
AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Amazon CloudFront (SAC202)

In this workshop, we help you understand how you can help protect your web applications from threats cost effectively by using AWS WAF and Amazon CloudFront. As attacks and attempts to exploit vulnerabilities in web applications become more sophisticated and automated, having an effective web request filtering solution becomes key to keeping your users' data safe. We will cover common attack vectors and what you can do to mitigate them. You will learn how to leverage AWS WAF in conjunction with Amazon CloudFront to detect unwanted traffic and block it using simple configurations and automations.

Prerequisites:
Participants should have an AWS account established and available for use during the workshop.
Please bring your own laptop.

  1. Secure Your Web Application with AWS WAF and Amazon CloudFront (SAC202 - Workshop). Vlad Vlasceanu, Heitor Vital, Chris Colthurst. November 29, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. The workshop team is here to help! Chris Colthurst, Sean Greathouse, Assaf Namer, Heitor Vital, Vlad Vlasceanu, Christian Williams
  3. What to expect from the workshop • Each table is expected to work as a team: find your table number • Content is broken up into 3 chapters: introduction and baseline protection; security automation; advanced rules and additional security controls • Team tasks: start with a baseline sample website (provided); 3 tasks: implement the controls discussed in each chapter • Handout: contains additional guidance for each task • Find and implement the optimal solution!
  4. A story of courage, friendship … and WAF
  5. Prelude: Your friend Bob knows that you’re great with computers and asks you to set up a website for him…
  6. Setup workshop environment. Follow the steps in the Prelude section of your handout to launch the AWS CloudFormation template: 1. Download the CloudFormation template from https://s3-us-west-2.amazonaws.com/sac202-waf/sac202-cloudformation.json 2. Open the AWS Management Console for your account, go to CloudFormation, and select the Oregon, N. Virginia or Ireland AWS region in the top right corner 3. Launch a CloudFormation stack using the downloaded template. Detailed steps are available in your handout document. Checkpoint: What is AWS CloudFormation?
  7. Chapter 1: Baseline website and web application protection
  8. What is a web application firewall? • A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic • WAFs come in four flavors: • Pure play: standalone appliance or software • CDN: bundled with a content delivery network • Load balancer: bundled with a load balancer • Unified threat management (UTM): catch-all appliance for miscellaneous security functions
  9. Why use a WAF? Application vulnerabilities (diagram: good users and bad folks both reach the web server, your application, and the database; the bad folks send exploit code)
  10. Why use a WAF? Abuse detection and prevention (diagram: the same path, with data leaking out of your application and database)
  11. Why use a WAF? Distributed denial of service (DDoS) attacks (diagram: bad folks flood the web server so that good users cannot get through)
  12. Why use a WAF? AWS WAF in front of the web server blocks the bad folks and allows the good users through to your application and database
  13. Why use a WAF? • WAFs help protect websites and applications against attacks that cause data breaches and downtime • General WAF use cases: • Protect from SQL injection (SQLi) and cross-site scripting (XSS) • Prevent website scraping, crawlers, and bots • Mitigate DDoS (HTTP/HTTPS floods) • Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance
  14. What about DDoS? (diagram: three overlapping categories, DDoS, WAF, and targeted attacks, with the threats placed on them: reflection and amplification, layer 4 and 7 floods, Slowloris, SSL abuse, HTTP floods, SQL injection, bots and probes, application exploits, social engineering, reverse engineering. HTTP floods are the DDoS category a WAF can address; volumetric and protocol attacks are not a WAF problem.)
  15. Attack vectors addressed by AWS WAF • SQL injection: attackers insert malicious SQL code into web requests in an effort to extract data from your database • Cross-site scripting (XSS): malicious scripts are injected into otherwise benign and trusted websites • Scanners and probes: malicious sources scan and probe Internet-facing web applications for vulnerabilities • Known attacker origins (IP reputation lists): a number of organizations maintain reputation lists of IP addresses of known attackers • Bots and scrapers: some automated clients misrepresent themselves to bypass restrictions • Application-level exploits
  16. Amazon CloudFront + AWS WAF. Amazon CloudFront: • 68 points of presence around the world (at the time of this talk) • Improves performance by caching static content and optimizing connections for dynamic content • Disperses traffic across global edge locations • DDoS attacks (such as HTTP floods) are absorbed close to the source
  17. Introducing the AWS WAF
  18. Unique aspects of AWS WAF • Customizable rules created by customers to avoid false positives • Full-featured API: this is a DevOps WAF that can be deployed inline with new websites and applications • Integrated with AWS: CloudFront, CloudWatch • Integrated with partners: Alert Logic, Trend Micro, Imperva • Pay-as-you-go pricing
  19. AWS WAF components 1. Conditions: IP match, string match, SQL injection match, cross-site scripting match, size constraints 2. Rules: precedence / rule / action 3. Web access control lists (web ACLs) 4. AWS resource: CloudFront distribution 5. Reporting: real-time metrics, sampled web requests
  20. AWS WAF: Conditions • Conditions are lists of criteria that identify components of web requests • Conditions include matching on the following: • IP address ranges, i.e., /8, /16, /24, /32 • Strings in the URI, query string, a header, etc. • SQL injection, i.e., looks for SQL code in the inspected field • The filters within a condition are logically disjoined: the condition matches if any one of its filters matches • Conditions are reusable elements • Filter targets and transformations (e.g., lowercase or URL decode, applied to the field before it is compared) • Positional constraints (contains, starts with, ends with, exactly, …)
  21. AWS WAF: Rules • Rules are sets of conditions with a predetermined action • Available actions are: block, allow, count • Rules logically conjoin their conditions: a rule matches only when every condition in it matches (a condition can also be negated) • Rules are reusable elements
  22. AWS WAF: Web ACL • Web ACLs contain an ordered set of rules, each with its action, plus a default action • Web ACLs are applied to one or many CloudFront distributions • Web ACLs show you real-time metrics and sampled web requests for each rule • Web ACLs evaluate rules in order: the first allow or block rule that matches decides, and count rules only record a match • Whitelisting (default block with allow rules) or blacklisting (default allow with block rules) behavior
  23. AWS WAF: Resource. Web ACLs are applied to CloudFront distributions • Rule reusability: use one web ACL for all distributions • Flexibility: use an individual web ACL for each distribution
  24. AWS WAF: Reporting and logs • Real-time metrics (CloudWatch): blocked web requests, allowed web requests, counted web requests • Adjust rules in response to real-time metrics and sampled requests • The time period can be adjusted by sliding the graph endpoints or via filters
  25. AWS WAF request process (diagram)
  26. Example: Whitelisting good users. Verify that a valid referrer is present. Raw request headers as seen by CloudFront:
      Host: www.example.com
      User-Agent: Mozilla/5.0 (Macintosh; …
      Accept: image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://www.example.com/
      Connection: keep-alive
      AWS WAF string match condition: check header “Referer” (the HTTP header name is spelled with a single r; a condition on “Referrer” never matches anything), match type: contains, match: “example.com”. Rule action: ALLOW.
      Caveat: browsers omit Referer on direct navigation and any client can set it to anything, so a referrer whitelist only separates good users from careless automation; it is not an authentication control.
  27. Example: Blacklisting bad bots. Block unwanted User-Agent headers and use transforms to stop evasion. Raw request headers as seen by CloudFront:
      Host: www.example.com
      User-Agent: bAdBoT
      Accept: image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://www.InTeRnEtkItTiEs.com/
      Connection: keep-alive
      AWS WAF string match condition: check header “User-Agent”, transform: to lowercase, match type: contains, match: “badbot”. Rule action: BLOCK.
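How conditions, rules and the web ACL compose, as an added example that is not part of the workshop material: a standard-library Python model of the evaluation semantics from slides 20 to 22, loaded with the two example conditions above plus the /wp-admin filter used later in chapter 3. It shows that placing the referrer whitelist rule ahead of the block rules lets a scraper through simply by spoofing Referer. The class and rule names are assumptions made for this example, and the sample requests are constructed.

```python
"""Model of AWS WAF (classic) evaluation: OR within a condition, AND within a rule, ordered web ACL.
Added example, not the workshop's code; standard library only."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote

# Text transformations applied before comparison and positional constraints (subsets of the real ones).
TRANSFORMS: Dict[str, Callable[[str], str]] = {"NONE": lambda s: s, "LOWERCASE": str.lower, "URL_DECODE": unquote}
CONSTRAINTS: Dict[str, Callable[[str, str], bool]] = {
    "CONTAINS": lambda value, target: target in value,
    "STARTS_WITH": lambda value, target: value.startswith(target),
    "ENDS_WITH": lambda value, target: value.endswith(target),
    "EXACTLY": lambda value, target: value == target,
}

@dataclass
class Request:
    uri: str
    headers: Dict[str, str]

    def field(self, field_type: str, field_data: str = "") -> str:
        """The part of the request a tuple inspects; header names compare case-insensitively."""
        if field_type == "URI":
            return self.uri
        if field_type == "HEADER":
            return next((v for k, v in self.headers.items() if k.lower() == field_data.lower()), "")
        raise ValueError("unsupported field type %r" % field_type)

@dataclass
class ByteMatchTuple:
    field_type: str
    target: str
    constraint: str
    transform: str = "NONE"  # WAF classic applies exactly one transformation per tuple
    field_data: str = ""     # header name when field_type is HEADER

    def matches(self, req: Request) -> bool:
        value = TRANSFORMS[self.transform](req.field(self.field_type, self.field_data))
        return CONSTRAINTS[self.constraint](value, self.target)

@dataclass
class Condition:
    """A string match set: matches when ANY of its tuples matches (tuples are OR'ed)."""
    tuples: List[ByteMatchTuple]

    def matches(self, req: Request) -> bool:
        return any(t.matches(req) for t in self.tuples)

@dataclass
class Rule:
    """Matches only when ALL predicates match (AND); a negated predicate inverts its condition."""
    name: str
    action: str                               # ALLOW, BLOCK or COUNT
    predicates: List[Tuple[Condition, bool]]  # (condition, negated)

    def matches(self, req: Request) -> bool:
        return all(cond.matches(req) != negated for cond, negated in self.predicates)

@dataclass
class WebACL:
    rules: List[Rule]  # evaluated in this order
    default_action: str = "ALLOW"

    def evaluate(self, req: Request) -> Tuple[str, Optional[str], List[str]]:
        """(action, deciding rule, counted rules): the first ALLOW/BLOCK match is final, COUNT only records."""
        counted: List[str] = []
        for rule in self.rules:
            if rule.matches(req):
                if rule.action == "COUNT":
                    counted.append(rule.name)
                    continue
                return rule.action, rule.name, counted
        return self.default_action, None, counted

# The deck's conditions: bad-bot User-Agent, good Referer, and the chapter 3 /wp-admin filter.
BAD_BOT = Condition([ByteMatchTuple("HEADER", "badbot", "CONTAINS", "LOWERCASE", "User-Agent")])
GOOD_REFERER = Condition([ByteMatchTuple("HEADER", "example.com", "CONTAINS", "NONE", "Referer")])
ADMIN_PATH = Condition([ByteMatchTuple("URI", "/wp-admin", "STARTS_WITH", "URL_DECODE")])

def build_acl(allow_first: bool) -> WebACL:
    """Blacklist-style ACL (default ALLOW). allow_first places the referrer whitelist rule ahead of the
    block rules, the ordering mistake this example demonstrates; a COUNT rule logs requests with no referrer."""
    count_rule = Rule("count-missing-referer", "COUNT", [(GOOD_REFERER, True)])
    allow_rule = Rule("allow-good-referer", "ALLOW", [(GOOD_REFERER, False)])
    block_rules = [Rule("block-bad-bots", "BLOCK", [(BAD_BOT, False)]),
                   Rule("block-admin-paths", "BLOCK", [(ADMIN_PATH, False)])]
    ordered = [allow_rule] + block_rules if allow_first else block_rules + [allow_rule]
    return WebACL([count_rule] + ordered)

# Constructed requests; the first two carry the headers shown on the deck's example slides.
GOOD_USER = Request("/index.html", {"User-Agent": "Mozilla/5.0 (Macintosh; ...)", "Referer": "http://www.example.com/"})
SCRAPER = Request("/index.html", {"User-Agent": "bAdBoT", "Referer": "http://www.InTeRnEtkItTiEs.com/"})
SPOOFING_SCRAPER = Request("/index.html", {"User-Agent": "bAdBoT", "Referer": "http://www.example.com/"})
ADMIN_PROBE = Request("/%77p-admin/install.php", {"User-Agent": "curl/7.47.0"})  # %77 URL-decodes to "w"
UPPERCASE_PROBE = Request("/WP-ADMIN/", {"User-Agent": "curl/7.47.0"})          # URL_DECODE alone misses this

if __name__ == "__main__":
    for allow_first in (False, True):
        acl = build_acl(allow_first)
        for req in (GOOD_USER, SCRAPER, SPOOFING_SCRAPER, ADMIN_PROBE, UPPERCASE_PROBE):
            print("allow_first=%-5s %-32s -> %s" % (allow_first, req.headers.get("User-Agent"), acl.evaluate(req)))
```

With the block rules first, the scraper is blocked whatever Referer it sends; with the allow rule first, the same scraper is allowed as soon as it copies the site's own hostname into Referer. The uppercase probe slips past the /wp-admin filter because a tuple carries a single transformation, which is why a second tuple with LOWERCASE belongs in the same string match set when the origin treats paths case-insensitively.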
  28. Bob runs for city council and is worried
  29. Task 1: Protect Bob’s campaign website from threats
  30. Chapter 2: AWS WAF security automation
  31. The story so far ✓ We have a website (or web application) operational ✓ Able to monitor it and analyze logs ✓ Able to filter basic common attack vectors
  32. Bob won the election and is busy improving the lives of his constituency
  33. The threat landscape is evolving. Dynamically reconfigure the WAF rules and conditions to better adapt to changing threats: • React to changing sources of malicious traffic • React to changing signatures of malicious requests • Leverage reputation lists and keep them updated • Predictive analysis
  34. Integration with DevOps: analyzer (diagram: good users and bad folks reach the web server through AWS WAF; the logs feed a threat analysis stage whose rule updater pushes new rules to AWS WAF and sends a notification to the security engineer)
  35. Integration with DevOps: scheduled (diagram: a scheduler periodically runs a rule updater that reads a threat database and pushes rules to AWS WAF in front of the web server)
  36. Building blocks • Amazon S3: logs • AWS Lambda: 1. analyzer, 2. rule updater • Amazon CloudWatch: metrics & alarms • AWS CloudFormation: packaged solution • Amazon API Gateway: HTTP/S endpoint • AWS WAF: rule engine • Amazon CloudFront: entry point • Amazon Machine Learning: advanced analysis • Amazon Kinesis: log streaming • Amazon SNS: alerts
  37. Security automation examples: HTTP floods, scanners and probes, IP reputation lists, bots and scrapers
  39. Log parser: HTTP flood and scanner & probe protection (diagram: (a) Amazon CloudFront delivers new access log files to an Amazon S3 bucket; (b) each new object triggers an AWS Lambda log parser; (c) the parser adds the offending source IPs to the AWS WAF IP match conditions)
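The detection half of that Lambda, as an added example rather than the workshop's or the AWS solution's own code: it parses CloudFront standard access logs by their #Fields header, buckets requests per source IP into five-minute windows, and flags a flood (too many requests in one window) and a scanner (too many 4xx responses in one window). The thresholds, the log content and the helper names are all constructed for the example.

```python
"""Find HTTP floods and scanners/probes in CloudFront access logs (offline version of the log-parser step).
Added example, not the workshop's Lambda; the sample log and thresholds are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

LOG_FIELDS = ["date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method",
              "cs(Host)", "cs-uri-stem", "sc-status", "cs(Referer)", "cs(User-Agent)"]

def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated CloudFront log into dicts keyed by the names in its #Fields line,
    so no field position is hard-coded and a format change fails loudly instead of silently."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if not fields or len(values) < len(fields):
            raise ValueError("log line does not match the #Fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records

def window_of(record: Dict[str, str], window_seconds: int) -> int:
    """Bucket a record by its UTC timestamp so thresholds are per window rather than per file."""
    ts = datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
    return int(ts.replace(tzinfo=timezone.utc).timestamp()) // window_seconds

def find_offenders(records: List[Dict[str, str]], flood_threshold: int = 100,
                   error_threshold: int = 20, window_seconds: int = 300) -> Dict[str, Set[str]]:
    """HTTP flood: at least flood_threshold requests from one IP in one window.
    Scanner/probe: at least error_threshold 4xx responses from one IP in one window
    (probing for files that do not exist leaves a trail of 403s and 404s)."""
    requests: Counter = Counter()
    errors: Counter = Counter()
    for rec in records:
        key = (rec["c-ip"], window_of(rec, window_seconds))
        requests[key] += 1
        if 400 <= int(rec["sc-status"]) < 500:
            errors[key] += 1
    return {
        "http_flood": {ip for (ip, _), n in requests.items() if n >= flood_threshold},
        "scanner_probe": {ip for (ip, _), n in errors.items() if n >= error_threshold},
    }

def constructed_log() -> str:
    """Synthetic log: an ordinary visitor, a flooding client and a probing client, all in one window."""
    base = datetime(2016, 11, 29, 10, 0, 0)
    rows: List[str] = []

    def add(ip: str, uri: str, status: int, offset: int, agent: str = "Mozilla/5.0") -> None:
        t = base + timedelta(seconds=offset)
        rows.append("\t".join([t.strftime("%Y-%m-%d"), t.strftime("%H:%M:%S"), "SEA19-C1", "2342", ip,
                               "GET", "d111111abcdef8.cloudfront.net", uri, str(status), "-", agent]))

    for i, uri in enumerate(["/index.html", "/about.html", "/missing.png", "/contact.html"]):
        add("203.0.113.10", uri, 404 if uri.endswith(".png") else 200, i * 30)  # one broken link is normal
    for i in range(150):
        add("198.51.100.7", "/index.html", 200, i)                              # 150 hits in 150 seconds
    probes = ["/wp-login.php", "/phpmyadmin/", "/.env", "/admin/", "/xmlrpc.php"]
    for i in range(25):
        add("192.0.2.44", probes[i % len(probes)], 404, i * 2, agent="python-requests/2.9")
    return "\n".join(["#Version: 1.0", "#Fields: " + " ".join(LOG_FIELDS)] + rows)

if __name__ == "__main__":
    print(find_offenders(parse_cloudfront_log(constructed_log())))
```

The offending addresses are what the rule-updater step pushes into the IP match condition as /32 entries. Keep the two thresholds separate: a legitimate client on a busy page can produce a burst of requests without a single error, and a scanner produces errors at a rate far below any flood threshold.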
  41. IP reputation lists: known-attacker protection (diagram: (a) an hourly Amazon CloudWatch event triggers an AWS Lambda IP lists parser; (b) the parser fetches third-party IP reputation lists; (c) it updates the AWS WAF IP match conditions that protect the Amazon CloudFront distribution)
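The parsing and update-building part of that hourly function, as an added example that is not the workshop's or the AWS solution's code. Two details bite in practice and are handled here: feeds mix comment styles, bare addresses, CIDRs and junk lines, and an IPSet in AWS WAF (classic) accepts only /8, /16, /24 and /32 IPv4 entries (slide 20), so a /22 must become four /24s and a /30 four /32s. The feed text is constructed; the real function would fetch it over HTTPS and pass the resulting list to waf:UpdateIPSet.

```python
"""Turn a third-party IP reputation feed into AWS WAF (classic) IPSet updates.
Added example, not the workshop's Lambda; the feed below is constructed, not a real list."""
import ipaddress
from typing import Dict, List, Set

# IPv4 prefix lengths an AWS WAF (classic) IPSet accepts, as stated in the deck.
ALLOWED_PREFIXES = (8, 16, 24, 32)

SAMPLE_FEED = """# constructed sample feed, not a real reputation list
; a second comment style some feeds use
203.0.113.0/24
198.51.100.42          ; bare address: becomes a /32
192.0.2.0/30           # narrower than /24: expanded into four /32 entries
198.18.0.0/22          # wider than /24: split into four /24 entries
2001:db8::/32          # IPv6 entries are skipped by this IPv4-only example
not-an-address         # malformed lines are skipped, not fatal
"""

def parse_reputation_list(text: str) -> List[ipaddress.IPv4Network]:
    """One address or CIDR per line; '#' and ';' start comments; trailing columns are ignored."""
    networks: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line.split()[0], strict=False)
        except ValueError:
            continue  # one bad line must not abort the whole hourly update
        if net.version == 4:
            networks.append(net)
    return networks

def to_waf_prefixes(net: ipaddress.IPv4Network, max_entries: int = 256) -> List[ipaddress.IPv4Network]:
    """Re-express a network with only the prefix lengths an IPSet accepts: /22 becomes four /24s,
    /30 becomes four /32s. A network that would expand past max_entries is refused."""
    if net.prefixlen in ALLOWED_PREFIXES:
        return [net]
    target = min(p for p in ALLOWED_PREFIXES if p > net.prefixlen)
    subnets = list(net.subnets(new_prefix=target))
    if len(subnets) > max_entries:
        raise ValueError("%s would expand into %d entries" % (net, len(subnets)))
    return subnets

def ipset_updates(current: Set[str], desired: Set[str]) -> List[Dict]:
    """Build the Updates list for waf:UpdateIPSet: INSERT new entries, DELETE entries that left the feed."""
    updates: List[Dict] = []
    for value in sorted(desired - current):
        updates.append({"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": value}})
    for value in sorted(current - desired):
        updates.append({"Action": "DELETE", "IPSetDescriptor": {"Type": "IPV4", "Value": value}})
    return updates

def sync_feed(feed_text: str, current: Set[str]) -> List[Dict]:
    """Compute the IPSet changes that make `current` equal to the feed's contents."""
    desired: Set[str] = set()
    for net in parse_reputation_list(feed_text):
        desired.update(str(n) for n in to_waf_prefixes(net))
    return ipset_updates(current, desired)

if __name__ == "__main__":
    for update in sync_feed(SAMPLE_FEED, {"203.0.113.0/24", "192.0.2.99/32"}):
        print(update["Action"], update["IPSetDescriptor"]["Value"])
```

Diffing against the current IPSet contents matters as much as inserting: an address that drops off the feed should drop off the block list, and an entry that is already present must not be re-inserted. The expansion cap keeps a careless feed entry such as 0.0.0.0/0 from turning into hundreds of /8 entries that would block everyone.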
  43. Bots and scrapers: bad bot and scraper protection (diagram: (a) the web application resources contain a link that humans never see, <a href="/v1/name/" style="display: none" aria-hidden="true">honeypot link</a>; (b) a scraper that follows it sends the request through Amazon CloudFront to (c) an AWS Lambda access handler, which (d) adds the source IP to the AWS WAF block list). Caveat: well-behaved crawlers must be kept away from the honeypot path too (disallow it in robots.txt), otherwise search engines end up on the block list.
  44. Bob runs for state senate and is very worried
  45. Task 2: Protect Bob’s campaign website from changing threats
  46. Hands-On: HTTP/S protection (diagram: good users and bad folks in front of AWS WAF; Bob runs for state senate)
  47. Chapter 3: Additional security controls
  48. The story so far ✓ We have a website (or web application) operational ✓ Able to monitor it and analyze logs ✓ Able to filter basic common attack vectors ✓ Able to automate and react to dynamic security conditions
  49. Bob won the election and is busy improving the lives of his constituency
  50. Where do we go from here? What can we do to further improve security? ✓ Restrict content to the geography of our audience ✓ Secure our specific application profile ✓ Prevent CDN bypass ✓ Take a comprehensive look at web app security: OWASP Top 10
  51. OWASP Top 10 (2013) represents a broad consensus about what the most critical web application security flaws are: A1 Injection; A2 Broken authentication and session management; A3 Cross-site scripting (XSS); A4 Insecure direct object references; A5 Security misconfiguration; A6 Sensitive data exposure; A7 Missing function level access control; A8 Cross-site request forgery (CSRF); A9 Using components with known vulnerabilities; A10 Unvalidated redirects and forwards
  52. OWASP Top 10 (2013): not all OWASP Top 10 flaws can be addressed with a WAF. The slide repeats the A1 to A10 list and marks five of them as security flaws that AWS WAF can help mitigate to varying degrees; A1 Injection (e.g., SQL injection) and A3 cross-site scripting are the two the deck covers in depth, and the remaining marks are not legible in this transcript.
  53. Securing our specific application profile 1. Know your application in depth, even if it is an open source or commercial off-the-shelf product: what services and URL paths does it expose to the web? 2. Know the packages, libraries, and components your application is leveraging, and the additional features and services they expose 3. Keep them all up to date and install security patches promptly; keep the exposure footprint low
  54. Limit access to nonpublic features • Does your website/application have a control/admin interface? Whitelist access to only known IP sources, e.g. the WordPress admin: http://<my_domain>/wp-admin/ • At risk for a vulnerable platform runtime/middleware? Block suspect requests by string matching, e.g. this remote file inclusion probe: http://<my_domain>/?_SERVER[DOCUMENT_ROOT]=http://<bad_domain>/bad.txt? • Does your app or runtime include server-side, web-accessible components? Block access to such component URLs via string matching, e.g. http://<your_joomla_cms>/components/com_mojo/wp-comments-post.php
  55. Example: Using string match sets (a ByteMatchSet as returned by the AWS WAF API; the tuple matches any URI that, after URL decoding, starts with /wp-admin):
      {
        "ByteMatchSet": {
          "ByteMatchSetId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "Name": "my-string-filters",
          "ByteMatchTuples": [
            {
              "TargetString": "/wp-admin",
              "PositionalConstraint": "STARTS_WITH",
              "TextTransformation": "URL_DECODE",
              "FieldToMatch": { "Type": "URI" }
            }
          ]
        }
      }
      Note: a tuple applies a single text transformation, so this filter catches /%77p-admin but not /WP-ADMIN; add a second tuple with LOWERCASE to the same set if the origin treats paths case-insensitively.
  56. CloudFront geo restrictions. Geo restrictions or geoblocking: prevent users in specific geographic locations from accessing content • Amazon CloudFront supports geo restrictions at the country level • Whitelisting or blacklisting approach • Most commonly used to limit access to content to locations where a distribution right exists • Security perspective: limit the exposure footprint and potentially increase the cost of launching attacks against your website
  57. CloudFront geo restrictions in depth • Restrictions are set at the CloudFront distribution level • CloudFront uses a third-party GeoIP database • 99.8% accurate source IP geolocation • Based on the distribution's restrictions, the edge location decides to allow or block • Blocked requests return a 403 (Forbidden) status code
  58. Prevent CDN bypassing. Deploying WAF filtering at the edge is effective ... as long as bad folks can’t bypass your CloudFront distribution and reach the origin directly: • Configure origins to only accept traffic from the CloudFront edge locations • Set up S3 origins to use an origin access identity (OAI) and configure the S3 bucket policy to accept GetObject API calls only from the OAI principal (and remove any public-read grants) • Configure firewall rules on custom origins to accept traffic only from the CloudFront IP ranges
  59. Getting the AWS IP ranges. AWS publishes its current IP address ranges in JSON format at https://ip-ranges.amazonaws.com/ip-ranges.json • Both IPv4 and IPv6 ranges are published • Filter the service attribute by the CLOUDFRONT value • Track changes in the list via the createDate attribute • Subscribe to the Amazon SNS topic arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged to receive notifications when AWS IP address ranges change
  60. Automatic VPC security group updates. Blog post: How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda, http://amzn.to/2fj4Q8e 1. Create a VPC security group; use tagging to designate that it can be auto-updated 2. Create an IAM policy and AWS Lambda execution role; grant the function permission to change the security group 3. Create the AWS Lambda function using the provided code and execution role 4. Create the function trigger using the Amazon SNS AmazonIpSpaceChanged topic
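The data-handling core of that update function, as an added example and not the code from the referenced blog post: it selects the CLOUDFRONT ranges from ip-ranges.json, uses createDate to skip runs where nothing changed, and computes which ingress CIDRs to authorize and which to revoke so a custom origin's security group admits exactly the published ranges (slides 58 and 59). The JSON is a constructed excerpt in the file's shape, not real AWS data, and the security-group contents are plain CIDR strings standing in for the ingress rules an ec2 client would return.

```python
"""Keep an origin firewall in step with the published CloudFront IP ranges.
Added example, not the blog post's Lambda; the JSON below is constructed, not real AWS data."""
import json
from typing import Dict, List, Optional, Set

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1480377600",
    "createDate": "2016-11-29-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},  # same range, broader service
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1", "service": "EC2"},
    ],
})

def cloudfront_ranges(doc: Dict) -> Dict[str, Set[str]]:
    """Select only prefixes whose service is CLOUDFRONT. Filtering on AMAZON instead would open
    the origin to every AWS customer, because CloudFront ranges are listed under AMAZON as well."""
    return {
        "ipv4": {p["ip_prefix"] for p in doc.get("prefixes", []) if p["service"] == "CLOUDFRONT"},
        "ipv6": {p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT"},
    }

def security_group_diff(current: Set[str], published: Set[str]) -> Dict[str, List[str]]:
    """Ingress CIDRs to authorize and to revoke so the group admits exactly the published ranges."""
    return {"authorize": sorted(published - current), "revoke": sorted(current - published)}

def plan_update(ip_ranges_json: str, last_create_date: Optional[str],
                current_v4: Set[str], current_v6: Set[str]) -> Optional[Dict]:
    """Return the change plan, or None when createDate shows the file has not changed since the last run."""
    doc = json.loads(ip_ranges_json)
    if doc["createDate"] == last_create_date:
        return None
    ranges = cloudfront_ranges(doc)
    return {
        "createDate": doc["createDate"],
        "ipv4": security_group_diff(current_v4, ranges["ipv4"]),
        "ipv6": security_group_diff(current_v6, ranges["ipv6"]),
    }

if __name__ == "__main__":
    # A group that still carries a retired /25 and lacks the newly published ranges.
    plan = plan_update(SAMPLE_IP_RANGES, None, {"203.0.113.0/24", "203.0.113.128/25"}, set())
    print(json.dumps(plan, indent=2))
```

Apply the authorize list before the revoke list so the origin never spends a moment rejecting an edge location that is still in service. Persist the createDate you last applied (the blog post stores it on the group as a tag) so a redelivered SNS notification is a no-op, and remember that a security group holds a limited number of rules, which is why the blog post's function spreads the CloudFront ranges across more than one tagged group.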
  61. Bob runs for congress and is extremely worried
  62. Task 3: Add additional security controls to Bob’s campaign website
  63. Thank you!
  64. Useful resources • AWS WAF Security Automations: https://aws.amazon.com/answers/security/aws-waf-security-automations/ • AWS Best Practices for DDoS Resiliency: https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
  65. Remember to complete your evaluations!
  66. Related sessions • CTD204 – Offload Security Heavy-lifting to the AWS Edge (Nihar Bihani, Sr. Manager, AWS Product Management) • SAC304 – Predictive Security: Using Big Data to Fortify Your Defenses (Michael Capicotto and Matt Nowina, AWS Solutions Architects) • SAC316 – Security Automation: Spend Less Time Securing Your Applications (Venkat Vijayaraghavan, AWS Sr. Product Manager; Nathan Dye, AWS Software Development Manager)
