(SEC323) New: Securing Web Applications with AWS WAF

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nate Dye, AWS Edge Services
October 2015
SEC323
Securing Web Applications with
AWS WAF

What to expect from this session
Deep dive
AWS WAF
Web defense
strategies
Automation for
better security
AWS WAF 301

Web defense
strategies
Automation for
better security
Deep dive
AWS WAF
AWS WAF 301

Why AWS WAF?
Application vulnerabilities
Good users
Bad guys
Web server Database
Exploit
code

Why AWS WAF?
Abuse
Good users
Bad guys
Web server Database

Why AWS WAF?
Application DDoS
Good users
Bad guys
Web server Database

What is AWS WAF?
Application DDoS
Good users
Bad guys
Web server Database
AWS
WAF

What is AWS WAF?
Application DDoS
Good users
Bad guys
Web server Database
AWS
WAF
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.

Traditional WAF
Setup is complex and slow

Traditional WAF
Rules with too many false positives

Traditional WAF
No APIs for automation

Block or allow web requests Monitor security events
AWS WAF

New API and console Protect websites and content
AWS WAF
Amazon CloudFront

Benefits of AWS WAF
Practical security
made easy
Customizable and
flexible
Integrate with
development

Setting Up AWS WAF
1. Create a web ACL.
ALLOW requests by default,
but…
2. Add a rule.
BLOCK if…
3. Add match
conditions.
the source IP
matches this
list…
4. Assign to
CloudFront.
for any request to
d123.cloudfront.net.

Setting Up AWS WAF
<First Run Demo>

But wait, there’s more
Match conditions
• IP
• String
• SQLi
Customizable rules
• AND/OR
• Block, allow, or
count
• Ordered
conditions
Fast feedback
• ~1 minute for
changes
• 1-minute metrics
• Request samples

Match conditions: IPSets
CIDR notation on octet boundaries:
• 192.0.0.0/8 – Matches 192.*.*.*
• 192.168.0.0/16
• 192.168.32.0/24
• 192.168.32.64/32 – Matches a full IP address exactly

Match conditions: IPSets
• 1,000 CIDRs per IPSet
• 10,000 CIDRs per web ACL
• Matches connecting IP, not XFF

Match conditions: Strings and bytes
• Match any part of the web request
• Common use case: Referrer whitelisting

Match any part of the web request
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users

Use transforms to stop evasion
User-Agent: badbot
Referrer: http://www.example.com/
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Match: “badbot”
Action: BLOCK
Rule
Scraper bot

Use transforms to stop evasion
User-Agent: bAdBoT
Referrer: http://www.InTeRnEtkItTiEs.com/
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match: “badbot”
Action: BLOCK
Rule
Scraper bot

Flexible match conditions
1. Contains
2. Exact
3. Begins with
4. Ends with
5. Contains word

Malicious binary? We can find it.
“iVBORw0KGgoAAAAN”
8950 4e47
0d0a 1a0a
0000 000d
bad.bin
1. Select binary file 2. Base64 encode 3. Set match criteria
$> base64 bad.bin
iVBORw0KGgoAAAAN

• 10 matches per string match set
• 1,000 matches in a web ACL

Match conditions: SQLi
Check your query strings, URL decode

Match conditions: SQLi
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--
/login?x=test’ UNION ALL select NULL --
Transform: URL Decode
True
Match: SQL Injection
Check your query strings, URL decode

Combining conditions
Restrict a rule to specific URIs, such as the login page.
Public Internet
Seattle admins AWS
WAF
/admin/login.cgi
/*

Combining conditions
Restrict a rule to specific URIs, such as the login page.
IP match
String match

Adding whitelist exceptions
You can whitelist with ALLOW actions on a rule.

Reuse conditions
You can reuse any part of a web ACL.
CloudFront
distributions
Web ACL #1
Web ACL #2
Shared blacklist

Observing rules in action
Finding requests that
match your rules

Setting up detection alarms
<Example Demo>

Building blocks for web security
APIs, SDKs, and CLIs!
Java Python (boto) PHP .NET Ruby Node.js
iOS Android AWS Toolkit for
Visual Studio
AWS Toolkit
for Eclipse
AWS Tools for
Windows
PowerShell
AWS CLI
JavaScript

GetChangeToken
$ aws --endpoint-url https://waf.amazonaws.com/ waf
get-change-token
{
"ChangeToken”:"d4c4f53b-9c7e-47ce-9140-0ee5765d6bff"
}

Create*
$ aws --endpoint-url https://waf.amazon.com/ waf
create-web-acl
--name BetaTest
--metric-name BetaTest
--default-action Type=ALLOW
--change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff

GetChangeTokenStatus
get-change-token-status
{
"ChangeTokenStatus":{
”ChangeToken":"d4c4f53b-9c7e-47ce-9140-0ee5765d6bff ",
“Status”:
"PROVISIONED", OR
"PENDING", OR
"INSYNC"
]
},
}

Update*Set
update-ip-set
--ip-set-id
--updates
[
{"Action": "INSERT",
"IPSetDescriptor":
{"Type": "IPV4",
"Value": "192.168.0.0/16"}
},
{"Action": "INSERT",
"IPSetDescriptor":
{"Type": "IPV4",
"Value": "192.168.5.0/24"}
}
]

