Advanced Techniques for Securing Web Applications

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced techniques for securing web
applications
Sundar Jayashekar, Sr. Product Manager
(Perimeter Protection: AWS WAF, AWS Shield)
March, 2018

What to expect from this session
1. Biggest Threats today
2. AWS WAF Introduction
3. What customer like
4. Recent Launches
5. Popular deployment models
6. Demo
7. Customer references
8. Q&A

Biggest Threats to Applications today
Application
Layer
HTTP floods
Abusive users
Content scrapers
Scanners & probes
CrawlersSQL injection
XSS
Application exploits
DDoS OWASP Top 10 Bad Bots

What is a WAF?
Web Application Firewall –
Monitors HTTP/S requests and protects
web applications from malicious
activities
Layer 7 inspection and mitigation tool

What can we do with an AWS WAF?
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
• Action: Allow/Block
• CloudWatch
Metrics/Alarms
• Sampled Logs
• Count Action mode
• SQLi
• XSS
• IP Blacklists
1. Malicious traffic
blocking
2. Web traffic filtering 3. Active monitoring
& tuning

AWS WAF available on
Amazon CloudFront
(Amazon’s CDN)
Application Load Balancer
(ALB)

What do customers like about AWS WAF?
2. Fast Incidence
Response
1. Easy to deploy 3. Affordable
4. Full API Support 5. Managed Service

How are Customers using AWS WAF?
1. Custom Rules 3. Security Automation2. Managed Rules

We listen to our customers and iterate quickly
In the last 6 months we have added …
1. Rate Based Rules
2. OWASP Top 10 templates
3. Geo IP based restriction
4. RegEx Support
5. Managed Rules
6. Additional Regions for WAF/Shield
7. More Rule Products for Managed Rules

Biggest Threats to Applications today
Application
Layer
3. Bad Bots1. DDoS 2. OWASP Top 10
HTTP floods
Abusive users
Content scrapers
Scanners & probes
CrawlersSQL injection
XSS
Application exploits

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

WAF concepts for the demo …
1. Web Access Control Lists (WebACL)
2. Rules: Precedence / Rule / Action
3. Conditions:
• IP Match
• String Match
• SQLi, XSS Match
• Geo-IP
• Size Constraints etc
4. AWS Resource: CloudFront, ALB (more coming soon …)
5. Reporting: Real Time Metrics, Sampled Web Requests

Bad bots

Bad Bot Protections
1. Managed Rules from Fortinet or F5
2. Honey Pot URL (via Security Automations)
3. Managed Rules + Honey Pot
4. Managed Rules + Honey Pot + IP Reputational lists
5. Managed Rules + Honey Pot + Suspicious user-agents

Bots and scrapers
bad bot
scraper protection
Amazon
CloudFront
AWS Lambda
Access Handler
AWS WAF
b
c
d
web application
resources
<a href="/v1/name/" style="display: none"
aria-hidden="true">honeypot link</a>
a
Honey Pot URL technique

DoS / DDoS / Abusive-users

DoS/DDoS: Rate Based Rules (RBR)
1. Block DoS from a IP
2. Block DoS from an IP with an user-agent
3. Set different Rates for different Geolocations
4. Brute Force on Login or Admin page
 Credential Stuffing

OWASP Top 10 Protections

OWASP Top 10 Protection
1. AWS OWASP Whitepaper with Rules
2. Managed Rules
3. Managed Rules + Augment with custom rules

Managed Rules from Top Security vendors
Amazon Confidential
https://aws.amazon.com/mp/security/WAFManagedRules/

AWS WAF Managed Rules available today
1. Alert Logic Managed Rules for AWS WAF - OWASP Top 10 for WordPress
2. F5 Bot Detection Signatures For AWS WAF
3. F5 Web Application CVE Signatures For AWS WAF
4. F5 - Web Exploits Rules for AWS WAF
5. Fortinet Managed Rules for AWS WAF - Malicious Bots
6. Fortinet Managed Rules for AWS WAF - SQLi/XSS
7. Fortinet Managed Rules for AWS WAF - General and Known Exploits
8. Fortinet Managed Rules for AWS WAF - Complete OWASP Top 10
9. Imperva’s Managed Rules for WordPress Protection
10. Imperva - Managed Rules for IP Reputation on AWS WAF
11. Trend Micro Managed Rules for AWS WAF - Webserver (Apache, Nginx)
12. Trend Micro Managed Rules for AWS WAF - Content Management System (CMS)
13. Trustwave Managed Rules for AWS WAF - ModSecurity Virtual Patching
14. Trustwave Managed Rules for AWS WAF - CMS Virtual Patches

Key Benefits of Managed Rules
 Rules managed by security experts
 Choice of protections
 Auto-updates
 Pay as you go
 Easy to Deploy
Amazon Confidential

Deploy in 3 easy steps
Find rules on AWS WAF
console or AWS
marketplace
Click and
subscribe
Associate rules in
AWS WAF
Amazon Confidential

Positive and Negative
Security Models

Example: Whitelisting good users
Verify that a valid referrer is present
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users

Example: Blacklisting bad bots
Block unwanted user agent headers and use transforms to stop evasion:
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
Rule
String match condition
Scraper bot

Visibility, Dashboards and Alarms

Visibility and Dashboard

Sampled Requests (logs)

Metrics and Alarms (CloudWatch Alarms)

SIEM | SOC Integrations

Incident Reports and SOC workflows
CloudWatch
Alarm
SNS
Topic
AWS Lambda
AWS WAF
Operator
SES
Topic
1. Alarm on count 2. Send
Amazon SNS
notification
4. Format
sampled requests
5. Get
sampled requests
6. Send email
notification

Customers using AWS WAF (referenceable)

AWS WAF customers

“AWS WAF has been a huge success for our business..
Having literally no website downtime has saved us hundreds
of thousands of dollars”
Customer References (AWS WAF)

TriNimbus Blog (a customer story)
Testament to: We have come along way …
http://www.trinimbus.com/blog/revisiting-amazon-web-services-web-application-firewall-aws-waf/

“[AWS WAF] is a fantastic new service that you should be looking to add
to your deployment asap.” – Mark Nunnikhoven (Vice President, Cloud Research), Trend Micro
What are people saying about AWS WAF?
“Protecting our open sites and even API's is of course great in protecting and
blocking attacks, however what it does more is a dramatically improvement to the
reliability of our monitoring and alert systems. The attacks and hacking efforts are creating noise in our
system that often leads to false positives. Integrating WAF allows us to focus on the real issues.– Roi
Ginat (Co-founder), Glide Talk
“With AWS WAF we have been able to completely hand these
[traffic] concerns to Amazon. When we detect anomalies in our traffic we can
protect our quality of service by blocking this traffic at the edge nodes across the world. This traffic no
longer touches our infrastructure at all and is handled by CloudFront near the point that the traffic is
generated.”– Robert Isaacs (Co-founder), Chief Software Architect, ConnectWise

Questions?

Advanced Techniques for Securing Web Applications

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Advanced Techniques for Securing Web Applications

Semelhante a Advanced Techniques for Securing Web Applications (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Advanced Techniques for Securing Web Applications