
Web Application Firewalls.


Overview

The idea for this article came to me while re-watching the TV series Mr. Robot (from 2015) now streaming on Amazon Prime.

I think a big reason for the popularity of the show (rated 8.5/10) is due to its technical advisor – cybersecurity superstar Michael Bazzell, whose https://inteltechniques.com is my most useful and thorough resource on defending privacy.

Are You Dead Yet?

Minutes into the psycho-technical series’ first episode, one asks about a “R.U.D.Y. attack”.

Below is how I would “mansplain” what that means (to excruciating detail) before going back to watch the show.

R.U.D.Y. is an acronym for “aRe yoU Dead Yet” – the name of a tool hackers use to create Denial of Service attacks. An example is at https://github.com/darkweak/rudy, written in the Go language.

A similar tool is at https://github.com/gkbrk/slowloris, written in the Python language. The program is named after slow lorises, a group of primates known for their slow movement. It’s exhausting watching them.

A single hacker machine can use the tools to take down even a large targeted Apache web server because the attack requires minimal bandwidth.

Low and Slow

Unlike “volumetric” DoS (Denial of Service) attacks which seek to overwhelm (flood) target servers with traffic from many malicious clients, a “low and slow” attack aims to exhaust server resources through long-running, incomplete requests.

“Low and slow” attacks are difficult to detect using conventional DDoS detection mechanisms which expect a high volume and fast rate of traffic.

The exploit “sends long HTTP POST requests to the target server, but breaks the request body into small packets sent at a very slow rate (e.g. one byte every 10 seconds). This slow rate of exchange prevents the server from closing the connection, forcing it to wait for the full request.”

Each Apache web server has a finite pool of processing threads available to handle connections with the clients it serves. When the maximum number of possible connections that a server can handle is reached, additional connections cannot be established. And thus a denial-of-service attack is successful.

Increasing capacity may not help

Administrators can buy some time by adding additional servers and, on each Apache server, increasing the MaxRequestWorkers setting in the mpm_prefork.conf configuration file.

However the number of attackers can also increase. In a DDoS (Distributed Denial of Service) attack, hackers use thousands of devices that have been compromised to direct traffic toward a single site.

In late March 2015, China directed its botnet (dubbed “Great Cannon”) toward GitHub (a web-based code hosting service) as well as GreatFire (a service dedicated to monitoring websites blocked by China).

Mitigation: Upgrade the Tech

Articles by reverse proxy vendors Cloudflare and Wallarm do not mention tech upgrades to more advanced technologies to stop the attacks.

  1. Upgrade web server technology from Apache to NGINX or Lighttpd, which were not designed to be limited by a maximum number of connections. Instead, they use worker threads which have no limit on the number of connections they can handle.

    Unlike with Apache, NGINX/Lighttpd ignore incomplete requests by letting them run in the background, which does not use up system resources.

  2. Upgrade from use of HTTP protocol 1.1 to HTTP 2, which does not hold sessions open.

The above advances were available.

Dead Inside

“Low and Slow” attacks are not something in a supply chain beyond a company’s ability to mitigate.

PROTIP: And that’s the genius of the “Mr Robot” writers in selecting RUDY as the mechanism for compromise. RUDY can succeed because the company did not implement available mitigations. Why? Top executives in the dystopian “Evil Corp” were too focused on bullying others.

“Low and slow” attacks on an organization take advantage of that organization’s inability to modernize quickly enough. Implementing the above involves changes to application programming code.

Collaborate to modernize

The job of a CTO is to recognize this and rally the organization.

PROTIP: A common root cause enabling vulnerabilities within enterprises is complacency due to a lack of the collaboration needed to be proactive toward preparing for war, manifested as DoS (Denial of Service) attacks.

At the end of this deep-dive article, the key takeaway from this article should be about how Developers, Security, Network Engineers, Performance Engineers, Operations, Customer Support, and others must go out of their way to help each other rather than being isolated cogs who don’t feel a need to actively collaborate with others.

This article identifies where collaboration can occur.

NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.


The rest of this article examines what can be done to mitigate attacks on legacy Apache web server software. That’s because there are likely other systems also vulnerable.

Monitoring needed

On the road to collapse, low-level attacks run up a large server bill for those attacked.

PROTIP: Track monthly spend by service within each region to identify trends and anomalies using AWS Cost Explorer against a budget. Investigate the root cause of upward trends and sudden spikes: are they due to higher rates? Are costs consistent with the amount of work processed?

PROTIP: Security Red Teams: you would be wise to see what impact the “low and slow” attack mechanisms might have and whether (and how fast) defensive mechanisms perform against them.

Pair up with Performance Engineers who know how to set up large-scale systems running with insightful metrics and visualizations.

This would be the case even after the organization upgrades to newer technologies, to verify whether the changes really can block the attacks.

Within AWS, a CloudWatch metric name is specified when creating Web ACL (Access Control List) rules.

Metrics

QUESTION: How do you know whether a low-level attack is not already at work on your system?

One sign of such an attack is connection log entries containing HTTP 408 error codes in the server log ("-" 408 156 "-" "-").
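As an added illustration (not code from the original article), here is a small Python parser for Apache combined-format access log lines that counts 408 responses per client IP and as a share of all requests. The log lines are constructed samples; the 408 entries carry the empty request line, referer and user agent quoted above because the headers never arrived.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [02/May/2024:10:15:03 +0000] "-" 408 156 "-" "-"
198.51.100.23 - - [02/May/2024:10:15:44 +0000] "-" 408 156 "-" "-"
203.0.113.7 - - [02/May/2024:10:15:50 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [02/May/2024:10:16:31 +0000] "-" 408 156 "-" "-"
198.51.100.24 - - [02/May/2024:10:16:40 +0000] "-" 408 156 "-" "-"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_408_by_ip(log_text):
    """Return (Counter of 408s per client IP, total number of parsed requests)."""
    counts = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["status"] == "408":
            counts[rec["ip"]] += 1
    return counts, total

def suspicious_ips(log_text, min_408=3):
    """IPs that timed out at least min_408 times in the window."""
    counts, _ = count_408_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= min_408)

def timeout_ratio(log_text):
    """Share of all requests that ended in a 408, regardless of source IP."""
    counts, total = count_408_by_ip(log_text)
    return sum(counts.values()) / total if total else 0.0

if __name__ == "__main__":
    print(count_408_by_ip(SAMPLE_LOG))
    print(suspicious_ips(SAMPLE_LOG), round(timeout_ratio(SAMPLE_LOG), 2))
```

Because the attacking IPs mentioned later in this article hold only 3-4 connections each, a per-IP threshold alone is a weak signal; the 408 share across all traffic (timeout_ratio) tracks the risk of worker-pool exhaustion better and is the value to alarm on.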

PROTIP: The circumstances when a server becomes exhausted can be predicted by watching the relationship between three metrics captured about each system:

L = the average number of connections being used by the system

λ (lambda) = the average arrival rate of new requests arriving

W = the average dwell time a customer spends in the system

Knowing two enables the third to be calculated using the formula L = λ * W (called “Little’s Law”).

The longer each customer spends in a system, the fewer connections are possible.
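Little’s Law carried through in code, as an added example that is not part of the original article. The MaxRequestWorkers value of 256 and the two traffic profiles are constructed assumptions; the model treats arrivals as deterministic and every connection as holding a worker for exactly W seconds, which is enough to show why a low arrival rate with a long dwell time empties the pool while a much busier but fast workload does not.

```python
def littles_law(L=None, lam=None, W=None):
    """Solve L = lam * W for whichever one of the three is left as None."""
    missing = [name for name, v in (("L", L), ("lam", lam), ("W", W)) if v is None]
    if len(missing) != 1:
        raise ValueError("exactly one of L, lam, W must be None")
    if L is None:
        return lam * W
    if lam is None:
        return L / W
    return L / lam

def utilization(lam, W, max_workers):
    """Fraction of the worker pool that steady-state traffic occupies."""
    return littles_law(lam=lam, W=W) / max_workers

def seconds_to_exhaustion(lam, W, max_workers):
    """Seconds until an initially idle pool of max_workers is full, or None if it never fills.
    Model: arrivals at lam per second, each holding a worker for W seconds, so
    occupancy(t) = lam * min(t, W); the pool can only fill when lam * W >= max_workers."""
    if littles_law(lam=lam, W=W) < max_workers:
        return None
    return max_workers / lam

def max_tolerable_dwell(lam, max_workers):
    """Longest per-connection dwell time the pool absorbs at arrival rate lam; a
    starting point for a timeout threshold, to be validated against real traffic."""
    return max_workers / lam

# Constructed assumption: an Apache prefork pool sized at MaxRequestWorkers 256.
MAX_WORKERS = 256

def scenarios():
    """Utilization and time-to-exhaustion for two constructed traffic profiles."""
    return {
        # busy but healthy: 50 requests/s, each served in 0.2 s -> L = 10 workers
        "normal": (utilization(50, 0.2, MAX_WORKERS),
                   seconds_to_exhaustion(50, 0.2, MAX_WORKERS)),
        # low and slow: 2 new connections/s, each held open 300 s -> L = 600 workers
        "low_and_slow": (utilization(2, 300, MAX_WORKERS),
                         seconds_to_exhaustion(2, 300, MAX_WORKERS)),
    }

if __name__ == "__main__":
    for name, (util, t) in scenarios().items():
        print(f"{name}: utilization={util:.2f}, exhausted after {t} s")
```

The "low_and_slow" profile needs 25 times less traffic than the "normal" one yet fills the pool in about two minutes, which is the property that defeats volume-based detection.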

QUESTION: Are such metrics obtained for your servers?

PROTIP: Automatically sound an alarm when a spike occurs in connections, rates, dwell time, and spend.

SIEM tool New Relic has an “application response time” metric that includes “Request Queue”. To collect “request queuing time”, each HTTP request must be marked with a timestamp when queuing starts by adding an HTTP header configured in the Apache httpd.conf file:

Apache Server Configuration

Several vendors and commenters offer ways to reduce the effectiveness of “low and slow” attacks:

  1. Limit the maximum number of connections each IP address is allowed to make

  2. Limit the maximum time a client is allowed to stay connected

  3. Restrict connections with slow transfer speeds

Notice that this assumes that each individual client connection is analyzed and managed. And there can be thousands of them at once.

Individual servers can be configured, but hackers have gotten wise to them:

  1. Apache module “mod_antiloris” rejects connections from the same IP address once it holds more than, by default, 10/20+ connections.

    “But the IP in the attack here are only creating 3-4 connections max.”

  2. From Apache version 2.2.15, Apache module “mod_reqtimeout” is enabled with this default:

    RequestReadTimeout header=20-40,minrate=500 body=10,minrate=500

    Rather than being held open indefinitely, servers can be configured to timeout connections automatically based on a threshold.

  3. QUESTION: What can be done to restrict connections with slow transfer speeds?

    This would require a program that can track and analyze the behavior of each IP address, which is a daunting task explained below.
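To make the RequestReadTimeout default above concrete, here is an added Python model (not Apache’s code, and a simplification of it) of how mod_reqtimeout answers item 3 without tracking IP addresses: each read phase starts with an initial deadline, every byte received extends the deadline by 1/minrate seconds, and the header phase is capped at its maximum. A client that has not finished the phase by the deadline is dropped. The client timelines are constructed.

```python
# Policy taken from the default quoted above: header=20-40,minrate=500 body=10,minrate=500
DEFAULT_POLICY = {
    # phase: (initial seconds, maximum seconds or None, minrate in bytes per second)
    "header": (20, 40, 500),
    "body": (10, None, 500),
}

def evaluate_phase(chunks, initial, maximum, minrate):
    """chunks: (seconds since phase start, bytes received) for every read.
    Returns (completed, dropped_at): completed is True when every chunk arrived
    before the running deadline; otherwise dropped_at is the deadline that expired."""
    deadline = float(initial)
    for t, nbytes in sorted(chunks):
        if t > deadline:
            return False, deadline
        # every minrate bytes buy one more second, up to the phase maximum
        deadline += nbytes / minrate
        if maximum is not None:
            deadline = min(deadline, float(maximum))
    return True, None

def evaluate_request(header_chunks, body_chunks=(), policy=DEFAULT_POLICY):
    """Run the header phase, then the body phase; report the first phase that drops."""
    for phase, chunks in (("header", header_chunks), ("body", body_chunks)):
        if not chunks:
            continue
        ok, dropped_at = evaluate_phase(chunks, *policy[phase])
        if not ok:
            return {"verdict": "dropped", "phase": phase, "at": dropped_at}
    return {"verdict": "completed", "phase": None, "at": None}

# Constructed client timelines (seconds, bytes).
SLOW_ATTACKER_HEADER = [(10, 1), (20, 1), (30, 1), (40, 1)]   # one byte every 10 s
SLOW_LEGIT_HEADER = [(5, 2000), (15, 2000), (25, 1000)]       # slow uplink, real data
BURST_THEN_STALL_HEADER = [(1, 100000), (45, 10)]             # bytes up front, then silence

if __name__ == "__main__":
    print("attacker:", evaluate_request(SLOW_ATTACKER_HEADER))
    print("legit:   ", evaluate_request(SLOW_LEGIT_HEADER))
    print("burst:   ", evaluate_phase(BURST_THEN_STALL_HEADER, *DEFAULT_POLICY["header"]))
```

The speed floor is enforced per connection, which is why it still holds when an attacker spreads load across many IP addresses with only a few connections each; the 40 s cap stops a client from buying unlimited time by sending a burst and then stalling. Whether the minrate is low enough for your genuinely slow users is the question the “Distinguish Friend from Foe” section below addresses.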

But we have an IPS

An Intrusion Protection System (IPS) does not detect and mitigate against “low and slow” attacks because IPS works on ISO network layer 3 and 4 (switching, routing, and transport), which differentiate the “signatures” among different sessions and users.

Reverse Proxies

A Reverse Proxy provides broader functionality beyond just security, such as load balancing, caching, SSL termination, and routing requests to different backend servers.

Proxying servers and caching accelerators such as Varnish, nginx, and Squid mitigate this particular kind of attack.

Cloudflare is a cloud-based service that functions as a “reverse proxy” protecting the origin server. When all traffic goes first to their 248 Tbps network, working servers would receive traffic only from Cloudflare’s IP ranges. The working network can then disallow all access EXCEPT those that belong to Cloudflare.

A similar service is Corero’s SmartWall ONE™ appliance which slots “behind” edge routers to sample and inspect traffic. If DDoS is detected, it orchestrates mitigation directly on the routers.

Many organizations use both Reverse Proxies and a WAF as part of a layered security approach for their web infrastructure.

DDoS Resilience Architecture

The AWS Best Practices for DDoS Resiliency uses this DDoS-resilient reference architecture diagram:

[Figure: AWS DDoS-resilient reference architecture diagram]

Preparatory services to WAF:

Using your default browser to establish Administrator:

  1. Create a Root AWS account using your email.
  2. Lock down the root account and configure IAM users to log in with. The AWS Security Reference Architecture (SRA) prescribes 5 Organizational Units (OUs) and Accounts:
    1. Organization Management account
    2. Security Tooling account
    3. Security Tooling Log Archive accounts
    4. Workloads account
    5. Infrastructure Network Shared Services accounts
    6. Infrastructure Network Account

  3. Set up AWS Route 53 for DNS of a custom host name.
  4. Optionally, set up the AWS Global Accelerator service to route traffic among the AWS global network of 100 edge locations to the closest healthy endpoint. This improves performance by up to 60% compared to routing over the public internet. It can also protect applications from DDoS attacks by absorbing traffic closer to the source.

    Setup Web Application Firewall

  5. A WAF typically operates behind a DNS (AWS Route 53) and in front of a load balancer which allocates traffic among several physical servers, analyzing all communications before they reach the app or the end-user.


    A WAF (Web Application Firewall) works at the “Application” level (at what ISO called Level 7) where the program can examine various protocols, including HTTP headers and body text.

    [Figure: WAF request flow]

    HANDS-ON: Let’s create the above within the AWS cloud so we have a practical understanding.

  6. This video by Rahul Wagh describes how to manually set up, step-by-step, a VPC, Internet gateway, Subnet, and Route table, then launch an Ubuntu t2.micro EC2 Instance with an Apache web server invoking these commands on start:

    #!/bin/bash
    # Install Apache and publish a page showing this instance's hostname and first IP address
    yes | sudo apt update
    yes | sudo apt install apache2
    echo "<h1>Server Details</h1><p><strong>Hostname:</strong> $(hostname)</p><p><strong>IP Address:</strong> $(hostname -I | cut -d' ' -f1)</p>" > /var/www/html/index.html
    sudo systemctl restart apache2

    WARNING: This is the simplest verification of the simplest mitigation. See the section about enterprise-level Mitigation Testing below.

  7. 10:50 - Implement EC2 Target Group (using HTTP 1.1)
  8. Create internet-facing IPv4 Application Load Balancer with a Security Group for unencrypted HTTP traffic through port 80 and SSH for TCP 22 remote Terminal access.

    WARNING: Production environments need to always use HTTPS with a TLS certificate.

  9. Copy and paste the DNS Name as the URL to reach the test environment.
  10. PROTIP: In the Amazon Console GUI, VIDEO: instead of searching for WAF, bring up the “WAF & Shield” AWS service with this URL:

    https://console.aws.amazon.com/wafv2/homev2/web-acls

    NOTE: AWS automatically adds the default AWS Region of your account to the URL.

    If the region appearing is not your default region, change it on the upper-right of the screen. REMEMBER: When fronting Amazon CloudFront applications, you must use the API endpoint listed for us-east-1 = US East (N. Virginia).

    AWS WAF, Shield, Firewall Manager

    Within the AWS (Amazon Web Services) cloud are several security services:

    • AWS WAF - see https://aws.amazon.com/waf

    • AWS Firewall Manager applies a central configuration across several accounts and resources, for $100 per month per region per policy ($110 in UAE, $120 in Jakarta and Zurich).

    • AWS Shield Advanced (at a subscription fee of $3,000/month per organization) is an AWS-managed service that comes with dedicated support from the AWS Shield Response Team (SRT). AWS handles the provisioning, configuration, and ongoing management of DDoS protection, reducing operational overhead. It enhances WAF with advanced event visibility for important websites using Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator standard accelerators.

    PROTIP: Do not select both AWS Firewall manager AND AWS Shield Advanced.

  11. AWS has a “classic” WAF. But we use “WAF” at the top of the menu, which is referenced in AWS documentation as WAFv2 (version 2).

  12. Although Web ACLs are global, the region of the resources the WAF acts on needs to be specified.

  13. Click “Create Web ACL”.

    REMEMBER: The Web ACL Name and Metric Name cannot be changed after creation.

    PROTIP: Include in the Name the date, such as “241231” for December 31, 2024.

  14. Click “Add AWS resources” to attach the downline service. Notice there are two categories:

    • AWS CloudFront CDN distribution
    • “Regional resources” (does not work with AWS Outposts)

    In the sample video, select “Regional resources” for the Application Load Balancer defined earlier. Next.

    NOTE: The WAF can handle HTTP protocol Requests going into several other AWS services not applicable to this example:

    • Amazon API Gateway REST API (to mobile apps) for FSBP, which limits access based on API keys it issues.
    • AWS App Runner service
    • AWS AppSync GraphQL API
    • Amazon Cognito user pool
    • AWS Verified Access instances


    Rule Groups

  15. Click “Add rules and rule groups”, then within Rules: Add Rules pull-down, select “Add managed rule groups”: VIDEO:

    BLOG: By default, AWS WAF doesn’t provide rules.

    Rule groups are the “beating heart” of any WAF. Rule Groups are reusable collections of rules that can be used within WAF ACLs.

    PROTIP: Selection of rule groups is not a trivial decision because it involves complex triangulation among several tradeoffs: affordability, vendor trust, what vulnerabilities to mitigate.

  16. Click “AWS managed rule group”. Don’t click “Add to web ACL” yet. We’ll come back to these:


    QUESTION: How does “Account takeover prevention” work and why is it necessary when there are Role-based permissions? This mitigates adversaries who (VIDEO:) use the Burp Suite FoxyProxy browser extension to inject passwords from the list of popular passwords.

    QUESTION: What is the difference between “Common” and “Targeted”?

  17. If you are experimenting, scroll down to “Free rule groups”. By “free” AWS means no additional vendor charges.


  18. Toggle the “Add to web ACL” associated with each Rule set applicable to your environment.

    • Amazon IP reputation list is compiled by the “Amazon Threat Intelligence” group protecting the amazon.com shopping site.

      PROTIP: Whether a particular IP address is malicious is a dynamic situation, changing all the time.

    • Core rule set for what OWASP has identified among Top 10 vulnerabilities in web applications. Notice that the 700 units make it among the most compute intensive of choices.

    • Known bad inputs - QUESTION: how does that work?

    • Activate one for the operating system (POSIX, Windows).

    • Activate one for the language you use (PHP, WordPress, etc.).

    • PROTIP: Before blocking traffic from VPNs, survey everyone in your organization to see if they use one to protect themselves from someone in Starbucks listening in when they log in to work or their bank. If so, specify a specific VPN they can use and put that VPN’s addresses in the allowlist.

  19. Consider capacity limits.

    Among the many Quotas related to WAF, there is a limit of up to 100 each of Web ACLs, Rule Groups, and IP Sets per region.

    WARNING: 100 Web ACLs is not very many.

    One million requests divided by 30 days in the month is 33,333 per day.

    Divided by the 100 rule limit, that’s 333 requests per rule per day within a region. That’s not many.

    QUESTION: Please correct me if I’m wrong with this.

    Alerts when limits are reached

    PROTIP: Raise an alert about incoming requests which AWS WAF is not able to fully analyze due to it being limited on how much it can process at one time:

    • Maximum 64 KB in the web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections
    • Maximum 4 KB in the custom response body content for a single custom response definition
    • Maximum 50K in the combined size of all response body content for a single rule group or a single web ACL
    • Maximum 10 custom headers for a single custom response definition

    REMEMBER: AWS has defined quotas for the maximum number of API calls:

    • 5 requests per second to any individual Get or List action, if no other quota is defined for it
    • 1 request per second specifically to GetWebACLForResource and ListResourcesForWebACL (which can return a lot of information)
    • 1 request per second to any individual Create, Put, or Update action, if no other quota is defined for it
    • 2 requests every 2 seconds specifically to AssociateWebACL and DisassociateWebACL


  20. Consider costs.

    PROTIP: Please refer to the spreadsheet I created, available on Gumroad. ???

    AWS charges for each ACL processed within each hour at the equivalent of $5 per month per region, or $0.0925925925926 (about 1 cent) per hour, assuming processing occurring 18 hours each of 30 days (540 hours). At the maximum of 100 WAF ACLs, that’s $50/month for each region.

    Additionally,

    AWS charges each Rule processed at $1 per month. Assuming 100 rules firing for 540 hours during the month, that’s $540 per month per region.

    On top of that, published charges by Rule vendors are, for example:

    • Charge per month in each available region (pro-rated by the hour) $25 / unit

    • Charge per million requests in each available region $1 / unit

    The “unit” refers to WCUs (WAF Capacity Units) unique to AWS.

  21. Calculate WCUs.

    WAF ACL Capacity Unit (WCU) Control

    This sentence caused my brow to wrinkle and my head to spin:

    “The WCUs used by the web ACL will be less than or equal to the sum of the capacities for all of the rules in the web ACL.”

    What that means to me is that each rule is assigned a number of WAF Capacity Units (WCUs) used to manage capacity. The more complex a rule, the higher the WCU for that rule. For example, a simple size constraint rule statement uses fewer WCUs than a statement that inspects requests using a regex pattern set at: https://console.aws.amazon.com/wafv2/homev2/regex-pattern-sets/new

    QUESTION: I’m baffled as to how many WCUs to assign each rule.

  22. Consider overage charges.

    When more than 1,500 WCUs are incurred, instead of charging customers $0.60 per million requests per month, customers are charged $0.80 per million requests per month.

    WARNING: The AWS Price Calculator does not consider such overage costs.

    On April 11, 2023 AWS upped the limit eligible for overage charges at 5,000 WCUs per web ACL. But customers can request a limit increase. QUESTION: What is the error message when that happens?

    IP Sets

    IP Sets refer to a simple list of (up to 10,000) IP addresses to be allowed or blocked.

    Bogon IP addresses

    The WAF should ignore (filter out) “Bogon” or bogus IP addresses which should not be used over the public internet. But they are used in denial-of-service attacks.

    There are now no more unallocated IP addresses, so “Bogon” now refers to use of addresses which RFC 5735 reserved for special use, and to “Martian” packets received by the kernel on a specific interface while routing tables indicate that the source IP is expected on another interface (according to RFC 1812 routing rules).

    VIDEO: Netgate documentation.

    Other WAF vendors

  23. Click the toggle icon for each rule group you want to add to your Web ACL, then click the orange “Add rule” at the bottom.

    PROTIP: I’ve added to each vendor name a link to its Gartner Peer Insights page for Cloud Web Application and API Protection and to TrustRadius. Upcity summarizes reviews of cybersecurity companies (everyone gets 5 stars), etc.

    PROTIP: The above vendors are also listed among “AWS Marketplace managed rules” to buy rule groups maintained professionally by cybersecurity firms:

    https://console.aws.amazon.com/wafv2/homev2/marketplace

    Other Vendors

    PROTIP: Not on the list are famous vendors

    • Akamai
    • Cloudflare
    • Fastly
    • Rapid7 (VIDEO: WAF vs RASP). RASP (Runtime Application Self-Protection) monitors from inside the application itself, providing detailed visibility to detect and actively block attacks in real time, such as by terminating a user session, shutting down the application, or alerting security teams.
    • AppTrana WAAP by Indusface

    • Atomicorp’s open-sourced Atomic ModSecurity Rules for $225 per server per year, and WAF with GUI for $300/IP/server/year. They also have a free version. PDF

    • Atomic offers enhancements of OSSEC, the most widely used open source host-based intrusion detection system

    Mitigation Testing

    PROTIP: Verify each mitigation you add to ensure it actually works. For example, use the “known-bad” app DVWA (Damn Vulnerable Web Application) described in my article on OWASP Testing to VIDEO: verify whether F5’s WAF works.

    PROTIP: Many security standards, including AWS Well-Architected Foundational Security Best Practices (FSBP) standard require that simulations to mimic threat actors’ tactics, techniques, and procedures (TTPs) be repeated on a regular schedule. This is to verify your organization’s incident investigation response capabilities.

  24. Scroll down to the “Default web ACL action for requests that don’t match any rule”.

    PROTIP: The selection of default “Allow” or “Block” is fundamental to the maturity level of the organization running AWS. It’s the “red pill or the blue pill”.

    Selecting “Allow” by default means relying completely on Rules defined to safeguard traffic. That’s not terrific but also terrifying. Miss one and you open your whole operation to hackers.

    Many organizations CANNOT choose this because it violates a key part of Zero Trust mandates by government standards and customer agreements.

    Selecting “Block” by default means that each user and app must be specifically specified, and unspecified quickly as each user leaves the team or organization. Those who use VPNs would change IP address frequently. That also will likely result in some complaints from developers and users, and requires more automation and staffing of a 24/7 operation. But mistakes with this approach don’t open your whole environment to hackers.

    PROTIP: This is a good discussion prompt in an interview. How did the candidate’s previous employer collect IP addresses dynamically to open up the network to each downline service and user?

    NOTE: The words “Allowlist” and “Blocklist” have replaced “Whitelist” and “Blacklist” for more cultural sensitivity.

    PROTIP: Selecting Count is a good move to analyze the impact of rules defined before production use. Use this for general monitoring and also to test your new web request handling rules. A toggle can be defined in Terraform to easily select this.

    Distinguish Friend from Foe

    To avoid slamming the door on legitimate (but slow moving) actual users, blanket automatic timeouts need to be set based on observations of real traffic patterns by emulating the full mix of users under load.

    That’s the job of Performance Engineers. The cutoff threshold can vary depending on the efficiency of the hardware and the processing mix.

    PROTIP: Here is an opportunity for proactive collaboration: when a slow connection is identified to a real customer, have Customer Service reach out to that customer to investigate whether it’s a bad network, slow computer, or not enough training.

    This requires storing the IPs of known-slow users so that they are exempted when blocking IP addresses which respond slower than the cutoff threshold.

  25. Set Rule Priority. Drag and drop the highest priority rule on top of the list.
  26. Click the orange “Create Web ACL”.

    More than HTTP/IP traffic

    WAF can examine all protocols to detect exploits of vulnerabilities in network protocol handling:

    • DNS per-request login (see https://www.f5.com/glossary/web-application-firewall-waf)

    • FTP (File Transfer Protocol)

    • SMTP time protocol UTP flood

    • TCP (layer 4) “Syn Flood” with a large number of TCP connection requests but doesn’t complete the connection handshake. Done to fill the server’s connection queue to prevent it from accepting legitimate connections.

    • UDP (layer 4) “UDP Flood” with a high volume of UDP packets to overwhelm network resources, causing the server to become unresponsive to legitimate traffic.

    • ICMP server status (layer 3) “Ping of Death” sends oversized or malformed ICMP packets

  27. Select the vulnerabilities to catch.

    WAF ACL Rules for OWASP

    Fortinet, Cloudbric Corp., Cyber Security Cloud Inc., and F5 provide WAF rules to identify some of the attacks identified among the OWASP Top 10 listing the most seen web application vulnerabilities. As of 2022:

    • SQL Injection attacks target databases by inserting malicious code into website input fields. This can allow hackers to delete, change or take control of the database, leading to data loss and system compromise.

    • XML External Entities (XXE)

    • Cross Site Scripting (XSS) VIDEO by Styx

    WARNING: Looking at Customer Reviews of the above reveals a common complaint:

    “Why did that particular IP address get blocked? I can’t correlate the rule id that shows up in a log file with a rule name that’s understandable by a human.”

    “False positives” take time and expertise to resolve.

    Rule criteria

    Within each rule, the criteria in such rules include known malicious IP addresses, geographical origins, length of query strings, SQL code, etc.

    ???

  28. Run with “Check”.

  29. Configure CloudFront to “Enable Security protections”. Select “Use monitor mode” and “Use existing WAF configuration”. See VIDEO by Justin Kurpius

    Analyze Logs

    Within “Web ACL” GUI there is a Query editor. For example: VIDEO:

    fields action, @timestamp, @message
    | filter httpRequest.clientIp="220.255.215.130"
    | sort @timestamp desc
    | limit 20
    
  30. Switch to a Terminal to check WCU requirements for a set of rules:

    aws wafv2 check-capacity

    Run the above AFTER running my mac-setup bash script to set up the aws command and support utilities.
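The query editor above answers one IP at a time. As an added example (not code from the original article or from AWS), the Python below reads AWS WAF log records in the JSON shape delivered to an aws-waf-logs-* log group, aggregates BLOCK actions by terminating rule and by client IP, lists the rules still in Count mode that would have matched (the check to run before flipping a rule to Block), and maps each rule id to a human-readable name, which is the complaint quoted in the “WAF ACL Rules for OWASP” section. The records and the name lookup are constructed; only the fields used here are filled in.

```python
import json
from collections import Counter

# Constructed AWS WAF log records, one JSON object per line.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1714644900000, "action": "BLOCK",
     "terminatingRuleId": "AWS-AWSManagedRulesAmazonIpReputationList",
     "terminatingRuleType": "MANAGED_RULE_GROUP", "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "198.51.100.23", "country": "ZZ", "uri": "/login", "httpMethod": "POST"}},
    {"timestamp": 1714644901000, "action": "ALLOW",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [{"ruleId": "rate-limit-per-ip", "action": "COUNT"}],
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US", "uri": "/api/items", "httpMethod": "GET"}},
    {"timestamp": 1714644902000, "action": "BLOCK",
     "terminatingRuleId": "SizeRestrictions_BODY", "terminatingRuleType": "MANAGED_RULE_GROUP",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "198.51.100.23", "country": "ZZ", "uri": "/upload", "httpMethod": "POST"}},
    {"timestamp": 1714644903000, "action": "ALLOW",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US", "uri": "/", "httpMethod": "GET"}},
    {"timestamp": 1714644904000, "action": "ALLOW",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [{"ruleId": "rate-limit-per-ip", "action": "COUNT"}],
     "httpRequest": {"clientIp": "198.51.100.24", "country": "ZZ", "uri": "/api/items", "httpMethod": "GET"}},
])

# Constructed lookup from rule id to a name a human can read; keep it beside the
# web ACL definition so that every log line can be explained.
RULE_NAMES = {
    "AWS-AWSManagedRulesAmazonIpReputationList": "Amazon IP reputation list",
    "SizeRestrictions_BODY": "Core rule set: request body too large",
    "rate-limit-per-ip": "Rate-based rule: requests per IP (Count mode)",
    "Default_Action": "Default web ACL action",
}

def parse_records(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def blocks_by_rule(records):
    """How many requests each rule blocked (the rule that terminated evaluation)."""
    return Counter(r["terminatingRuleId"] for r in records if r["action"] == "BLOCK")

def blocked_ips(records):
    """How many requests were blocked per client IP."""
    return Counter(r["httpRequest"]["clientIp"] for r in records if r["action"] == "BLOCK")

def count_mode_hits(records):
    """Rules in Count mode that matched without blocking: review before switching them to Block."""
    hits = Counter()
    for r in records:
        for m in r.get("nonTerminatingMatchingRules", []):
            if m.get("action") == "COUNT":
                hits[m["ruleId"]] += 1
    return hits

def explain(record, names=RULE_NAMES):
    """One line a support engineer can read, with the rule name beside its id."""
    rid = record["terminatingRuleId"]
    req = record["httpRequest"]
    return (f'{req["clientIp"]} {record["action"]} by "{names.get(rid, rid)}" ({rid}) '
            f'on {req["httpMethod"]} {req["uri"]}')

if __name__ == "__main__":
    recs = parse_records(SAMPLE_WAF_LOG)
    print(blocks_by_rule(recs), blocked_ips(recs), count_mode_hits(recs))
    for r in recs:
        print(explain(r))
```

Pointed at the export of the CloudWatch log group created by the Terraform logging configuration later in this article, the same three counters become the “why was this IP blocked” answer and the evidence for promoting a Count rule to Block.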


Other videos about AWS WAF:


Manual GUI Console forbidden

More and more enterprises do not allow manual use of GUI on production resources.

This is despite tracking of changes made.

That’s because changes using the web Console GUI are not repeatable. It’s difficult for one person to create the same exact configuration. Accurate and precise documentation is difficult to follow. It’s too easy to miss a step.

IaC Automation

Instead, storage of Infrastructure as Code (IaC) specifications in GitHub enables collaboration and tracking of who made what change, and when. There are two approaches:

They both reference the (at last count) 54 actions defined for the AWS WAFV2 API from November 2019 and 128 data types. See the AWS WAF Developer Guide.

Terraform for AWS WAF

In his article on Medium, Prashant Bhatasana explains his https://github.com/LazziBear/terraform-aws-WAFv2 which sets up a WAF service using Terraform.

So in this article we present links to documentation about use of each Terraform module associated with each GUI menu item shown above:

| AWS WAF Menu Item | Terraform module | Notes |
| ----------------- | ---------------- | ----- |
| Web ACLs (Access Control Lists) | aws_wafv2_web_acl | - |
| Bot Control | aws_wafv2_web_acl_association & aws_wafv2_web_acl_logging_configuration | VIDEO |
| IP sets | aws_wafv2_ip_set | - |
| RegEx pattern sets | aws_wafv2_regex_pattern_set | - |
| Rule groups | aws_wafv2_rule_group | - |

The module deploys a set of AWS WAF rules that filter traffic for web-based attacks and blocks requests that don’t match the rules.

This solution uses logs for the ALB resource. The Scanner & Probe Protection rule in this solution inspects these logs.

The protective features to include are specified in Terraform HCL as documented at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl

We require AWS IAM API keys (access and secret keys) with full access to create AWS WAF/ AWS WAF rules.

In front of a Load Balancer which allocates traffic among various web services.

The module needs these variables:

variable "region" {
  description = "AWS Deployment region."
  default = "us-east-1"
}
variable "aws_lb_arn" {
  description = "ARN of the Load Balancer that you want to attach to the WAF."
}

??? aws_wafv2_web_acl.WafWebAcl

The Terraform module contains (for FSBP)

resource "aws_cloudwatch_log_group" "WafWebAclLoggroup" {
  name = "aws-waf-logs-wafv2-web-acl"
  retention_in_days = 30
}
resource "aws_wafv2_web_acl_logging_configuration" "WafWebAclLogging" {
  log_destination_configs = [aws_cloudwatch_log_group.WafWebAclLoggroup.arn]
  resource_arn = aws_wafv2_web_acl.WafWebAcl.arn
  depends_on = [
    aws_wafv2_web_acl.WafWebAcl,
    aws_cloudwatch_log_group.WafWebAclLoggroup
  ]
}
resource "aws_wafv2_web_acl_association" "WafWebAclAssociation" {
  resource_arn = var.aws_lb_arn
  web_acl_arn  = aws_wafv2_web_acl.WafWebAcl.arn
  depends_on = [
    aws_wafv2_web_acl.WafWebAcl,
    aws_cloudwatch_log_group.WafWebAclLoggroup
  ]
}

Dynamic Lambda

This diagram summarizes how a website’s traffic can be monitored to dynamically create WAF rules necessary using AWS Lambda “serverless” functions.

[Figure: Lambda-driven dynamic WAF rule flow]



Security Automations for AWS WAF

AWS offers a managed service: “Security Automations for AWS WAF” to deploy AWS WAF rules and IP Sets (preconfigured by AWS people) to filter common web-based attacks.

The diagram below shows the solution using Python-driven Lambda functions:

[Figure: Security Automations for AWS WAF architecture]

To get the solution working:

  1. Make “OS-level configuration” by installing Python.

  2. git clone the solution’s GitHub repo (containing AWS CloudFormation templates) from:

    https://github.com/aws-solutions/aws-waf-security-automations/tree/main/deployment

  3. Set up Python and run the unit tests of Python modules in the source folder:

    ./run-unit-tests.sh

  4. Identify the version-code of the package at:

    https://github.com/aws-solutions/aws-waf-security-automations/releases

  5. Define variables for build-s3-dist.sh (bash variable names cannot contain dashes, so the names below use underscores):

    # The S3 bucket location where the templates are stored:
    TEMPLATE_BUCKET=""
    # Base name of the bucket holding the Lambda source code; the script appends '-[region_name]' to it:
    SOURCE_BUCKET_BASE_NAME=""
    # Name of the solution (for consistency):
    TRADEMARKED_SOLUTION_NAME="Security Automations"
    # Version of the package:
    VERSION_CODE="4.0.3"

  6. Run build-s3-dist.sh

    cd deployment
    chmod +x build-s3-dist.sh
    ./build-s3-dist.sh "$SOURCE_BUCKET_BASE_NAME" "$TRADEMARKED_SOLUTION_NAME" "$VERSION_CODE"
    


Other Cloud Vendors

https://www.gartner.com/reviews/market/cloud-web-application-and-api-protection/vendor/microsoft/product/azure-front-door

https://www.gartner.com/reviews/market/cloud-web-application-and-api-protection/vendor/google/product/google-cloud-armor


References:

VIDEO: The Largest Botnet Ever (GreatCanon) Mantis
