(SEC323) New: Securing Web Applications with AWS WAF


Page 1: (SEC323) New: Securing Web Applications with AWS WAF

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Nate Dye, AWS Edge Services

October 2015

SEC323: Securing Web Applications with AWS WAF

Page 2: What to expect from this session

• Deep dive: AWS WAF

• Web defense strategies

• Automation for better security

AWS WAF 301

Page 3: What to expect from this session

• Web defense strategies

• Automation for better security

• Deep dive: AWS WAF

AWS WAF 301

Page 4: Why AWS WAF?

Application vulnerabilities

Diagram: good users and bad guys both reach the web server and database; the bad guys send exploit code.

Page 5: Why AWS WAF?

Abuse

Diagram: good users and bad guys both reach the web server and database.

Page 6: Why AWS WAF?

Application DDoS

Diagram: good users and bad guys both reach the web server and database.

Page 7: What is AWS WAF?

Application DDoS

Diagram: AWS WAF sits between the good users and bad guys on one side and the web server and database on the other.

Page 8: What is AWS WAF?

Application DDoS

Diagram: AWS WAF in front of the web server and database.

AWS WAF rules:

1: BLOCK requests from bad guys.

2: ALLOW requests from good guys.

Page 9: What is AWS WAF?

Page 10: Traditional WAF

Setup is complex and slow

Page 11: Traditional WAF

Rules with too many false positives

Page 12: Traditional WAF

No APIs for automation

Page 13: AWS WAF

Page 14: AWS WAF

Block or allow web requests

Monitor security events

Page 15: AWS WAF

New API and console

Protect websites and content

Amazon CloudFront

Page 16: Benefits of AWS WAF

• Practical security made easy

• Customizable and flexible

• Integrate with development


Page 20: What to expect from this session

• Web defense strategies

• Automation for better security

• Deep dive: AWS WAF

AWS WAF 301

Page 21: Setting Up AWS WAF

1. Create a web ACL. ALLOW requests by default, but…

2. Add a rule. BLOCK if…

3. Add match conditions. …the source IP matches this list…

4. Assign to CloudFront. …for any request to d123.cloudfront.net.
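The four steps above driven through the API instead of the console, as an added example that is not code from the talk or from AWS: it creates the IP set, the rule and the web ACL in order, takes a fresh change token for every mutating call and waits until the change is INSYNC, the GetChangeToken / GetChangeTokenStatus handshake the deck's CLI slides show. It assumes a client with the boto3 `waf` method names (`create_ip_set`, `update_rule`, `get_change_token_status`, and so on); step 4, attaching the web ACL to the CloudFront distribution, is a CloudFront API call and is not modelled.

```python
"""Slide steps 1-3 as AWS WAF (classic) API calls. Added example, not from the talk.
Assumes the boto3 'waf' client method names; step 4 (attach the web ACL to a
CloudFront distribution) is a CloudFront call and is not modelled here."""
import time

def setup_plan(acl_name, bad_cidrs, rule_name="BlockBadIPs"):
    """IPSet -> Rule with IPMatch predicate -> web ACL (ALLOW by default, BLOCK on the rule).
    '$X' values are placeholders filled from the ids returned by earlier Create* calls."""
    ip_updates = [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": c}}
                  for c in bad_cidrs]
    return [
        ("create_ip_set", {"Name": f"{rule_name}-ips"}),
        ("update_ip_set", {"IPSetId": "$IPSetId", "Updates": ip_updates}),
        ("create_rule", {"Name": rule_name, "MetricName": rule_name}),
        ("update_rule", {"RuleId": "$RuleId", "Updates": [{"Action": "INSERT",
            "Predicate": {"Negated": False, "Type": "IPMatch", "DataId": "$IPSetId"}}]}),
        ("create_web_acl", {"Name": acl_name, "MetricName": acl_name,
                            "DefaultAction": {"Type": "ALLOW"}}),
        ("update_web_acl", {"WebACLId": "$WebACLId", "Updates": [{"Action": "INSERT",
            "ActivatedRule": {"Priority": 1, "RuleId": "$RuleId", "Action": {"Type": "BLOCK"}}}]}),
    ]

def fill(params, ids):
    """Replace '$X' placeholders at any depth with ids collected so far."""
    if isinstance(params, str) and params.startswith("$"):
        return ids[params[1:]]
    if isinstance(params, dict):
        return {k: fill(v, ids) for k, v in params.items()}
    if isinstance(params, list):
        return [fill(v, ids) for v in params]
    return params

def wait_insync(client, token, attempts=30, delay=0.0):
    """Poll GetChangeTokenStatus until the change is INSYNC (PROVISIONED/PENDING first)."""
    for _ in range(attempts):
        status = client.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"]
        if status == "INSYNC":
            return status
        if status not in ("PROVISIONED", "PENDING"):
            raise RuntimeError(f"unexpected change token status {status!r}")
        time.sleep(delay)
    raise TimeoutError(f"change {token} not INSYNC after {attempts} polls")

def run_plan(client, plan, delay=0.0):
    """Execute the plan with a fresh change token per call; return the created ids."""
    ids = {}
    for api, params in plan:
        token = client.get_change_token()["ChangeToken"]
        resp = getattr(client, api)(ChangeToken=token, **fill(params, ids))
        for key in ("IPSet", "Rule", "WebACL"):  # Create* responses carry the new object
            if key in resp:
                ids[key + "Id"] = resp[key][key + "Id"]
        wait_insync(client, token, delay=delay)
    return ids
```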

Page 22: Setting Up AWS WAF

<First Run Demo>

Page 23: But wait, there’s more

Match conditions

• IP

• String

• SQLi

Customizable rules

• AND/OR

• Block, allow, or count

• Ordered conditions

Fast feedback

• ~1 minute for changes

• 1-minute metrics

• Request samples

Page 24: But wait, there’s more

Page 25: Match conditions: IPSets

CIDR notation on octet boundaries:

• 192.0.0.0/8 – Matches 192.*.*.*

• 192.168.0.0/16

• 192.168.32.0/24

• 192.168.32.64/32 – Matches a full IP address exactly

Page 26: Match conditions: IPSets

• 1,000 CIDRs per IPSet

• 10,000 CIDRs per web ACL

• Matches connecting IP, not XFF

Page 27: Match conditions: Strings and bytes

• Match any part of the web request

• Common use case: Referrer whitelisting

Page 28: Match conditions: Strings and bytes

Match any part of the web request

Raw request headers (good users → CloudFront → AWS WAF):

Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):

Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW

Page 29: Match conditions: Strings and bytes

Use transforms to stop evasion

Raw request headers (scraper bot → CloudFront → AWS WAF):

Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):

Check: Header “User-Agent”
Match Type: Contains
Match: “badbot”
Action: BLOCK

Page 30: Match conditions: Strings and bytes

Use transforms to stop evasion

Raw request headers (scraper bot → CloudFront → AWS WAF):

Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive

Rule (string match condition):

Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK

Page 31: Match conditions: Strings and bytes

Flexible match conditions

1. Contains

2. Exact

3. Begins with

4. Ends with

5. Contains word

Page 32: Match conditions: Strings and bytes

Malicious binary? We can find it.

1. Select binary file: bad.bin (starts with the bytes 8950 4e47 0d0a 1a0a 0000 000d)

2. Base64 encode:

$> base64 bad.bin
iVBORw0KGgoAAAAN

3. Set match criteria: “iVBORw0KGgoAAAAN”

Page 33: Match conditions: Strings and bytes

• 10 matches per string match set

• 1,000 matches in a web ACL

Page 34: Match conditions: SQLi

Check your query strings, URL decode

Page 35: Match conditions: SQLi

Check your query strings, URL decode

/login?x=test%27%20UNION%20ALL%20select%20NULL%20--

Transform: URL Decode ↓

/login?x=test' UNION ALL select NULL --

Match: SQL Injection → True
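An offline stand-in for the match engine, added here and not code from the talk or from AWS: it applies the text transformations and the five match types from pages 28 to 35 to the header and query-string samples on the slides, and produces the base64 target string for a binary as on page 32. The transformation and constraint names follow the AWS WAF TextTransformation and PositionalConstraint values; `SQLI_TOY` is a toy pattern standing in for the real SQL injection detector, and the header samples are constructed (note that the real request header is spelled Referer, with one r, unlike the slides).

```python
"""Model of the string/byte match conditions and text transformations on the
slides. Added example, not the talk's or AWS's code: a stand-in for the WAF
match engine so the evasion cases can be checked offline; sqli_match is a toy
pattern, not the real SQL injection detector."""
import base64
import re
from urllib.parse import unquote_plus

def transform(value, name):
    """Apply a text transformation before matching (subset of the WAF set)."""
    if name == "NONE":
        return value
    if name == "LOWERCASE":          # "To lower": bAdBoT -> badbot
        return value.lower()
    if name == "URL_DECODE":         # %27 -> ', %20 -> space
        return unquote_plus(value)
    if name == "COMPRESS_WHITE_SPACE":
        return re.sub(r"\s+", " ", value)
    raise ValueError(f"unknown transformation {name!r}")

def byte_match(value, target, constraint, transformation="NONE"):
    """The five match types on page 31: contains, exact, begins with, ends with, contains word."""
    v = transform(value, transformation)
    if constraint == "CONTAINS":
        return target in v
    if constraint == "EXACTLY":
        return v == target
    if constraint == "STARTS_WITH":
        return v.startswith(target)
    if constraint == "ENDS_WITH":
        return v.endswith(target)
    if constraint == "CONTAINS_WORD":  # target bounded by non-alphanumeric/underscore
        return re.search(r"(?<![A-Za-z0-9_])" + re.escape(target) + r"(?![A-Za-z0-9_])", v) is not None
    raise ValueError(f"unknown constraint {constraint!r}")

def header_match(headers, name, target, constraint, transformation="NONE"):
    """Check one header by name (header names are case-insensitive)."""
    for k, val in headers:
        if k.lower() == name.lower() and byte_match(val, target, constraint, transformation):
            return True
    return False

def binary_target(raw: bytes) -> str:
    """Page 32, step 2: the CLI takes a binary TargetString base64-encoded."""
    return base64.b64encode(raw).decode("ascii")

SQLI_TOY = re.compile(r"['\"]\s*(union|select|or|and)\b", re.IGNORECASE)

def sqli_match(query_string, transformation="URL_DECODE"):
    """Page 35: the SQLi check only sees %27 as a quote after URL decoding."""
    return SQLI_TOY.search(transform(query_string, transformation)) is not None
```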

Page 36: But wait, there’s more

Page 37: Combining conditions

Restrict a rule to specific URIs, such as the login page.

Diagram: Public Internet → AWS WAF → /*; Seattle admins → AWS WAF → /admin/login.cgi

Page 38: Combining conditions

Restrict a rule to specific URIs, such as the login page.

IP match + String match

Page 39: Adding whitelist exceptions

You can whitelist with ALLOW actions on a rule.

Page 40: Reuse conditions

You can reuse any part of a web ACL.

Diagram: two CloudFront distributions, Web ACL #1 and Web ACL #2, with a shared blacklist

Page 41: But wait, there’s more

Page 42: Observing rules in action

Finding requests that match your rules

Page 43: Setting up detection alarms

<Example Demo>

Page 44: Building blocks for web security

APIs, SDKs, and CLIs!

Java, Python (boto), PHP, .NET, Ruby, Node.js, JavaScript, iOS, Android, AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell, AWS CLI

Page 45: GetChangeToken

$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
{
    "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff"
}

Page 46: Create*

$ aws --endpoint-url https://waf.amazonaws.com/ waf create-web-acl \
    --name BetaTest \
    --metric-name BetaTest \
    --default-action Type=ALLOW \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff

Page 47: GetChangeTokenStatus

$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
{
    "ChangeTokenStatus": {
        "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff",
        "Status": "PROVISIONED" OR "PENDING" OR "INSYNC"
    }
}

Page 48: Update*Set

$ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set \
    --ip-set-id \
    --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff \
    --updates '[
        {"Action": "INSERT",
         "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.0.0/16"}},
        {"Action": "INSERT",
         "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.5.0/24"}}
    ]'

Page 49: GetSampledRequests

{
    "SampledRequests": [
        {
            "Action": "BLOCK",
            "Timestamp": 1441839596.476,
            "Request": {
                "Country": "IE",
                "URI": "/",
                "Headers": [
                    {
                        "Name": "Host",
                        "Value": "d123abc.cloudfront.net"
                    },
                    {
                        "Name": "User-Agent",
                        "Value": "curl/7.30.0"
                    }
                ],
                "ClientIP": "54.240.197.225",
                "Method": "GET",
                "HTTPVersion": "HTTP/1.0"
            }
        }
    ]
}

Page 50: Pay for what you use

• No upfront minimums

• Use it for just an hour, or always on

Page 51: Pay for what you use

• $5 per web ACL, $1 per rule per month

• Reuse across a CloudFront distribution with no additional charge

• Use more rules for more visibility

• $0.60 per million requests

Page 52: Pay for what you use

• Low monthly minimum, scales with volume

• Typical monthly bill:

  • Test environment (1 rule): $6 per month

  • Small site (6 rules, 58M views): $46 per month

  • Medium site (6 rules, 260M views): $167 per month

Page 53: What to expect from this session

• Web defense strategies

• Automation for better security

• Deep dive: AWS WAF

AWS WAF 101

Page 54: Rule strategy comparison

Negative

• Typical of prod deployment

• ALLOW by default

• BLOCK known-bad threats

Examples

• BLOCK MalwareIncIPRange

• BLOCK “{;}”

Positive

• Typical of restricted site

• BLOCK by default

• ALLOW known-good

Examples

• ALLOW SeattleOfficeIPRange

• ALLOW referrer header “example.com”

Page 55: Mitigation strategies

• Static policies – For unchanging known-bad threats

• Reactive policies – For dynamic emerging threats

Page 56: Use count rules to find bad actors

Count mode → Alert on Amazon CloudWatch metrics → Get sampled requests → Add bad IPs to BlackList
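The loop from count mode to blacklist, as an added example that is not the talk's code: it takes a GetSampledRequests response in the page 49 shape, picks the connecting IPs that hit a COUNT (or BLOCK) rule at least a threshold number of times, and emits the `Updates` list for UpdateIPSet from page 48, enforcing the octet-boundary CIDR rule from page 25 and the 1,000 CIDR cap from page 26. The `SAMPLE` response, its IPs and the threshold are constructed.

```python
"""Close the loop on the slide: turn a GetSampledRequests response into the
Updates payload for UpdateIPSet (page 48 shape). Added example, not the
talk's code; the sample response below is constructed to mirror page 49."""
import ipaddress
from collections import Counter

MAX_CIDRS_PER_IPSET = 1000            # page 26 limit
OCTET_PREFIXES = (8, 16, 24, 32)      # page 25: CIDRs on octet boundaries only

def validate_cidr(cidr):
    """Reject CIDRs the 2015 IPSet API would not accept; return the canonical form."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False clears host bits
    if net.version != 4 or net.prefixlen not in OCTET_PREFIXES:
        raise ValueError(f"{cidr}: IPv4 /8, /16, /24 or /32 only")
    return str(net)

def offenders(sampled, actions=("COUNT", "BLOCK"), threshold=1, uri_prefix=None):
    """ClientIPs seen at least `threshold` times under one of `actions`.
    The WAF samples the connecting IP, not X-Forwarded-For, so that is what gets banned."""
    hits = Counter()
    for s in sampled["SampledRequests"]:
        req = s["Request"]
        if s["Action"] in actions and (uri_prefix is None or req["URI"].startswith(uri_prefix)):
            hits[req["ClientIP"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def ipset_updates(ips, existing_count=0, action="INSERT"):
    """Build UpdateIPSet 'Updates' entries (/32 per IP), respecting the IPSet size cap."""
    if existing_count + len(ips) > MAX_CIDRS_PER_IPSET:
        raise ValueError("IPSet would exceed 1,000 CIDRs; split it or aggregate ranges")
    return [{"Action": action,
             "IPSetDescriptor": {"Type": "IPV4", "Value": validate_cidr(f"{ip}/32")}}
            for ip in ips]

# Constructed sample in the page-49 shape (not a real GetSampledRequests capture).
SAMPLE = {"SampledRequests": [
    {"Action": "COUNT", "Timestamp": 1441839596.476,
     "Request": {"Country": "IE", "URI": "/login", "ClientIP": "192.0.2.10", "Method": "GET",
                 "HTTPVersion": "HTTP/1.0",
                 "Headers": [{"Name": "User-Agent", "Value": "curl/7.30.0"}]}},
    {"Action": "COUNT", "Timestamp": 1441839597.100,
     "Request": {"Country": "IE", "URI": "/login", "ClientIP": "192.0.2.10", "Method": "GET",
                 "HTTPVersion": "HTTP/1.0", "Headers": []}},
    {"Action": "ALLOW", "Timestamp": 1441839598.000,
     "Request": {"Country": "US", "URI": "/", "ClientIP": "198.51.100.7", "Method": "GET",
                 "HTTPVersion": "HTTP/1.1", "Headers": []}},
]}

def blacklist_updates_from_sample(sampled=SAMPLE, threshold=2):
    """Sampled requests -> repeat offenders -> UpdateIPSet payload."""
    return ipset_updates(offenders(sampled, threshold=threshold))
```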

Page 57: Putting it all together

Rule Order:

1. WhiteListed IPs – ALLOW

2. BlackListed IPs – BLOCK

3. BlackListedSignatures – BLOCK

4. SQLInjection – COUNT

5. SuspiciousActivity – COUNT

Default: ALLOW
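The rule order above evaluated offline, as an added example rather than the talk's code: conditions are plain callables, rules run in priority order, the first ALLOW or BLOCK match ends evaluation, COUNT rules record a hit and keep going, and the default action decides the rest. The CIDR ranges stand in for the slide's named IP sets, the request shape is constructed, and the second ACL applies the page 37 combination of a URI match with a negated IP match to lock down the login page.

```python
"""Evaluate a web ACL as the 'Putting it all together' slide orders it: rules run in
priority order, the first ALLOW/BLOCK match ends evaluation, COUNT rules only record a hit,
and the default action decides everything else. Added example, not the talk's code;
conditions are plain callables so different rule sets can be compared offline."""
import ipaddress

def ip_in(cidrs):
    """IPMatch condition on the connecting IP (the WAF does not use X-Forwarded-For)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ClientIP"]) in n for n in nets)

def contains(field, fragment):
    """ByteMatch CONTAINS on one request field after the LOWERCASE transform."""
    return lambda req: fragment in req[field].lower()

def negate(cond):
    """Negated predicate, as WAF rules allow: true when the condition does not match."""
    return lambda req: not cond(req)

def evaluate(web_acl, req):
    """Return (final_action, names_of_COUNT_rules_hit)."""
    counted = []
    for rule in web_acl["Rules"]:                               # priority order
        if all(cond(req) for cond in rule["Conditions"]):       # predicates are ANDed
            if rule["Action"] == "COUNT":
                counted.append(rule["Name"])                    # record, keep going
                continue
            return rule["Action"], counted                      # first ALLOW/BLOCK wins
    return web_acl["Default"], counted

SEATTLE = ["198.51.100.0/24"]       # constructed stand-in for SeattleOfficeIPRange
MALWARE_INC = ["192.0.2.0/24"]      # constructed stand-in for MalwareIncIPRange

# Page 57 order on the negative model: ALLOW by default, BLOCK known-bad, COUNT the rest.
NEGATIVE_ACL = {"Default": "ALLOW", "Rules": [
    {"Name": "WhiteListedIPs", "Action": "ALLOW", "Conditions": [ip_in(SEATTLE)]},
    {"Name": "BlackListedIPs", "Action": "BLOCK", "Conditions": [ip_in(MALWARE_INC)]},
    {"Name": "BlackListedSignatures", "Action": "BLOCK", "Conditions": [contains("UserAgent", "badbot")]},
    {"Name": "SQLInjection", "Action": "COUNT", "Conditions": [contains("URI", "union")]},
    {"Name": "SuspiciousActivity", "Action": "COUNT", "Conditions": [contains("URI", "/honeypot")]},
]}

# Page 37: only Seattle admins reach the login page, everyone else still reaches /*.
# "URI contains /admin/login.cgi AND NOT from Seattle" is one rule with a negated IP predicate.
ADMIN_ACL = {"Default": "ALLOW", "Rules": [
    {"Name": "AdminLockdown", "Action": "BLOCK",
     "Conditions": [contains("URI", "/admin/login.cgi"), negate(ip_in(SEATTLE))]},
]}

def request(ip, uri="/", ua="Mozilla/5.0"):
    """Constructed request (not a real capture) with the fields the conditions read."""
    return {"ClientIP": ip, "URI": uri, "UserAgent": ua}
```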

Page 58: Customer example: Finding bad requestors

ConnectWise

1. Uses negative security model

2. Monitors known-bad activity

3. Reactively bans bad requests

Page 60: ConnectWise API architecture

Diagram: Users → CloudFront → APIs → Auto Scaling with Elastic Load Balancing → six Amazon EC2 instances (API calls made into the environment)

Page 61: ConnectWise API with AWS WAF

Diagram: Users → CloudFront with AWS WAF → APIs → Auto Scaling with Elastic Load Balancing → two Amazon EC2 instances

Page 62: Example of an old API call

Screenshot callout: API Version

Page 63: Create a rule to block old versions

Rule (string match condition):

Check: URI
Match Type: Contains
Match: “/v2015_3/”
Action: Block

byteset.json

{
    "ByteMatchSetId": "e13d4ed4-2b47-4313-8173-d0370e58ac20",
    "ChangeToken": "fab95c78-c969-4845-876f-6f2bc8283ea3",
    "Updates": [
        {
            "Action": "INSERT",
            "ByteMatchTuple": {
                "FieldToMatch": {
                    "Type": "URI"
                },
                "PositionalConstraint": "CONTAINS",
                "TargetString": "/v2015_3/",
                "TextTransformation": "LOWERCASE"
            }
        }
    ]
}

Page 64: Old requests are blocked

Access Denied

Page 65: Example of an invalid user request

Screenshot callout: Cookie value of invalid user

Page 66: Create a rule to block invalid users

cookie-byte-match-set.json

{
    "Updates": [
        {
            "ByteMatchTuple": {
                "TextTransformation": "LOWERCASE",
                "TargetString": "companyname=cwqaman_p",
                "PositionalConstraint": "CONTAINS",
                "FieldToMatch": {
                    "Type": "HEADER",
                    "Data": "Cookie"
                }
            },
            "Action": "INSERT"
        }
    ],
    "ChangeToken": "988120ac-9040-4a26-bbe0-3282bc5410ce",
    "ByteMatchSetId": "2fdd991d-9b44-4d41-9231-7aa92dfe5ffe"
}

Rule (string match condition):

Check: Header “Cookie”
Match Type: Contains
Match: “companyname=cwqaman_p”
Action: Block

Screenshot callout: Cookie value of invalid user

Page 67: Invalid users are blocked

Page 68: Results

Savings:

• Decreased number of machines

• Currently saving 20% during peak hours

Page 69: What to expect from this session

• Web defense strategies

• Automation for better security

• Deep dive: AWS WAF

AWS WAF 101

Page 70: Automatic behavioral analysis

AWS WAF automated blacklists

Diagram: good users and bad guys → AWS WAF → Server → Logs → Threat analysis → Rule updater → AWS WAF

Page 71: Bad Bot Demo

Step 1: Robots.txt – “Don’t index /honeypot”

Step 2: Create a rule: Count /honeypot

Step 3: Ban Bad Bots

See it in action: STG205 - Secure Content Delivery Using Amazon CloudFront, or the AWS New Services Booth

Page 72: Automatic behavioral analysis

Amazon is not the only one…

Repsheet open-source behavioral analysis

• http://www.slideshare.net/abedra/knock-knock-24105973

• https://github.com/repsheet/repsheet

Page 73: Automatic reactive mitigations

AWS WAF partners

Page 74: Automatic behavioral analysis

Alert Logic Proof of Concept

Diagram: good users and bad guys → AWS WAF → Server; Alert Logic updates the blacklist in AWS WAF

Page 75: Automatic incident reports

Diagram: CloudWatch Alarm → SNS Topic → AWS Lambda → AWS WAF; AWS Lambda → SNS Topic → Operator

1. Alarm on count

2. Send Amazon SNS notification

4. Format sampled requests

5. Get sampled requests

6. Send email notification

Page 76: Remember to complete your evaluations!

Page 77: Thank you!

Get started with AWS WAF:

https://console.aws.amazon.com/waf