Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Transcription:

Secure your Web Applications with AWS WAF & AWS Shield James Chiang ( 蔣宗恩 ) AWS Solution Architect www.cloudsec.com

What to expect from this session Types of Threats AWS Shield AWS WAF DEMO

Real World DDOS Attack http://map.norsecorp.com/#/

DDoS Threats and Trends [Chart: Largest DDoS Attacks (Gbps) by year, 2007 to 2018, with the Mirai attacks and Memcached attacks labelled]

Why is DDoS a Problem? Availability of your applications Attacks can last for hours and even days Financial Impact Lost Revenue Increased Infrastructure Expense Extortion Reputation Hit Security Data Loss

Types of DDoS attacks

Types of DDoS attacks Volumetric DDoS attacks Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)

Types of DDoS attacks State-exhaustion DDoS attacks Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)

Types of DDoS attacks Application-layer DDoS attacks Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)

Traditional Challenges with DDoS Protection Mitigations require bandwidth, lots of it. Scaling is expensive. Anomaly detection is challenging and evolving. DDoS expertise is in short supply.

AWS approach to DDoS protection

At AWS, our goal has always been to Remove undifferentiated heavy lifting Ensure availability Automatically protected against common attacks AWS services are highly available

DDoS protections built into AWS Integrated into the AWS global infrastructure Always-on, fast mitigation without external routing Redundant Internet connectivity in AWS data centers

DDoS protections built into AWS Protection against most common infrastructure attacks: SYN/ACK floods, UDP floods, reflection attacks, etc. No additional cost [Diagram labels: DDoS Attack, Users, DDoS mitigation systems]

Customers keep asking What about large DDoS attacks? Does AWS protect me from application layer attacks? Does AWS protect me from DDoS attacks? I want to talk to DDoS experts. How can I get visibility when I get attacked? Scaling for DDoS attacks is expensive.

AWS Shield A Managed DDoS Protection Service

Types of Threats AWS Shield DDoS Application Attacks Bad Bots Application Layer HTTP floods SQL injection Social engineering Sensitive data exposure Application exploits Crawlers Content scrapers Scanners & probes Network / Transport Layer Reflection SSL abuse Amplification Slowloris Layer 4 floods

Benefits of AWS Shield AWS Integration: DDoS protection without infrastructure changes. Always-On Detection and Mitigation: Minimize impact on application latency. Affordable: Don't force unnecessary trade-offs between cost and availability. Flexible: Customize protections for your applications.

AWS Shield Standard Protection: Available to ALL AWS customers at no additional cost. Advanced Protection: Paid service that provides additional protections, features, and benefits.

AWS Shield Standard Layer 3/4 protection Automatic detection & mitigation Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.) Layer 7 protection AWS WAF for Layer 7 DDoS attack mitigation Self-service & pay-as-you-go Built into AWS services Automatic protection against 96% of Layer 3/4 attacks Available globally on all internet-facing AWS services

L3/L4 Automatic mitigation system Developed an L3/L4 automatic mitigation system based on DDoS protection experience. For CloudFront and Route 53, it is placed inline before the edge location and examines all incoming packets. Automatic reduction of 96% of DDoS attacks. No additional settings or fees. Advantages: Scalability and low cost; Permanent protection; Automatic mitigation; Built for AWS solution. [Diagram labels: User, DDoS Attack, Automatic mitigation, Edge Location (CloudFront, Route 53), AWS Region, Customer's Origin Infrastructure (ELB, EC2, S3, etc.)]

DDoS attack mitigation example May 6, 2015: DNS flood attack targeting Route 53's 34 edge locations. Peak volume was in the top 4% of DDoS attacks to date (source: Arbor Networks). Automatically detected and mitigated without affecting availability. Mitigates hundreds of attacks each year.

AWS Shield Advanced Managed DDoS Protection

AWS Shield Advanced Additional detection & monitoring Protection against large DDoS attacks Visibility into attack detection & mitigation AWS WAF at no additional cost 24X7 DDoS response team Cost protection (absorb DDoS scaling cost)

AWS Shield Advanced Available on... Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53 In the following regions... Northern Virginia (us-east-1) Oregon (us-west-2) Ireland (eu-west-1) Tokyo (ap-northeast-1)

Demo

AWS DDoS Shield: Pricing
Standard Protection: No commitment. No additional cost.
Advanced Protection: 1 year subscription commitment. Monthly base fee: $3,000. Data transfer fees.
Data Transfer Price ($ per GB):
Tier | CloudFront | ELB
First 100 TB | $0.025 | $0.050
Next 400 TB | $0.020 | $0.040
Next 500 TB | $0.015 | $0.030
Next 4 PB | $0.010 | Contact Us
Above 5 PB | Contact Us | Contact Us

AWS DDoS Shield: How to choose
Standard Protection: For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS.
Advanced Protection: For additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24X7 access to DDoS experts for complex cases.

AWS WAF Managed DDoS Protection

Types of Threats DDoS Application Attacks Bad Bots Application Layer AWS WAF HTTP floods SQL injection Social engineering Sensitive data exposure Application exploits Crawlers Content scrapers Scanners & probes Network / Transport Layer Reflection SSL abuse Amplification Slowloris Layer 4 floods

How Does AWS WAF Protect you?

What is AWS WAF? Malicious request blocking SQLi XSS Web traffic filtering with custom rules Rate based rules IP Match & Geo-IP filters Regex & String Match Size constraints Action: Allow/Block Active monitoring & tuning CloudWatch Metrics/Alarms Sampled Logs Count Action mode

Common protections using AWS WAF today: HTTP floods (rate-based rules), Scanners and probes, IP reputation lists, Bots and scrapers, SQL injection, Cross-site scripting

AWS WAF available on Amazon CloudFront Application Load Balancer

AWS WAF Key Benefits Ease of Use Fast Incident Response APIs + Flexible Rule Language Preconfigured Protection

Example: Whitelisting good users. Verify that a valid referrer is present.
RAW request headers:
  Host: www.example.com
  User-Agent: Mozilla/5.0 (Macintosh;
  Accept: image/png,image/*;q=0.8,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://www.example.com/
  Connection: keep-alive
Rule (string match condition):
  Check: Header Referer
  Match Type: Contains
  Match: example.com
  Action: ALLOW
[Diagram labels: Good users, CloudFront, AWS WAF]

Example: Apache Struts Vulnerability Virtual Patching: A security policy enforcement layer which prevents the exploitation of a known vulnerability in the code. For more details: https://forums.aws.amazon.com/ann.jspa?annid=4489

Example: Rate limit access to login page Rate-based Rule String Match condition on URI Protection from Brute force login attempts
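The rate-limit slide above combines a rate-based rule with a string match on the URI. The following Python model is an added example, not code from the slides or from AWS: it counts matching requests per source IP over a 5-minute window and blocks once the limit is exceeded. The `/login` path, the limit of 5 and the sample requests are constructed assumptions, and the per-request evaluation is a simplification of how the service applies the rule.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # AWS WAF rate-based rules count requests per source IP over 5 minutes
RATE_LIMIT = 5        # assumption: tiny limit so the constructed sample trips it
LOGIN_URI = "/login"  # assumption: login path used for the string match condition

# Constructed sample traffic: (epoch seconds, client IP, URI path)
SAMPLE_REQUESTS = (
    [(1000 + 10 * i, "198.51.100.7", "/login") for i in range(8)]       # login burst
    + [(1000 + 10 * i, "203.0.113.20", "/products") for i in range(8)]  # busy, not login
    + [(1005, "203.0.113.20", "/login"),    # one ordinary login
       (1400, "198.51.100.7", "/login")]    # same IP as the burst, after the window
)


def evaluate(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS, uri=LOGIN_URI):
    """Return (timestamp, ip, path, action) for each request, in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of matching requests still in window
    decisions = []
    for ts, ip, path in sorted(requests):
        action = "ALLOW"
        if path.startswith(uri):  # string match condition on the URI
            hits = recent[ip]
            while hits and hits[0] <= ts - window:
                hits.popleft()    # forget requests older than the window
            hits.append(ts)
            if len(hits) > limit:  # rate exceeded for this source IP
                action = "BLOCK"
        decisions.append((ts, ip, path, action))
    return decisions


def blocked_ips(decisions):
    """Source IPs that had at least one request blocked."""
    return sorted({ip for _, ip, _, action in decisions if action == "BLOCK"})


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_REQUESTS):
        print(*decision)
```

Because the string match scopes the counter to the login URI, the client that sends many `/products` requests is never rate limited, and the burst source is allowed again once its earlier attempts age out of the window.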

Management Rule is enabled: Managed Rules on AWS WAF, five featured sellers!

Featured sellers

Management Rule Key benefits 1. Rules managed by security experts 2. Choice of protections 3. Auto-updates 4. Pay as you go 5. Easy to deploy

Deploy in three easy steps Find rules on AWS WAF console or AWS Marketplace Click and subscribe Associate rules in AWS WAF

Trend Micro: Product details 1. Rules for Nginx and Apache servers: Protects web servers, including the Apache Suite (Apache Httpd, Apache Struts, Apache Tomcat) and Nginx, from known vulnerabilities and helps meet PCI DSS requirements. 2. Content Management Servers (CMS) Rules: Protects common CMS and EMS including WordPress, Joomla, and Drupal from known vulnerabilities, and helps meet PCI DSS requirements. Trend Micro delivers proactive global threat intelligence against zero-hour threats to ensure that you are always protected.

Demo

THANK YOU James Chiang AWS Solution Architect www.cloudsec.com