Monday, 2 May 2016

AWS WAF

Web Application Firewall

Model
  • Integrates with CloudFront (CloudFront distributions are the only supported front end at the time of writing)
    • Requests are inspected at the edge, before they reach the origin server
    • HTTPS traffic can be inspected too, because CloudFront terminates TLS at the edge
  • Protects against
    • SQL Injection (SQLi)
    • XSS
    • Custom rules
      • User Agents (bad bots)
      • Content scrapers
  • CloudWatch metrics are published per rule and per Web ACL (AllowedRequests, BlockedRequests, CountedRequests)
  • Runs on the edge servers, so blocked requests never consume origin capacity
  • Testing
    • Count how many requests would have matched a rule, without allowing or blocking them
    • View a sample of the requests WAF inspected, with the rule that matched and the action taken

Condition
  • Predicate about one part of the request
    • URI
    • Query String
    • HTTP Header
    • IP address (source address matched against CIDR ranges)
  • Transformations, applied to the inspected text before the match (attackers often camouflage requests with encoding or odd casing to slip past a literal match)
    • Compress whitespace (COMPRESS_WHITE_SPACE)
    • Decode HTML entities (HTML_ENTITY_DECODE)
    • Convert to lowercase (LOWERCASE)
    • Simplify command line (CMD_LINE)
    • URL decode (URL_DECODE)
  • Filter
    • StringMatch (contains, exactly, starts with, ends with)
    • SqlInjection Match
    • "Match at least one": a condition matches when any one of its filters matches (OR)

Rule
  • Collection of conditions (1+)
  • AND'ed together: every condition must match for the rule to match
  • Action
    • allow - pass the request through to the origin
    • block - return 403 (or a custom error page via CloudFront custom error responses)
    • count - testing: record the match and continue to the next rule (see how many requests a rule would affect before enforcing it)

Web ACL

  • Ordered list of rules (1+)
  • First match wins: the first allow or block rule that matches decides the request
  • Default action - applied if no rule matches
    • block or allow
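As an added example (not from the original post and not AWS code), here is a toy Python model of the evaluation pipeline described in the Condition, Rule and Web ACL sections above: text transformations applied before matching, filters OR'ed within a condition, conditions AND'ed within a rule, and an ordered Web ACL where the first allow/block rule wins while a count rule only records its match. The rule names, CIDR ranges, SQLi regex and sample requests are all constructed for illustration; the CMD_LINE transform is an approximation of the documented behaviour and the SQLi check is a toy heuristic rather than AWS's detector.

```python
"""Toy model of AWS WAF (classic) evaluation, constructed for this post and not the
AWS implementation: text transformations, filters OR'ed in a condition, conditions
AND'ed in a rule, and an ordered Web ACL (first allow/block wins, COUNT just counts)."""
import html
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

def cmd_line(s: str) -> str:
    # Approximates documented CMD_LINE: delete \ " ' ^; drop spaces before / and (; , ; -> space; squeeze; lowercase
    s = re.sub(r"[\\\"'^]", "", s)
    s = re.sub(r"\s+(?=[/(])", "", s)
    s = re.sub(r"[,;]", " ", s)
    return re.sub(r"\s+", " ", s).lower()

# Keyed by the AWS WAF TextTransformation names.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "NONE": lambda s: s, "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
    "HTML_ENTITY_DECODE": html.unescape, "LOWERCASE": str.lower,
    "CMD_LINE": cmd_line, "URL_DECODE": unquote_plus,
}

def field_value(req: dict, fld: str) -> str:
    if fld in ("IP", "URI", "QUERY_STRING"):
        return req[fld.lower()]
    if fld.startswith("HEADER:"):
        wanted = fld.split(":", 1)[1].lower()
        return next((v for k, v in req["headers"].items() if k.lower() == wanted), "")
    raise ValueError(f"unknown field {fld}")

@dataclass
class Filter:
    fld: str  # IP, URI, QUERY_STRING or HEADER:<name>
    transform: str
    predicate: Callable[[str], bool]
    def matches(self, req: dict) -> bool:
        # Transform first, then test: this is what defeats camouflaged input.
        return self.predicate(TRANSFORMS[self.transform](field_value(req, self.fld)))

# Toy heuristic standing in for AWS's own SqlInjectionMatchSet detection.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table", re.I)
def looks_like_sqli(s: str) -> bool:
    return SQLI_RE.search(s) is not None
def in_cidrs(cidrs: List[str]) -> Callable[[str], bool]:
    return lambda ip: any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

@dataclass
class Condition:
    filters: List[Filter]
    def matches(self, req: dict) -> bool:
        return any(f.matches(req) for f in self.filters)  # OR: at least one filter

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    action: str  # ALLOW, BLOCK or COUNT
    def matches(self, req: dict) -> bool:
        return all(c.matches(req) for c in self.conditions)  # AND: every condition

@dataclass
class WebACL:
    rules: List[Rule]
    default_action: str
    def evaluate(self, req: dict) -> Tuple[str, List[str]]:
        """First ALLOW/BLOCK rule that matches wins; COUNT rules are noted and skipped."""
        counted: List[str] = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action != "COUNT":
                return rule.action, counted
            counted.append(rule.name)
        return self.default_action, counted

is_admin_path = Filter("URI", "LOWERCASE", lambda s: s.startswith("/admin"))
ACL = WebACL(default_action="ALLOW", rules=[
    Rule("allow-admin-from-office", [Condition([Filter("IP", "NONE", in_cidrs(["203.0.113.0/24"]))]),
                                     Condition([is_admin_path])], "ALLOW"),
    Rule("block-admin-elsewhere", [Condition([is_admin_path])], "BLOCK"),
    Rule("block-sqli", [Condition([Filter(f, "URL_DECODE", looks_like_sqli) for f in ("QUERY_STRING", "HEADER:Cookie")])], "BLOCK"),
    Rule("count-scrapers", [Condition([Filter("HEADER:User-Agent", "LOWERCASE", lambda s: "scrapy" in s)])], "COUNT"),
])

def make(ip: str, uri: str, qs: str = "", ua: str = "Mozilla/5.0", cookie: str = "") -> dict:
    return {"ip": ip, "uri": uri, "query_string": qs, "headers": {"User-Agent": ua, "Cookie": cookie}}

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_REQUESTS: Dict[str, dict] = {
    "office-admin": make("203.0.113.7", "/Admin/users"),
    "outside-admin": make("198.51.100.9", "/admin"),
    "sqli-in-query": make("198.51.100.9", "/search", qs="q=1%27%20oR%201%3D1"),
    "scraper": make("198.51.100.9", "/", ua="Scrapy/2.11"),
}

def evaluate_samples(acl: WebACL = ACL) -> Dict[str, Tuple[str, List[str]]]:
    return {name: acl.evaluate(req) for name, req in SAMPLE_REQUESTS.items()}
```

Calling evaluate_samples() shows why rule order and transformations matter: the office /Admin request is allowed by the first rule, the same path from another address falls through to the second rule and is blocked, the URL-encoded `1' oR 1=1` is only caught because the filter URL-decodes before the SQLi check runs, and the scraper is counted but still reaches the default action and is allowed.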
