WAF for ALBs
This content originally appeared on DEV Community and was authored by Arun Kumar

Overview

AWS WAF support for Application Load Balancers (ALBs) is now available in many regions.

Clients want a pattern for ALB → (Lambda | EC2) deployments that are secured via WAF (and HTTPS).

Clients want to minimise the maintenance footprint of adding WAF for many applications.

Architecture

[architecture diagram not reproduced in this copy]

Pricing Details

WAF Pricing

a. WAF

  • $5 per web ACL per month
  • $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
  • $0.60 per million web requests

b. F5 managed rulesets (AWS Marketplace)

  • $20 per ruleset per month in each region where it is used (pro-rated by the hour)
  • $1.20 per million requests per ruleset in each region

Estimates

a. AWS WAF pricing (per month, then annualised)

  • 12 web ACLs (6 account/region pairs x 2 ACLs) x $5 = $60
  • 10 rules per web ACL = 120 rules total x $1 = $120
  • 100 million requests per month x $0.60 = $60
  • $240 per month = $2,880 annual cost

b. Marketplace pricing (4 F5 managed rulesets)

  • 4 rulesets x $20 = $80 per account per region per month, x 6 account/region pairs = $480
  • 100 million requests per month (total across all accounts/regions) x $1.20 x 4 rulesets = $480
  • $960 per month = $11,520 annual cost

c. Total pricing estimate

  • $1,200 per month = $14,400 annual total
  • Not included: WAF log delivery (Kinesis Data Firehose/S3) and the Lambda and Athena usage of the automation described below

Solutions

a. The solution's author is AWS itself

b. Without a dedicated security team, a web application firewall strategy is hard to sustain (and it is not trivial even with one)

c. AWS WAF web ACL: the central inspection and decision point for incoming requests (for all apps that use it)

  • This solution ships a set of preconfigured rules for use with ALB and CloudFront

  • I’m assuming we can easily integrate with marketplace rules, like the F5 ones.

d. Log analysis: more than just “which WAF rules to apply”, there are mechanisms for updating the rules from what the logs show:

  • Both WAF logs and application logs can be parsed by Athena/Lambda to detect HTTP floods and scanners & probes

  • A scheduled CloudWatch Events rule triggers a Lambda function that refreshes the IP reputation lists

  • The bad-bot list is also updated by a Lambda function.
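As an added example (not code from the original post or from AWS), here is what the log-analysis and reputation-list Lambdas described in d. would do, run offline over constructed sample data; it also serves the HTTP Flood, Scanners & Probes and IP Reputation List rule types listed in the next section. The ALB access-log lines, the feed contents, the thresholds, the IP set name/id and the 10,000-address quota are assumptions; only update_ip_set() talks to AWS, through a boto3 wafv2 client you pass in.

```python
"""Added example, not code from the original post or from AWS: the log-driven
rules the post lists (HTTP flood, scanners & probes) run over constructed ALB
access-log lines, plus parsing of third-party reputation lists into the CIDR
form a WAFv2 IPV4 IP set accepts. Only update_ip_set() touches AWS (via a
boto3 ``wafv2`` client you pass in); sample data and constants are assumed."""
import ipaddress
import shlex
from collections import Counter
from datetime import datetime, timezone

WINDOW_SECONDS = 300   # WAF rate-based rules evaluate a 5-minute window
FLOOD_LIMIT = 100      # example threshold; check the current WAFv2 minimum Limit
ERROR_LIMIT = 20       # 4xx responses per window that mark a scanner/prober
IP_SET_MAX = 10000     # assumed per-IP-set address quota; verify in your account


def parse_alb_line(line):
    """One ALB access-log line (documented field order) -> dict.
    shlex.split keeps the quoted request and user-agent fields whole."""
    f = shlex.split(line)
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    client_ip = f[3].rpartition(":")[0].strip("[]")   # "ip:port" or "[v6]:port"
    return {"ts": ts, "ip": client_ip, "status": int(f[8]), "request": f[12]}

def _bucket(rec):
    # Fixed buckets: a burst straddling a boundary is split in two, so this
    # under-counts relative to WAF's trailing window (it errs on the safe side).
    return int(rec["ts"].timestamp() // WINDOW_SECONDS)

def find_http_flood(records, limit=FLOOD_LIMIT):
    """Client IPs exceeding `limit` requests in one window (web-layer DDoS,
    login brute force)."""
    hits = Counter((r["ip"], _bucket(r)) for r in records)
    return {ip for (ip, _), n in hits.items() if n > limit}

def find_scanners(records, limit=ERROR_LIMIT):
    """Client IPs producing `limit` or more 4xx responses in one window."""
    errs = Counter((r["ip"], _bucket(r)) for r in records if 400 <= r["status"] < 500)
    return {ip for (ip, _), n in errs.items() if n >= limit}

def parse_reputation_list(text):
    """Normalise a Spamhaus DROP-style list ("net ; SBLnnn"), a Tor exit list
    or an Emerging Threats list (one address or CIDR per line, '#'/';'
    comments) into WAFv2 IPV4 IP-set strings. Bad lines are skipped so one
    upstream glitch cannot wipe the whole list."""
    cidrs = set()
    for raw in text.splitlines():
        token = raw.split(";")[0].split("#")[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net.version == 4:              # IPv6 belongs in a separate IPV6 IP set
            cidrs.add(net.with_prefixlen)  # bare host becomes "a.b.c.d/32"
    return cidrs

def merge_addresses(*cidr_sets, cap=IP_SET_MAX):
    # Deduplicate, widen bare IPs from log analysis to /32, sort and cap.
    merged = {ipaddress.ip_network(c, strict=False).with_prefixlen
              for s in cidr_sets for c in s}
    return sorted(merged)[:cap]

def update_ip_set(client, name, ip_set_id, addresses, scope="REGIONAL"):
    """Replace the IP set contents. WAFv2 needs the current LockToken
    (optimistic locking), so two Lambdas cannot silently clobber each other."""
    token = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)["LockToken"]
    return client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                                Addresses=addresses, LockToken=token)


# ---- constructed sample data (documentation IP ranges) ----------------------
def _alb_line(sec, ip, status, path):
    return (f'https 2021-06-10T15:00:{sec:02d}.000000Z app/demo-alb/abc123 '
            f'{ip}:51234 10.0.1.5:80 0.001 0.010 0.000 {status} {status} 100 200 '
            f'"GET https://demo.example.com:443{path} HTTP/1.1" '
            f'"python-requests/2.25" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')

SAMPLE_ALB_LOG = (
    [_alb_line(i % 60, "203.0.113.7", 200, "/login") for i in range(120)]   # flood
    + [_alb_line(i, "203.0.113.9", 404, f"/p{i}.php") for i in range(30)]   # scanner
    + [_alb_line(i, "203.0.113.10", 200, "/") for i in range(3)]            # normal
)
DROP_SAMPLE = "; DROP list (constructed)\n192.0.2.0/24 ; SBL000001\n198.51.100.0/24 ; SBL000002\n"
TOR_SAMPLE = "# exit list (constructed)\n203.0.113.200\nnot-an-ip\n2001:db8::1\n"

def block_list():
    """The address list the scheduled Lambda would push with update_ip_set()."""
    records = [parse_alb_line(line) for line in SAMPLE_ALB_LOG]
    from_logs = {f"{ip}/32" for ip in find_http_flood(records) | find_scanners(records)}
    from_feeds = parse_reputation_list(DROP_SAMPLE) | parse_reputation_list(TOR_SAMPLE)
    return merge_addresses(from_logs, from_feeds)
```

In a real deployment the Lambda would fetch the feeds over HTTPS, read the ALB logs from S3 (or query them through Athena) and finish with update_ip_set(boto3.client("wafv2"), "blocklist", "<ip-set-id>", block_list()). Note the two different comparison operators: the flood check mirrors a rate-based rule (block once the limit is exceeded), while the scanner check fires at the threshold, so tune ERROR_LIMIT against your own 404 baseline before enforcing.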

Types of Rules

a. White/black listing (manual lists)

  • No automation is set up around these lists; is the expectation that you manage them via the AWS Console (or the API)?

b. SQL Injection, XSS (patterns in the URI, query string and request body)

c. HTTP Flood (web-layer DDoS, brute-force logins)

  • Implemented as a rate-based rule, activated by the ConfigureRateBasedRule custom resource (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)

d. Scanners & Probes (an abnormal number of error responses generated by a single origin IP)

e. IP Reputation Lists (third-party lists, updated hourly)

  • spamhaus.org
  • torproject.org
  • emergingthreats.net

f. Bad Bot (a honeypot endpoint that attracts bots; its callers are added to the bot list)

  • API Gateway, Lambda
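As an added example (not the post's or AWS's code), the rule types above assembled into one regional WAFv2 web ACL, expressed as the keyword arguments boto3's wafv2.create_web_acl takes, linted locally, and attached to an ALB. The rule names, the choice of AWS managed rule groups for the SQLi/XSS patterns, the rate limit, the IP set ARNs and the ALB ARN are assumptions; only deploy() needs a boto3 wafv2 client.

```python
"""Added example, not the post's or AWS's code: a WAFv2 web ACL with the rule
types the post lists, built as the keyword arguments boto3's
wafv2.create_web_acl takes, linted, and associated with an ALB. Rule names,
managed rule group choices, IP set ARNs and the ALB ARN are assumptions."""

SCOPE = "REGIONAL"   # ALB scope; CloudFront web ACLs use CLOUDFRONT in us-east-1


def _visibility(metric):
    # Sampled requests and CloudWatch metrics are what the log-analysis Lambdas read
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}

def ip_set_rule(priority, name, ip_set_arn, action):
    """Manual allow/deny lists, the reputation list and bad-bot hits are all
    IP sets maintained by Lambdas; the web ACL only references them."""
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {action: {}}, "VisibilityConfig": _visibility(name)}

def rate_rule(priority, limit, name="HttpFloodRateBasedRule"):
    """Rate-based rule: block a client IP once it exceeds `limit` requests in
    the 5-minute evaluation window (web-layer DDoS, login brute force)."""
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility(name)}

def managed_rule(priority, group, count_only=False):
    """AWS managed rule group (SQLi/XSS pattern rules). count_only runs it in
    COUNT mode so false positives can be measured before it blocks anything."""
    return {"Name": group, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"Count": {}} if count_only else {"None": {}},
            "VisibilityConfig": _visibility(group)}

def build_web_acl(name, allow_arn, deny_arn, reputation_arn,
                  rate_limit=2000, managed_count_only=False):
    """Evaluation runs by ascending priority and Allow/Block terminate it, so the
    manual allow list goes first (trusted scanners bypass everything) and the
    cheap IP-set blocks precede the more expensive pattern rules."""
    rules = [
        ip_set_rule(0, "ManualAllowList", allow_arn, "Allow"),
        ip_set_rule(1, "ManualDenyList", deny_arn, "Block"),
        ip_set_rule(2, "IPReputationList", reputation_arn, "Block"),
        rate_rule(3, rate_limit),
        managed_rule(4, "AWSManagedRulesSQLiRuleSet", managed_count_only),
        managed_rule(5, "AWSManagedRulesCommonRuleSet", managed_count_only),  # has XSS rules
    ]
    return {"Name": name, "Scope": SCOPE, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": _visibility(name)}

def lint_web_acl(acl):
    """Cheap pre-deploy checks so a bad ACL fails locally rather than in a
    CloudFormation rollback: unique priorities, exactly one of
    Action/OverrideAction per rule, allow list evaluated before any block."""
    problems = []
    prios = [r["Priority"] for r in acl["Rules"]]
    if len(prios) != len(set(prios)):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{r['Name']}: needs exactly one of Action/OverrideAction")
    allows = [r["Priority"] for r in acl["Rules"] if r.get("Action") == {"Allow": {}}]
    blocks = [r["Priority"] for r in acl["Rules"] if r.get("Action") == {"Block": {}}]
    if allows and blocks and min(allows) > min(blocks):
        problems.append("a block rule is evaluated before the allow list")
    return problems

def deploy(client, acl, alb_arn):
    """Create the web ACL and attach it to the ALB; returns the web ACL ARN."""
    problems = lint_web_acl(acl)
    if problems:
        raise ValueError(problems)
    arn = client.create_web_acl(**acl)["Summary"]["ARN"]
    client.associate_web_acl(WebACLArn=arn, ResourceArn=alb_arn)
    return arn
```

Start with managed_count_only=True, watch the COUNT metrics for a week and only then switch the managed groups to enforcement; the 2000-per-five-minutes rate limit is a starting point, not a tuned value. Marketplace rule groups such as the F5 ones slot in the same way as managed_rule() does, with the vendor's VendorName and group name.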

Arun Kumar | Sciencx (2021-06-10T15:02:05+00:00) WAF for ALBs. Retrieved from https://www.scien.cx/2021/06/10/waf-for-albs/