(SEC323) New: Securing Web Applications with AWS WAF

2. What to expect from this session Deep dive AWS WAF Web defense strategies Automation for better security AWS WAF 301

3. What to expect from this session Web defense strategies Automation for better security Deep dive AWS WAF AWS WAF 301

4. Why AWS WAF? Application vulnerabilities Good users Bad guys Web server Database Exploit code

5. Why AWS WAF? Abuse Good users Bad guys Web server Database

6. Why AWS WAF? Application DDoS Good users Bad guys Web server Database

7. What is AWS WAF? Application DDoS Good users Bad guys Web server Database AWS WAF

8. What is AWS WAF? Application DDoS Good users Bad guys Web server Database AWS WAF AWS WAF rules: 1: BLOCK requests from bad guys. 2: ALLOW requests from good guys.

9. What is AWS WAF? Application DDoS Good users Bad guys Web server Database AWS WAF

10. Traditional WAF Setup is complex and slow

11. Traditional WAF Rules with too many false positives

12. Traditional WAF No APIs for automation

13. AWS WAF

14. Block or allow web requests Monitor security events AWS WAF

15. New API and console Protect websites and content AWS WAF Amazon CloudFront

16. Benefits of AWS WAF Practical security made easy Customizable and flexible Integrate with development

20. What to expect from this session Web defense strategies Automation for better security Deep dive AWS WAF AWS WAF 301

21. Setting Up AWS WAF 1. Create a web ACL. ALLOW requests by default, but… 2. Add a rule. BLOCK if… 3. Add match conditions. the source IP matches this list… 4. Assign to CloudFront. for any request to d123.cloudfront.net.

22. Setting Up AWS WAF <First Run Demo>

23. But wait, there’s more Match conditions • IP • String • SQLi Customizable rules • AND/OR • Block, allow, or count • Ordered conditions Fast feedback • ~1 minute for changes • 1-minute metrics • Request samples

25. Match conditions: IPSets CIDR notation on octet boundaries: • 192.0.0.0/8 – Matches 192.*.*.* • 192.168.0.0/16 • 192.168.32.0/24 • 192.168.32.64/32 – Matches a full IP address exactly

26. Match conditions: IPSets • 1,000 CIDRs per IPSet • 10,000 CIDRs per web ACL • Matches connecting IP, not XFF

27. Match conditions: Strings and bytes • Match any part of the web request • Common use case: Referrer whitelisting

28. Match conditions: Strings and bytes Match any part of the web request Host: www.example.com User-Agent: Mozilla/5.0 (Macintosh; … Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.example.com/ Connection: keep-alive AWS WAF RAW request headers CloudFront Check: Header “Referrer” Match Type: Contains Match: “example.com” Action: ALLOW Rule String match condition Good users

29. Match conditions: Strings and bytes Use transforms to stop evasion Host: www.example.com User-Agent: badbot Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.example.com/ Connection: keep-alive AWS WAF RAW request headers CloudFront Check: Header “User-Agent” Match Type: Contains Match: “badbot” Action: BLOCK Rule String match condition Scraper bot

30. Match conditions: Strings and bytes Use transforms to stop evasion Host: www.example.com User-Agent: bAdBoT Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.InTeRnEtkItTiEs.com/ Connection: keep-alive AWS WAF RAW request headers CloudFront Check: Header “User-Agent” Transform: To lower Match Type: Contains Match: “badbot” Action: BLOCK Rule String match condition Scraper bot

31. Match conditions: Strings and bytes Flexible match conditions 1. Contains 2. Exact 3. Begins with 4. Ends with 5. Contains word

32. Match conditions: Strings and bytes Malicious binary? We can find it. “iVBORw0KGgoAAAAN” 8950 4e47 0d0a 1a0a 0000 000d bad.bin 1. Select binary file 2. Base64 encode 3. Set match criteria $> base64 bad.bin iVBORw0KGgoAAAAN

33. Match conditions: Strings and bytes • 10 matches per string match set • 1,000 matches in a web ACL

34. Match conditions: SQLi Check your query strings, URL decode

35. Match conditions: SQLi /login?x=test%27%20UNION%20ALL%20select%20NULL%20-- /login?x=test’ UNION ALL select NULL -- Transform: URL Decode True Match: SQL Injection Check your query strings, URL decode

37. Combining conditions Restrict a rule to specific URIs, such as the login page. Public Internet Seattle admins AWS WAF /admin/login.cgi /*

38. Combining conditions Restrict a rule to specific URIs, such as the login page. IP match String match

39. Adding whitelist exceptions You can whitelist with ALLOW actions on a rule.

40. Reuse conditions You can reuse any part of a web ACL. CloudFront distributions Web ACL #1 Web ACL #2 Shared blacklist

42. Observing rules in action Finding requests that match your rules

43. Setting up detection alarms <Example Demo>

44. Building blocks for web security APIs, SDKs, and CLIs! Java Python (boto) PHP .NET Ruby Node.js iOS Android AWS Toolkit for Visual Studio AWS Toolkit for Eclipse AWS Tools for Windows PowerShell AWS CLI JavaScript

45. GetChangeToken $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token { "ChangeToken”:"d4c4f53b-9c7e-47ce-9140-0ee5765d6bff" }

46. Create* $ aws --endpoint-url https://waf.amazon.com/ waf create-web-acl --name BetaTest --metric-name BetaTest --default-action Type=ALLOW --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff

47. GetChangeTokenStatus $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff { "ChangeTokenStatus":{ ”ChangeToken":"d4c4f53b-9c7e-47ce-9140-0ee5765d6bff ", “Status”: "PROVISIONED", OR "PENDING", OR "INSYNC" ] }, }

