This post was last updated on 3 September 2019.
A modern enterprise cannot rely on a single line of defense. Attackers continually reinvent ways and means to break through cyber defenses, and there is a constant stream of news about data breaches such as the one at Equifax and attacks on cryptocurrency exchanges. Discussions of cybersecurity now consider how it affects us all. In this three-part series, let’s take a closer look at how companies are safeguarding their assets from these attacks.
The DDoS attack is the weapon of choice for many intruders, and its use has risen alarmingly in the recent past. Classic examples are the 2016 attack on DNS provider Dyn and the attack on GitHub that took its service down for more than 10 minutes. Downtime has a widespread impact on businesses, not just in terms of money but also through reduced customer affinity: 8% of customers stopped using Dyn after the attack, and Equifax faced a bevy of lawsuits.
AWS WAF and AWS Shield
Network-layer firewalls and traditional security tools cannot detect and counter today’s sophisticated threats. To meet the growing need for advanced threat detection, AWS introduced the AWS Web Application Firewall (WAF) and AWS Shield.
AWS WAF is a web application firewall service that monitors the HTTP and HTTPS requests forwarded to Amazon CloudFront distributions and Application Load Balancers in order to secure your traffic. It lets you filter web traffic with custom Rules, block malicious requests, and monitor and tune your web applications. For additional protection against DDoS attacks, AWS offers AWS Shield Advanced, which provides expanded DDoS protection for your CloudFront distributions, Amazon Route 53 hosted zones, and Elastic Load Balancers. Among other benefits, AWS WAF offers easy AWS integration, affordability, and flexibility.
AWS WAF and Shield express the vulnerabilities they guard against as Rules. A Rule is a set of conditions combined with a predefined web access control list (ACL) action (Block, Allow, or Count). Users create a Rule and specify the conditions that AWS WAF searches for in incoming web requests. If you add more than one condition to a Rule, a web request must match ALL of the conditions in the Rule before AWS WAF allows or blocks it based on that ACL.
For instance, AWS WAF can watch for the IP addresses from which requests originate. It can also inspect strings in these requests, where they appear, and whether they appear to contain malicious code.
AWS WAF works with Amazon CloudFront and Amazon ELB (Elastic Load Balancing). To avoid web attacks, you need to monitor HTTP and HTTPS requests, and placing CloudFront or an ELB in front of the application makes the distributed traffic easy to analyze. The Open Web Application Security Project (OWASP) provides a list of standard vulnerabilities (threats) such as cross-site scripting, IP blocks, DDoS, geo-location specification, etc. The top vulnerabilities include:
Cross-Site Scripting (XSS)
XSS occurs when an attacker uses a web application to send malicious code to a different end user. This code usually takes the form of browser-side scripts and can be carried in HTML tags, the BODY, the URL, the query string, or the HEADER of a cookie.
Geo-location or Geographic Match Condition
Cybercriminals use geolocation before expanding their attacks into a targeted region.
Bad-Bot Rule
Bad bots take data from websites without permission and enable misuse, high-speed abuse, and attacks on websites and APIs. Most account thefts and frauds use user information that is available online.
SQL Injection
SQL injections are malicious SQL queries that attackers execute to harm and exploit a database server.
Scans Probes Rule
Port scanning is one of the techniques attackers most commonly use to probe and break into systems. With it, they can discover running services, which user owns those services, and anonymous login details.
If your application is not able to handle these vulnerabilities, there are high chances of data loss and theft, resulting in massive damage to the business.
AWS WAF and AWS Shield Architecture
To distribute the traffic of the web application, you need to look at the AWS WAF architecture and use AWS ELB. The same configuration can be used with AWS Shield Advanced for protection against DDoS attacks.
As shown below, the WAF sits behind a load balancer. It works according to the Rules and access control lists (ACLs) configured in the WAF, which makes it easy to allow or block API requests through the ACL.
Implementation of AWS WAF with CloudFront or ELB
The process is as follows:
- Create an ELB or a CloudFront distribution to handle the HTTP or HTTPS requests for the network firewall
- If you distribute traffic using ELB, select an Application Load Balancer with S3 buckets
- If you want to use CloudFront, choose Web and originate from an S3 bucket.
- Create WAF Rules, which can cover a list of probable attacks from web attackers, using the AWS WAF security automation CloudFormation template. You can download the following templates:
- the AWS WAF security automation solution template for CloudFormation using CloudFront
- the AWS WAF security automation solution template for CloudFormation using ELB
- AWS recently announced WAF integration with API Gateway to protect web applications and APIs from attacks governed by a set of web ACL rules. A detailed guide at the end of this post shows WAF integration for API Gateway.
- CloudFormation can use these downloaded templates. It takes approximately 10-15 minutes to create all the resources WAF uses.
- AWS’ default security template can configure nine Rules. Rules are predefined configurations for securing your web applications against standard vulnerabilities; users can further customize them to their requirements.
Configure each Rule as required, for example the Geo-location Rule.
- The list of Rules, together with the theft attacks you expect, also helps in choosing which service to use
- Adding an ACL depends on whether the action you take allows or blocks the request. Based on this configuration, the load balancer either allows the request or blocks it with an HTTP 403 (Forbidden) status code.
- Test the customized Rules and manage Alerts for theft
- You can test these Rules using JMeter or Postman
- Users are made aware of attacks through CloudWatch, where you can configure an Alert on a WAF metric
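The Rule and ACL semantics the post describes (all conditions in a Rule must match, Block/Allow/Count actions, a 403 on block) can be modelled in a few lines. The following is an added illustration written for this post, not AWS code and not the CloudFormation template; the request fields, country code "XX", and the 203.0.113.0/24 range are constructed placeholders.

```python
# Added illustration (not AWS code; calls no AWS API) of the web ACL semantics
# described above: a Rule matches only when ALL its conditions match, the first
# matching ALLOW/BLOCK Rule decides, COUNT only tallies, default applies otherwise.
import ipaddress
import re
from typing import NamedTuple

class Request(NamedTuple):  # constructed stand-in for an inbound HTTP request
    source_ip: str
    country: str
    uri: str
    query_string: str = ""
    body: str = ""

# Condition factories; each returns a predicate Request -> bool.
def ip_match(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)
def geo_match(*countries):
    return lambda r: r.country in countries
def string_match(pattern, part):  # part: "uri", "query_string" or "body"
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda r: rx.search(getattr(r, part)) is not None

class Rule(NamedTuple):
    name: str
    action: str  # "ALLOW", "BLOCK" or "COUNT"
    conditions: list
    def matches(self, req):  # every condition must hold (logical AND)
        return all(c(req) for c in self.conditions)

def evaluate(web_acl, req, counts, default_action="ALLOW"):
    """Return (http_status, rule_name); BLOCK gives the 403 the post mentions."""
    for rule in web_acl:
        if not rule.matches(req):
            continue
        if rule.action == "COUNT":  # tally and keep evaluating
            counts[rule.name] = counts.get(rule.name, 0) + 1
            continue
        return (403 if rule.action == "BLOCK" else 200), rule.name
    return (403 if default_action == "BLOCK" else 200), "default"

# Constructed web ACL; "XX" and 203.0.113.0/24 are placeholder values.
WEB_ACL = [
    Rule("AllowTrustedRange", "ALLOW", [ip_match("203.0.113.0/24")]),
    Rule("SqlInjection", "BLOCK", [string_match(r"union\s+select|'\s*or\s+1=1", "query_string")]),
    Rule("Xss", "BLOCK", [string_match(r"<script", "body")]),
    Rule("GeoBlockAdmin", "BLOCK", [geo_match("XX"), string_match(r"^/admin", "uri")]),
    Rule("ScanProbes", "COUNT", [string_match(r"\.(php|env)$", "uri")]),
]
```

Note that GeoBlockAdmin only fires when both its conditions hold, and that a COUNT Rule never decides the outcome, which is why a Rule is usually deployed in Count mode first and switched to Block once the CloudWatch metric shows no false positives.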
Implementation of AWS WAF Integration for API Gateways
Prerequisite: API Gateway requires regional web ACLs.
Associate an AWS WAF regional web ACL with an API Gateway API stage using the API Gateway console
To use the API Gateway console to associate an AWS WAF regional web ACL with an existing API Gateway API stage, use the following steps:
- Sign in to the API Gateway console
- In the APIs navigation pane, choose the API, and then Stages
- While on the Stages pane, choose the name of the stage
- In the Stage Editor pane, choose the Settings tab
- To associate a regional web ACL with the API stage:
- In the AWS WAF Web ACL dropdown list, choose the regional web ACL that you wish to associate with this stage.
- Note: If the web ACL you need doesn’t exist yet, choose Create WebACL and then choose Go to AWS WAF to open the WAF console in a new browser tab and create a regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.
- Choose Save Changes.
In the next parts of this series, we talk about the newly launched AWS Firewall Manager. This Firewall Manager helps us centrally configure and manage AWS WAF rules across multiple accounts and applications. Later, we will cover testing for these vulnerabilities and ensure that our WAF works as intended. Stay tuned!