WAF or web application firewall helps protect your web
applications from common web exploits such as SQL injection, Cross site
scripting or XSS, HTTP flood attacks etc. These types of attacks can compromise
security and data, affect availability of the web application or allow
attackers to use resources without your knowledge and incur exorbitant amounts
of usage bills. AWS WAF can be deployed on either Amazon CloudFront as part of
your CDN solution, the Application Load Balancer (ALB) that fronts your web servers
or origin servers running on EC2, or Amazon API Gateway for your APIs.
All components required for this available in a form of a
CloudFormation template, from which users can select from a set of
preconfigured rules for a web ACL (Access control list) according to their
requirement. The CloudFormation can be deployed and customized as shown below:
The CloudFormation deploys an architecture similar to the one
shown below including an AWS WAF with rules, S3 bucket, AWS lambda etc.
Image courtesy: Amazon Web Services (AWS)
This solution protects web applications against:
SQL
injection: Attackers use malicious SQL insert operations in web requests to try
and extract sensitive data from your SQL databases. The solution blocks any
potentially malicious web requests.
Cross
site scripting (XSS): In this type of attack, attackers use vulnerabilities in
a benign website to inject malicious client-side scripts to a user’s browsers,
which in turn compromises the infected user’s security.
HTTP
flood attacks: This mostly pertains to a class of attacks called Distributed
denial of service or DDOS, where attackers send a unhand able number of packets
to a web application to bring it down. The solution triggers a rate-based rule
if a threshold of web requests is met.
Scanners
and probes: Scanners and probes act as the initial form of reconnaissance for
attackers where they probe a web facing server and figure out the ports and
tools/software on the server. In this solution, there is an AWS Lambda function
that looks at the history of bad requests and blocks IP addresses from
performing further scans.
Known
attacker origins: By using third party web reputation lists/ databases of known
malicious IP attackers we can prevent them from accessing our resources. This
solution automatically blocks requests from such entities.
Bots
and scrapers: content scrapers and bad bots are prevalent in the web and try to
access your content in ways that are not indented. The solution blocks any such
type of request.
The solution
mentioned above can be integrated into your existing AWS ACL/WAF solution and
can be modified to protect multiple types of web applications.
We hope this helped. Please let us know if you have any questions at solutions at stackArmor dot com.
