AWS Web Application Firewall. Darren Weiner Cloud Architect/Engineer

Similar documents
Additional Security Services on AWS

Advanced Techniques for DDoS Mitigation and Web Application Defense

Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Securing Your Amazon Web Services Virtual Networks

Getting Started with AWS Security

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Hardening the Cloud: Assuring Agile Security in High-Growth Environments (Moving from span ports to virtual appliances)

haltdos - Web Application Firewall

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Securing Your Microsoft Azure Virtual Networks

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Elastic Load Balancing

Vision of the Software Defined Data Center (SDDC)

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

USE CASE - HYBRID CLOUD IZO MANAGED CLOUD FOR AWS

Cloud Security Strategy - Adapt to Changes with Security Automation -

Please give me your feedback

Pulse Secure Application Delivery

Automating Security Practices for the DevOps Revolution

CLOUD WORKLOAD SECURITY

Overcoming the Challenges of Automating Security in a DevOps Environment

STATE OF MODERN APPLICATIONS IN THE CLOUD

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

CREATING A CLOUD STRONGHOLD: Strategies and Methods to Manage and Secure Your Cloud

CYBER SECURITY WHITEPAPER

The Cloud Changes Nothing and Everything! Amazon.com, Inc. and its affiliates. All rights reserved.

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD

A10 HARMONY CONTROLLER

Amazon Web Services 101 April 17 th, 2014 Joel Williams Solutions Architect. Amazon.com, Inc. and its affiliates. All rights reserved.

DEVOPS AND THE FUTURE OF ENTERPRISE SECURITY

AWS Reference Design Document

Vom PoC zur IT-Transformation Cloud Adoption in der Praxis. Constantin Gonzalez Solutions Architect, Amazon Web Services Deutschland

Architecting for Greater Security in AWS

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

DevOps Tooling from AWS

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

THE ACCENTURE CYBER DEFENSE SOLUTION

AKAMAI CLOUD SECURITY SOLUTIONS

Benefits of Extending your Datacenters with Amazon Web Services

Business Strategy Theatre

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

The Top 6 WAF Essentials to Achieve Application Security Efficacy

ORACLE DEPLOYMENT DECISION GUIDE: COMPARING YOUR DEPLOYMENT OPTIONS

Cloud Computing Introduction & Offerings from IBM

RED HAT CLOUDFORMS. Chris Saunders Cloud Solutions

How Smart Networks are changing the Corporate WAN

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

The Evolution of Data Center Security, Risk and Compliance

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

AWS Well Architected Framework

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Data Protection Everywhere. For the modern data center

Vodafone keynote. How smart networks are changing the corporate WAN. Peter Terry Brown Director of Connectivity & UC.

5 reasons why choosing Apache Cassandra is planning for a multi-cloud future

Cloudreach Data Center Migration Services

Virtustream Managed Services Drive value from technology investments through IT management solutions. Tim Calahan, Manager Managed Services

Security

Perfect Balance of Public and Private Cloud

VMware Cloud on AWS The Next Generation Hybrid Cloud Architecture

AWS Solution Architect Associate

4/4/2018 F5 Government Symposium 2018 AWS and F5 Deep Dive

AWS 101. Patrick Pierson, IonChannel

Enabling Innovation in the Digital Economy

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

EY Norwegian Cloud Maturity Survey 2018

Modern Database Architectures Demand Modern Data Security Measures

Accelerate Your Cloud Journey

Securing Microservices Containerized Security in AWS

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

SIEM: Five Requirements that Solve the Bigger Business Issues

EY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services

90 % of WAN decision makers cite their

SECURE HYBRID CLOUD Solution

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Modernize Your Infrastructure

SD-WAN Solution How to Make the Best Choice for Your Business

Application security : going quicker

Sichere Applikations- dienste

Overview. Application security - the never-ending story

REALIZE YOUR. DIGITAL VISION with Digital Private Cloud from Atos and VMware

What s New at AWS? A selection of some new stuff. Constantin Gonzalez, Principal Solutions Architect, Amazon Web Services

Building an Effective Cloud Operating Model on AWS

What is Dell EMC Cloud for Microsoft Azure Stack?

Energy Management with AWS

Contents. Background. Use Cases. Product Introduction. Product Value

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY

QUALYS SECURITY CONFERENCE Qualys CertView. Managing Digital Certificates. Jimmy Graham Senior Director, Product Management, Qualys, Inc.

