WAF- A much needed Security Service for Web Applications

2021.03.01

WHAT IS AWS WAF

AWS WAF is a Web Application Firewall that provides the security against common web attacks such as SQL Injection, Cross-Site Scripting. WAF distinguishes between harmful and legitimate requests by filtering both HTTP and HTTPS requests. AWS WAF can be deployed on the Aplication Load Balancer, Amazon CloudFront and Amazon API Gateway. It allows you to filter the web traffic with Rules and thus blocking the malicious requests. The CloudFront responds to the requests either with the content requested or 403 (HTTP Status code - Forbidden), based on the conditions you specify like IP addresses or any query strings. WAF provides flexibility, Integration and affordability. AWS WAF is a pay-as-you-go service. It is based on number of rules you deploy and the number of requests received.

WAF Components

WAF Conditions

The monitoring element of the inbound request can be specified through Conditions. The conditions can be cross-site scripting match conditions, IP address(single or range of IP addresses), Geo match,  size constraints (Header, HTTP Method, Query String, URI, Body) , String matching, regex  and SQL Injection.  The requests are then either blocked or allowed based on these conditions.

WAF Rules

Rules are set of conditions which are compiled into a list. These conditions are ANDed to form a inspection criteria, where the inbound request should meet all the conditions inorder to match the rule. The rules types - Regular Rule and Rate-based Rule. Each rule contains a inspection criterian and an action to be taken if the request meets the criteria. Rules can be used to allow the matching request, block the matching request or just to count the matching requests.

WEB ACL 

Web ACL can be created by adding rules as the protecting strategy. Web Access Control List can be used to protect set of AWS services. The Web ACL can be associated with one or more AWS services. A action is set for Web ACL to allow or block request that pass through the rule.

 

How to Configure WAF to allow, block and Count the number of requests

The WAF here is deployed on Application Load Balancer with EC2 instances. Web ACL and a rule is added to count and allow requests. Later, this ACL rule is modified to block access using Managed Rule Group.

Creating EC2 Instances that are Load balanced

  • Launch 3 EC2 instances in three different subnets within the same VPC.
  • Create Security group with port 80 and 22 enabled for all the instances.
  • Install Apache in the EC2 instance using the following commands.
 yum update -y
 yum intall -y httpd
 systemctl start httpd
 systemctl enable httpd
  • Create a Test HTML page on all the EC2 instances.
  • Create an Application Load Balancers(HTTP)
  • Create a Target Group and attach the 3 instances.
  • Access the HTML page through ELB's DNS.
  • Refresh the Page and you can see the page is loaded randomly from instances.

Creating Web ACL and adding Rules

The requests is either blocked or allowed based on the specified IP addresses.

  • Go to AWS Firewall Manager and select AWS WAF.
  • Create a IP Set and add set of IP addresses that you would like allow and count requests. You can add your own IP address.
  • Create Web ACL to leverage your Load Balancer. Create Web ACL with resources as Regional resources, Select the resource type as ALB and add the your Application Load Balancer to ACL.
  • Go to your web ACL-> under Rules->select add Rule 
  • Add a rule with rule type as IP set, name, select your IP set and action as allow. If you have added your own IP address in IP set, then select the Source IP address option. Click next and select Default action as Allow. For CloudWatch metrics Select your rules Set and create Web ACL. It takes some time to create Web ACL.
  • Testing ACL for count and allowed requests through Web ACL chart or Cloudwatch.
  • Through Web ACL Chart - select your ACL-> click on overview to see the graph. Refresh the web page to see the changing count. The graph shows the count of requests, number of allowed requests.
  • Through Cloudwatch. CloudWatch -> All Metrics->WAFV2-> Web ACL and select all the rules to view the count and allowed requests.
  • Changing the rule to block the request. Edit the rule and select the action as block instead of count and save.
  • Add AWS Managed rule to the same ACL. Select Amazon IP reputation list. It is a managed rule group provided by AWS and contains rules that are based on Amazon threat intelligence. This is useful to block bots or other threats. Now When the Web Page is refreshed it shows 403 error (Forbidden).
  • Test the ACL again to see the blocked requests.

Test the ACL again to see the blocked requests.IP sets is one of the way to create IP address match condition to allow, block and count requests.  Based on the requirements, other types of conditions can be created.

Things to Know about AWS WAF

  • WAF has customizable security rules. It can also be used to protect websites not hosted on AWS.
  • It has developer's friendly API for creating rules. Rules can be reused for multiple applications.
  • WAF provides OWASP security controls.
  • It can inspect HHPTS traffic can be monitored from CloudWatch.

Conclusion

WAF helps to protect the web application from unauthorized and malicious traffic. WAF is a security service of AWS for Web applications and plays an important part of the web application opertions. Using WAF, you can create your own set of rules or add rules from AWS Managed rule.