Introducing Managed Rules for AWS WAF (with a Customer Story) - AWS Online Tech Talks
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sundar Jayashekar, Sr. Product Manager (AWS)
Jarrod Levitan, Chief Cloud Officer (TriNimbus)
Mike Fisher, Solutions Architect (TriNimbus)
January 30th, 2018
Managed Rules on AWS WAF
A Customer Story
2. What to expect from this session
1. Service Introduction
2. Key Benefits
3. New Announcement!
4. Customer Story - TriNimbus
3. What is a WAF?
Web Application Firewall – monitors HTTP/S requests and protects web applications from malicious activities
Layer 7 inspection and mitigation tool
4. What can we do with AWS WAF?
Malicious traffic blocking
• SQLi
• XSS
• IP Blacklists
Web traffic filtering
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
Active monitoring & tuning
• CloudWatch Metrics/Alarms
• Sampled Logs
• Count Action mode
5. Threats AWS WAF can help with
Application Layer
Bad Bots, DDoS, OWASP type attacks
• HTTP floods
• Abusive users
• Content scrapers
• Scanners & probes
• Crawlers
• SQL injection
• XSS
• Application exploits
6. AWS WAF available on
• Amazon CloudFront
• Application Load Balancer (ALB)
7. What do customers like about AWS WAF?
• Fast Incident Response
• Easy to deploy
• Affordable
• Full API Support
• Managed platform
8. How are Customers using AWS WAF?
1. Custom Rules
2. Managed Rules
3. Security Automation
You can combine all three!
9. New capabilities since June 2017
1. Rate Based Rules
2. OWASP Top 10 templates
3. Geo IP based restriction
4. RegEx Support
5. Managed Rules
6. Additional Regions for WAF/Shield
We listen to our customers and iterate quickly
10. What customers asked?
“I don’t want expensive Pro-Serv engagements to write and tune my rules”
“I want to focus on writing web applications and not security rules”
“I don’t have the resources to write rules that keep up with the bad guys”
11. So at re:Invent 2017 we announced…
Managed Rules on AWS WAF
with 5 Featured Sellers and 11 new Products!
12. What are Seller Managed Rules?
• A set of WAF rules (sometimes in the hundreds) written and managed by trusted security vendors
• Available on AWS Marketplace and the WAF Console
• Deployed on AWS WAF
• Pay-As-You-Go pricing
13. At Launch we said …
We will continue to add security vendors and provide more Rule choices to customers ….
14. We are happy to Pre-Announce today!
Coming soon …
3 New Products!
15. Featured Sellers
16. F5 Managed Rules for AWS WAF
• SQLi, XSS, command injection, No-SQLi injection, path traversal, and predictable resource
• Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress.
• Vulnerability scanners, web scrapers, DDoS tools, and forum spam tools.
17. Key Benefits of Managed Rules
1. Rules managed by security experts
2. Choice of protections
3. Auto-updates
4. Pay as you go
5. Easy to Deploy
18. Deploy in 3 easy steps
1. Find rules on AWS WAF console or AWS Marketplace
2. Click and subscribe
3. Associate rules in AWS WAF
19. TriNimbus – Customer Story
20. About TriNimbus
Born in the Cloud in 2013
• AWS Premier Consulting Partner
• Offices in Vancouver, Calgary, Toronto, Montreal and Macedonia
• Top 50 fastest growing startups in Canada (Canadian Business Magazine)
21. About TriNimbus
Our Core Capabilities
• Expert team of Solution Architects and DevOps Engineers
• Co-sourcing: Integrating with your Agile teams
• 24/7 DevOps and DevSecOps managed services
• Architecture, operations, migrations, disaster recovery, cost optimization, compliance
22. About TriNimbus
Growing the AWS User Groups Community Across Canada
• Organize AWS User Groups in 9 cities across Canada
• 4000+ members and growing
• Education focused presentations by AWS customers, evangelists and best-of-breed technology partners
• Creating opportunities to learn, interact, and share ideas
23. The ActiveDEMAND Story
24. About ActiveDEMAND
ActiveDEMAND is a marketing technology company that provides Marketing Automation to SMBs and marketing agencies globally
• Call tracking
• Email marketing
• Social media marketing
• KPI dashboards
25. The Problem
• Suffering from intermittent DDoS attacks from a small number of bad actors
• Attacks would quickly overwhelm their fixed number of compute resources
• Web services would become completely unavailable during attacks
26. Original Architecture
• Amazon CloudFront in front of static assets only
• Elastic Load Balancer in front of a fixed number of Amazon EC2 instances
27. VPC and EC2 Best Practices
28. AWS WAF and Dynamic Content Delivery
29. Why we Chose AWS WAF
• Very easy to add due to the client already using Amazon CloudFront
• DDoS attacks were typically from a small number of source IP addresses; this made them easy to block with IP match conditions
• Very cost effective to implement for a few rules
30. The Results
• ActiveDEMAND rolled out this updated infrastructure architecture for all new customers
• There have been no detected service interruptions for any customers on this new platform during the year it has been in production
31. Going Forward
Restrict ELB Access to Amazon CloudFront IP Addresses
• AWS publishes IP ranges for their services in JSON format
• AWS also publishes updates to an SNS topic they manage
• Subscribe to the SNS topic with a Lambda function which processes the JSON and updates the ELB's security group
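
The Lambda step on this slide, sketched as an added example (not code from the presentation or from AWS): it checks the downloaded ip-ranges.json against the MD5 carried in the SNS notification, keeps only CLOUDFRONT prefixes, and works out which CIDRs to authorize or revoke on the ELB's security group. The sample document, the injected `fetch` callable and the function names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json (documentation-only addresses).
SAMPLE_DOC = json.dumps({"syncToken": "0", "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]}).encode()


def cloudfront_cidrs(doc_bytes, expected_md5):
    """Check the download against the hash announced over SNS, then keep CLOUDFRONT IPv4 CIDRs."""
    if hashlib.md5(doc_bytes).hexdigest() != expected_md5:
        raise ValueError("ip-ranges.json does not match the MD5 in the notification")
    cidrs = set()
    for prefix in json.loads(doc_bytes).get("prefixes", []):
        if prefix.get("service") == "CLOUDFRONT":
            # ip_network() rejects malformed entries and entries with host bits set.
            cidrs.add(str(ipaddress.ip_network(prefix["ip_prefix"])))
    if not cidrs:
        # An empty result would revoke every rule and cut the ELB off from CloudFront.
        raise ValueError("no CLOUDFRONT prefixes found; leaving the group unchanged")
    return cidrs


def plan_update(current, wanted):
    """Return (to_authorize, to_revoke) that make the group's ingress equal to `wanted`."""
    return sorted(wanted - current), sorted(current - wanted)


def handle_sns(event, fetch, current_cidrs):
    """Lambda-style handler; `fetch` and `current_cidrs` are injected (hypothetical) so it runs offline."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    wanted = cloudfront_cidrs(fetch(message["url"]), message["md5"])
    return plan_update(set(current_cidrs), wanted)


if __name__ == "__main__":
    notice = {"url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
              "md5": hashlib.md5(SAMPLE_DOC).hexdigest()}
    event = {"Records": [{"Sns": {"Message": json.dumps(notice)}}]}
    # The current group still carries a wide-open rule from before the lockdown.
    print(handle_sns(event, lambda url: SAMPLE_DOC, ["198.51.100.0/24", "0.0.0.0/0"]))
```

In a deployed function, `fetch` would be an HTTPS GET of the URL in the notification, and the two returned lists would feed the EC2 `authorize_security_group_ingress` and `revoke_security_group_ingress` calls.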
32. Going Forward
Take advantage of new AWS capabilities
• Use AWS WAF rate-based rules instead of manually updating blacklisted IP addresses
• Dedicated DDoS protection with AWS Shield Advanced
• Subscribe to a managed rule group instead of manually implementing SQL injection and size constraint conditions
33. Further Reading
Blog: Revisiting the AWS WAF
Take a look back at all the improvements that have been released for AWS WAF on its journey from Minimal Viable Product to Most Valuable Player
https://goo.gl/R37X6g
34. For more details on Managed Rules
https://aws.amazon.com/mp/security/WAFManagedRules/
35. Thank you!