
Securing applications in AWS with Web Application Firewall

A customer environment in AWS has to meet internal compliance standards. Application-layer security needs to be enabled to protect the environment from DDoS attacks and application vulnerabilities.

To solve this problem, Cloudifyops implemented a Web Application Firewall (WAF). This blog explains how to set up AWS WAF and scan for vulnerabilities.

A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others. A WAF is a layer 7 (application layer) defense in the OSI model and is not designed to defend against all types of attacks, such as those at the lower network layers.

How does it work? Deploying a WAF in front of a web application places a shield between the application and the internet. While a forward proxy protects a client machine's identity by acting as an intermediary, a WAF is a type of reverse proxy: it protects the server from direct exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.

AWS WAF can be used to control how resources such as an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer (ALB) or an AWS AppSync GraphQL API respond to web requests.

A Web Access Control List (Web ACL) is used to protect a set of AWS resources. You create a Web ACL and define its protection strategy by adding rules. Rules define the criteria for inspecting web requests and specify how to handle requests that match those criteria. The Web ACL also has a default action, which indicates whether to block or allow requests that do not match any of its rules.

Rules contain a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, it is a match. We can use rules to block or allow matching requests. We can also count matching requests using rules.

Rule groups are reusable collections of rules. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups. We can also define our own rule groups.

Priority of Rules: if we define more than one rule in a Web ACL, AWS WAF evaluates each request against the rules in order of their Priority value, starting with the lowest numeric value. The priorities need not be consecutive, but they must all be different.

AWS Managed Rule groups

AWS WAF Bot Control protects against automated bots, provides additional visibility through CloudWatch and generates labels that you can use to control bot traffic to your applications (paid rule group, capacity 50).

Free rule groups

  • Admin protection — Contains rules that block external access to admin pages
  • Amazon IP reputation list — Contains rules based on Amazon threat intelligence. Useful if you want to block sources associated with bots or other threats
  • Anonymous IP list — Used to filter out viewers that may try to hide their identity from your applications (e.g. block requests from VPNs, proxies, Tor exit nodes and hosting providers)
  • Core rule set — Generally applicable to web applications. Provides protection against a wide range of vulnerabilities, including those described in OWASP publications
  • Known bad inputs — Rules that block request patterns known to be invalid and associated with exploitation
  • Linux operating system — Rules that block request patterns associated with the exploitation of Linux-specific vulnerabilities, preventing exposure of file contents and code execution by attackers

Custom rules can be created to block, allow or count traffic that:

  • Originates from a particular country
  • Originates from a CIDR range
  • Carries a specific header, URI path or body

The Web ACL default action additionally sets whether traffic that does not match any of the Web ACL rules is blocked, allowed or counted.

WAF Setup for ALB

Sample WAF Setup

Here a sample WAF is set up associated with an application load balancer. We have enabled some custom rules and managed rule groups.

Setting up WAF

In the WAF & Shield dashboard, create a Web ACL and associate it with the load balancer of the application. It is also possible to associate it with CloudFront, API Gateway and AppSync.

Select Add AWS resources under Associated AWS resources.

Select the ALB and click Next. Rules can now be configured.

Once we set the rules, we can set the rule priorities in the next tab.

Click next and the metrics configuration tab will appear.

Configure the CloudWatch metrics and click next. You will be prompted to review the WAF details before clicking create.

WAF Dashboard

Here is a sample dashboard of WAF with the metrics as per the rules we specified.

Rules and Priorities

Rules work on priorities. Consider that we add rule1, allowing traffic from a particular IP address, and rule2, denying access if the URL contains a particular path or string. If rule1 has a lower priority value than rule2 (so it is evaluated first), a request from that IP address whose URL would be denied by rule2 will not be denied, because rule1 matches first and its allow action ends the evaluation.
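The rule ordering described above, together with the Web ACL rules from the setup section, as an added example that is not part of the original post: the rules are written in the JSON shape `aws wafv2 create-web-acl --rules file://rules.json` accepts, and a small constructed evaluator replays AWS WAF's priority order (lowest value first, first Allow or Block terminates, Count continues). The rule names "india" and "pathbase" follow the custom-rule metrics in the post; the country code, path prefix and default action are assumptions.

```python
"""Web ACL rule priorities, as an added example (not the post's own code)."""
import json

# Rules in the shape accepted by: aws wafv2 create-web-acl --scope REGIONAL \
#   --name sample-acl --default-action Allow={} --rules file://rules.json \
#   --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=sample-acl
# then: aws wafv2 associate-web-acl --web-acl-arn <WEB_ACL_ARN> --resource-arn <ALB_ARN>
RULES = [
    {"Name": "india", "Priority": 0,                       # evaluated first
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["IN"]}},
     "Action": {"Allow": {}},
     "VisibilityConfig": {"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True, "MetricName": "india"}},
    {"Name": "pathbase", "Priority": 1,                    # evaluated second
     "Statement": {"ByteMatchStatement": {
         "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
         "SearchString": "/admin",
         "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
     "Action": {"Block": {}},
     "VisibilityConfig": {"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True, "MetricName": "pathbase"}},
]
DEFAULT_ACTION = {"Allow": {}}  # assumed; applies only when no rule allowed or blocked

def validate_priorities(rules: list) -> None:
    """AWS WAF requires distinct Priority values; they need not be consecutive."""
    prios = [r["Priority"] for r in rules]
    if len(prios) != len(set(prios)):
        raise ValueError(f"duplicate rule priorities: {prios}")

def _matches(statement: dict, req: dict) -> bool:
    """Constructed matcher for the two statement types used above (not AWS code)."""
    if "GeoMatchStatement" in statement:
        return req["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    bm = statement["ByteMatchStatement"]
    path = req["path"]
    if any(t["Type"] == "LOWERCASE" for t in bm["TextTransformations"]):
        path = path.lower()
    return path.startswith(bm["SearchString"])  # PositionalConstraint STARTS_WITH

def evaluate(rules: list, default_action: dict, req: dict) -> str:
    """Replay WAF order: lowest Priority first; first Allow/Block wins; Count continues."""
    validate_priorities(rules)
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req):
            action = next(iter(rule["Action"]))
            if action in ("Allow", "Block"):
                return action
    return next(iter(default_action))

if __name__ == "__main__":
    print(json.dumps(RULES, indent=2))  # paste into rules.json for the CLI call above
    print(evaluate(RULES, DEFAULT_ACTION, {"country": "IN", "path": "/admin/login"}))
```

Swapping the two Priority values makes the same request from India hit the path block first, which is the ordering pitfall the post describes.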

Requests and status in WAF Dashboard

Here, the drop-down on the right shows all the rules and rule groups and can be used to filter the requests. In this drop-down, "india" and "pathbase" are the metrics of our custom rules, while the metrics whose names start with AWS belong to the AWS managed rule groups.

To learn more about these cutting edge technologies & real time industry applied best practices, follow our LinkedIn Page. To explore our services, visit our website.
