampledRequests": [
        {
            "Action": "BLOCK",
            "Timestamp": 1441839596.476,
            "Request": {
                "Country": "IE",
                "URI": "/",
                "Headers": [
                    {"Name": "Host", "Value": "d123abc.cloudfront.net"},
                    {"Name": "User-Agent", "Value": "curl/7.30.0"}
                ],
                "ClientIP": "54.240.197.225",
                "Method": "GET",
                "HTTPVersion": "HTTP/1.0"
            }
        }
    ]
}
Pay for what you use
• No upfront minimums
• Use it for just an hour, or always on
Pay for what you use
• $5 per web ACL, $1 per rule per month
• Reuse a web ACL across CloudFront distributions with no additional charge
• Use more rules for more visibility
• $0.60 per million requests
Pay for what you use
• Low monthly minimum, scales with volume
• Typical monthly bill
• Test environment (1 rule): $6 per month
• Small site (6 rules, 58M views): $46 per month
• Medium site (6 rules, 260M views): $167 per month
Rule strategy comparison
Negative
• Typical of prod deployment
• ALLOW by default
• BLOCK known-bad threats
Examples
• BLOCK MalwareIncIPRange
• BLOCK “{;}”
Positive
• Typical of restricted site
• BLOCK by default
• ALLOW known-good
Examples
• ALLOW SeattleOfficeIPRange
• ALLOW Referer header “example.com”
Mitigation strategies
• Static policies – For unchanging known-bad threats
• Reactive policies – For dynamic emerging threats
Use count rules to find bad actors
1. Count mode: run the rule as COUNT, not BLOCK
2. Alert on Amazon CloudWatch metrics
3. Get sampled requests
4. Add bad IPs to BlackList
Putting it all together
Rule Order:
1. WhiteListed IPs – ALLOW
2. BlackListed IPs – BLOCK
3. BlackListedSignatures – BLOCK
4. SQLInjection – COUNT
5. SuspiciousActivity - COUNT
Default: ALLOW
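A web ACL evaluator, added here as an editor-written example (not AWS code and not from the talk), showing what the rule order above means at evaluation time: predicates inside a rule are ANDed, a negated predicate inverts one condition, the first matching ALLOW or BLOCK rule ends evaluation, COUNT rules only increment a metric and evaluation continues, and the default action applies when nothing terminates. Rule 3 from the list is stood in for by the "combining conditions" rule (block /admin/ unless the caller is in the office range), the SQLi rule uses a plain string match in place of the built-in detector, and the IP ranges are RFC 5737 documentation addresses chosen for the example. The fifth request is the one to notice: a whitelisted source sending an injection never reaches the COUNT rule, so whitelist rules placed first also hide telemetry.

```python
import ipaddress
from collections import Counter

ALLOWED_PREFIXES = (8, 16, 24, 32)   # the CIDR sizes AWS WAF IPSets accepted at launch
MAX_CIDRS_PER_IPSET = 1000

class IPSet:
    """IP match condition: octet-boundary IPv4 CIDRs, tested against the connecting IP only."""
    def __init__(self, cidrs):
        if len(cidrs) > MAX_CIDRS_PER_IPSET:
            raise ValueError("an IPSet holds at most 1,000 CIDRs")
        self.networks = []
        for cidr in cidrs:
            net = ipaddress.IPv4Network(cidr, strict=True)   # rejects host bits set, e.g. 192.168.32.64/24
            if net.prefixlen not in ALLOWED_PREFIXES:
                raise ValueError(f"{cidr}: prefix length must be one of {ALLOWED_PREFIXES}")
            self.networks.append(net)

    def matches(self, request):
        # X-Forwarded-For is deliberately ignored: it is client-supplied and not what AWS WAF checks.
        ip = ipaddress.IPv4Address(request["client_ip"])
        return any(ip in net for net in self.networks)

def is_valid_ipset(cidrs):
    """True if every CIDR would be accepted into an IPSet."""
    try:
        IPSet(cidrs)
        return True
    except ValueError:
        return False

class StringMatch:
    """Simplified string match condition on the URI or query string (no text transforms)."""
    def __init__(self, field, target, constraint="CONTAINS"):
        self.field, self.target, self.constraint = field, target, constraint

    def matches(self, request):
        value = request[self.field]
        return value.startswith(self.target) if self.constraint == "STARTS_WITH" else self.target in value

class Rule:
    """Predicates are ANDed; a (condition, negated=True) pair inverts that condition."""
    def __init__(self, name, action, predicates):
        if action not in ("ALLOW", "BLOCK", "COUNT"):
            raise ValueError(action)
        self.name, self.action, self.predicates = name, action, predicates

    def matches(self, request):
        return all(cond.matches(request) != negated for cond, negated in self.predicates)

class WebACL:
    def __init__(self, default_action, rules):
        self.default_action, self.rules = default_action, rules
        self.metrics = Counter()   # stands in for the per-rule CloudWatch metrics

    def evaluate(self, request):
        """Walk rules in order; the first ALLOW or BLOCK match ends evaluation, COUNT only records."""
        for rule in self.rules:
            if rule.matches(request):
                self.metrics[(rule.name, rule.action)] += 1
                if rule.action != "COUNT":
                    return rule.action, rule.name
        self.metrics[("Default", self.default_action)] += 1
        return self.default_action, "Default"

# Constructed ranges and requests (documentation addresses), not real data.
SEATTLE_OFFICE = IPSet(["198.51.100.0/24"])
BLACKLIST = IPSet(["203.0.113.0/24"])

def build_acl():
    return WebACL("ALLOW", [
        Rule("WhiteListedIPs", "ALLOW", [(SEATTLE_OFFICE, False)]),
        Rule("BlackListedIPs", "BLOCK", [(BLACKLIST, False)]),
        # "Combining conditions": /admin/* is blocked unless the caller is in the office range.
        Rule("AdminNotFromOffice", "BLOCK", [(StringMatch("uri", "/admin/", "STARTS_WITH"), False),
                                             (SEATTLE_OFFICE, True)]),
        Rule("SQLInjection", "COUNT", [(StringMatch("query_string", "' UNION"), False)]),
        Rule("SuspiciousActivity", "COUNT", [(StringMatch("uri", "/honeypot", "STARTS_WITH"), False)]),
    ])

REQUESTS = [
    {"client_ip": "198.51.100.7", "uri": "/admin/login.cgi", "query_string": ""},   # Seattle admin
    {"client_ip": "192.0.2.10",   "uri": "/admin/login.cgi", "query_string": ""},   # public Internet
    {"client_ip": "203.0.113.5",  "uri": "/",                "query_string": ""},   # blacklisted source
    {"client_ip": "192.0.2.10",   "uri": "/login", "query_string": "x=test' UNION ALL select NULL --"},
    {"client_ip": "198.51.100.7", "uri": "/login", "query_string": "x=test' UNION ALL select NULL --"},
    {"client_ip": "192.0.2.44",   "uri": "/honeypot",        "query_string": ""},   # bot ignoring robots.txt
]

def run_demo():
    acl = build_acl()
    decisions = [acl.evaluate(r) for r in REQUESTS]
    return decisions, acl.metrics

if __name__ == "__main__":
    decisions, metrics = run_demo()
    for req, (action, rule) in zip(REQUESTS, decisions):
        print(f"{req['client_ip']:14s} {req['uri']:18s} -> {action} ({rule})")
    print(dict(metrics))
```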
Customer example: Finding bad requestors
ConnectWise
1. Uses negative security model
2. Monitors known-bad activity
3. Reactively bans bad requests
ConnectWise API architecture: users' API calls enter the environment through CloudFront, then Elastic Load Balancing, then an Auto Scaling group of Amazon EC2 instances.
ConnectWise API with AWS WAF: the same path, with AWS WAF attached to the CloudFront distribution in front of the load balancer.
Example of an old API call: the API version is part of the request URI.
Create a rule to block old versions
Rule (string match condition):
Check: URI
Match Type: Contains
Match: “/v2015_3/”
Action: Block
byteset.json (input for aws waf update-byte-match-set --cli-input-json file://byteset.json)
{
"ByteMatchSetId": "e13d4ed4-2b47-4313-8173-d0370e58ac20",
"ChangeToken": "fab95c78-c969-4845-876f-6f2bc8283ea3",
"Updates": [
{
"Action": "INSERT",
"ByteMatchTuple": {
"FieldToMatch": {
"Type": "URI"
},
"PositionalConstraint": "CONTAINS",
"TargetString": "/v2015_3/",
"TextTransformation": "LOWERCASE"
}
}
]
}
Old requests are blocked
Access Denied
Example of an invalid user request: the cookie value identifies the invalid user.
Create a rule to block invalid users
cookie-byte-match-set.json
{
"Updates": [
{
"ByteMatchTuple": {
"TextTransformation": "LOWERCASE",
"TargetString": "companyname=cwqaman_p",
"PositionalConstraint": "CONTAINS",
"FieldToMatch": {
"Type": "HEADER",
"Data": "Cookie"
}
},
"Action": "INSERT"
}
],
"ChangeToken": "988120ac-9040-4a26-bbe0-3282bc5410ce",
"ByteMatchSetId": "2fdd991d-9b44-4d41-9231-7aa92dfe5ffe"
}
Rule (string match condition):
Check: Header “Cookie”
Match Type: Contains
Match: “companyname=cwqaman_p”
Action: Block
Invalid users are blocked
Results
Savings:
• Decrease the number of machines
• Currently saving 20% during peak hours
Automatic behavioral analysis
AWS WAF automated blacklists: requests from good users and bad guys pass through AWS WAF to the server; the server's logs feed a threat analysis step, and a rule updater pushes its findings back into AWS WAF as blacklist entries.
Bad Bot Demo
Step 1: Robots.txt – “Don’t index /honeypot”
Step 2: Create a rule: Count /honeypot
Step 3: Ban Bad Bots
See it in action:
STG205 - Secure Content Delivery Using Amazon CloudFront
OR
AWS New Services Booth
Automatic behavioral analysis
Amazon is not the only one…
Repsheet open-source behavioral analysis
• http://www.slideshare.net/abedra/knock-knock-24105973
• https://github.com/repsheet/repsheet
Automatic reactive mitigations
AWS WAF partners
Automatic behavioral analysis
Alert Logic proof of concept: AWS WAF sits in front of the server; Alert Logic analyzes the traffic and updates the AWS WAF blacklist with the bad guys' addresses while good users pass through.
Automatic incident reports
Flow: CloudWatch Alarm → SNS Topic → AWS Lambda → AWS WAF → SNS Topic → Operator
1. Alarm on count
2. Send Amazon SNS notification
4. Format sampled requests
5. Get sampled requests
6. Send email notification
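The reactive loop described under "Use count rules to find bad actors" and the Lambda incident-report flow above, as an added editor example (not ConnectWise's, Alert Logic's, or AWS's code). Given a GetSampledRequests-style response for a COUNT rule, it tallies weighted hits per ClientIP, skips addresses that are already blacklisted or sit in a protected range, respects the 1,000-CIDR IPSet limit, and emits both the Updates list for update-ip-set and the text for the operator notification. The sample response, the IPSet id and the change token are constructed placeholders; the call to AWS itself (boto3 or the CLI) is left to the caller, which must fetch a fresh change token first.

```python
import ipaddress
import json
from collections import Counter

MAX_CIDRS_PER_IPSET = 1000

# Constructed GetSampledRequests output for a COUNT rule (not captured data). Each sample
# carries a Weight: roughly how many similar requests in the time window it stands for.
SAMPLED = {"SampledRequests": [
    {"Action": "COUNT", "Weight": 25, "Timestamp": 1441839596.476,
     "Request": {"ClientIP": "203.0.113.9", "Country": "IE", "URI": "/honeypot", "Method": "GET",
                 "HTTPVersion": "HTTP/1.0", "Headers": [{"Name": "User-Agent", "Value": "curl/7.30.0"}]}},
    {"Action": "COUNT", "Weight": 15, "Timestamp": 1441839601.102,
     "Request": {"ClientIP": "203.0.113.9", "Country": "IE", "URI": "/honeypot/", "Method": "GET",
                 "HTTPVersion": "HTTP/1.0", "Headers": []}},
    {"Action": "COUNT", "Weight": 60, "Timestamp": 1441839605.330,          # office scanner, never ban
     "Request": {"ClientIP": "198.51.100.7", "Country": "US", "URI": "/honeypot", "Method": "GET",
                 "HTTPVersion": "HTTP/1.1", "Headers": []}},
    {"Action": "COUNT", "Weight": 12, "Timestamp": 1441839610.004,          # already covered by blacklist
     "Request": {"ClientIP": "198.18.5.5", "Country": "DE", "URI": "/honeypot", "Method": "GET",
                 "HTTPVersion": "HTTP/1.1", "Headers": []}},
    {"Action": "COUNT", "Weight": 3, "Timestamp": 1441839612.900,           # below threshold
     "Request": {"ClientIP": "192.0.2.77", "Country": "FR", "URI": "/honeypot", "Method": "GET",
                 "HTTPVersion": "HTTP/1.1", "Headers": []}},
    {"Action": "BLOCK", "Weight": 9, "Timestamp": 1441839613.500,           # already BLOCKed, ignored
     "Request": {"ClientIP": "203.0.113.5", "Country": "IE", "URI": "/", "Method": "GET",
                 "HTTPVersion": "HTTP/1.0", "Headers": []}},
]}

def tally_sources(sampled, action="COUNT"):
    """Weighted hits per ClientIP for samples carrying the given action."""
    hits = Counter()
    for s in sampled["SampledRequests"]:
        if s["Action"] == action:
            hits[s["Request"]["ClientIP"]] += s.get("Weight", 1)
    return hits

def covered(ip, cidrs):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(c) for c in cidrs)

def plan_blacklist_update(sampled, current_blacklist, never_ban, threshold):
    """Decide which /32s to INSERT into the blacklist IPSet, and record why others were skipped."""
    hits = tally_sources(sampled)
    offenders = sorted((ip for ip, n in hits.items() if n >= threshold),
                       key=lambda ip: (-hits[ip], ip))      # worst first, deterministic order
    room = MAX_CIDRS_PER_IPSET - len(current_blacklist)
    updates, skipped = [], []
    for ip in offenders:
        if covered(ip, never_ban):
            skipped.append((ip, "in a protected range"))
        elif covered(ip, current_blacklist):
            skipped.append((ip, "already blacklisted"))
        elif len(updates) >= room:
            skipped.append((ip, "IPSet is full"))
        else:
            updates.append({"Action": "INSERT",
                            "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}})
    return {"Hits": dict(hits), "Updates": updates, "Skipped": skipped}

def to_cli_input(plan, ip_set_id, change_token):
    """JSON for `aws waf update-ip-set --cli-input-json file://...` (ids here are placeholders)."""
    return json.dumps({"IPSetId": ip_set_id, "ChangeToken": change_token,
                       "Updates": plan["Updates"]}, indent=2)

def format_report(plan, rule_name):
    """Plain-text body for the SNS notification to the operator."""
    lines = [f"AWS WAF rule {rule_name}: {len(plan['Updates'])} new blacklist entries"]
    for u in plan["Updates"]:
        ip = u["IPSetDescriptor"]["Value"].split("/")[0]
        lines.append(f"  BAN  {ip:16s} weighted hits={plan['Hits'][ip]}")
    for ip, why in plan["Skipped"]:
        lines.append(f"  SKIP {ip:16s} {why} (weighted hits={plan['Hits'][ip]})")
    return "\n".join(lines)

if __name__ == "__main__":
    plan = plan_blacklist_update(SAMPLED, current_blacklist=["198.18.0.0/16"],
                                 never_ban=["198.51.100.0/24"], threshold=5)
    print(format_report(plan, "SuspiciousActivity"))
    print(to_cli_input(plan, "<ip-set-id>", "<change-token>"))
```

The protected-range check is the part worth keeping even when everything else is automated: an alarm-driven ban with no allow list will eventually block your own scanners, monitoring, or office when they trip the count rule.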
Remember to complete
your evaluations!
Thank you!
Get started with AWS WAF:
https://console.aws.amazon.com/waf