© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF & Shield Advanced
Protect your application at the Edge
Threat landscape
Types of threats (mapped against the OSI layers: Application, Presentation, Session, Transport, Network)
DDoS: Ping of Death | ICMP Flood | Teardrop | Reflections | UDP Floods | SYN/ACK Flood | Slowloris | SSL Abuse
Web Application Attacks: HTTP Flood | Malformed HTTP | App exploits | CVEs | XSS | SQLi | RFI
Bad Bots: Bots | Scrapers | Crawlers
Trends of DDoS attacks
[Chart: Largest DDoS Attacks (Gbps), 2007 to 2018, y-axis 0 to 1600 Gbps; annotated peaks: Mirai Attacks, Memcached Attacks]
Cloud native protection
Pillars of perimeter protection
PREPARE: Build a DDoS resilient application on AWS
MONITOR: Be aware of the threat environment and application health
RESPOND: Engage the response team
Cloud native protection
Built-in protection: Always-on | Automatic | Distributed | AWS scale
Protection tools: Easy to use | Customizable | APIs | Experts support
Built-in protection for everyone
AWS Shield Standard: Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region.
Available to ALL AWS customers at no additional cost.
Daily DDoS attacks mitigated by AWS
Protection tools
DDoS resilient architecture
[Architecture diagram; components shown: Users, DDoS Attack, Route 53, CloudFront, AWS WAF, API Gateway, S3, Application Load Balancer (ALB Security Group, Public Subnet), EC2 Instances (Web Application Security Group, Private Subnet), CloudWatch]
API Acceleration - Slack
• Slack hosts its API behind an ALB, serving JSON files at more than 10B requests/week, and was looking for DDoS protection.
• Slack selected CloudFront for its reliability, flexibility and AWS integration. Average response time decreased from 480 ms to 200 ms.
AWS WAF & Shield Advanced
AWS WAF
Managed layer 7 inspection and mitigation tool that monitors HTTP/S requests and protects web applications from malicious activity.
Building blocks: Custom Rules | Managed Rules | Security Automation
AWS WAF benefits
AWS WAF
Easy to deploy
Fast incident response
Affordable
Full API support
Managed service
Custom rules
1. Define conditions: IP Match, Geo-IP, String Match, Regex Match, SQLi, XSS, Size Constraints
2. Define rules: Regular or rate based
3. Add to Web Access Control Lists: Order & action (Block, Allow, Count)
4. Attach to AWS Resource: CloudFront, ALB
Seller managed rules
Rules managed by experts
Choice of 6 partners
Pay as you go
Easy to deploy
Automatic updates
Security automations
Honeypot for bad bots | CloudFront log parsing | Reputation
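The "CloudFront log parsing" and "Reputation" automations above come down to mining the access logs for clients that misbehave and feeding them into an IP match condition. The following added example is my own construction, not code from the AWS Security Automations solution: it parses a constructed sample of CloudFront standard-log lines using the #Fields header the format carries, flags client IPs that produced at least five 4xx responses within any five-minute window, and renders them as /32 CIDRs for an IP set. The sample lines, the threshold and the window are assumptions.

```python
"""Flag CloudFront clients with an abnormal error rate (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a subset of the real CloudFront standard-log fields,
# tab-separated, preceded by the #Version and #Fields header lines.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query
2018-05-01\t10:00:01\tIAD79-C1\t512\t203.0.113.5\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-
2018-05-01\t10:00:03\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/old\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:00:04\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/admin\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:00:05\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/test\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:00:20\tIAD79-C1\t2048\t203.0.113.5\tGET\td111111abcdef8.cloudfront.net\t/css/site.css\t200\t-\tMozilla/5.0\t-
2018-05-01\t10:00:41\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/backup\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:01:02\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/manage\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:01:15\tIAD79-C1\t311\t203.0.113.5\tGET\td111111abcdef8.cloudfront.net\t/favicon.ico\t404\t-\tMozilla/5.0\t-
2018-05-01\t10:01:59\tIAD79-C1\t311\t198.51.100.23\tGET\td111111abcdef8.cloudfront.net\t/config\t404\t-\tcurl/7.58.0\t-
2018-05-01\t10:02:30\tIAD79-C1\t900\t203.0.113.5\tGET\td111111abcdef8.cloudfront.net\t/products\t200\t-\tMozilla/5.0\t-
"""


def parse_cloudfront_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # #Version line or blank line
        if fields is None:
            raise ValueError("record encountered before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip truncated or malformed records instead of guessing
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def flag_error_sources(records, threshold=5, window=timedelta(minutes=5),
                       error_statuses=("400", "403", "404")):
    """Return {ip: peak_error_count} for IPs that produced >= threshold
    error responses inside any sliding window of the given length."""
    per_ip = defaultdict(list)
    for rec in records:
        if rec["sc-status"] in error_statuses:
            per_ip[rec["c-ip"]].append(rec["timestamp"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def to_ip_set(flagged):
    """Render flagged IPs as /32 CIDRs, the form an IP match condition takes."""
    return sorted(f"{ip}/32" for ip in flagged)


if __name__ == "__main__":
    hits = flag_error_sources(parse_cloudfront_log(SAMPLE_LOG))
    print(hits, to_ip_set(hits))
```

In production the same logic runs over the log objects CloudFront delivers to S3 and the resulting list is pushed into an IP set with an expiry, so that a flagged client is released once it stops generating errors; a permanent block list built from a single window punishes legitimate clients that hit a broken link repeatedly.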
WAF automation - eVitamins
• A global online retailer of health and beauty products. They were looking to solve DDoS, bot and crawler security challenges.
• eVitamins selected AWS WAF for its protection, automation and ease of use.
AWS Firewall Manager
• Central management for security profile
• Automated policy enforcement across accounts & applications
• WAF rule sets
AWS Shield Advanced
Advanced protection
Additional detection & monitoring
Visibility into attack detection & mitigation
AWS WAF & FM at no additional cost
24x7 DDoS Response Team
Cost protection (absorb scaling costs)
CloudWatch metrics for Shield Advanced
Metrics: DDoSDetected | DDoSAttackBitsPerSecond | DDoSAttackPacketsPerSecond | DDoSAttackRequestsPerSecond
Dimensions: UDPTraffic | DNSReflection | SYNFlood | RequestFlood | …
Improving DDoS response time
[Diagram; components shown: Customer account: SoC Engineer, Shield Advanced IoT button, Engagement Lambda, DRT notification topic; AWS managed capabilities: AWS Shield, DRT, Support]
Cloud native protection in a nutshell
[Summary diagram: attacks from the Internet (DDoS, Web Application Attacks, Bad Bots) across the OSI layers (Application, Presentation, Session, Transport, Network); AWS services: AWS Shield, AWS WAF; customer infrastructure; pillars PREPARE / MONITOR / RESPOND backed by CloudWatch, CloudFront access logs, the DDoS Response Team and Security Automation]
To learn more about perimeter protection on AWS
DDoS Resiliency Whitepaper
AWS re:Invent 2017: Automating DDoS Response in the Cloud (SID324)
AWS re:Invent 2017: NEW LAUNCH! Introduction to Managed Rules for AWS WAF (SID217)
Best Practices for DDoS Mitigation on AWS
Advanced Techniques for Securing Your Web Applications with AWS WAF and AWS Shield
Appendixes
Evolution of WAF & DDoS mitigation
On-Premise Cloud-Routed Cloud-Native
WebACL example
Match Conditions: SQL injection | Cross-site scripting | Size constraint | IP addresses | String and Regex | Geo match
Rules (action: Allow, Count, Block), each built from match conditions
Rate-Based Rule (action: Count, Block)
Managed Rules (No override, Override to count)
WebACL: ordered list of the rules above, evaluated in order
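The "Custom rules" steps and this WebACL diagram describe a small evaluation model: a request is run through the rules in ACL order, every condition in a rule must match, COUNT only records the match and continues, ALLOW and BLOCK terminate, a rate-based rule matches once a client exceeds its limit inside a window, and the default action applies when nothing terminated. The following added Python model is my own illustration, not AWS code and not the AWS WAF API: the SQLi and XSS conditions are crude regex stand-ins for the real detectors, the rate limit of 5 is a toy value (AWS enforces a far higher minimum), and every rule name, CIDR and request is constructed.

```python
"""Toy model of AWS WAF WebACL evaluation order and actions (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import ipaddress
import re

ALLOW, COUNT, BLOCK = "ALLOW", "COUNT", "BLOCK"


@dataclass
class Request:
    ip: str
    country: str
    uri: str
    query: str = ""
    body: str = ""
    ts: float = 0.0  # seconds; only the rate-based rule uses it


# Match conditions: each returns a predicate Request -> bool.
def ip_match(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.ip) in n for n in nets)

def geo_match(countries):
    return lambda r: r.country in countries

def string_match(fld, needle):
    return lambda r: needle.lower() in getattr(r, fld).lower()

def regex_match(fld, pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda r: rx.search(getattr(r, fld)) is not None

def size_constraint(fld, max_bytes):
    return lambda r: len(getattr(r, fld).encode()) > max_bytes

# Toy stand-ins for the SQLi / XSS conditions; real AWS WAF detection is far
# richer. They only show where such a condition sits in the ACL.
def sqli_match(fld):
    return regex_match(fld, r"(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1|--\s*$)")

def xss_match(fld):
    return regex_match(fld, r"<\s*script\b|javascript:|onerror\s*=")


@dataclass
class Rule:
    name: str
    action: str
    conditions: list                 # all predicates must match (AND)
    rate_limit: int = 0              # > 0 turns this into a rate-based rule
    window: float = 300.0            # rate window in seconds (5 minutes)
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def matches(self, r):
        if not all(c(r) for c in self.conditions):
            return False
        if self.rate_limit == 0:
            return True
        # Rate-based: count this client's matching requests in a sliding window.
        q = self._hits[r.ip]
        q.append(r.ts)
        while q and r.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.rate_limit


class WebACL:
    def __init__(self, rules, default_action=ALLOW):
        self.rules = rules
        self.default_action = default_action

    def evaluate(self, r):
        """Return (final_action, [names of COUNT rules that matched])."""
        counted = []
        for rule in self.rules:          # ACL order decides precedence
            if rule.matches(r):
                if rule.action == COUNT:
                    counted.append(rule.name)
                    continue             # COUNT never terminates evaluation
                return rule.action, counted
        return self.default_action, counted


def build_example_acl():
    """An ACL in the spirit of the deck's diagram, with constructed values."""
    return WebACL([
        Rule("trusted-office", ALLOW, [ip_match(["203.0.113.0/24"])]),
        Rule("block-sqli", BLOCK, [sqli_match("query")]),
        Rule("count-xss", COUNT, [xss_match("body")]),       # observe before enforcing
        Rule("block-oversize-body", BLOCK, [size_constraint("body", 8192)]),
        Rule("login-rate-limit", BLOCK, [string_match("uri", "/login")],
             rate_limit=5, window=300.0),                    # toy limit
    ], default_action=ALLOW)
```

Two things the model makes visible that the slides only imply: an ALLOW rule placed early short-circuits every later rule, including the SQLi block, which is why allow-lists belong in the ACL only for sources you fully trust; and a rule deployed in COUNT mode produces the match record without changing the verdict, which is the usual way to trial a new condition before switching it to BLOCK.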