48. Update*Set $ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set --ip-set-id --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff --updates [ {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.0.0/16"} }, {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.5.0/24"} } ]

49. GetSampledRequests { "SampledRequests": [ { "Action": "BLOCK", "Timestamp": 1441839596.476, "Request": { "Country": "IE", "URI": "/", "Headers": [ { "Name": "Host", "Value": "d123abc.cloudfront.net" }, { "Name": "User-Agent", "Value": "curl/7.30.0" }, "ClientIP": "54.240.197.225", "Method": "GET", "HTTPVersion": "HTTP/1.0"

50. Pay for what you use • No upfront minimums • Use it for just an hour, or always on

51. Pay for what you use • $5 per web ACL, $1 per rule per month • Reuse across a CloudFront distribution with no additional charge • Use more rules for more visibility • $0.60 per million requests

52. Pay for what you use • Low monthly minimum, scales with volume • Typical monthly bill • Test environment (1 rule): $6 per month • Small site (6 rules, 58M views): $46 per month • Medium site (6 rules, 260M views): $167 per month

53. What to expect from this session Web defense strategies Automation for better security AWS WAF 101 Deep dive AWS WAF

54. Negative • Typical of prod deployment • ALLOW by default • BLOCK known-bad threats Rule strategy comparison Positive • Typical of restricted site • BLOCK by default • ALLOW known-good Examples • BLOCK MalwareIncIPRange • BLOCK “{;}” Examples • ALLOW SeattleOfficeIPRange • ALLOW referrer header “example.com”

55. Mitigation strategies • Static policies – For unchanging known-bad threats • Reactive policies – For dynamic emerging threats

56. Use count rules to find bad actors Count mode Alert on Amazon CloudWatch metrics Get sampled requests Add bad IPs to BlackList

57. Putting it all together Rule Order: 1. WhiteListed IPs – ALLOW 2. BlackListed IPs – BLOCK 3. BlackListedSignatures – BLOCK 4. SQLInjection – COUNT 5. SuspiciousActivity - COUNT Default: ALLOW

58. Customer example: Finding bad requestors ConnectWise 1. Uses negative security model 2. Monitors known-bad activity 3. Reactively bans bad requests

59. Users APIs CloudFront Auto Scaling Elastic Load Balancing Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 API calls made into the environment ConnectWise API architecture

60. AWS WAF ConnectWise API with AWS WAF Users APIs CloudFront Auto Scaling Elastic Load Balancing Amazon EC2 Amazon EC2

61. Example of an old API call API Version

62. Create a rule to block old versions Check: Header “Contains” Match Type: Contains Match: “/v2015_3/” Action: Block Rule String Match Condition API VersionAPI Version byteset.json { "ByteMatchSetId": "e13d4ed4-2b47-4313-8173-d0370e58ac20", "ChangeToken": "fab95c78-c969-4845-876f-6f2bc8283ea3", "Updates": [ { "Action": "INSERT", "ByteMatchTuple": { "FieldToMatch": { "Type": "URI" }, "PositionalConstraint": "CONTAINS", "TargetString": "/v2015_3/", "TextTransformation": "LOWERCASE" } } ] }

63. Old requests are blocked Access Denied

64. Example of a invalid user request Cookie Value of Invalid User

65. Create a rule to block invalid users cookie-byte-match-set.json { "Updates": [ { "ByteMatchTuple": { "TextTransformation": "LOWERCASE", "TargetString": "companyname=cwqaman_p", "PositionalConstraint": "CONTAINS", "FieldToMatch": { "Type": "HEADER", "Data": "Cookie" } }, "Action": "INSERT" } ], "ChangeToken": "988120ac-9040-4a26-bbe0-3282bc5410ce", "ByteMatchSetId": "2fdd991d-9b44-4d41-9231-7aa92dfe5ffe" } Rule String Match Condition Action: Block Check: Header “Contains” Match Type: Contains Match: “companyname=cwqaman_p” Cookie Value of Invalid User Cookie Value of Invalid User

66. Invalid users are blocked

67. Savings. • Decrease amounts of machines • Currently saving 20% during peak hours Results

68. What to expect from this session Web defense strategies Automation for better security AWS WAF 101 Deep dive AWS WAF

69. Automatic behavioral analysis AWS WAF automated blacklists Good users Bad guys Server AWS WAF Logs Threat analysis Rule updater

70. Bad Bot Demo Step 1: Robots.txt – “Don’t index /honeypot” Step 2: Create a rule: Count /honeypot Step 3: Ban Bad Bots See it in action: STG205 - Secure Content Delivery Using Amazon CloudFront OR AWS New Services Booth

71. Automatic behavioral analysis Amazon is not the only one… Repsheet open-source behavioral analysis • http://www.slideshare.net/abedra/knock-knock-24105973 • https://github.com/repsheet/repsheet

72. Automatic reactive mitigations AWS WAF partners

73. Automatic behavioral analysis Alert Logic Proof of Concept Good users Bad guys Server AWS WAF Update blacklist

74. Automatic incident reports CloudWatch Alarm SNS Topic AWS Lambda AWS WAF Operator SNS Topic 1. Alarm on count 2. Send Amazon SNS notification 4. Format sampled requests 5. Get sampled requests 6. Send email notification

75. Remember to complete your evaluations!

76. Thank you! Get started with AWS WAF: https://console.aws.amazon.com/waf

(SEC323) New: Securing Web Applications with AWS WAF

You are reading a preview.

Check these out next

(SEC323) New: Securing Web Applications with AWS WAF

More Related Content

Slideshows for you (20)

Viewers also liked (12)

Similar to (SEC323) New: Securing Web Applications with AWS WAF (20)

More from Amazon Web Services (20)

Recently uploaded (20)