A Brief Look at WAF Architecture on AWS (淺談WAF在AWS的架構)
SC Lin @ AWSUGTW
2017/07/19
SC Lin
❖ Now:
➢ Engineer with focus on public cloud and security.
➢ Preparing for AWS Certified DevOps - Professional
❖ Experiences:
➢ System Engineer, PIC
➢ Security Engineer, PIC
❖ AWS Certification:
➢ AWS Certified Solutions Architect - Professional
➢ AWS Certified Solutions Architect - Associate
➢ AWS Certified Developer - Associate
➢ AWS Certified SysOps Administrator - Associate
Agenda
❖ Why WAF? Problems and expectations
❖ WAF architecture on AWS
❖ Comparisons
❖ Demo
❖ Summary
[AWS WAF icon]
Why WAF?
Before asking why WAF, what is a WAF?
A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to
and from a web application. A WAF is differentiated from a regular firewall in that a
WAF is able to filter the content of specific web applications while regular firewalls
serve as a safety gate between servers.
- Description of WAF from Wikipedia
A web application firewall (WAF) is an application firewall for HTTP applications. It
applies a set of rules to an HTTP conversation. Generally, these rules cover
common attacks such as cross-site scripting (XSS) and SQL injection.
- Description of WAF from OWASP
Why WAF?
Problems and expectations
➢ OWASP Top 10
➢ SQL Injection
➢ XSS
➢ CVE & NVD
➢ DDoS
➢ Compliance
Why WAF? - 2017 OWASP Top 10
➢ A1-Injection
➢ A2-Broken Authentication and Session Management
➢ A3-Cross-Site Scripting (XSS)
➢ A4-Broken Access Control
➢ A5-Security Misconfiguration
➢ A6-Sensitive Data Exposure
➢ A7-Insufficient Attack Protection
➢ A8-Cross-Site Request Forgery (CSRF)
➢ A9-Using Components with Known Vulnerabilities
➢ A10-Underprotected APIs
Why WAF? - DDoS
[DDoS diagram]
Why WAF? - Compliance
➢ PCI DSS 3.2 requirement 6.6 choice 2
“Installing an automated technical solution that detects and prevents web-based
attacks (for example, a web-application firewall) in front of public-facing web
applications, to continually check all traffic.”
➢ Don’t worry, most of the solutions can help you meet PCI DSS.
➢ The AWS WAF service is already PCI DSS certified.
○ check here: https://aws.amazon.com/tw/compliance/services-in-scope/
WAF architecture on AWS
WAF architecture on AWS - AWS best practice
[AWS best practice architecture diagram]
Reference: AWS Best Practices for DDoS Resiliency (June 2015)
WAF architecture on AWS - Traditional architecture
Traditional architecture - problems (diagram; only the labels survive):
➢ XFF (X-Forwarded-For)
➢ Scale out
➢ Rule Consistency
➢ Warm up
➢ ELB traffic fee
➢ Traffic Out
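The XFF label above is the classic pitfall of a WAF appliance on EC2 behind an ELB: the TCP peer is always the load balancer, so the client address has to be recovered from X-Forwarded-For, and the leftmost value in that header is whatever the client chose to send. This added example (not from the deck) resolves the client by walking the chain from the right past a trusted-proxy list, and shows why a rate count keyed on the naive value is spoofable; the ranges 10.0.0.0/8 and 192.0.2.0/24 and the sample requests are constructed for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed for this example: the VPC range the ELB lives in and a placeholder
# range standing in for the CDN edge in front of it. Only these may appear as
# proxies in the chain; anything else is the client (or an attacker's string).
TRUSTED_PROXIES = ("10.0.0.0/8", "192.0.2.0/24")


def parse_xff(header):
    """Split an X-Forwarded-For value into hops, leftmost (client-supplied) first."""
    return [hop.strip() for hop in (header or "").split(",") if hop.strip()]


def naive_client_ip(xff_header):
    """The tempting but wrong way: trust the leftmost hop. Shown only for contrast."""
    hops = parse_xff(xff_header)
    return hops[0] if hops else None


def client_ip(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Attribute the request to the first hop, counted from the TCP peer backwards,
    that is not a trusted proxy.  Hops left of that one are whatever the client
    sent and are ignored.  Returns None when the candidate is not a valid IP
    (malformed header) or when every hop including the peer is a trusted proxy
    (for example an ELB health check), so the caller can log rather than count
    against a bogus key."""
    nets = [ipaddress.ip_network(net) for net in trusted_proxies]
    chain = parse_xff(xff_header) + [peer_ip]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if any(addr in net for net in nets):
            continue
        return str(addr)
    return None


def count_by_client(requests, trusted_proxies=TRUSTED_PROXIES):
    """Per-client request counts, the key a rate-based rule needs.
    requests: iterable of (peer_ip, xff_header) as seen by the WAF instance."""
    counts = Counter()
    for peer_ip, xff_header in requests:
        counts[client_ip(peer_ip, xff_header, trusted_proxies) or "unattributed"] += 1
    return counts


# Constructed sample traffic as a WAF instance behind the ELB (10.0.1.5) sees it.
SAMPLE_REQUESTS = (
    ("10.0.1.5", "203.0.113.9"),                 # ELB -> WAF; real client 203.0.113.9
    ("10.0.1.5", "203.0.113.9, 192.0.2.40"),     # CDN edge -> ELB -> WAF
    ("10.0.1.5", "198.51.100.99, 203.0.113.9"),  # client prepended a spoofed hop
    ("198.51.100.7", "10.0.1.5"),                # direct hit bypassing the ELB: header ignored
    ("10.0.1.5", "not-an-ip, 203.0.113.9"),      # junk left of the real client is harmless
    ("10.0.1.5", "not-an-ip"),                   # junk where the client should be: unattributed
    ("10.0.1.5", ""),                            # no header at all, e.g. an ELB health check
)

if __name__ == "__main__":
    for peer_ip, xff_header in SAMPLE_REQUESTS:
        print(f"{peer_ip:14} {xff_header!r:32} -> {client_ip(peer_ip, xff_header)}")
    print(dict(count_by_client(SAMPLE_REQUESTS)))
```

The same walk applies at every ELB hop in the chain (CloudFront → ELB → WAF → ELB → app), which is why the label appears at each arrow of the diagram.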
WAF architecture on AWS - AWS best practices
[AWS best practice architecture diagram]
Reference: AWS Best Practices for DDoS Resiliency (June 2016)
WAF architecture on AWS - Cloud service
[Architecture working with a cloud service: diagram]
WAF architecture on AWS - AWS WAF
[Architecture - AWS WAF: diagram with CloudFront, WAF, ALB and EC2]
Comparisons
Comparisons - Meeting OWASP
Traditional architecture
1. Use highly customised rules written in-house.
2. Use the rules that ship with a branded (vendor) product.
Working with cloud service
1. The upper and lower bounds depend entirely on the service provider.
Working with AWS WAF
1. For AWS WAF, see the whitepaper “Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities”.
Comparisons - Meeting compliance
Traditional architecture
1. Great flexibility in tuning rules; little dependence on a service provider.
2. Branded products can produce compliance reports, reducing the audit burden.
Working with cloud service
1. The upper and lower bounds depend entirely on what the service provider offers.
Working with AWS WAF
1. The AWS WAF service itself is PCI compliant, but producing and improving the rules... is the user’s responsibility.
(AWS shared responsibility model)
Comparisons - Maintenance & automation
Traditional architecture
1. Learning takes time; operators need stronger technical and communication skills.
2. A complex architecture inevitably increases management complexity.
3. Hard to automate; requires familiarity with a specific vendor’s API/commands.
Working with cloud service
1. Simple architecture; lower operational difficulty.
2. Hard to automate; requires familiarity with a specific vendor’s API/commands.
Working with AWS WAF
1. Simple architecture; lower operational difficulty.
2. Learn one set of APIs and use it everywhere.
Comparisons - Pricing
Traditional architecture
1. Running your own machines = expensive
2. Professional operations staff = expensive
3. Using a well-known brand = expensive
(License fee $1~3 hourly)
Working with cloud service
1. A dedicated cloud WAF that does not need a CDN is inevitably expensive if professional services are included.
2. The CDN-bundled type requires buying the CDN service first, then the WAF module.
Working with AWS WAF
1. AWS WAF has a lower entry cost and supports both CloudFront and ALB, giving users flexibility in choosing an architecture.
($5 per web ACL, $1 per rule, $0.60 per million requests)
Demo
Demo
SQL Injection Protect
XSS Protect
Rate-based rule
CVE-2017-5638: Struts2
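As an added example, not part of the deck, here is a boto3 script that builds the four demo protections as an AWS WAF Classic web ACL (the 2017 API the talk used, in its regional flavour so it attaches to an ALB): SQLi and XSS conditions over the query string, body and URI, a rate-based rule, and a Content-Type byte match for CVE-2017-5638. The names, the 2000-request limit and the `%{` signature are assumptions for the demonstration; the ALB ARN and region are placeholders. The builder functions are pure, so the payloads can be inspected offline; only `apply()` talks to AWS.

```python
# Request fields the SQLi and XSS conditions inspect; each is checked after two
# text transformations so URL- or entity-encoded payloads are normalised first.
FIELDS = ({"Type": "QUERY_STRING"}, {"Type": "BODY"}, {"Type": "URI"})
TRANSFORMS = ("URL_DECODE", "HTML_ENTITY_DECODE")
RATE_LIMIT = 2000  # assumption for the demo; WAF Classic counts it per 5-minute window


def match_updates(tuple_key):
    """INSERT updates for a SqlInjectionMatchSet ("SqlInjectionMatchTuple") or an
    XssMatchSet ("XssMatchTuple"): one tuple per field x transformation."""
    return [{"Action": "INSERT", tuple_key: {"FieldToMatch": field, "TextTransformation": xform}}
            for field in FIELDS for xform in TRANSFORMS]


def struts_updates():
    """ByteMatchSet update for CVE-2017-5638, where the vulnerable Struts2 parser
    evaluated OGNL found in the Content-Type header.  Assumption: the OGNL prefix
    "%{" is the signature used here; review matches in COUNT mode before blocking."""
    return [{"Action": "INSERT",
             "ByteMatchTuple": {"FieldToMatch": {"Type": "HEADER", "Data": "content-type"},
                                "TargetString": b"%{",
                                "TextTransformation": "URL_DECODE",
                                "PositionalConstraint": "CONTAINS"}}]


def predicate(kind, condition_id):
    """Rule predicate referencing a condition (SqlInjectionMatch, XssMatch, ByteMatch)."""
    return {"Action": "INSERT",
            "Predicate": {"Negated": False, "Type": kind, "DataId": condition_id}}


def web_acl_updates(rules):
    """rules: ordered (rule_id, 'REGULAR' | 'RATE_BASED'); list position becomes priority."""
    return [{"Action": "INSERT",
             "ActivatedRule": {"Priority": prio, "RuleId": rule_id,
                               "Action": {"Type": "BLOCK"}, "Type": kind}}
            for prio, (rule_id, kind) in enumerate(rules, start=1)]


def apply(client, alb_arn):
    """Create conditions, rules and the web ACL with a boto3 'waf-regional' client,
    then attach the ACL to the ALB.  Every mutating call needs a fresh change token."""
    def token():
        return client.get_change_token()["ChangeToken"]

    sqli_id = client.create_sql_injection_match_set(
        Name="demo-sqli", ChangeToken=token())["SqlInjectionMatchSet"]["SqlInjectionMatchSetId"]
    client.update_sql_injection_match_set(SqlInjectionMatchSetId=sqli_id, ChangeToken=token(),
                                          Updates=match_updates("SqlInjectionMatchTuple"))
    xss_id = client.create_xss_match_set(
        Name="demo-xss", ChangeToken=token())["XssMatchSet"]["XssMatchSetId"]
    client.update_xss_match_set(XssMatchSetId=xss_id, ChangeToken=token(),
                                Updates=match_updates("XssMatchTuple"))
    struts_id = client.create_byte_match_set(
        Name="demo-struts", ChangeToken=token())["ByteMatchSet"]["ByteMatchSetId"]
    client.update_byte_match_set(ByteMatchSetId=struts_id, ChangeToken=token(),
                                 Updates=struts_updates())

    rules = []  # MetricName must be alphanumeric, hence no hyphens in these names
    for name, kind, condition_id in (("demoSqli", "SqlInjectionMatch", sqli_id),
                                     ("demoXss", "XssMatch", xss_id),
                                     ("demoStruts", "ByteMatch", struts_id)):
        rule_id = client.create_rule(Name=name, MetricName=name, ChangeToken=token())["Rule"]["RuleId"]
        client.update_rule(RuleId=rule_id, ChangeToken=token(), Updates=[predicate(kind, condition_id)])
        rules.append((rule_id, "REGULAR"))
    rate_id = client.create_rate_based_rule(Name="demoRate", MetricName="demoRate", RateKey="IP",
                                            RateLimit=RATE_LIMIT, ChangeToken=token())["Rule"]["RuleId"]
    rules.append((rate_id, "RATE_BASED"))

    acl_id = client.create_web_acl(Name="demoAcl", MetricName="demoAcl", DefaultAction={"Type": "ALLOW"},
                                   ChangeToken=token())["WebACL"]["WebACLId"]
    client.update_web_acl(WebACLId=acl_id, ChangeToken=token(), Updates=web_acl_updates(rules))
    client.associate_web_acl(WebACLId=acl_id, ResourceArn=alb_arn)
    return acl_id


if __name__ == "__main__":
    import boto3  # imported here so the builders above stay importable offline
    # Placeholders: substitute your region and the ARN of the ALB to protect.
    ALB_ARN = "arn:aws:elasticloadbalancing:<region>:<account>:loadbalancer/app/<name>/<id>"
    print(apply(boto3.client("waf-regional", region_name="<region>"), ALB_ARN))
```

Four rules leaves room under the 10-rules-per-web-ACL limit mentioned in the wishlist; for a CloudFront distribution the same calls go to the global `waf` client and the ACL is referenced from the distribution instead of associated with an ARN.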
Summary
Summary
1. Putting a WAF into the architecture is not the problem; tuning the rules is.
2. Match the architecture to the scenario and to your team’s capabilities.
3. If the code has a hole, patch it... don’t push it onto the security appliance!
4. If you already use CloudFront/ALB,
try AWS WAF right away and see how much it can block for you!
Wishlist
A transparent list of the SQL injection and XSS rules.
Regular expression support in string match.
The rate-based rule’s sampling window is 5 minutes; it would be good if users could adjust it freely.
Logs only show the last 3 hours; it would be better to be able to store logs to S3/CloudWatch Logs.
Only 10 rules per web ACL...
More features…
(The support case categories don’t even have a feature request option...)
References
❏ AWS Security Blog
https://aws.amazon.com/blogs/security/
❏ AWS WAF Developer Guide
http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
❏ AWS WAF Preconfigured Rules & Tutorials
https://aws.amazon.com/waf/preconfiguredrules/
❏ AWS Security Whitepaper
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
❏ AWS Security Best Practices
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
❏ Overview of AWS Security - Network Security
https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf
❏ AWS Best Practices for DDoS Resiliency Whitepaper
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
  • 5. Before Why WAF, What is WAF? A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. - Description of WAF from Wikipedia A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. - Description of WAF from OWASP 5
  • 6. Why WAF? Problems and expectations ➢ OWASP Top 10 ➢ SQL Injection ➢ XSS ➢ CVE & NVD ➢ DDoS ➢ Compliance 6
  • 7. Why WAF? - 2017 OWASP Top 10 ➢ A1-Injection ➢ A2-Broken Authentication and Session Management ➢ A3-Cross-Site Scripting (XSS) ➢ A4-Broken Access Control ➢ A5-Security Misconfiguration ➢ A6-Sensitive Data Exposure ➢ A7-Insufficient Attack Protection ➢ A8-Cross-Site Request Forgery (CSRF) ➢ A9-Using Components with Known Vulnerabilities ➢ A10-Underprotected APIs 7
Why WAF? - Compliance
Compliance
➢ PCI DSS 3.2 requirement 6.6 choice 2
“Installing an automated technical solution that detects and prevents web-based
attacks (for example, a web-application firewall) in front of public-facing web
applications, to continually check all traffic.”
➢ Don’t worry, most of the solutions can help you meet PCI DSS.
➢ The AWS WAF service is already PCI DSS certified.
○ Check here: https://aws.amazon.com/tw/compliance/services-in-scope/
9
WAF architecture on AWS - AWS best practice
AWS best practice
Reference: AWS Best Practices for DDoS Resiliency (June 2015)
11
WAF architecture on AWS - Traditional architecture
Traditional architecture - problems
(Architecture diagram; problems called out on it: XFF, scale out, rule consistency, warm up, ELB traffic fee, traffic out)
12
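Of the problems on this slide, XFF is the one that is a correctness and security issue rather than a cost or operations one: once a WAF appliance sits behind an ELB, the client address survives only in the X-Forwarded-For header, and the left-most entry of that header is whatever the client chose to send. The Python below is an added example, not code from the deck or from AWS, contrasting the naive way of reading that header with the safe one (walk the chain from the right and skip the hops you operate yourself). The proxy ranges, addresses and header value in it are constructed for the example.

```python
import ipaddress

# Constructed topology for this example (not from the slides): an ELB in 10.0.1.0/24
# and a WAF appliance in 10.0.2.0/24 sit between the Internet and the application.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24"),
                   ipaddress.ip_network("10.0.2.0/24")]


def naive_client_ip(xff_header):
    """The common mistake: trust the left-most X-Forwarded-For entry.
    That entry is whatever the client put in the request it sent."""
    return xff_header.split(",")[0].strip()


def client_ip(xff_header, peer_ip, trusted=TRUSTED_PROXIES):
    """Derive the client address from X-Forwarded-For the safe way.

    Each proxy appends the address it saw, so the chain is trustworthy only
    from the right: walk right-to-left, skip hops that are our own proxies,
    and the first hop we do not operate is the real client. peer_ip is the
    TCP peer of the receiving host (the last proxy), appended as the final hop.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(peer_ip)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # a hop that is not an IP address: the chain is unusable
        if not any(addr in net for net in trusted):
            return str(addr)
    # every hop is one of our proxies: the client itself sits inside the trusted ranges
    return hops[0]


def rate_key(xff_header, peer_ip):
    """Key a request for per-source counting, as a rate-based rule does.
    Counting by the naive address lets one source spread itself over arbitrary
    keys; counting by the derived address (or the peer, if the chain is broken) does not."""
    return client_ip(xff_header, peer_ip) or peer_ip


# Constructed request: the attacker injects a fake left-most entry, the ELB appends
# the real source, the WAF appliance appends the ELB, and the app's TCP peer is the WAF.
SPOOFED_XFF = "127.0.0.1, 198.51.100.9, 10.0.1.5"
APP_PEER = "10.0.2.7"

if __name__ == "__main__":
    print("naive :", naive_client_ip(SPOOFED_XFF))      # attacker-chosen value
    print("proper:", client_ip(SPOOFED_XFF, APP_PEER))  # the ELB-observed source
```

The same rule applies to any component that keys on client address behind a proxy chain (rate limiting, IP allow lists, audit logs): configure the trusted ranges to be exactly your own load balancer and WAF addresses, nothing wider.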
WAF architecture on AWS - AWS best practices
AWS best practice
Reference: AWS Best Practices for DDoS Resiliency (June 2016)
13
WAF architecture on AWS - Cloud service
Architecture working with a cloud service
14
WAF architecture on AWS - AWS WAF
Architecture - AWS WAF
(Architecture diagram; components: CloudFront, WAF, ALB, EC2)
15
Comparisons - Meet OWASP
Traditional architecture
1. Use highly customized rules you write yourself.
2. Use the rules bundled with the vendor's product.
Working with cloud service
1. The upper and lower bounds depend entirely on the service provider.
Working with AWS WAF
1. For AWS WAF, see "Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities".
17
Comparisons - Meet compliance
Traditional architecture
1. Great flexibility in adjusting rules, and little dependence on a service provider.
2. Brand-name products can produce compliance reports, which lightens the audit workload.
Working with cloud service
1. The upper and lower bounds depend entirely on what the service provider offers.
Working with AWS WAF
1. The AWS WAF platform itself is PCI compliant, but producing and improving the rules... is the customer's responsibility. (AWS shared responsibility model)
18
Comparisons - Maintain & automation
Traditional architecture
1. Learning takes time, and operators need stronger technical and communication skills.
2. A complex architecture inevitably means more management complexity.
3. Hard to automate; you must know the specific vendor's API/commands.
Working with cloud service
1. Simple architecture, easier to operate.
2. Hard to automate; you must know the specific vendor's API/commands.
Working with AWS WAF
1. Simple architecture, easier to operate.
2. Learn one API and it covers everything.
19
Comparisons - Pricing
Traditional architecture
1. Running your own machines = expensive
2. Professional operations = expensive
3. Using a well-known brand = expensive (license fee $1~3 hourly)
Working with cloud service
1. A dedicated cloud WAF that is not bundled with a CDN is inevitably expensive if professional services are included.
2. The CDN-bundled kind requires buying the CDN service first and then the WAF module.
Working with AWS WAF
1. AWS WAF has a low entry cost and supports both CloudFront and ALB, so you keep the flexibility to choose the architecture. ($5 per web ACL, $1 per rule, $0.60 per million requests)
20
Demo
➢ SQL Injection Protect
➢ XSS Protect
➢ Rate based rule
➢ CVE-2017-5638: Struts 2
22
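The four demo rules above (SQL injection, XSS, a rate-based rule and a match for the Struts 2 CVE-2017-5638 request) can be created entirely through the waf-regional API, which is also the "one API" point made in the maintenance comparison. The Python below is an added example, not the presenter's demo code and not anything published by AWS: it drives boto3's waf-regional client, fetches a fresh change token before every mutating call as that API requires, activates the rate-based rule with the RATE_BASED type it needs, and attaches the resulting web ACL to an ALB. Assumptions: the ALB ARN is a placeholder; matching on "%{" in the Content-Type header is this example's own choice of signature for the OGNL payload, not an AWS-published rule; and RecordingWaf is a constructed stand-in for the boto3 client so the script runs offline. In production pass boto3.client("waf-regional", region_name=...) instead.

```python
"""Build the demo web ACL on AWS WAF Classic (waf-regional, attached to an ALB).
Every mutating waf-regional call needs a fresh token from get_change_token();
the builder fetches one per call. Added example, not the deck's demo code."""

# Assumption for this example: "%{" (the OGNL expression opener) in the Content-Type
# header is used as the match string for the CVE-2017-5638 Struts 2 payload.
STRUTS_MARKER = b"%{"


def _camel(kind):  # "sql_injection_match_set" -> "SqlInjectionMatchSet"
    return "".join(p.capitalize() for p in kind.split("_"))


class WafClassicBuilder:
    def __init__(self, waf):
        self.waf = waf  # boto3.client("waf-regional", region_name=...) in production

    def _token(self):
        return self.waf.get_change_token()["ChangeToken"]

    def _match_set(self, kind, name, tuple_key, tuples):
        # boto3 exposes create_<kind>/update_<kind>; response key and id keyword are CamelCase.
        camel = _camel(kind)
        set_id = getattr(self.waf, "create_" + kind)(
            Name=name, ChangeToken=self._token())[camel][camel + "Id"]
        getattr(self.waf, "update_" + kind)(
            ChangeToken=self._token(), Updates=[{"Action": "INSERT", tuple_key: t} for t in tuples],
            **{camel + "Id": set_id})
        return set_id

    def _rule(self, name, predicate_type, data_id):  # MetricName must be alphanumeric
        rule_id = self.waf.create_rule(Name=name, MetricName=name, ChangeToken=self._token())["Rule"]["RuleId"]
        self.waf.update_rule(RuleId=rule_id, ChangeToken=self._token(), Updates=[{"Action": "INSERT",
            "Predicate": {"Negated": False, "Type": predicate_type, "DataId": data_id}}])
        return rule_id

    def sqli_rule(self, name="sqli"):
        tuples = [{"FieldToMatch": {"Type": f}, "TextTransformation": "URL_DECODE"}
                  for f in ("QUERY_STRING", "BODY")]
        set_id = self._match_set("sql_injection_match_set", name, "SqlInjectionMatchTuple", tuples)
        return self._rule(name, "SqlInjectionMatch", set_id)

    def xss_rule(self, name="xss"):
        tuples = [{"FieldToMatch": {"Type": f}, "TextTransformation": "HTML_ENTITY_DECODE"}
                  for f in ("QUERY_STRING", "BODY")]
        set_id = self._match_set("xss_match_set", name, "XssMatchTuple", tuples)
        return self._rule(name, "XssMatch", set_id)

    def struts_rule(self, name="strutsCVE20175638"):
        tuples = [{"FieldToMatch": {"Type": "HEADER", "Data": "content-type"},
                   "TargetString": STRUTS_MARKER, "TextTransformation": "URL_DECODE",
                   "PositionalConstraint": "CONTAINS"}]
        set_id = self._match_set("byte_match_set", name, "ByteMatchTuple", tuples)
        return self._rule(name, "ByteMatch", set_id)

    def rate_rule(self, name="ratelimit", limit=2000):
        # Requests are counted per source IP over a 5-minute window; limit applies to that window.
        return self.waf.create_rate_based_rule(Name=name, MetricName=name, RateKey="IP",
                                               RateLimit=limit, ChangeToken=self._token())["Rule"]["RuleId"]

    def web_acl(self, name, regular_rule_ids, rate_rule_ids, alb_arn):
        acl_id = self.waf.create_web_acl(Name=name, MetricName=name, DefaultAction={"Type": "ALLOW"},
                                         ChangeToken=self._token())["WebACL"]["WebACLId"]
        # Priority orders evaluation; rate-based rules must be activated with Type RATE_BASED.
        typed = [(r, "REGULAR") for r in regular_rule_ids] + [(r, "RATE_BASED") for r in rate_rule_ids]
        updates = [{"Action": "INSERT", "ActivatedRule": {
            "Priority": prio, "RuleId": rule_id, "Action": {"Type": "BLOCK"}, "Type": rtype}}
            for prio, (rule_id, rtype) in enumerate(typed, start=1)]
        self.waf.update_web_acl(WebACLId=acl_id, ChangeToken=self._token(), Updates=updates)
        self.waf.associate_web_acl(WebACLId=acl_id, ResourceArn=alb_arn)
        return acl_id


class RecordingWaf:
    """Constructed stand-in for the boto3 client: records every call, returns synthetic IDs."""
    _SPECIAL = {"create_rule": "Rule", "create_rate_based_rule": "Rule", "create_web_acl": "WebACL"}

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            n = len(self.calls)
            if method == "get_change_token":
                return {"ChangeToken": "token-%d" % n}
            if method.startswith("create_"):
                outer = self._SPECIAL.get(method) or _camel(method[len("create_"):])
                return {outer: {outer + "Id": "%s-%d" % (method, n)}}
            return {}
        return call


def build_demo(waf, alb_arn="arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"):
    """Create the four demo rules and attach them to one web ACL on the ALB (ARN is a placeholder)."""
    b = WafClassicBuilder(waf)
    return b.web_acl("wafdemo", [b.sqli_rule(), b.xss_rule(), b.struts_rule()], [b.rate_rule()], alb_arn)
```

Usage: `build_demo(RecordingWaf())` runs the whole sequence offline and leaves every call, with its change token, in `.calls`; swap in the real client to create the objects in an account. Four rules in one web ACL fits comfortably under the 10-rules-per-ACL limit mentioned on the wishlist and, at the prices on the comparison slide, costs $5 for the ACL plus $1 per rule before request charges.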
Summary
1. Putting a WAF into the architecture is not the problem; tuning the rules is.
2. Match the architecture to the scenario and the capabilities you have.
3. If the code has holes, patch them... don't push the job onto security appliances!
4. If you already use CloudFront/ALB, try AWS WAF right away and see how much it catches for you!
24
Wishlist
➢ A transparent list of the SQL injection and XSS rules.
➢ Regular expression support in string match.
➢ The rate-based rule samples over a 5-minute window; let users adjust it.
➢ Logs only show the last 3 hours; it would be best to store logs to S3/CloudWatch Logs.
➢ Only 10 rules per web ACL...
➢ More features... (the support case categories don't even have "feature request"...)
25
References
❏ AWS Security Blog: https://aws.amazon.com/blogs/security/
❏ AWS WAF Developer Guide: http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
❏ AWS WAF Preconfigured Rules & Tutorials: https://aws.amazon.com/waf/preconfiguredrules/
❏ AWS Security Whitepaper: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
❏ AWS Security Best Practices: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
❏ Overview of AWS Security - Network Security: https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf
❏ AWS Best Practices for DDoS Resiliency Whitepaper: https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
26