CISO as Change Agent: Getting to Yes

AUTOMATING SECDEVOPS WORKSHOP

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Brocade Application Delivery

Building Resilience in a Digital Enterprise

OptiSol FinTech Platforms

Transcription:

AWS Web Application Firewall Darren Weiner Cloud Architect/Engineer

My journey 20 years in IT 8 years in the cloud Rode the.com wave Web Admin DBA IT Director Cloud Consulting Today s Journey Adoption of cloud technologies Security ecosystem AWS Web Application Firewall Ø Feature overview Ø Process of adoption Live Demo Credits: https://design.tutsplus.com/tutorials/use-filter-forge-and-adobe-photoshop-to-create-a-yellow-brick-road--cms-25029 2

National Renewable Energy Laboratory Mission Statement Advance the science and engineering of energy efficiency, sustainable transportation, and renewable power technologies and provide the knowledge to integrate and optimize energy systems. Cloud Team Mission Statement Provide cloud services and expertise as an enterprise NREL-solution for enabling mission-driven data science, computing, application development, data management, and analysis innovation at the laboratory. 3

Why? Fast/Agile Innovation Continuum of service offerings Scalable, resilient Can reduce management complexity It s shiny, new and fun Cloud First/Cloud Native When? Is the business ready? (Federal Risk and Authorization Management Program) Is it best of breed? Does it need to be? Who are the stakeholders and the decision makers? Are your people ready? Training, comfort level. Will the code/platform adapt easily? 4

Before talking about the Web Application Firewall Let s talk about the WAF Well Architected Framework In the cloud it s easy to do things fast. It s another thing entirely to do them well Operational Excellence Security Reliability Performance Efficiency Cost Pillar by Bohdan Burmich from the Noun Project 5

Security tools Data Capture 6

Ability to respond Application Testing Vulnerability Scans Network Pen Testing Load Testing Development practices: OWASP Peer reviews 7

AWS Web Application Firewall Web Application firewall that natively integrates with key AWS services (Load balancers, CloudFront, more to come) Pushbutton deployment includes out-of-the gate solutions that address rate and rule-based vectors. Centralized WAF management Ideal solution for serverless architectures There are no infrastructure or appliances to manage. Ability to deploy new rules in a dev/test/prod paradigm Granular user access control to read/modification of ACLs. Reduces architectural footprint Provide ability to respond rapidly to user requests: Can automate Application Delivery Control features Fits nicely with CI/CD frameworks Alerts/notification and deep reporting capabilities Consumption based pricing model

Public logs Record set security group Availability Zone Availability Zone Availability Zone Private security group Availability Zone Availability Zone Availability Zone 9

Templatized deployment Rate/scan blocks: v Http floods v Scanner and probe Global blocks: v Global IP Reputation lists (11,1324 blocks, Updated hourly) v Blacklist Application protection: v SQL Injection v XSS Whitelist Bad bot blacklisting Additional Options: size-constrained rules Customized regex-based rules third party rulesets* Any rate-based function (via lambda)

NREL External Load Balancer Internal Load Balancer WAF APPLIANCE WAF APPLIANCE Availability Zone Availability Zone Availability Zone Amazon ECS Amazon ECS Amazon ECS Availability Zone Availability Zone Availability Zone 11

NREL X AWS WAF Internal Load Balancer External Load Balancer Availability Zone Availability Zone Availability Zone Amazon ECS Amazon ECS Amazon ECS Availability Zone Availability Zone Availability Zone 12

The Big Sell Requirements Finding stakeholders, then peddling wares. Cyber, Operations, Networking Top down, bottom up Proof-of-concept Powerpoint Ensuring exceptions are handled with appropriate change management. Forcing ourselves to move slow Limits to cloud knowledge 13

14

15

Full visibility with drill-down capability 16

Timely alerting of rule threshold breach 17

Application Delivery Control (Redirect/rewrite/internal/external access) Managed a bit differently - via load balancers 18

Change management process to be defined Can build a pipeline that integrates with service now process for tracking changes that impact external-facing systems. Cloud Team could stage changes, Networking team approves. 19

Pricing Pricing is largely consumption based. Fixed cost (per Ruleset): ~$20/month* Per 1 million requests: $1.20 $1.20 *Price is for using a 3 rd party ruleset. Using native AWS rulesets is roughly ½ the cost 20

Reasons to NOT deploy Don t have a single management plane across the enterprise Not best of breed? Some latency on rate-based rules Body inspection size limit Vendor lock Lack of expertise/training Current Status Currently implemented for internal websites and one small externally-facing site Enhanced with third party rulesets Working out centralizing logs on the cyber logging platform Training ops team on WAF and Load balancers 21

Record set Public logs security group Availability Zone Availability Zone Availability Zone Private security group Availability Zone Availability Zone Availability Zone 22

All journeys must come to an end AWS Web Application Firewall is a mature integrated product Organizations and individuals need to keep up with the pace of cloud innovation Evaluate maturity of cloud services to determine when is the right time Work towards compliance and security most organizations can and should do both Well architect your systems, don t just do it fast Remember developers rule the world Resources: https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/ https://d1.awsstatic.com/whitepapers/architecture/aws_well-architected_framework.pdf https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/template.html 23

Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback