The document discusses auto-scaling security for web applications in Amazon Web Services. It finds that web applications are among the top 3 attack vectors in both enterprise and cloud environments. It then provides an overview of how to auto-scale a web application firewall (WAF) in AWS, including using features like Elastic Load Balancing, Amazon S3 for configuration data, and Auto Scaling groups. It demonstrates deploying the WAF across multiple Availability Zones for high availability and discusses sizing examples.
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS re:Invent 2013
1. Auto-Scaling Web Application Security in Amazon Web Services
Misha Govshteyn, Chief Strategy Officer & Co-Founder, AlertLogic
Zack Fox, Architect Web Security Manager, AlertLogic
November 14, 2013
2. Spring 2013 Report
Key Findings
• Higher attack frequency in enterprise data centers than in cloud deployments
• Web applications are among Top 3 attack vectors in both enterprise and cloud environments
• Threat levels are consistent across industries and verticals
Full Report Available at alrt.co/Spring2013CSR
1,800+ Customer Environments
2 Years of Threat Data Published
150k+ Security Incidents Analyzed
6. Web Application Firewall Fundamentals
• Blocks common web application attacks
– SQL injection, cross-site scripting, command insertion
• Most commonly deployed inline as a reverse proxy in front of web servers
Diagram: browser → WAF (reverse proxy) → www server, with a SQL injection attempt stopped at the WAF and legitimate traffic forwarded to the server
7. What Makes a WAF Work?
Blacklisting
• Filter known attacks
• All requests allowed by default, unless explicitly denied
• Provides immediate baseline security
Necessary fundamental model that provides rule-based protection
Whitelisting
• Dynamic analysis of web application
• Allow wanted transactions
• Everything else is denied
• Implicit security against new or unknown attacks (Zero Day Attacks)
Flexible adaptive model that enhances security beyond well-known threats
8. Auto Scaling Principles
• Designed for failure
– Horizontally scaled
– Fast bootstrap
– Health/load conditions as scaling triggers
• Loosely coupled
– Independent components
– As stateless as possible
– Minimal interactions
Web tier is easiest to scale… but good design decisions are essential
9. Common Web Tier Auto Scaling Tools
• Elastic Load Balancing
• Auto Scaling groups
• Health monitoring
– Amazon CloudWatch
• Bootstrapping/configuration automation
– AWS CloudFormation
– Chef/Puppet/Cfengine
10. Why Auto-Scaling a WAF is Difficult
WAF Appliances
• Significant capital investment
• Difficult to maintain & tune
• Invasive deployment model
CDN WAFs
• “One size fits all”
• Latency
• Limited protection
• Native support not available for auto-scaling capabilities
• “Learned” data not easily shared across appliances
• Management and processing planes are too tightly coupled
11. Our Approach to Auto Scaling Web Security
Diagram: Browser → ELB (Public) → WSM Workers → ELB (Internal) → Web server; WSM Master backed by S3/EBS and reporting to Alert Logic
• Designed from the ground-up for Elastic Load Balancing integration
– Decoupled management and data processing planes
– Amazon S3/Amazon EBS used to maintain configuration/state data and logs
– Assumes Amazon VPC deployments
• Native support for auto-scaling driven by CloudWatch metrics
12. Deployment for Auto Scaling and High Availability in AWS VPC
Overview
• 1 Master AS group with 1 master at all times
• 1 Worker AS group with 2-n workers at all times
Elastic Load Balancing Master
• External interface for WSM Master
• Management and monitoring (https and ssh)
Elastic Load Balancing Worker
• SSL Termination
• Load balances web traffic to worker AS group
Amazon S3 Bucket
• Persists configuration data
NAT Instances
• Required for Amazon S3 access from private subnets
WSM Master
• Acts as management node for configuration
• Queues and transports logs, stats from workers
Amazon EBS Log Volume
• Persists Deny Log and Stats data for master
• Attached at instance start up
WSM Worker
• Retrieves configuration on instance launch
• Protects web traffic in front of internal load balancing
• Transports logs, stats to master queue
14. Web Traffic Flow
• Browser clients connect to worker load balancer
• Traffic is load balanced to WSM appliances
• WSM appliances connect to backend load balancer
15. Auto Scaling Options
Auto Scaling Group Master
• Min-size 1
• Max-size 1
• Uses Elastic Load Balancing health check to ensure an instance is up
• Will recreate itself from configuration data in Amazon S3
Auto Scaling Group Worker
• Min-size 2 recommended for availability
• Max-size TBD
• Uses Auto Scaling policy to scale on-demand
16. Default Auto Scaling Parameters
• Defaults set in AWS CloudFormation templates
• User configurable and tunable for specific requirements
Setting / Default:
• Scale up CPU utilization threshold: 80%
• Scale up when CPU is above threshold for more than: 120 seconds
• Scale down CPU utilization threshold: 50%
• Scale down when CPU is below threshold for more than: 600 seconds
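The worker group sizing from slide 15 and the default scaling thresholds from slide 16, expressed as a CloudFormation fragment. This is an added example, not Alert Logic's own template: WorkerLaunchConfig, WorkerELB and PrivateSubnets are assumed to be defined elsewhere in the same template, and MaxSize 6 is an assumed value where the deck says "TBD".

```yaml
Resources:
  WorkerGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnets   # assumed parameter: private subnets in both AZs
      LaunchConfigurationName: !Ref WorkerLaunchConfig   # assumed: defined elsewhere in the template
      LoadBalancerNames: [!Ref WorkerELB]   # assumed: the worker (public) ELB
      MinSize: '2'   # slide 15: two workers minimum for availability
      MaxSize: '6'   # slide 15 leaves this "TBD"; 6 is an assumed value
      HealthCheckType: ELB   # replace workers the load balancer reports as unhealthy
      HealthCheckGracePeriod: 300   # time for a new worker to fetch its config from S3
  ScaleUp:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WorkerGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: '1'
      Cooldown: '120'
  ScaleDown:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WorkerGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: '-1'
      Cooldown: '600'
  CPUHigh:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Scale up when worker CPU averages above 80% for 120 s
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions: [{Name: AutoScalingGroupName, Value: !Ref WorkerGroup}]
      Statistic: Average
      Period: '60'   # 1-minute datapoints require detailed monitoring on the launch config
      EvaluationPeriods: '2'   # 2 x 60 s = 120 s above threshold
      Threshold: '80'
      ComparisonOperator: GreaterThanThreshold
      AlarmActions: [!Ref ScaleUp]
  CPULow:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions: [{Name: AutoScalingGroupName, Value: !Ref WorkerGroup}]
      Statistic: Average
      Period: '60'
      EvaluationPeriods: '10'   # 10 x 60 s = 600 s below threshold
      Threshold: '50'
      ComparisonOperator: LessThanThreshold
      AlarmActions: [!Ref ScaleDown]
```

With basic (5-minute) EC2 monitoring the alarms would evaluate on 300-second datapoints, so Period and EvaluationPeriods must be adjusted to approximate the 120 s and 600 s windows.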
17. Configuration Data Flow
Configuration Data
• Master instance stores data in Amazon S3
• Worker instances retrieve configuration
Redundancy
• Configuration also transmitted to Alert Logic
18. Logs and Statistics Collection
Log Data
• Queued on Master for transport
Statistics Data
• Queued on Master for transport
• Aggregated for all workers before transport
Alert Logic
• Data stored for search, correlation, alerting, and reporting
Amazon EBS Log Volume
• Stores log and statistics data for master instance
• Persists queued data in case of master instance termination
19. Default Auto Scaling Parameters
• Defaults set in AWS CloudFormation templates
• User configurable and tunable for specific requirements
22. Building a Test WSM Stack with AWS CloudFormation
Basic testing stack in two Availability Zones
• Amazon VPC
• Internet Gateway
• 2 public subnets
• 2 private subnets
• Public load balancer for test backend web servers
• 2 NAT instances
• 2 web server instances
Additional AWS components are created (not pictured):
• Amazon VPC gateway attachment
• Security groups
• Network ACL
• Routes and route tables
• Launch configuration and auto scaling group
• CloudWatch alarms
• Auto Scaling policies