A Brief Look at WAF Architecture on AWS
SC Lin@AWSUGTW
2017/07/19
SC Lin
❖ Now:
➢ Engineer with focus on public cloud and security.
➢ Preparing for AWS Certified DevOps - Professional
❖ Experiences:
➢ System Engineer, PIC
➢ Security Engineer, PIC
❖ AWS Certification:
➢ AWS Certified Solutions Architect - Professional
➢ AWS Certified Solutions Architect - Associate
➢ AWS Certified Developer - Associate
➢ AWS Certified SysOps Administrator - Associate
2
Agenda
❖ Why WAF? Problems and expectations
❖ WAF architecture on AWS
❖ Comparisons
❖ Demo
❖ Summary
3
Why WAF?
4
Before "Why WAF?": what is a WAF?
A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to
and from a web application. A WAF is differentiated from a regular firewall in that a
WAF is able to filter the content of specific web applications while regular firewalls
serve as a safety gate between servers.
- Description of WAF from Wikipedia
A web application firewall (WAF) is an application firewall for HTTP applications. It
applies a set of rules to an HTTP conversation. Generally, these rules cover
common attacks such as cross-site scripting (XSS) and SQL injection.
- Description of WAF from OWASP
5
Why WAF?
Problems and expectations
➢ OWASP Top 10
➢ SQL Injection
➢ XSS
➢ CVE & NVD
➢ DDoS
➢ Compliance
6
Why WAF? - 2017 OWASP Top 10
➢ A1-Injection
➢ A2-Broken Authentication and Session Management
➢ A3-Cross-Site Scripting (XSS)
➢ A4-Broken Access Control
➢ A5-Security Misconfiguration
➢ A6-Sensitive Data Exposure
➢ A7-Insufficient Attack Protection
➢ A8-Cross-Site Request Forgery (CSRF)
➢ A9-Using Components with Known Vulnerabilities
➢ A10-Underprotected APIs
7
DDoS
Why WAF? - DDoS
8
Why WAF? - Compliance
Compliance
➢ PCI DSS 3.2 requirement 6.6 choice 2
“Installing an automated technical solution that detects and prevents web-based
attacks (for example, a web-application firewall) in front of public-facing web
applications, to continually check all traffic.”
➢ Don’t worry, most of the solutions can help you meet PCI DSS.
➢ The AWS WAF service itself is already PCI DSS certified.
○ Check the list at https://aws.amazon.com/tw/compliance/services-in-scope/
9
WAF architecture on AWS
10
WAF architecture on AWS - AWS best practice
AWS best practice
Reference: AWS Best Practices for DDoS Resiliency (June 2015) 11
WAF architecture on AWS - Traditional architecture
Traditional architecture - problems
(Diagram labels: XFF, Scale out, Rule Consistency, Warm up, ELB traffic fee, Traffic Out)
12
WAF architecture on AWS - AWS best practices
AWS best practice
Reference: AWS Best Practices for DDoS Resiliency (June 2016) 13
WAF architecture on AWS - Cloud service
Architecture working with cloud service
14
WAF architecture on AWS - AWS WAF
Architecture - AWS WAF
(Diagram components: CloudFront, WAF, ALB, EC2)
15
Comparisons
16
Comparisons - Meet OWASP
Traditional architecture
1. Use highly customized rules of your own.
2. Use the rules bundled with the vendor product.
Working with cloud service
1. The upper and lower bounds depend entirely on the service provider.
Working with AWS WAF
1. For AWS WAF, see "Use AWS WAF to Mitigate OWASP's Top 10 Web Application Vulnerabilities".
17
Comparisons - Meet compliance
Traditional architecture
1. High flexibility in tuning rules, low dependence on the service provider.
2. Vendor products can produce compliance reports, reducing the audit burden.
Working with cloud service
1. The upper and lower bounds depend entirely on what the service provider offers.
Working with AWS WAF
1. The AWS WAF underlying platform is PCI compliant, but producing and improving the rules... is the user's responsibility.
(AWS shared responsibility model)
18
Comparisons - Maintain & automation
Traditional architecture
1. Learning time cost; operators need stronger technical and communication skills.
2. A complex architecture inevitably increases management complexity.
3. Hard to automate; requires familiarity with vendor-specific APIs/commands.
Working with cloud service
1. Simple architecture, lower operational difficulty.
2. Hard to automate; requires familiarity with vendor-specific APIs/commands.
Working with AWS WAF
1. Simple architecture, lower operational difficulty.
2. Learn one API and use it everywhere. 19
Comparisons - Pricing
Traditional architecture
1. Running your own machines = expensive
2. Professional operations = expensive
3. Using a well-known brand = expensive
(License fee $1~3 hourly)
Working with cloud service
1. A professional cloud WAF that is not bundled with a CDN is inevitably expensive if professional services are included.
2. CDN-bundled offerings require buying the CDN service first, then the WAF module.
Working with AWS WAF
1. AWS WAF has a low entry cost and supports both CloudFront and ALB, giving users flexibility in choosing an architecture.
($5 per web ACL, $1 per rule, $0.60 per million requests) 20
Demo
21
Demo
SQL Injection Protect
XSS Protect
Rate based rule
CVE-2017-5638: Struts2
22
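Two points from the slides are easy to get wrong in practice: the XFF problem of a self-managed WAF behind ELB (the TCP peer is the load balancer, so the client address has to be read from X-Forwarded-For, and only the entries appended by trusted proxies may be believed), and the rate-based rule shown in the demo, which counts requests per client over a trailing 5-minute window. The following is an added example written for this page, not code from the slides or from AWS. It simulates both offline: the log format, the IP addresses (documentation ranges) and the tiny threshold are constructed for the demo; the real service enforces a far higher minimum.

```python
"""Rate-based rule keyed on the real client IP, behind a proxy that sets XFF.

Added example, not from the slides or from AWS. It approximates a WAF
rate-based rule (per-client counter over a trailing 5-minute window) and shows
how to pick the client address from X-Forwarded-For when ELB/CloudFront sit in
front. Log lines, addresses and the limit below are constructed for the demo.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # AWS WAF rate-based rules look at a trailing 5-minute window


def client_ip(peer_ip, xff, trusted_hops=1):
    """Pick the client address from X-Forwarded-For.

    Every trusted proxy in front of us (ELB, plus CloudFront if used) appends the
    address it accepted the connection from, so the client is the entry
    `trusted_hops` from the right. Entries further left were supplied by the
    client itself and may be forged, so they are never used.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if trusted_hops <= 0 or len(hops) < trusted_hops:
        # No usable header (or fewer hops than the proxy chain should add):
        # fall back to the peer rather than trust a client-supplied value.
        return peer_ip
    return hops[-trusted_hops]


class RateBasedRule:
    """Approximation of a WAF rate-based rule: per-key counter over a sliding window."""

    def __init__(self, limit, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps still inside the window

    def evaluate(self, key, ts):
        q = self._hits[key]
        q.append(ts)
        # Drop requests that have fallen out of the trailing window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


# Constructed access log: epoch seconds | TCP peer (the ELB) | X-Forwarded-For | path
SAMPLE_LOG = [
    "1500000000|10.0.1.10|203.0.113.7|/login",
    "1500000010|10.0.1.10|203.0.113.7|/login",
    "1500000020|10.0.1.10|198.51.100.4|/",
    "1500000030|10.0.1.10|192.0.2.99, 203.0.113.7|/login",  # client-forged left entry
    "1500000040|10.0.1.10|203.0.113.7|/login",
    "1500000400|10.0.1.10|203.0.113.7|/login",              # 6 minutes on: window rolled
]


def apply_rule(log_lines, limit, trusted_hops=1):
    """Run the rule over log lines; returns [(client_ip, action), ...] in order."""
    rule = RateBasedRule(limit)
    decisions = []
    for line in log_lines:
        ts, peer, xff, _path = line.split("|")
        ip = client_ip(peer, xff, trusted_hops)
        decisions.append((ip, rule.evaluate(ip, int(ts))))
    return decisions


if __name__ == "__main__":
    for ip, action in apply_rule(SAMPLE_LOG, limit=3):
        print(f"{ip:>14}  {action}")
```

With `limit=3`, the fourth request from 203.0.113.7 within the window is blocked even though it carried a forged left-most XFF entry, and the request six minutes later is allowed again once the window has rolled. The `trusted_hops` value must match the real proxy chain (1 for ELB alone, 2 for CloudFront in front of ELB); AWS WAF on CloudFront or ALB sees the client address natively, which is one reason the deck contrasts it with the traditional architecture.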
Summary
23
Summary
1. Putting a WAF into the architecture is not the problem; tuning the rules is.
2. Match the architecture to the scenario and the team's capability.
3. If the code has a hole, patch it... don't push it onto the security appliance!
4. If you already use CloudFront/ALB, try AWS WAF right away and see how much it catches for you!
24
Wishlist
A transparent list of the SQL injection and XSS rules.
Regular expression support in string match conditions.
The rate-based rule samples over a 5-minute window; it would be good if users could adjust this freely.
Logs only show the last 3 hours; ideally logs could be stored to S3/CloudWatch Logs.
Only 10 rules per web ACL...
More features…
(The support case categories don't even include "feature request"...)
25
References
❏ AWS Security Blog
https://aws.amazon.com/blogs/security/
❏ AWS WAF Developer Guide
http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
❏ AWS WAF Preconfigured Rules & Tutorials
https://aws.amazon.com/waf/preconfiguredrules/
❏ AWS Security Whitepaper
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
❏ AWS Security Best Practices
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
❏ Overview of AWS Security - Network Security
https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf
❏ AWS Best Practices for DDoS Resiliency Whitepaper
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
26
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

A Brief Look at WAF Architecture on AWS

  • 9. Why WAF? - Compliance
      ➢ PCI DSS 3.2 requirement 6.6 choice 2: “Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.”
      ➢ Don’t worry, most of the solutions can help you meet PCI DSS.
      ➢ AWS WAF service is already certified by PCI DSS.
        ○ Check here: https://aws.amazon.com/tw/compliance/services-in-scope/
  • 11. WAF architecture on AWS - AWS best practice (diagram; reference: AWS Best Practices for DDoS Resiliency, June 2015)
  • 12. WAF architecture on AWS - Traditional architecture: problems
      ➢ XFF (X-Forwarded-For)
      ➢ Scale out
      ➢ Rule consistency
      ➢ Warm up
      ➢ ELB traffic fee
      ➢ Traffic out
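The XFF item above is the usual consequence of an in-path WAF or ELB: the backend only sees the last proxy's address and has to recover the client from X-Forwarded-For, a header the client can pre-fill with anything. The Python below is an added example, not code from the deck; the trusted-proxy ranges and the addresses in the sample are constructed.

```python
import ipaddress

# Constructed trusted-proxy ranges (an assumption for the demo): the addresses
# of your own WAF/ELB tier. Only hops inside these ranges are believed when
# walking X-Forwarded-For; anything a client puts in the header on its own
# is never trusted.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def is_trusted(ip_text):
    """True if ip_text is a valid address inside a trusted proxy range."""
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not an IP address at all
        return False


def client_ip(remote_addr, xff_header):
    """Return the address to log and to apply rules against.

    remote_addr is the TCP peer (the last proxy, or the client itself);
    xff_header is the raw X-Forwarded-For value, possibly empty. The chain is
    walked from the right: trusted hops are skipped and the first untrusted
    address is the client. Anything further left was supplied by the client
    and is ignored, which defeats a spoofed leading entry.
    """
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header carries no authority
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed hop: fall back to the socket peer
    return remote_addr  # every hop was ours, e.g. a proxy health check


if __name__ == "__main__":
    # client 198.51.100.7 -> WAF 10.0.1.4 -> ELB 10.0.1.5 -> this backend,
    # with the client trying to pre-fill the header with 203.0.113.9
    print(client_ip("10.0.1.5", "203.0.113.9, 198.51.100.7, 10.0.1.4"))
```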
  • 13. WAF architecture on AWS - AWS best practices (diagram; reference: AWS Best Practices for DDoS Resiliency, June 2016)
  • 14. WAF architecture on AWS - Cloud service (diagram: architecture working with a cloud service)
  • 15. WAF architecture on AWS - AWS WAF (diagram: CloudFront → WAF → ALB → EC2)
  • 17. Comparisons - Meet OWASP
      Traditional architecture
        1. Use highly customized rules of your own.
        2. Use the rules that ship with a brand-name product.
      Working with cloud service
        1. The upper and lower bounds depend entirely on the service provider.
      Working with AWS WAF
        1. For AWS WAF, see “Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities”.
  • 18. Comparisons - Meet compliance
      Traditional architecture
        1. High flexibility in tuning rules and low dependence on the service provider.
        2. Brand-name products can produce compliance reports, reducing the audit burden.
      Working with cloud service
        1. The upper and lower bounds depend entirely on what the service provider offers.
      Working with AWS WAF
        1. The underlying AWS WAF service is itself PCI compliant, but producing and improving the rules... is the user’s responsibility (AWS shared responsibility model).
  • 19. Comparisons - Maintain & automation
      Traditional architecture
        1. Learning takes time, and operators need stronger technical and communication skills.
        2. A complex architecture inevitably increases management complexity.
        3. Hard to automate; you must be familiar with the specific vendor’s API/commands.
      Working with cloud service
        1. Simple architecture; easier to operate.
        2. Hard to automate; you must be familiar with the specific vendor’s API/commands.
      Working with AWS WAF
        1. Simple architecture; easier to operate.
        2. Learn one API and use it everywhere.
  • 20. Comparisons - Pricing
      Traditional architecture
        1. Running your own machines = expensive
        2. Professional operations = expensive
        3. Using a well-known brand = expensive (license fee $1 to $3 hourly)
      Working with cloud service
        1. A dedicated cloud WAF that does not require a CDN is inevitably expensive if professional services are included.
        2. The CDN-bundled type requires buying the CDN service first, then the WAF module.
      Working with AWS WAF
        1. AWS WAF has a lower starting cost and supports both CloudFront and ALB, giving users the flexibility to choose an architecture. ($5 per web ACL, $1 per rule, $0.60 per million requests)
  • 22. Demo
      ➢ SQL Injection Protect
      ➢ XSS Protect
      ➢ Rate based rule
      ➢ CVE-2017-5638: Struts2
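The rate based rule in the demo counts requests per source IP over a trailing 5-minute window (the fixed sampling unit the Wishlist slide later complains about) and blocks an IP while its count exceeds the limit. The Python below is an added example that mimics that decision over constructed log lines; it is not the deck's code, the window is taken from the deck, and the limit and sample traffic are constructed values rather than AWS's configured minimum.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not from the deck: per-IP counts over a trailing 5-minute
# window (the Wishlist slide notes this is fixed in AWS WAF); the limit used
# below is a constructed demo value, not AWS's minimum.
WINDOW = timedelta(minutes=5)


class RateBasedRule:
    """Mimics a WAF rate-based rule: per-IP request counts over a trailing
    window, blocking while the count exceeds the limit and allowing again
    once old requests age out of the window. Feed requests in time order."""

    def __init__(self, limit, window=WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def observe(self, ip, ts):
        """Record one request and return the rule's decision for it."""
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # age out hits older than the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def parse_log_line(line):
    """Parse a constructed 'ISO-timestamp client-ip method path' log line."""
    ts, ip, _method, _path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip


def evaluate(lines, limit):
    """Run the rule over log lines in order; return one decision per line."""
    rule = RateBasedRule(limit)
    return [rule.observe(ip, ts) for ts, ip in map(parse_log_line, lines)]


# Constructed sample traffic: one IP bursts on /login, one IP browses normally,
# then the noisy IP returns after its earlier hits have aged out of the window.
SAMPLE_LOG = [
    f"2017-07-19T10:00:{i:02d} 203.0.113.9 POST /login" for i in range(6)
] + [
    "2017-07-19T10:01:00 198.51.100.7 GET /index.html",
    "2017-07-19T10:06:30 203.0.113.9 POST /login",
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG, limit=5)):
        print(decision, line)
```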
  • 24. Summary
      1. Putting a WAF into the architecture is not the problem; how to tune the rules is.
      2. Use the architecture that fits your scenario and capabilities.
      3. If the code has a hole, patch it... don’t push it onto the security appliance!
      4. If you are already using CloudFront/ALB, try AWS WAF right away and see how much it can block for you!
  • 25. Wishlist
      ➢ A transparent list of the SQL injection and XSS rules.
      ➢ Regular expression support for string match.
      ➢ The rate-based rule samples over a 5-minute unit; users should be able to adjust it.
      ➢ Logs are only visible for the last 3 hours; it would be better to be able to store logs to S3/CloudWatch Logs.
      ➢ Only 10 rules per web ACL...
      ➢ More features... (the support case categories surprisingly have no “feature request”...)
  • 26. References
      ❏ AWS Security Blog https://aws.amazon.com/blogs/security/
      ❏ AWS WAF Developer Guide http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
      ❏ AWS WAF Preconfigured Rules & Tutorials https://aws.amazon.com/waf/preconfiguredrules/
      ❏ AWS Security Whitepaper https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
      ❏ AWS Security Best Practices https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
      ❏ Overview of AWS Security - Network Security https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf
      ❏ AWS Best Practices for DDoS Resiliency Whitepaper https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf