AWS WAF: A Deep Dive, Part 1

For any organization with web-facing applications running in the cloud, a cloud web application firewall (WAF) is a key line of defense against malicious actors. For that reason, it’s critical to get the implementation correct, and that is not just a matter of choosing the right tool. Being able to configure a WAF effectively and correctly is the difference between a solid defensive posture and an application that is open to compromise.

For AWS users, Amazon offers AWS WAF, an integrated, managed application firewall service. Along with AWS Shield, it’s one of the primary native security tools for AWS. Although it’s a viable option for application teams that want to take advantage of their existing platform, it still has a number of downsides.

CISOs and other executives who wish to use AWS securely need to correctly understand the capabilities of its WAF used alone, as compared to an AWS-integrated web security solution that extends AWS WAF to provide complete protection. So is Amazon’s WAF service really the best choice for protecting cloud application infrastructure?

What Are the Goals of a Web Application Firewall?

To quantify the value of a given WAF solution, you have to first understand the goals of a WAF. What does a functional, effective solution look like? We review some key features below, but being able to get it up and running fast is also critical since this can deliver better time to value.

Risk Prevention

At a high level, the goal is simple: Prevent attacks and compromises from happening. Different features and capabilities are tailored to different attack vectors. One of the most common evaluation criteria is the OWASP Top 10, an expert consensus on “the most critical security risks to web applications.” 

A risk listed there is one that is commonly found in, and exploited against, real applications. Because the OWASP Top 10 captures some of the most serious and frequently encountered classes of vulnerability, it is a useful benchmark for security tools like WAFs, with one caveat: a WAF blocks known attack patterns at the edge, it does not remove the underlying flaw from the application.

Traffic Filtering

This is another capability that is a must-have for any modern WAF, as it enables users to define rules that allow or prevent web traffic from reaching the application. Depending on the features available, filters can block traffic based on a variety of criteria such as originating IP addresses, referenced URIs, and HTTP header content. 

An effective traffic filter matters for classes of vulnerability that are triggered by attacker-controlled request content reaching the application unchecked, such as cross-site scripting (XSS) and SQL injection, because common payload patterns can be recognized and dropped before they reach vulnerable code. It should provide this capability not only for web applications, but also as part of a broader set of features for API security. Users must be able to create granular rule sets to ensure the API remains protected while still functioning for legitimate users.

Bot Mitigation

Guarding against bot traffic is another key feature of an effective WAF. While in many cases bots are not outright malicious, they can still have a negative impact on web application and site performance. A good WAF will provide users with bot mitigation that is easy to understand and configure, without depending on manual identification of bot traffic.

Metadata Collection

Finally, monitoring and reporting features are critical. Preventing and mitigating attacks is the primary goal, but the intelligence and operational knowledge gained from the details of a specific incident are key to improving the overall security posture of your application infrastructure. 

Effective WAFs should not only record this metadata for later evaluation, but they should also support real-time traffic control: showing all traffic data in real time, firing alerts, providing immediate feedback when security policies are modified, and so on. Some attacks warrant an immediate response from security and operational teams, and in those cases, every second counts.

With these goals in mind, it’s time to evaluate AWS’ WAF solution to see if it delivers a full-featured and effective application firewall.

What Comes in the Box?

Let’s look at what AWS advertises for its WAF; in other words, what do you get, and what are its primary features?

AWS states its WAF service delivers the following (discussed in more detail below):

  • Web traffic filtering
  • Bot control
  • Account takeover fraud prevention
  • A fully featured API
  • Real-time visibility
  • Integration with AWS Firewall Manager

Web Traffic Filtering

AWS WAF gives users traffic-filtering features that are configured as rules inside a web access control list (web ACL), the top-level object described in the AWS WAF documentation. Each rule carries a statement that matches on criteria like:

  • IP address origin of the request (via a reusable IP set)
  • Country of origin of the request
  • String match or regular expression (regex) match in a part of the request
  • Size of a particular part of the request
  • Detection of SQL injection or cross-site scripting patterns in a part of the request

This provides users with granular criteria for filtering malicious traffic. In terms of the OWASP Top 10, these matches help mitigate A03 (Injection) and, where attacker-supplied URLs arrive in request parameters, A10 (Server-Side Request Forgery). They block recognizable payloads in requests rather than fix the underlying flaw in the application.

Bot Control

Provided by AWS as a “managed rule group,” bot control allows users to restrict and control traffic from automated bots like web scrapers and scanners. While OWASP does not identify bots as an outright risk and they aren’t all malicious in nature, they have the capability to significantly impact the performance of any web application.

Account Takeover Fraud Protection

This capability is another managed rule group designed to combat unauthorized logins via compromised credentials or brute forcing, as well as bots. It’s an important part of ATO (Account Takeover) prevention, and it addresses the OWASP categories of A01 (Broken Access Control) and A07 (Identification and Authentication Failures).

A Fully Featured API

Being able to manage a WAF via an API is meant to be more of an overall value proposition than a feature that addresses a specific security threat. However, defining configuration in your code means you can test and audit it rigorously prior to deployment, avoiding the potential downsides of manual configuration and the resulting errors. In that regard, this potentially addresses A05 (Security Misconfiguration) vulnerabilities.
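The following is an added example, not code from the original article or from AWS. It ties together the filtering criteria listed above and the configuration-as-code point in this section: it builds one rule per criterion in the shape the wafv2 API expects (the list you would pass as `aws wafv2 create-web-acl --rules file://rules.json`), then lints the list for mistakes the API would reject at deploy time (duplicate priorities, a missing VisibilityConfig, a rule with both or neither of Action and OverrideAction). The IP set ARN, rule names, path prefix, country codes and size limit are assumptions chosen for illustration.

```python
"""Define and lint AWS WAF (wafv2) web ACL rules as code.

Added example, not code from the original article or from AWS. Statement
shapes follow the wafv2 API, i.e. what `aws wafv2 create-web-acl --rules
file://rules.json` expects; the IP set ARN, rule names, paths, country codes
and size limit are assumptions chosen for illustration.
"""
import json

# Assumed ARN of an IP set created beforehand with `aws wafv2 create-ip-set`.
BLOCKLIST_IPSET_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/EXAMPLE-ID"
)

# Decode URL escapes, then lowercase, before matching (applied in Priority order).
NORMALIZE = [
    {"Priority": 0, "Type": "URL_DECODE"},
    {"Priority": 1, "Type": "LOWERCASE"},
]

KNOWN_STATEMENTS = {
    "IPSetReferenceStatement", "GeoMatchStatement", "ByteMatchStatement",
    "RegexMatchStatement", "SizeConstraintStatement", "SqliMatchStatement",
    "XssMatchStatement", "ManagedRuleGroupStatement", "RateBasedStatement",
}


def custom_rule(name, priority, statement, action="Block"):
    """A rule with its own Action; managed rule groups use OverrideAction instead."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {action: {}},
        # Required on every rule; MetricName is what CloudWatch will expose.
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_rules():
    """One rule per filtering criterion the article lists. Rules are evaluated
    from the lowest Priority upward and the first terminating match decides."""
    return [
        custom_rule("block-listed-ips", 0,
                    {"IPSetReferenceStatement": {"ARN": BLOCKLIST_IPSET_ARN}}),
        custom_rule("block-countries", 10,
                    {"GeoMatchStatement": {"CountryCodes": ["KP", "IR"]}}),
        custom_rule("block-admin-path", 20, {"ByteMatchStatement": {
            "SearchString": "/admin",
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": NORMALIZE,
            "PositionalConstraint": "STARTS_WITH"}}),
        custom_rule("block-path-traversal", 30, {"RegexMatchStatement": {
            "RegexString": r"\.\./",  # runs after URL_DECODE, so %2e%2e%2f is caught too
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": NORMALIZE}}),
        custom_rule("block-large-bodies", 40, {"SizeConstraintStatement": {
            # Bodies beyond the inspection limit are treated as a match.
            "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
            "ComparisonOperator": "GT",
            "Size": 8192,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}),
        custom_rule("block-sqli-in-query", 50, {"SqliMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": NORMALIZE}}),
        custom_rule("block-xss-in-body", 60, {"XssMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
            "TextTransformations": NORMALIZE}}),
    ]


def lint_rules(rules):
    """Return a list of problems (empty means the checks pass). These mirror
    constraints the AWS API enforces at create time; catching them here keeps
    the review in CI instead of in a failed deploy."""
    problems = []
    seen = set()
    for r in rules:
        name = r.get("Name", "<unnamed>")
        for key in ("Name", "Priority", "Statement", "VisibilityConfig"):
            if key not in r:
                problems.append(f"{name}: missing {key}")
        if r.get("Priority") in seen:
            problems.append(f"{name}: duplicate Priority {r.get('Priority')}")
        seen.add(r.get("Priority"))
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{name}: exactly one of Action/OverrideAction required")
        stmt = r.get("Statement", {})
        if len(stmt) != 1 or next(iter(stmt), None) not in KNOWN_STATEMENTS:
            problems.append(f"{name}: Statement must hold exactly one known type")
    return problems


def rules_json(rules):
    """Serialize the rule list for `--rules file://rules.json`."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    rules = build_rules()
    issues = lint_rules(rules)
    print("\n".join(issues) if issues else rules_json(rules))
```

Running the script prints the rule list when the lint passes and the list of problems otherwise, so it can gate a pipeline step that then calls `create-web-acl` or `update-web-acl`. The lint deliberately treats managed rule groups differently from custom rules: a managed rule group reference carries `OverrideAction` rather than `Action`, and mixing them up is one of the more common reasons a web ACL update is rejected.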

Real-Time Visibility

The AWS WAF service captures a variety of real-time metrics, and it can also deliver full request logs to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. Being able to view and understand security-related data is crucial to the effective response to, and remediation of, issues and incidents. AWS WAF also advertises integration with CloudWatch, providing a shorter path to creating visualization and alerting capabilities and addressing the OWASP Top 10 A09 (Security Logging and Monitoring Failures) category.
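As an added example of what the logging side of this section gives a security team, and not code from the original article or from AWS, the script below triages a batch of AWS WAF log records: it counts actions, attributes blocks to the terminating rule and to the client IP, and flags clients that tripped the WAF repeatedly inside a short window, the sort of signal that feeds an alert or a follow-up IP set update. The record field names follow the documented AWS WAF log format, but the log lines themselves, the rule names in them and the thresholds are constructed for illustration.

```python
"""Triage a batch of AWS WAF log records.

Added example, not code from the original article or from AWS. Field names
(timestamp, action, terminatingRuleId, httpRequest.clientIp, ...) follow the
documented AWS WAF log record format; the records below are constructed for
illustration, as are the rule names and thresholds.
"""
import json
from collections import Counter, defaultdict

# Constructed log lines: one JSON object per line, as delivered to S3,
# CloudWatch Logs or Kinesis Data Firehose, trimmed to the fields used here.
# One malformed line and one blank line are included to exercise the parser.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"block-sqli-in-query","httpRequest":{"clientIp":"203.0.113.7","country":"US","uri":"/search","args":"q=1%27%20OR%201%3D1","httpMethod":"GET","headers":[{"name":"User-Agent","value":"sqlmap/1.7"}]}}
{"timestamp":1700000005000,"action":"BLOCK","terminatingRuleId":"block-path-traversal","httpRequest":{"clientIp":"198.51.100.23","country":"DE","uri":"/static/../../etc/passwd","args":"","httpMethod":"GET","headers":[{"name":"User-Agent","value":"curl/8.4.0"}]}}
{"timestamp":1700000010000,"action":"BLOCK","terminatingRuleId":"block-sqli-in-query","httpRequest":{"clientIp":"203.0.113.7","country":"US","uri":"/search","args":"q=1%27%20UNION%20SELECT%201","httpMethod":"GET","headers":[{"name":"User-Agent","value":"sqlmap/1.7"}]}}
not a json record
{"timestamp":1700000015000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"192.0.2.44","country":"US","uri":"/index.html","args":"","httpMethod":"GET","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}

{"timestamp":1700000020000,"action":"BLOCK","terminatingRuleId":"block-xss-in-body","httpRequest":{"clientIp":"203.0.113.7","country":"US","uri":"/comment","args":"","httpMethod":"POST","headers":[{"name":"User-Agent","value":"sqlmap/1.7"}]}}
{"timestamp":1700003600000,"action":"BLOCK","terminatingRuleId":"block-xss-in-body","httpRequest":{"clientIp":"203.0.113.7","country":"US","uri":"/comment","args":"","httpMethod":"POST","headers":[{"name":"User-Agent","value":"sqlmap/1.7"}]}}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines so one
    bad record does not abort the whole batch."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def blocked(records):
    return [r for r in records if r.get("action") == "BLOCK"]


def summarize(records):
    """Counts a SOC dashboard would show: actions, blocks per rule, blocks per IP."""
    return {
        "actions": dict(Counter(r.get("action") for r in records)),
        "blocked_by_rule": dict(Counter(r["terminatingRuleId"] for r in blocked(records))),
        "blocked_by_ip": dict(Counter(r["httpRequest"]["clientIp"] for r in blocked(records))),
    }


def noisy_clients(records, threshold, window_ms=60_000):
    """Client IPs with at least `threshold` BLOCKs inside any `window_ms`
    sliding window (timestamps are epoch milliseconds). Sorted for stable output."""
    times = defaultdict(list)
    for r in blocked(records):
        times[r["httpRequest"]["clientIp"]].append(r["timestamp"])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_ms:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(json.dumps(summarize(recs), indent=2))
    print("repeat offenders:", noisy_clients(recs, threshold=3))
```

The same functions work unchanged on real records pulled from the S3 prefix or log group the web ACL logs to; the only constructed part is `SAMPLE_LOG`. Note that `terminatingRuleId` is `Default_Action` for requests no rule matched, so counting blocks by rule name tells you which rules are actually doing work and which are dead weight in the web ACL.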

Integration with AWS Firewall Manager

This lets you enforce a common configuration definition for multiple AWS accounts, allowing you to audit and maintain a predefined configuration while generating actionable alerts when any drift is detected. Being able to enforce a shared configuration from a single point of control also helps address potential Security Misconfiguration vulnerabilities (A05). 

Challenges to Getting Started

While it’s important to choose a WAF product that provides features most closely aligned with your application needs, you also need a WAF that makes it easy to take advantage of that feature set.

If a WAF offering is mired in complex documentation and configuration requirements, meaning a heavier engineering investment to deploy and maintain, then the administrative overhead is going to diminish time-to-value.

In the case of AWS WAF, Amazon provides a brief getting started guide, which along with some of the managed rules, helps to get a working solution up and running with minimal configuration and deployment time. You should note that the guide assumes users are familiar with both web application security and the additional AWS services needed to take full advantage of the WAF. You also need to understand the capacity model (web ACL capacity units, which cap how complex a single web ACL can be) and the billing dimensions (per web ACL, per rule, and per million requests inspected, with additional charges for managed rule groups such as Bot Control), all of which add cognitive overhead before a single rule is written.

An experienced AWS user and security practitioner won’t have much of a problem getting up to speed quickly, but teams that do not bring both skill sets to the table might have difficulty.

Getting Web Security Right 

Modern applications sit upon a vastly different landscape from that of past generations. Web-facing, always-connected software is the de facto standard, with the time between feature releases continuously diminishing. In this environment, it is more critical than ever to get security right. A good web application firewall is thus a necessity, but does AWS WAF do the job?

The next article in this series (AWS WAF: A Deep Dive, Part 2) will further explore this question by looking at some of the more granular features and user experiences with AWS’ web application firewall.
