How to quick-start AWS WAF to protect your critical workloads
Karthik Nair
5x AWS certified | Speaker | Principal Solution Architect | Cloud evangelist | AWS Community Builder
Introduction
This blog post helps AWS customers quick-start the adoption of AWS WAF (Web Application Firewall) in their architecture by understanding the bare-minimum policy set to begin with.
Overview
In the modern age of sophisticated cyberattacks and digital innovation, it is vital for businesses to understand their threats and what their security defenses need to be. A perimeter firewall was a strong defense mechanism in the late 2000s. Cyber criminals have since modernized their strategy and tools, so there is an absolute need for modern security tools for protection.
Although modern methodologies and attack vectors keep increasing, according to hackerone.com, Cross-site Scripting (XSS) continues to be the most awarded vulnerability type, with US$4.2 million in total bounty awards, up 26% from the previous year.
According to the geekflare list of web application threats, injection attacks sit in third position among the common threats to web applications.
Web Application Firewalls (WAF) have been an active part of the network and security protection suite for the last couple of years, enriching the available protection mechanisms.
The probability of landing in the limelight of cyber criminals is very high if you host your workloads in the public cloud, as bad actors know the cloud providers' hosting IP space and are aware that your critical data exists in the cloud. Hence deploying all required security levers on Day 0 is crucial for any workload hosted in the cloud, and a WAF should be the minimum required control among them.
What is WAF
A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks that exploit a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. In the cloud hosting era, a WAF has become an increasingly integral part of IT security, where most applications are web or API workloads exposed to the Internet.
AWS WAF
AWS WAF is a service in the AWS security domain that integrates tightly with AWS Application Load Balancers (ALBs), Amazon CloudFront (CDN), Amazon API Gateway and AWS AppSync for your GraphQL APIs. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.
Since WAF is offered as a service, it can be started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers that address issues like the OWASP Top 10 security risks and automated bots that consume excess resources, skew metrics, or can cause downtime.
The AWS managed WAF rules are curated and maintained by the AWS Threat Research Team. These rules are sufficient on their own to block most advanced attacks, including the OWASP Top 10 security risks, malicious IP addresses, bot requests, threats specific to Content Management Systems (CMS), and emerging Common Vulnerabilities and Exposures (CVE). Since these are managed rules, AWS periodically upgrades them in the backend to detect emerging security threats. The following URL lists the capabilities and enhancements AWS has made to the managed WAF rules:
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html
AWS WAF Architecture
The diagram above represents AWS WAF's place in the architecture. AWS WAF is an inline service that adds minimal, practically negligible latency to application access. The first line of defense provided by WAF and other security solutions scrubs most unwanted or malicious requests before they enter your network in the AWS cloud. When an inspected HTTP request is allowed by AWS WAF, it is passed through to the associated resource for further processing.
WAF can be placed in front of Amazon CloudFront, ALB, API Gateway and AWS AppSync for your GraphQL APIs, which are typically the front-end interfaces of your applications.
AWS WAF Feature set
It can be used to protect against the following security threats:
- OWASP Top 10 security risks
- Common Vulnerabilities and Exposures (CVE)
- AWS WAF Bot Control: visibility and control over common and pervasive bot traffic to your applications.
- Your own whitelist and blacklist IP addresses: you can create your own IP set containing one or more IP addresses to allow or block.
- Custom filtering rules: filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs.
- Rate limit: lets you specify the number of web requests allowed from a client IP in a trailing, continuously updated 5-minute period.
- Known bad inputs: contains rules that let you block request patterns known to be invalid and associated with exploitation or discovery of vulnerabilities.
- Linux operating system: contains rules that block request patterns associated with exploitation of vulnerabilities specific to Linux, including LFI attacks.
- PHP application: contains rules that block request patterns associated with exploiting vulnerabilities specific to the use of PHP, including injection of unsafe PHP functions.
- POSIX operating system: contains rules that block request patterns associated with exploiting vulnerabilities specific to POSIX and POSIX-like operating systems, including LFI attacks.
- SQL database: contains rules that let you block request patterns associated with exploitation of SQL databases, such as SQL injection attacks.
- Windows operating system: contains rules that block request patterns associated with exploiting vulnerabilities specific to Windows (e.g., PowerShell commands).
- WordPress application: contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites.
What are the baseline rules to start with (minimum security rules)?
The paragraphs above describe the capabilities of AWS WAF; the actual intent of this blog is described in the following section.
Since there are plenty of options available for customers to customize WAF protection, there is always confusion about the Day 0 controls, which can be called the bare-minimum controls. As a best practice, it is advised to test these before enabling them in production as Block rules, since a Block rule may adversely impact user access.
Below is the set of rules which I believe can be considered the Day 0 control set.
1. AWS Managed WAF Rule Set: AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic, without having to write your own rules. Some rules protect a specific application stack, and you might not want to enable those on Day 0. The available protection suites can be selected individually for your access control list.
However, the choice is yours; you may still enable detailed protection like PHP application and SQL database once you understand your application stack. How to enable the AWS Managed WAF Rule Set: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html
2. Rate rule: this rule type protects customer websites and APIs from threats such as web-layer DDoS attacks, brute-force login attempts and bad bots. Rate-based rules are triggered automatically when web requests from a client exceed a configurable threshold.
For example, if the threshold for the rate-based rule is set to 2,000, the rule blocks all IPs that make more than 2,000 requests in a rolling 5-minute period. A rate-based rule helps prevent HTTP flood attacks.
How to enable a rate rule: https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html
3. AWS WAF Bot Control: Bot Control helps you manage bot activity to your site by categorizing and identifying common bots, verifying generally desirable bots, and detecting high-confidence signatures of bots. With Bot Control, you can easily monitor, block, or rate-limit bots such as scrapers, scanners, and crawlers. You can also allow common bots like status monitors and search engines, as well as the bot traffic generated by unwanted bots: scripts probing for vulnerabilities, or
How to enable Bot Control: https://aws.amazon.com/blogs/aws/reduce-unwanted-traffic-on-your-web-site-with-aws-bot-control/
4. Enable CloudWatch and WAF logs: once you enable WAF rules, the relevant metrics are populated in CloudWatch and all activity is logged in the WAF logs. It is essential to watch these logs to enhance the protection level.
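As an added example (not code from the original post), the Day 0 set above expressed as the Rules list that boto3's wafv2 create_web_acl/update_web_acl call accepts: the managed rule groups in Count mode for the testing phase, a site-wide rate-based rule at the 2,000-request threshold, and the tighter URI-scoped variant from the Day 1 section. The managed rule group names are AWS's real names; the rule names, priorities and the /login path are assumptions, and nothing is sent to AWS.

```python
# Added example (not from the original post): the Rules list for a Day 0 AWS WAF
# web ACL in the shape boto3's wafv2.create_web_acl / update_web_acl expects.
# Nothing is sent to AWS; the structures are returned so they can be reviewed.
# Managed rule group names are AWS's real names; priorities and rule names are assumptions.
DAY0_MANAGED_GROUPS = [
    "AWSManagedRulesCommonRuleSet",          # OWASP Top 10 style coverage
    "AWSManagedRulesKnownBadInputsRuleSet",  # known invalid / exploit request patterns
    "AWSManagedRulesBotControlRuleSet",      # Bot Control
]


def visibility(name):
    """CloudWatch metrics and sampled requests, so step 4 (watch the logs) has data."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def managed_rule(name, priority, count_mode=True):
    """Managed rule group; Count mode on Day 0 so tuning happens before blocking."""
    override = {"Count": {}} if count_mode else {"None": {}}
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": override, "VisibilityConfig": visibility(name)}


def rate_rule(name, priority, limit, uri_prefix=None):
    """Rate-based rule per client IP over the trailing 5-minute window.
    With uri_prefix only requests under that path are counted (the Day 1
    URI-specific variant, e.g. a tighter limit on /login)."""
    stmt = {"Limit": limit, "AggregateKeyType": "IP"}
    if uri_prefix:
        stmt["ScopeDownStatement"] = {"ByteMatchStatement": {
            "SearchString": uri_prefix.encode(), "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "STARTS_WITH"}}
    return {"Name": name, "Priority": priority, "Statement": {"RateBasedStatement": stmt},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def day0_rules(count_mode=True, site_limit=2000, login_limit=100):
    """Assemble the Day 0 set: three managed groups plus a site-wide rate rule,
    and one tighter rate rule scoped to /login for Day 1. Priorities must be unique."""
    rules = [managed_rule(n, i, count_mode) for i, n in enumerate(DAY0_MANAGED_GROUPS)]
    base = len(rules)
    rules.append(rate_rule("SiteRateLimit", base, site_limit))
    rules.append(rate_rule("LoginRateLimit", base + 1, login_limit, "/login"))
    return rules
```

Pass the list as the Rules parameter together with Name, Scope, DefaultAction and VisibilityConfig; switch count_mode to False only after the log review in step 4 shows no false positives.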
Day 1
Once you have settled your Day 0 rules and started analyzing traffic patterns from the logs, fine tuning can be done to enrich the protection. AWS offers plenty of options for this; I would like to recommend some of them, which can be implemented in a phased manner.
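The log review that drives this tuning, as an added example (not from the original post): it reads AWS WAF JSON log records, totals what the rate rule blocked and what each Count-mode managed rule would have blocked, and flags the counted rules that look safe to switch to Block. The field names follow the AWS WAF log format; the records, IPs and the tuning heuristic in block_candidates are constructed assumptions.

```python
# Added example (not from the original post): triage AWS WAF JSON logs to see what the
# Count-mode rules would have blocked before switching them to Block. The log records
# are constructed samples; the field names follow the AWS WAF log format.
import json
from collections import defaultdict

GROUP = "AWS#AWSManagedRulesCommonRuleSet"

def _rec(ip, uri, args="", action="ALLOW", terminating="Default_Action", counted=()):
    """One constructed log record (RFC 5737 documentation IPs, Common rule set in Count)."""
    return json.dumps({
        "timestamp": 1600000000000, "formatVersion": 1, "action": action,
        "terminatingRuleId": terminating,
        "ruleGroupList": [{"ruleGroupId": GROUP, "terminatingRule": None,
                           "nonTerminatingMatchingRules": [
                               {"ruleId": r, "action": "COUNT"} for r in counted]}],
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri, "args": args,
                        "httpMethod": "GET"},
    })

SAMPLE_LOGS = (  # constructed: 3 legit uploads, 2 LFI probes from one IP, 2 rate-limit blocks
    [_rec(f"203.0.113.{n}", "/upload", counted=("SizeRestrictions_BODY",)) for n in (10, 11, 12)]
    + [_rec("198.51.100.7", "/app", f"file=../../{p}", counted=("GenericLFI_QUERYARGUMENTS",))
       for p in ("config", "secret")]
    + [_rec("192.0.2.55", "/", action="BLOCK", terminating="SiteRateLimit")] * 2
)

def triage(lines):
    """Return (blocks per terminating rule, Count matches per rule with distinct IPs/URIs)."""
    blocks = defaultdict(int)
    counted = defaultdict(lambda: {"hits": 0, "ips": set(), "uris": set()})
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        if rec["action"] == "BLOCK":
            blocks[rec["terminatingRuleId"]] += 1
        for group in rec.get("ruleGroupList", []):
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m["action"] == "COUNT":
                    key = f'{group["ruleGroupId"]}/{m["ruleId"]}'
                    counted[key]["hits"] += 1
                    counted[key]["ips"].add(req["clientIp"])
                    counted[key]["uris"].add(req["uri"])
    return dict(blocks), dict(counted)

def block_candidates(counted, max_ips=2):
    """Assumed heuristic: a counted rule hit by only a few distinct IPs is likely real
    probing and a Block candidate; hits spread across many IPs on one legitimate URI
    point to a false positive to scope down or exclude before turning on Block."""
    return sorted(k for k, v in counted.items() if len(v["ips"]) <= max_ips)
```

In the sample, SizeRestrictions_BODY fires on legitimate uploads from three different clients and is left in Count for scoping, while the LFI rule fires only from one probing IP and is reported as ready for Block.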
1. AWS Managed WAF Rule Set: after understanding the application platforms, curated rules in the AWS Managed Rule set like PHP, Linux operating system, SQL database etc. can be enabled. These complement the existing Day 0 controls.
2. URI-specific rate-based rule: some application URI endpoints typically receive a high request volume, but for others it would be unusual and suspicious to see a high request count. For example, multiple requests in a 5-minute period to an application's login page are suspicious and indicate a potential brute-force or credential-stuffing attack against the application. A URI-specific rule can prevent a single source IP address from connecting to the login page as few as 100 times per 5-minute period, while still allowing a much higher request volume to the rest of the application. Some applications also have naturally computationally expensive URIs that, when called, require considerably more resources to process the request.
More details: https://aws.amazon.com/about-aws/whats-new/2018/06/waf-new-features-queryargs-cidr/
3. Enhanced pattern matching against query string arguments: a string match condition identifies the string that you want to search for and the part of the web request, such as a specified header or the query string, that you want AWS WAF to inspect.
For example, suppose you create two conditions. One matches web requests that contain the value BadBot in the User-Agent header. The other matches web requests that contain the value BadParameter in the query string. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF allows or blocks requests only when they contain both values.
The options in the string match methods multiply these capabilities, letting you filter and look up at a much more granular level.
4. Blacklist and whitelist: you can create your own custom blacklists and whitelists from the browsing patterns you observe on the Internet. You can take many approaches when applying these, like traditional firewall rules, for example allowing your critical applications only to known IP addresses or blocking certain IP addresses based on their behavior.
You can create a golden blacklist IP address set that can be reused in multiple firewall ACLs.
How to create an IP address set: https://docs.aws.amazon.com/waf/latest/developerguide/waf-ip-set-creating.html
5. Geographic match rule: this condition type allows you to use AWS WAF to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access. For example, legal and licensing requirements restrict some customers from delivering their applications outside certain countries; these customers can configure a whitelist that allows only viewers in those countries.
6. Own rules and rule groups: you can create your own rule group to reuse collections of rules that you either don't find in the managed rule group offerings or that you prefer to handle on your own. AWS WAF provides deep customization capabilities in this area, where many permutations and combinations can be used to create custom rules.
Examples:
a. You can use a size constraint condition to look for query strings longer than 100 bytes.
b. SQL injection attack rule statement: an SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect.
Custom rule statement options:
7. Regex: regex complements the string match conditions previously available in AWS WAF, allowing you to match more sophisticated request patterns when inspecting and filtering web requests. For instance, you can use regex to block certain known bad bots by looking for patterns like B[a@]dB[o0]t in the User-Agent header. You can also apply multiple regex patterns to a single request, allowing you, for example, to block requests that match B[a@]dB[o0]t or C[r@]al[e0]rs[1-2]*. Once created, regex patterns can be reused across multiple AWS WAF rules, allowing you to look for the same expression across different parts of a web request such as the header, query string, or body.
8. Third-party vendor rules: many AWS Marketplace Sellers publish curated firewall rules that are quickly integrable in AWS WAF. They complement the managed rules and provide sophisticated, wide protection.
A few use cases:
a. Managed rules targeting common vulnerabilities such as code injection techniques (SQLi, NoSQLi, OS command injection, etc.), XSS, directory traversal and known exploits involving web applications using technologies such as Apache Struts2, Apache Tomcat, Oracle WebLogic, WordPress, Drupal and Joomla!, plus malicious bot rulesets.
b. Protection against common vulnerabilities and exposures (CVE). CVE Rules for AWS WAF provide protection for high-profile CVEs targeting the following systems: Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress.
c. Protection against API attacks, web attacks (such as XML external entity attacks) and server-side request forgery. The rule set includes support for XML and JSON payloads and common web API frameworks.
Why AWS WAF is adopted more than a traditional WAF in the AWS Cloud
WAF is provided as a service in AWS, and there are plenty of advantages to choosing this service instead of deploying a complete third-party solution. A couple of the advantages are:
- No capacity management on the WAF device needed
- Quick enablement without any configuration hurdles
- Managed firewall rules for quick enablement of protection suites
- Zero infrastructure and software management needed
- The service can scale to accommodate a larger user base
- Zero or minimal latency added to the data round trip
- No routing changes needed in the network layer to accommodate WAF
WAF Automation
This solution automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.
https://aws.amazon.com/solutions/implementations/aws-waf-security-automations/
Conclusion
It is evident that your defensive system needs a WAF as the bare-minimum protection suite for your Internet-facing workloads. There are plenty of options available to quick-start and then enrich your security posture to the protection best aligned with your workload. Through this blog, I intended to give some guidance on Day 0 and Day 1 access control rules that can be adopted.
3x AWS Certified | 2X GCP Certified | CKA & CKS Certified | Cloud Architect | RHCE | VCP | CCNA | CNCF evangelist | Speaker (3 years ago): Very useful
Cloud Solutions Architect | Microsoft Azure | GCP | AWS | Multi Cloud | Microsoft EMS & O365 (3 years ago): Very useful..!!
Cloud Solution Architect - Amazon Business Unit, Full Stride Cloud at Wipro Limited (3 years ago): Very useful
Presales Consultant at Wipro Ltd. at Wipro Limited (3 years ago): Very informative