WAF for ALBs

Arun Kumar

Posted on June 10, 2021

Overview

AWS WAF can now be attached directly to Application Load Balancers in many regions.

Clients want a reusable pattern for the ALB → (Lambda | EC2) topology, fronted by WAF and served over HTTPS.

Clients want to minimise the maintenance footprint of adding WAF to many applications.

Architecture

[Architecture diagram: arch]
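As an added example (not code from the original post or from the AWS solution it describes), the ALB → (Lambda | EC2) pattern above expressed against the WAFv2 API with boto3: a REGIONAL web ACL holding a manual deny-list IP set, a rate-based HTTP-flood rule and the AWS managed SQLi rule group, validated locally and then associated with the ALB. The request limit, IP set ARN, ALB ARN and region are assumed placeholder values.

```python
"""Build, validate and attach a WAFv2 web ACL for an ALB.
Added example; values marked as assumptions are placeholders, not from the post."""
from __future__ import annotations

# Assumptions (placeholders, not from the original post):
FLOOD_LIMIT = 2000  # requests per source IP over WAF's trailing 5-minute window
DENY_IPSET_ARN = "arn:aws:wafv2:ap-southeast-2:123456789012:regional/ipset/deny-list/00000000"


def _visibility(metric: str) -> dict:
    """Every rule and the ACL itself need a VisibilityConfig for CloudWatch metrics/sampling."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def build_web_acl(name: str, flood_limit: int = FLOOD_LIMIT, deny_ipset_arn: str = DENY_IPSET_ARN) -> dict:
    """Return the kwargs for wafv2.create_web_acl().  Rules are evaluated in priority
    order, first terminating match wins, and unmatched requests get DefaultAction."""
    rules = [
        {   # 0: manual deny list (the post's "black list"), the cheapest check, so it runs first
            "Name": "deny-list", "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": deny_ipset_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("DenyList"),
        },
        {   # 1: HTTP flood: WAF counts requests per source IP over the trailing 5 minutes
            "Name": "http-flood", "Priority": 1,
            "Statement": {"RateBasedStatement": {"Limit": flood_limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("HttpFlood"),
        },
        {   # 2: AWS managed SQLi rule group; OverrideAction None keeps the group's own actions
            "Name": "aws-sqli", "Priority": 2,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                        "Name": "AWSManagedRulesSQLiRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility("AwsSqli"),
        },
    ]
    return {
        "Name": name,
        "Scope": "REGIONAL",  # ALB / API Gateway; CloudFront ACLs use CLOUDFRONT scope in us-east-1
        "DefaultAction": {"Allow": {}},
        "Description": "ALB web ACL: deny list, HTTP flood, SQLi",
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def validate_web_acl(acl: dict) -> list[str]:
    """Checks worth running before the API call: REGIONAL scope (an ALB cannot take a
    CloudFront ACL), unique priorities, exactly one of Action/OverrideAction per rule,
    and a rate limit in WAF's documented range (100 was the minimum when the post was written)."""
    problems: list[str] = []
    if acl["Scope"] != "REGIONAL":
        problems.append("ALB web ACLs must be REGIONAL")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{r['Name']}: exactly one of Action/OverrideAction required")
        rate = r["Statement"].get("RateBasedStatement")
        if rate and not 100 <= rate["Limit"] <= 2_000_000_000:
            problems.append(f"{r['Name']}: rate limit out of range")
    return problems


def deploy(acl: dict, alb_arn: str, region: str) -> str:
    """Create the web ACL and associate it with the ALB; returns the web ACL ARN.
    Needs AWS credentials; boto3 is imported here so everything else runs offline."""
    import boto3
    wafv2 = boto3.client("wafv2", region_name=region)
    acl_arn = wafv2.create_web_acl(**acl)["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=acl_arn, ResourceArn=alb_arn)
    return acl_arn


if __name__ == "__main__":
    acl = build_web_acl("app-alb-waf")
    print(validate_web_acl(acl) or "web ACL definition OK")
    # deploy(acl, "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/app/demo/abc",
    #        "ap-southeast-2")  # assumed ALB ARN; uncomment with real credentials
```

Only deploy() touches AWS; build_web_acl() and validate_web_acl() run offline, so the definition can be unit-tested in CI before it is applied to every account. Priorities decide evaluation order: the cheap IP-set check runs first, the rate rule next, and the managed group last, which also keeps the billed rule count visible in one place.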

Pricing Details

WAF Pricing

a. WAF

  • $5 per web ACL per month
  • $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
  • $0.60 per million web requests

b. F5

  • $20 per unit per month in each available region (pro-rated by the hour)
  • $1.20 per unit per million requests in each available region

Estimates (monthly figures, then multiplied by 12)

a. WAF pricing

  • 12 web ACLs (6 × 2 ACLs) × $5 = $60
  • 10 rules per web ACL = 120 rules × $1 = $120
  • 100 million requests × $0.60 = $60
  • $240 per month, $2,880 annual cost

b. Marketplace pricing (4 F5 managed rule sets)

  • $80 per account per region per month (4 rule sets × $20) × 6 = $480
  • 100 million requests × $1.20 × 4 rule sets = $480 (total requests across all accounts and regions)
  • $960 per month, $11,520 annual cost

c. Total pricing estimate

  • $14,400 annual total ($2,880 WAF + $11,520 marketplace)

Solutions

a. The solution is authored by AWS itself (the AWS WAF Security Automations solution, deployed from a CloudFormation template).

b. Without a dedicated security team a "web application firewall strategy" can be a hassle (it can be even with one).

c. AWS WAF web ACL: a central inspection and decision point for incoming requests, shared by every application attached to it.

  • The solution ships with a set of preconfigured rules for use with ALB and CloudFront.

  • Marketplace managed rule groups, such as the F5 ones, are referenced from the same web ACL, so they should integrate without much extra work (assumed, not yet verified).

d. Log analysis: more than a fixed set of "WAF rules to apply", the solution includes mechanisms for updating the rules:

  • Both WAF logs and application logs are parsed by Athena or Lambda to detect HTTP floods and scanners and probes.

  • A scheduled CloudWatch Events rule triggers a Lambda function that refreshes the IP reputation lists.

  • Bad-bot lists are also updated by a Lambda function.

Types of Rules

a. Allow/deny listing (manual IP lists)

  • No automation is set up around these lists; is the expectation that they are managed via the AWS Console?

b. SQL injection and XSS (pattern matching on the URI, query string and request body)

c. HTTP flood (web-layer DDoS, brute-force logins)

  • Implemented as a rate-based rule (the Custom::ConfigureRateBasedRule custom resource, enabled via HttpFloodProtectionRateBasedRuleActivated) that blocks a source IP once its request count over the trailing 5-minute window exceeds the configured limit.

d. Scanners and probes (an abnormal number of error responses from one origin)

e. IP reputation lists (third-party lists, refreshed hourly)

  • spamhaus.org
  • torproject.org
  • emergingthreats.net

f. Bad bot (a honeypot endpoint that attracts bots)

  • Implemented with API Gateway and Lambda
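An added example (not code from the original post or from the AWS solution) of the log-analysis step in Solutions item d and of the HTTP flood and scanners-and-probes rules above: a parser for ALB access-log lines, a per-IP sliding-window request counter that mirrors the rate-based rule's trailing window, and a per-IP error counter for the scanner signal. The thresholds, the sample log lines and the IP addresses are constructed for the demo; the real solution reads the logs from S3 via Athena or Lambda and then updates a WAF IP set with the offenders.

```python
"""Flag HTTP-flood and scanner/probe sources from ALB access logs.
Added example; thresholds and sample traffic are constructed, not from the post."""
from __future__ import annotations

import shlex
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed demo thresholds (the real rule uses far larger limits):
FLOOD_LIMIT = 5        # requests per source IP per window before we call it a flood
FLOOD_WINDOW_S = 300   # 5-minute trailing window, the same window WAF's rate-based rule uses
ERROR_THRESHOLD = 4    # 4xx/5xx responses per IP before we call it a scanner


def parse_alb_line(line: str) -> dict:
    """Split one ALB access-log line.  The request and user-agent fields are quoted and
    contain spaces, so shlex is used instead of str.split.  Only used fields are kept."""
    f = shlex.split(line)
    return {
        "ts": datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "ip": f[3].rsplit(":", 1)[0],   # client:port -> client
        "status": int(f[8]),            # elb_status_code
        "request": f[12],               # "METHOD URL VERSION"
    }


def find_http_flood(records, limit: int = FLOOD_LIMIT, window_s: int = FLOOD_WINDOW_S) -> dict[str, int]:
    """Per-IP sliding window over sorted timestamps; returns IPs whose request count in
    some window exceeded `limit`, with the peak count seen (what the rate rule would block on)."""
    peaks: dict[str, int] = {}
    windows: dict[str, deque] = defaultdict(deque)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        w = windows[r["ip"]]
        w.append(r["ts"])
        while (r["ts"] - w[0]).total_seconds() > window_s:   # drop requests older than the window
            w.popleft()
        if len(w) > limit:
            peaks[r["ip"]] = max(peaks.get(r["ip"], 0), len(w))
    return peaks


def find_scanners(records, error_threshold: int = ERROR_THRESHOLD) -> dict[str, int]:
    """Count 4xx/5xx responses per IP; sources at or above the threshold are probing."""
    errors: dict[str, int] = defaultdict(int)
    for r in records:
        if r["status"] >= 400:
            errors[r["ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= error_threshold}


def _alb_line(ts: str, ip: str, status: int, path: str) -> str:
    """Constructed ALB access-log line in the documented field order; all values are made up."""
    return (f'https {ts} app/demo-alb/0123456789abcdef {ip}:51234 10.0.1.5:80 '
            f'0.001 0.004 0.000 {status} {status} 200 1200 '
            f'"GET https://app.example.com:443{path} HTTP/1.1" "curl/7.68.0" '
            f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
            f'arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:targetgroup/demo/0a1b2c3d4e5f6a7b '
            f'"Root=1-60c1b2d3-0123456789abcdef01234567" "app.example.com" "-" 0 {ts} '
            f'"forward" "-" "-" "10.0.1.5:80" "{status}" "-" "-"')


def _sample_log() -> list[str]:
    """Constructed demo traffic (RFC 5737 documentation addresses): a login burst from
    203.0.113.10, path probing from 198.51.100.7, two ordinary requests from 192.0.2.1."""
    lines = []
    for s in range(0, 48, 6):                       # 8 requests in 42 seconds
        lines.append(_alb_line(f"2021-06-10T12:00:{s:02d}.000000Z", "203.0.113.10", 200, "/login"))
    probes = ["/wp-admin", "/.env", "/phpmyadmin", "/.git/config", "/admin"]
    for s, path in enumerate(probes):               # 5 requests, every one a 404
        lines.append(_alb_line(f"2021-06-10T12:01:{s:02d}.000000Z", "198.51.100.7", 404, path))
    lines.append(_alb_line("2021-06-10T12:02:00.000000Z", "192.0.2.1", 200, "/"))
    lines.append(_alb_line("2021-06-10T12:02:30.000000Z", "192.0.2.1", 200, "/health"))
    return lines


SAMPLE_LOG = _sample_log()


def analyze(lines) -> dict:
    """Parse the lines and return both offender sets; the real Lambda would push these
    IPs into the flood and scanner IP sets referenced by the web ACL."""
    records = [parse_alb_line(line) for line in lines]
    return {"flood": find_http_flood(records), "scanners": find_scanners(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The flood detector deliberately works on a sliding window rather than fixed minute buckets, because the WAF rate-based rule counts the trailing five minutes and a burst split across two buckets would otherwise be missed; the scanner detector counts errors only, so a noisy but legitimate client with many 200s is not flagged. In production both thresholds are tuned per application from the same logs before the IP sets are written.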