
(SEC323) New: Securing Web Applications with AWS WAF

60,917 views

In this session, we will introduce you to the new AWS WAF service. We will show you how to use the service to block Amazon CloudFront requests that originate from IP addresses that you specify and block requests based on request content, such as header values or SQL queries. We will walk you through working code samples that automate security operations and demonstrate the flexibility of AWS WAF web ACLs.

Published in: Technology


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nate Dye, AWS Edge Services, October 2015. SEC323: Securing Web Applications with AWS WAF
  2. What to expect from this session (AWS WAF 301): Deep dive AWS WAF; Web defense strategies; Automation for better security
  4. Why AWS WAF? Application vulnerabilities (diagram: good users and bad guys → web server → database; the bad guys send exploit code)
  5. Why AWS WAF? Abuse (diagram: good users and bad guys → web server → database)
  6. Why AWS WAF? Application DDoS (diagram: good users and bad guys → web server → database)
  7. What is AWS WAF? (diagram: good users and bad guys → AWS WAF → web server → database)
  8. What is AWS WAF? AWS WAF rules: 1: BLOCK requests from bad guys. 2: ALLOW requests from good guys.
  10. Traditional WAF: setup is complex and slow
  11. Traditional WAF: rules with too many false positives
  12. Traditional WAF: no APIs for automation
  13. AWS WAF: block or allow web requests; monitor security events
  15. AWS WAF: new API and console; protect websites and content served through Amazon CloudFront
  16. Benefits of AWS WAF: practical security made easy; customizable and flexible; integrates with development
  20. What to expect from this session (AWS WAF 301): Web defense strategies; Automation for better security; Deep dive AWS WAF
  21. Setting up AWS WAF:
       1. Create a web ACL: ALLOW requests by default, but…
       2. Add a rule: BLOCK if…
       3. Add match conditions: the source IP matches this list…
       4. Assign to CloudFront: for any request to d123.cloudfront.net.
  22. Setting up AWS WAF: <First Run Demo>
  23. But wait, there’s more:
       • Match conditions: IP, String, SQLi
       • Customizable rules: AND/OR; block, allow, or count; ordered conditions
       • Fast feedback: ~1 minute for changes; 1-minute metrics; request samples
  25. Match conditions: IPSets. CIDR notation on octet boundaries:
       • 192.0.0.0/8 – matches 192.*.*.*
       • 192.168.0.0/16
       • 192.168.32.0/24
       • 192.168.32.64/32 – matches a full IP address exactly
  26. Match conditions: IPSets
       • 1,000 CIDRs per IPSet
       • 10,000 CIDRs per web ACL
       • Matches the connecting IP, not X-Forwarded-For (XFF)
  27. Match conditions: Strings and bytes
       • Match any part of the web request
       • Common use case: Referrer whitelisting
  28. Match conditions: Strings and bytes. Match any part of the web request. Raw request headers from a good user, as received by CloudFront and handed to AWS WAF:
           Host: www.example.com
           User-Agent: Mozilla/5.0 (Macintosh; …
           Accept: image/png,image/*;q=0.8,*/*;q=0.5
           Accept-Language: en-US,en;q=0.5
           Accept-Encoding: gzip, deflate
           Referrer: http://www.example.com/
           Connection: keep-alive
       Rule (string match condition): Check: Header “Referrer”; Match Type: Contains; Match: “example.com”; Action: ALLOW
  29. Match conditions: Strings and bytes. Use transforms to stop evasion. Raw request headers from a scraper bot (other headers as on the previous slide):
           User-Agent: badbot
       Rule (string match condition): Check: Header “User-Agent”; Match Type: Contains; Match: “badbot”; Action: BLOCK
  30. Match conditions: Strings and bytes. Use transforms to stop evasion. The same scraper bot changes the case of its headers:
           User-Agent: bAdBoT
           Referrer: http://www.InTeRnEtkItTiEs.com/
       Rule (string match condition): Check: Header “User-Agent”; Transform: To lower; Match Type: Contains; Match: “badbot”; Action: BLOCK
  31. Match conditions: Strings and bytes. Flexible match conditions: 1. Contains 2. Exact 3. Begins with 4. Ends with 5. Contains word
  32. Match conditions: Strings and bytes. Malicious binary? We can find it. 1. Select the binary file (bad.bin, which starts with the bytes 8950 4e47 0d0a 1a0a 0000 000d) 2. Base64 encode it: $> base64 bad.bin → iVBORw0KGgoAAAAN 3. Set the match criteria to “iVBORw0KGgoAAAAN”
  33. Match conditions: Strings and bytes • 10 matches per string match set • 1,000 matches in a web ACL
  34. Match conditions: SQLi. Check your query strings, URL decode.
  35. Match conditions: SQLi. Check your query strings, URL decode. The request /login?x=test%27%20UNION%20ALL%20select%20NULL%20-- decodes to /login?x=test’ UNION ALL select NULL -- . Transform: URL Decode; Match: SQL Injection → True.
  37. Combining conditions: restrict a rule to specific URIs, such as the login page (diagram: public Internet and Seattle admins → AWS WAF; /admin/login.cgi versus /*)
  38. Combining conditions: restrict a rule to specific URIs, such as the login page, by combining an IP match with a string match
  39. Adding whitelist exceptions: you can whitelist with ALLOW actions on a rule.
  40. Reuse conditions: you can reuse any part of a web ACL (diagram: CloudFront distributions → Web ACL #1 and Web ACL #2, both using one shared blacklist)
  42. Observing rules in action: finding requests that match your rules
  43. Setting up detection alarms: <Example Demo>
  44. Building blocks for web security: APIs, SDKs, and CLIs! Java, Python (boto), PHP, .NET, Ruby, Node.js, JavaScript, iOS, Android, AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell, AWS CLI
  45. GetChangeToken
           $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
           { "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff" }
  46. Create*
           $ aws --endpoint-url https://waf.amazonaws.com/ waf create-web-acl \
               --name BetaTest --metric-name BetaTest \
               --default-action Type=ALLOW \
               --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
  47. GetChangeTokenStatus
           $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token-status \
               --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff
           { "ChangeTokenStatus": { "ChangeToken": "d4c4f53b-9c7e-47ce-9140-0ee5765d6bff", "Status": "PROVISIONED" } }
       Status is one of "PROVISIONED", "PENDING" or "INSYNC".
  48. Update*Set (the IPSet id is a placeholder; the slide does not show one)
           $ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set \
               --ip-set-id <IP_SET_ID> \
               --change-token d4c4f53b-9c7e-47ce-9140-0ee5765d6bff \
               --updates '[
                 {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.0.0/16"}},
                 {"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": "192.168.5.0/24"}}
               ]'
  49. GetSampledRequests
           {
             "SampledRequests": [
               {
                 "Action": "BLOCK",
                 "Timestamp": 1441839596.476,
                 "Request": {
                   "Country": "IE",
                   "URI": "/",
                   "Headers": [
                     { "Name": "Host", "Value": "d123abc.cloudfront.net" },
                     { "Name": "User-Agent", "Value": "curl/7.30.0" }
                   ],
                   "ClientIP": "54.240.197.225",
                   "Method": "GET",
                   "HTTPVersion": "HTTP/1.0"
                 }
               }
             ]
           }
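Added example (not code from the talk or from AWS): the change-token sequence of slides 45 to 48 in Python, with the IPSet limits from slides 25 and 26 (octet-boundary CIDRs, at most 1,000 per set) checked before the call. FakeWafClient is a constructed stand-in for boto3.client("waf") with the same method names and response keys, so the flow runs offline; the IPSet id is a placeholder.

```python
import ipaddress

OCTET_PREFIXES = (8, 16, 24, 32)   # CIDRs on octet boundaries, as on slide 25
MAX_CIDRS_PER_IPSET = 1000         # per-IPSet limit from slide 26

def build_ip_set_updates(cidrs, action="INSERT"):
    """Build the Updates list that update-ip-set takes, rejecting CIDRs WAF would not accept."""
    if len(cidrs) > MAX_CIDRS_PER_IPSET:
        raise ValueError("an IPSet holds at most %d CIDRs" % MAX_CIDRS_PER_IPSET)
    updates = []
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)  # strict: host bits set (192.168.32.64/24) is an error
        if net.prefixlen not in OCTET_PREFIXES:
            raise ValueError("%s: prefix length must be one of %s" % (cidr, OCTET_PREFIXES))
        updates.append({"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": str(net)}})
    return updates

def apply_ip_set_update(client, ip_set_id, updates, wait=lambda: None):
    """GetChangeToken -> UpdateIPSet -> poll GetChangeTokenStatus until the change is INSYNC."""
    token = client.get_change_token()["ChangeToken"]
    client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    while client.get_change_token_status(ChangeToken=token)["ChangeTokenStatus"] != "INSYNC":
        wait()  # sleep a few seconds here in real use (changes take ~1 minute); a no-op keeps this offline
    return token

class FakeWafClient:
    """Constructed stand-in for boto3.client('waf'): same method names and response keys, no network."""
    def __init__(self):
        self.ip_sets, self._status = {}, {}
    def get_change_token(self):
        token = "tok-%d" % (len(self._status) + 1)
        self._status[token] = iter(["PROVISIONED", "PENDING", "INSYNC"])  # status sequence of slide 47
        return {"ChangeToken": token}
    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        members = self.ip_sets.setdefault(IPSetId, set())
        for u in Updates:
            (members.add if u["Action"] == "INSERT" else members.discard)(u["IPSetDescriptor"]["Value"])
    def get_change_token_status(self, ChangeToken):
        return {"ChangeTokenStatus": next(self._status[ChangeToken])}

if __name__ == "__main__":
    waf = FakeWafClient()   # swap in boto3.client("waf") to run against the real service
    tok = apply_ip_set_update(waf, "<IP_SET_ID>", build_ip_set_updates(["192.168.0.0/16", "192.168.5.0/24"]))
    print(tok, sorted(waf.ip_sets["<IP_SET_ID>"]))
```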
  50. Pay for what you use • No upfront minimums • Use it for just an hour, or always on
  51. Pay for what you use • $5 per web ACL and $1 per rule per month • Reuse across a CloudFront distribution with no additional charge • Use more rules for more visibility • $0.60 per million requests
  52. Pay for what you use • Low monthly minimum, scales with volume • Typical monthly bill: test environment (1 rule): $6 per month; small site (6 rules, 58M views): $46 per month; medium site (6 rules, 260M views): $167 per month
  53. What to expect from this session (AWS WAF 101): Web defense strategies; Automation for better security; Deep dive AWS WAF
  54. Rule strategy comparison
       Negative (typical of a prod deployment): ALLOW by default; BLOCK known-bad threats. Examples: BLOCK MalwareIncIPRange; BLOCK “{;}”
       Positive (typical of a restricted site): BLOCK by default; ALLOW known-good. Examples: ALLOW SeattleOfficeIPRange; ALLOW referrer header “example.com”
  55. Mitigation strategies • Static policies – for unchanging known-bad threats • Reactive policies – for dynamic emerging threats
  56. Use count rules to find bad actors: count mode → alert on Amazon CloudWatch metrics → get sampled requests → add bad IPs to the blacklist
  57. Putting it all together. Rule order: 1. WhiteListedIPs – ALLOW 2. BlackListedIPs – BLOCK 3. BlackListedSignatures – BLOCK 4. SQLInjection – COUNT 5. SuspiciousActivity – COUNT. Default: ALLOW
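Added example (not code from the talk or from AWS) covering the string matches and transforms of slides 28 to 35, the whitelist-before-block ordering of slides 37 to 39, and the ordered ALLOW/BLOCK/COUNT rules of slides 56 and 57: a small evaluator that applies a web ACL to a request the way those slides describe. The web ACL and requests are constructed (documentation IP ranges), and the SQLi condition is replaced by a plain URL-decoded string match since the service's SQL injection detector is not shown on the page.

```python
import ipaddress
import re
from urllib.parse import unquote

TRANSFORMS = {"NONE": lambda s: s, "LOWERCASE": str.lower, "URL_DECODE": unquote}  # slides 30 and 35

def positional_match(text, target, constraint):
    """The five match types of slide 31, named as the AWS WAF API names them."""
    if constraint == "CONTAINS_WORD":   # target bounded by non-word characters
        return re.search(r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(target), text) is not None
    return {"CONTAINS": target in text, "EXACTLY": text == target,
            "STARTS_WITH": text.startswith(target), "ENDS_WITH": text.endswith(target)}[constraint]

def field_value(request, field, header_name=None):
    """Return the request part a condition inspects: URI, QUERY_STRING, or one HEADER (name is case-insensitive)."""
    if field == "HEADER":
        return next((v for k, v in request["headers"].items() if k.lower() == header_name.lower()), "")
    return request[field.lower()]

def condition_matches(cond, request):
    if cond["type"] == "ip":   # IPSet: the connecting IP, not X-Forwarded-For (slide 26)
        return any(ipaddress.ip_address(request["client_ip"]) in ipaddress.ip_network(c) for c in cond["cidrs"])
    text = TRANSFORMS[cond.get("transform", "NONE")](field_value(request, cond["field"], cond.get("data")))
    return positional_match(text, cond["target"], cond["constraint"])

def evaluate(web_acl, request, counters):
    """Walk the ordered rules: the first ALLOW/BLOCK match wins; COUNT rules only tally and fall through."""
    for rule in web_acl["rules"]:
        if all(condition_matches(c, request) for c in rule["conditions"]):  # conditions in a rule are ANDed
            if rule["action"] == "COUNT":
                counters[rule["name"]] = counters.get(rule["name"], 0) + 1
                continue
            return rule["action"], rule["name"]
    return web_acl["default_action"], "Default"

# Constructed web ACL in the shape of slide 57 (documentation IP ranges, not real addresses).
WEB_ACL = {"default_action": "ALLOW", "rules": [
    {"name": "WhiteListedIPs", "action": "ALLOW", "conditions": [{"type": "ip", "cidrs": ["203.0.113.0/24"]}]},
    {"name": "BlackListedIPs", "action": "BLOCK", "conditions": [{"type": "ip", "cidrs": ["198.51.100.0/24"]}]},
    {"name": "BadBot", "action": "BLOCK", "conditions": [{"type": "string", "field": "HEADER", "data": "User-Agent",
        "transform": "LOWERCASE", "constraint": "CONTAINS", "target": "badbot"}]},
    {"name": "AdminPages", "action": "BLOCK", "conditions": [{"type": "string", "field": "URI",
        "constraint": "STARTS_WITH", "target": "/admin/"}]},
    {"name": "SuspiciousActivity", "action": "COUNT", "conditions": [{"type": "string", "field": "QUERY_STRING",
        "transform": "URL_DECODE", "constraint": "CONTAINS_WORD", "target": "UNION"}]},
]}

def sample_request(client_ip, uri="/", query_string="", user_agent="Mozilla/5.0"):  # constructed request record
    return {"client_ip": client_ip, "uri": uri, "query_string": query_string, "headers": {"User-Agent": user_agent}}
```

Because WhiteListedIPs comes first, a request from the office range reaches /admin/login.cgi even with a bad User-Agent, while the same path from anywhere else is blocked by AdminPages; the COUNT rule never ends evaluation, it only feeds the counter that a CloudWatch alarm would watch.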
  58. Customer example: finding bad requestors. ConnectWise: 1. Uses a negative security model 2. Monitors known-bad activity 3. Reactively bans bad requests
  59. ConnectWise API architecture (diagram: users → APIs → CloudFront → Elastic Load Balancing → Auto Scaling group of Amazon EC2 instances; API calls are made into the environment)
  60. ConnectWise API with AWS WAF (diagram: the same architecture, with AWS WAF evaluating requests at CloudFront)
  61. Example of an old API call (the API version in the request is highlighted)
  62. Create a rule to block old versions. Rule (string match condition): Check: Header “Contains”; Match Type: Contains; Match: “/v2015_3/”; Action: Block. byteset.json:
           {
             "ByteMatchSetId": "e13d4ed4-2b47-4313-8173-d0370e58ac20",
             "ChangeToken": "fab95c78-c969-4845-876f-6f2bc8283ea3",
             "Updates": [
               {
                 "Action": "INSERT",
                 "ByteMatchTuple": {
                   "FieldToMatch": { "Type": "URI" },
                   "PositionalConstraint": "CONTAINS",
                   "TargetString": "/v2015_3/",
                   "TextTransformation": "LOWERCASE"
                 }
               }
             ]
           }
  63. Old requests are blocked: Access Denied
  64. Example of an invalid user request (the cookie value of the invalid user is highlighted)
  65. Create a rule to block invalid users. Rule (string match condition): Check: Header “Contains”; Match Type: Contains; Match: “companyname=cwqaman_p”; Action: Block. cookie-byte-match-set.json:
           {
             "Updates": [
               {
                 "ByteMatchTuple": {
                   "TextTransformation": "LOWERCASE",
                   "TargetString": "companyname=cwqaman_p",
                   "PositionalConstraint": "CONTAINS",
                   "FieldToMatch": { "Type": "HEADER", "Data": "Cookie" }
                 },
                 "Action": "INSERT"
               }
             ],
             "ChangeToken": "988120ac-9040-4a26-bbe0-3282bc5410ce",
             "ByteMatchSetId": "2fdd991d-9b44-4d41-9231-7aa92dfe5ffe"
           }
  66. Invalid users are blocked
  67. Results: savings • Fewer machines needed • Currently saving 20% during peak hours
  68. What to expect from this session (AWS WAF 101): Web defense strategies; Automation for better security; Deep dive AWS WAF
  69. Automatic behavioral analysis: AWS WAF automated blacklists (diagram: good users and bad guys → AWS WAF → server; server logs → threat analysis → rule updater → AWS WAF)
  70. Bad Bot Demo. Step 1: robots.txt – “Don’t index /honeypot”. Step 2: Create a rule: COUNT /honeypot. Step 3: Ban bad bots. See it in action: STG205 – Secure Content Delivery Using Amazon CloudFront, or the AWS New Services booth
  71. Automatic behavioral analysis: Amazon is not the only one… Repsheet open-source behavioral analysis • http://www.slideshare.net/abedra/knock-knock-24105973 • https://github.com/repsheet/repsheet
  72. Automatic reactive mitigations: AWS WAF partners
  73. Automatic behavioral analysis: Alert Logic proof of concept (diagram: good users and bad guys → AWS WAF → server; Alert Logic updates the blacklist)
  74. Automatic incident reports (CloudWatch Alarm → SNS Topic → AWS Lambda → AWS WAF → SNS Topic → Operator): 1. Alarm on count 2. Send Amazon SNS notification 4. Format sampled requests 5. Get sampled requests 6. Send email notification
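Added example (not code from the talk, ConnectWise or AWS): a Lambda-style handler for the "get sampled requests, format them, send the notification" steps of slide 74. It fetches the sampled requests for the alarmed rule, rolls them up per client IP and publishes the summary to an SNS topic. SAMPLE_RESPONSE is a constructed GetSampledRequests response in the shape of slide 49 (documentation IPs); the event keys WebAclId, RuleId, RuleName and TopicArn are assumptions about how the alarm is wired, and the boto3 clients are injected so the code can be exercised offline.

```python
import datetime
from collections import Counter

# Constructed GetSampledRequests response in the shape shown on slide 49 (documentation IPs, not real ones).
SAMPLE_RESPONSE = {"SampledRequests": [
    {"Action": "COUNT", "Timestamp": 1441839596.476, "Weight": 1, "Request": {
        "Country": "IE", "URI": "/", "Method": "GET", "HTTPVersion": "HTTP/1.0", "ClientIP": "192.0.2.10",
        "Headers": [{"Name": "Host", "Value": "d123abc.cloudfront.net"}, {"Name": "User-Agent", "Value": "curl/7.30.0"}]}},
    {"Action": "COUNT", "Timestamp": 1441839600.1, "Weight": 1, "Request": {
        "Country": "US", "URI": "/login", "Method": "GET", "HTTPVersion": "HTTP/1.1", "ClientIP": "192.0.2.10",
        "Headers": [{"Name": "User-Agent", "Value": "curl/7.30.0"}]}},
    {"Action": "COUNT", "Timestamp": 1441839601.5, "Weight": 1, "Request": {
        "Country": "DE", "URI": "/honeypot", "Method": "GET", "HTTPVersion": "HTTP/1.1", "ClientIP": "198.51.100.7",
        "Headers": [{"Name": "User-Agent", "Value": "Mozilla/5.0"}]}},
], "PopulationSize": 3}

def header(request, name):
    """Header lookup by case-insensitive name; '-' when the sampled request lacks it."""
    return next((h["Value"] for h in request.get("Headers", []) if h["Name"].lower() == name.lower()), "-")

def summarize(response):
    """Aggregate sampled requests per client IP: weighted hit count plus the URIs and user agents seen."""
    hits, uris, agents = Counter(), {}, {}
    for s in response["SampledRequests"]:
        req = s["Request"]
        hits[req["ClientIP"]] += s.get("Weight", 1)   # Weight = how many real requests this sample stands for
        uris.setdefault(req["ClientIP"], set()).add(req["URI"])
        agents.setdefault(req["ClientIP"], set()).add(header(req, "User-Agent"))
    return [{"ClientIP": ip, "Hits": n, "URIs": sorted(uris[ip]), "UserAgents": sorted(agents[ip])}
            for ip, n in hits.most_common()]

def format_report(rule_name, response):
    """The text body an operator receives: busiest client IPs first, so the blacklist candidate is obvious."""
    lines = ["AWS WAF alarm: rule %s, %d sampled request(s)" % (rule_name, len(response["SampledRequests"]))]
    for row in summarize(response):
        lines.append("%-15s hits=%d uris=%s ua=%s" % (row["ClientIP"], row["Hits"],
                                                      ",".join(row["URIs"]), ",".join(row["UserAgents"])))
    return "\n".join(lines)

def lambda_handler(event, context, waf=None, sns=None):
    """waf and sns are boto3 clients (classic 'waf' and 'sns'), injected here; the event carries the ids."""
    end = datetime.datetime.now(datetime.timezone.utc)
    resp = waf.get_sampled_requests(WebAclId=event["WebAclId"], RuleId=event["RuleId"], MaxItems=100,
                                    TimeWindow={"StartTime": end - datetime.timedelta(minutes=5), "EndTime": end})
    body = format_report(event["RuleName"], resp)
    sns.publish(TopicArn=event["TopicArn"], Subject="AWS WAF incident report", Message=body)
    return body
```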
  75. Remember to complete your evaluations!
  76. Thank you! Get started with AWS WAF: https://console.aws.amazon.com/waf