GetSampledRequests
{
"SampledRequests": [
{
"Action": "BLOCK",
"Timestamp": 1441839596.476,
"Request": {
"Country": "IE",
"URI": "/",
"Headers": [
{
"Name": "Host",
"Value": "d123abc.cloudfront.net"
},
{
"Name": "User-Agent",
"Value": "curl/7.30.0"
},
"ClientIP": "54.240.197.225",
"Method": "GET",
"HTTPVersion": "HTTP/1.0"

Pay for what you use
• No upfront minimums
• Use it for just an hour, or always on

• $5 per web ACL, $1 per rule per month
• Reuse across a CloudFront distribution with no additional charge
• Use more rules for more visibility
• $0.60 per million requests

• Low monthly minimum, scales with volume
• Typical monthly bill
• Test environment (1 rule): $6 per month
• Small site (6 rules, 58M views): $46 per month
• Medium site (6 rules, 260M views): $167 per month

Web defense
strategies
Automation for
better security
AWS WAF 101
Deep dive
AWS WAF

Negative
• Typical of prod deployment
• ALLOW by default
• BLOCK known-bad threats
Rule strategy comparison
Positive
• Typical of restricted site
• BLOCK by default
• ALLOW known-good
Examples
• BLOCK MalwareIncIPRange
• BLOCK “{;}”
Examples
• ALLOW SeattleOfficeIPRange
• ALLOW referrer header “example.com”

Mitigation strategies
• Static policies – For unchanging known-bad threats
• Reactive policies – For dynamic emerging threats

Use count rules to find bad actors
Count mode
Alert on Amazon CloudWatch metrics
Get sampled requests
Add bad IPs to BlackList

Putting it all together
Rule Order:
1. WhiteListed IPs – ALLOW
2. BlackListed IPs – BLOCK
3. BlackListedSignatures – BLOCK
4. SQLInjection – COUNT
5. SuspiciousActivity - COUNT
Default: ALLOW

Customer example: Finding bad requestors
ConnectWise
1. Uses negative security model
2. Monitors known-bad activity
3. Reactively bans bad requests

Users
APIs
CloudFront
Auto Scaling
Elastic Load Balancing
Amazon EC2 Amazon EC2 Amazon EC2
Amazon EC2 Amazon EC2 Amazon EC2
API calls made into
the environment
ConnectWise API architecture

AWS WAF
ConnectWise API with AWS WAF
Users
APIs
CloudFront
Auto Scaling
Elastic Load Balancing
Amazon EC2
Amazon EC2

Example of an old API call
API
Version

Create a rule to block old versions
Check: Header “Contains”
Match: “/v2015_3/”
Action: Block
Rule
String Match Condition
API VersionAPI Version
byteset.json
{
"ByteMatchSetId": "e13d4ed4-2b47-4313-8173-d0370e58ac20",
"ChangeToken": "fab95c78-c969-4845-876f-6f2bc8283ea3",
"Updates": [
{
"Action": "INSERT",
"ByteMatchTuple": {
"FieldToMatch": {
"Type": "URI"
},
"PositionalConstraint": "CONTAINS",
"TargetString": "/v2015_3/",
"TextTransformation": "LOWERCASE"
}
}
]
}

Old requests are blocked
Access Denied

Example of a invalid user request
Cookie Value of
Invalid User

Create a rule to block invalid users
cookie-byte-match-set.json
{
"Updates": [
{
"ByteMatchTuple": {
"TextTransformation": "LOWERCASE",
"TargetString": "companyname=cwqaman_p",
"PositionalConstraint": "CONTAINS",
"FieldToMatch": {
"Type": "HEADER",
"Data": "Cookie"
}
},
"Action": "INSERT"
}
],
"ChangeToken": "988120ac-9040-4a26-bbe0-3282bc5410ce",
"ByteMatchSetId": "2fdd991d-9b44-4d41-9231-7aa92dfe5ffe"
}
Rule
String Match Condition
Action: Block
Check: Header “Contains”
Match: “companyname=cwqaman_p”
Cookie Value of
Invalid User
Cookie Value of
Invalid User

Savings.
• Decrease amounts of machines
• Currently saving 20% during peak hours
Results

Automatic behavioral analysis
AWS WAF automated blacklists
Good users
Bad guys
Server
AWS
WAF
Logs
Threat
analysis
Rule updater

Bad Bot Demo
Step 1: Robots.txt – “Don’t index /honeypot”
Step 2: Create a rule: Count /honeypot
Step 3: Ban Bad Bots
See it in action:
STG205 - Secure Content Delivery Using Amazon CloudFront
OR
AWS New Services Booth

Amazon is not the only one…
Repsheet open-source behavioral analysis
• http://www.slideshare.net/abedra/knock-knock-24105973
• https://github.com/repsheet/repsheet

Automatic reactive mitigations
AWS WAF partners

Alert Logic Proof of Concept
Good users
Bad guys
Server
AWS WAF
Update
blacklist

Automatic incident reports
CloudWatch
Alarm
SNS
Topic
AWS Lambda
AWS WAF
Operator
SNS
Topic
1. Alarm on count 2. Send
Amazon SNS
notification
4. Format
sampled requests
5. Get
sampled requests
6. Send email
notification

Remember to complete
your evaluations!

Thank you!
Get started with AWS WAF:
https://console.aws.amazon.com/waf

(SEC323) New: Securing Web Applications with AWS WAF

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to (SEC323) New: Securing Web Applications with AWS WAF

Similar to (SEC323) New: Securing Web Applications with AWS WAF (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

(SEC323) New: Securing Web Applications with AWS WAF