Amazon AWS Certified Advanced Networking Specialty – Security & Compliance

January 16, 2023

1. Overview of Layer 7 Firewalls

Hey everyone, and welcome back to the KPLabs course. In today's lecture we'll be discussing the web application firewall (WAF). A WAF is currently one of the most critical components of a security infrastructure, and in most organizations, especially enterprise-grade ones, a web application firewall is already in place. So let's look into what a web application firewall is all about.

Now, we all know what a firewall is, and most of us have already used one in some way or other, whether AWS security groups or iptables, so this is something you should already know. One important thing is that these firewalls generally operate at layer three and layer four of the OSI model, the network and transport layers. The main aim of a firewall is to block malicious or unauthorized traffic, and a layer three/four firewall does that using only the information available at those two layers.

If I open up a random packet, within the transport layer you have things like the source port and destination port, and if you go into the Internet Protocol layer you have the source IP and destination IP. You also have things like the sequence number, which is within the transport layer, and this is where stateful versus stateless firewalls play a vital role. So this is what we already know: a generic firewall allows or denies based on IP addresses and port numbers. Coming back to the presentation, the main aim of a firewall is to not allow traffic that is malicious.

Now, the question is: since the firewall operates at layer three and layer four, it cannot really look into layer seven traffic, which is the application traffic. So what about malicious traffic like SQL injection attacks and cross-site scripting attacks, which operate at layer seven, specifically where the HTTP protocol operates? If you look into the diagram, the non-HTTP attacks can already be deterred with a standard packet firewall. The HTTP attacks cannot, because the firewall cannot read the HTTP payload. Let me show you again: within this packet you have the IP layer, the transport layer and the HTTP layer, which is layer seven. Within layer seven you have a lot of information, like the User-Agent, the request URI, the Host header and the HTTP request line itself.

All of these things a layer three/four firewall cannot read, because it does not operate at layer seven. And layer seven, where the applications are running, sees a huge amount of attacks. This is the reason why there was a need for a firewall which can read HTTP requests, operates at layer seven and can protect applications against various kinds of attacks. I'll show you: there is the OWASP Top 10, which lists the most common attacks specifically related to web applications. It can be SQL injection, which I'm sure you have heard about, cross-site scripting, and a lot more. These are the details mentioned within the OWASP Top 10.

And since all of them generally operate at layer seven, you need a firewall which can protect you against layer seven attacks, and this is what the web application firewall is all about. Web application firewalls are designed for web applications and operate at layer seven, so the rules you write for a WAF are specific to HTTP-based communication.

We'll look into it in detail, but just understand that one of the primary goals of the various WAFs which are available is to protect against the OWASP Top 10. This is very important. Considering the WAF vendors, there are a lot available, ranging from open source like NAXSI and ModSecurity to commercial solutions like Signal Sciences and Akamai, and AWS WAF, which is also a pretty interesting solution as far as the commercial ones are concerned.

Even a lot of content delivery networks like Cloudflare offer a web application firewall, which you can go ahead and look into. Definitely one of the best ones for a high-level overview is AWS WAF, because it is quite straightforward and you can go ahead and create your own rule sets, create your own web ACLs, et cetera. Again, there are commercial ones like Akamai and Signal Sciences which are good, but the problem with them is that many times they do not really entertain startups which have like five or six servers. That is quite a big pain, and this is the reason why I generally recommend going straight with AWS WAF: a simple, straightforward solution that you can use any time, and it is pay as you go. Anyway, we'll discuss more about this in the relevant section.

2. Overview of AWS WAF

Hey everyone, and welcome back to the KPLabs course. In today's lecture we'll be discussing the AWS web application firewall offering. This is a pretty interesting and pretty straightforward WAF offered by AWS, so let's look into what exactly it is and how exactly it works. AWS WAF works based on conditions, rules, web ACLs and associations. This might be a little confusing at the start, so what we'll do is take a very simple use case which will help us understand the entire flow on which AWS WAF operates. Let's take an example. Suppose that I live at place A in Bangalore and I want to meet a friend who lives at place B. In order to meet my friend, I'll definitely have to travel.

Before traveling, you should remember that Bangalore is a well-known city for traffic. So before I can actually travel, I have certain conditions. The first condition is whether the traffic is light or whether there is heavy traffic. The second condition is whether there is an Uber or Ola available so that I can hire a cab and reach place B, because it's not necessary that public transport will always get you to your destination. So these are the two conditions that I have, and this is the condition part; there can be multiple conditions here. Now let's go to the rules part.

Within the rules part, what I do is combine conditions. So if the traffic is light AND an Uber or Ola is available, you are making an AND condition here: the first condition is true and the second condition is also true. That is what rules define. You can combine multiple conditions in a rule. Now, what happens if these two conditions are met? That is where the web ACL comes in: okay, if these conditions are met then I'll go to meet my friend; if they are not met then I'll stay at home and go some other day. So this is the allow or deny decision. The last is association: this whole thing is associated with me. So I hope you understood. You have the condition, you have the rule which contains multiple conditions, you have the web ACL which decides whether to allow or block, so either I go or I stay back, and you have the association, whether it is associated with me or with some other person. Great.

We'll understand this in greater detail, so let's take each of them on a separate page. First are conditions. A condition basically defines the characteristic that needs to be analyzed within the HTTP web request, and there can be multiple conditions. As far as AWS WAF is concerned, at the time of this lecture it supports a total of six condition types: SQL injection, cross-site scripting, geographic location (for example, if someone is coming from Russia, that becomes a condition), IP addresses, size constraints based on the length of the request, and string and regex matching. When you talk about rules, if you have defined multiple conditions you can add them to a rule in an AND manner, so we can combine multiple conditions into a rule to precisely target a specific HTTP request.

There are two types of rules available. One is the regular rule and the second is the rate-based rule. To take an example of a regular rule: if a request comes from 172.30.0.50 and it includes SQL-like code, these are two individual conditions. In one rule there can be multiple conditions, and they are treated as AND: if the request is coming from this IP AND the request contains SQL-like code, this becomes a rule. That is a regular rule. A rate-based rule is a regular rule plus a rate-limiting feature. So the same thing: if the request is coming from 172.30.0.50, it includes SQLi code, AND the number of requests from that IP exceeds the threshold you configure, the rule matches. The slide gives 1000 requests in ten minutes as the example; note that AWS WAF Classic actually counts requests over a rolling five-minute window. So there is a rate-limiting feature in the rate-based rule.

Okay, so let's look into the first sample. What happens if the request is coming from this IP and it includes the SQLi code? Should it be allowed or not? That is the question, and it is defined in the web ACL. A web ACL is pretty simple: you add rules, and if a rule's conditions are met, it says what should be done, whether you should allow, block or just count. So there are three types of action: you either allow it, block it or just count it. The web ACL also has a default action for requests which do not match any rule. The last is association: to which resource should this whole thing be associated? Should it be associated with an EC2 instance, with a load balancer or with a CloudFront distribution?

Association is a very important concept because, at the time of this lecture, the WAF cannot be associated with an EC2 instance. There are only two supported associations: the application load balancer and CloudFront (support for further resource types, such as API Gateway, was added later). This is something you need to remember: you cannot attach it directly to an EC2 instance. Perfect. That is a lot of theory, so let's look into the AWS WAF console and each of these. I'll go to WAF and Shield; they have a combined page. I'll go to AWS WAF, and if you look into the conditions, there are six conditions which are part of WAF as of 2018. Again, this will increase in the future, but currently these are the six condition types available.
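As an added example (not part of the lecture and not AWS WAF's own code), here is a small Python model of what the first two lectures describe: a parser that exposes the layer seven fields a packet filter never sees (request URI, Host, User-Agent), conditions that each test one characteristic, regular and rate-based rules that AND their conditions, and a web ACL with allow, block and count actions plus a default action. The SQLi/XSS signatures, the 172.30.0.0/16 scope, the sample requests and the country metadata are all constructed for the demo, the rate limit of 5 is a lab value, and counting at evaluation time is a simplification of the real service.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into the fields a WAF inspects (method,
    request URI, Host/User-Agent headers, body). A layer 3/4 packet filter only
    sees the IP/TCP headers, passed around here as metadata (src_ip, country)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers,
            "body": body.decode("latin-1")}

# Conditions: each checks one characteristic of the request. The signatures
# are deliberately tiny; production engines use far richer rule sets.
SQLI = re.compile(r"(?i)'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s|;\s*drop\s")
XSS = re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*=")
Condition = Callable[[dict, dict], bool]

def cond_pattern(pattern: "re.Pattern") -> Condition:
    # URL-decode first: a WAF applies text transformations before matching
    return lambda req, meta: bool(
        pattern.search(unquote_plus(req["uri"] + " " + req["body"])))

def cond_geo(countries: set) -> Condition:
    # AWS derives the country from the source IP; the demo assumes that
    # lookup already happened and reads the result from the metadata.
    return lambda req, meta: meta["country"] in countries

def cond_ip(cidrs: List[str]) -> Condition:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req, meta: any(
        ipaddress.ip_address(meta["src_ip"]) in n for n in nets)

@dataclass
class Rule:
    name: str
    conditions: List[Condition]       # all must hold: conditions are ANDed
    action: str                       # "ALLOW", "BLOCK" or "COUNT"
    rate_limit: Optional[int] = None  # None -> regular rule, else rate-based
    window: int = 300                 # seconds; WAF Classic used 5 minutes
    _hits: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def matches(self, req: dict, meta: dict) -> bool:
        if not all(c(req, meta) for c in self.conditions):
            return False
        if self.rate_limit is None:
            return True
        # Rate-based: the conditions scope what is counted per source IP; the
        # rule fires once the count inside the window exceeds the limit.
        hits = self._hits[meta["src_ip"]]
        hits.append(meta["ts"])
        while hits and hits[0] <= meta["ts"] - self.window:
            hits.popleft()
        return len(hits) > self.rate_limit

@dataclass
class WebACL:
    rules: List[Rule]    # evaluated in order; the first ALLOW/BLOCK match wins
    default_action: str  # applied when no rule matches
    counts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, req: dict, meta: dict) -> str:
        for rule in self.rules:
            if rule.matches(req, meta):
                if rule.action == "COUNT":  # COUNT only records; keep going
                    self.counts[rule.name] += 1
                    continue
                return rule.action
        return self.default_action

def build_lab_acl() -> WebACL:
    """The lecture's web ACL (allow India, block everything else) with the
    block rules ahead of the broad allow, so a request from India carrying
    SQL injection is still stopped. Order matters: first match wins."""
    return WebACL(rules=[
        Rule("block-sqli", [cond_pattern(SQLI)], "BLOCK"),
        Rule("count-xss", [cond_pattern(XSS)], "COUNT"),
        # rate-based rule scoped to the lecture's 172.30.x.x example source;
        # a limit of 5 is a lab value, far below anything AWS would accept
        Rule("rate-limit-172-30", [cond_ip(["172.30.0.0/16"])], "BLOCK",
             rate_limit=5, window=300),
        Rule("allow-india", [cond_geo({"IN"})], "ALLOW"),
    ], default_action="BLOCK")

def make_request(uri: str, host: str = "shop.example.in") -> bytes:
    """Constructed sample request (not captured traffic)."""
    return (f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/5.0\r\n\r\n").encode()
```

Drive it with acl = build_lab_acl() and acl.evaluate(parse_http_request(make_request("/products?id=42")), {"src_ip": "49.0.0.1", "country": "IN", "ts": 0}), which returns "ALLOW"; the same request with country "DE" hits the default action and returns "BLOCK", while "/products?id=1%27%20OR%201%3D1--" from India is blocked by the SQLi rule before the geo allow is ever consulted. The point of the rule order is the one to carry into the real console: a geo allow rule placed first lets an Indian source send anything it likes.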

Geo match is quite interesting because, let's assume you have an e-commerce website based in India. You don't really need requests coming from Russia or other countries, so you can actually block all requests from countries other than India. A very interesting condition. To many of the startups which are solely based in India with Indian customers, I suggest implementing geo match based conditions anyway. So I'll show you. These are the conditions. Within the geo match condition you can have multiple filters. Let me select Virginia, since you have to select the region, and within this I have a condition already created called "geo condition". That is the name of the condition. Within this condition, I have a filter for India.

So it will look into all the requests coming from multiple countries, and it has the capability to check whether the request is coming from India or from a country which is not India. So I have one condition. Now I go to rules. We have already seen that within rules you can attach conditions, so I have attached this specific condition. Within this rule there can be multiple conditions attached. So I have a condition, I have a rule, and the last is the web ACL. Within the web ACL I have associated this rule, and the web ACL decides whether it should allow or block the request.

Currently the rule action is allow. So this web ACL will check whether the request is coming from India or not. If it is coming from India, then the action is allow. If it is not coming from India, then the default action applies, whether to allow or block. I'll click on block, because I don't really need those requests. So this is what web ACLs are all about. Now, AWS WAF has a nice little graph which gives you an overview of blocked requests, allowed requests and various others. So even for a geo rule, this is where you can get sampled requests, which can tell you from which IPs the requests have been coming. We'll look into it during the implementation part, but this is where it gives you a great amount of detail. So let's look at whether it really works. Currently I'm based in India, and this specific web ACL is connected to my load balancer. I'll show you this.

I'll add an association and associate it with my application load balancer. We already discussed the association part: there are only two associations, the application load balancer and CloudFront. So currently this is associated with the application load balancer. I'll quickly go to the ALB to verify whether it is actually connected. I'll go to Load Balancers, go to the KPLabs ALB, and if you look into the web ACL field, I already have a web ACL associated. Perfect. Now let's see whether it is actually working. We'll send a request to the ALB, one from India and a second from another location. Ideally what should happen is that the request from India is allowed and the request from a different location is blocked.

If I press Enter, you see I get a response which says KPLabs internal. So this seems to be working perfectly. Now I have the Opera browser, and Opera comes with a built-in VPN, within which I have Europe as the location. If I go to the same URL, let's see whether it works or not, and you see it is showing 403 Forbidden. This is what the WAF is actually doing. So this is one of the classic examples of geolocation-based rules in the WAF. Again, we have already seen that it can protect against various attacks like SQL injection, cross-site scripting and others.

3. Implementing AWS WAF with ALB

Hey everyone, and welcome back to the KPLabs course. In the earlier lecture we had a high-level overview of what AWS WAF is all about. In today's lecture we'll look into the implementation part and how we can actually configure the WAF. One thing we already discussed is the association part: AWS WAF currently supports two types of association, the ALB and CloudFront. So before we design a web ACL, we should have one of these already deployed. I already have an ALB deployed, but what we'll do is repeat this exercise and deploy a brand new ALB so that we are on the same page. Before an ALB can be deployed, you need to have an EC2 instance. I have this EC2 instance which serves a simple NGINX page. You can just run yum install nginx followed by service nginx start, and these are the only two steps you need to do.

And you should have some kind of page on the EC2 instance. Once you have it, we can go ahead and create a load balancer. The type would be Application Load Balancer. Let me name it kplabs-waf so that it is easily recognizable. The address type would be IPv4, and I'll put it in availability zone 1a; okay, great, you have to select two availability zones. I'll go to Security Groups and select the security group which basically allows everything. Now routing: go to the target group, name it target-waf and go to Next. Here just select the EC2 instance which has the web server running, go to Next, review and click on Create. Perfect. So you have the kplabs-waf load balancer here. It takes a little time for this to get configured, so while the state changes from provisioning to active we can go ahead and deploy our web application firewall. Perfect.

I'll go to Services and type AWS WAF, which takes me to the common page for WAF and Shield, and I'll select WAF for the time being. If you look into the diagram, the flow is simple: first you create a condition, second you create a rule, third you create a web ACL and fourth you create an association. We'll follow the same approach. First we'll create a condition. The condition type I'll select is geo match, and you have to filter by the region where it will be implemented. I'll be using the North Virginia region, where my ALB is deployed. I'll create a condition and name it kplabs-demo. The region will be North Virginia. Since this is a geo match, the location type would be country, and then you specify the country. I'll select India. Perfect. I'll click on Add location, and the location has been added.

If you want to allow requests from multiple countries, you can add them here as well. I'll click on Create. Perfect. Now you have the condition created. The next thing you can do is create a rule. I'll go to Rules, create a new rule and name it kplabs-rule. The rule type can be regular or rate based; I'll select regular for the time being. In the next section you have "when a request does match" a condition. We'll select "originate from a geographic location in", because we are working based on geography, and I'll select the condition we defined, which is kplabs-demo, and click on Add condition. So the rule is: when a request originates from a geographic location defined in the kplabs-demo condition, which is India. This is what rules are all about. You can actually add multiple conditions here, and they are combined with AND. We'll use just one condition for our demo so that it is easier and less confusing. I'll create the rule.

Perfect. Now we have the kplabs-rule. We have the condition which we created and the rule which we created. Next is the web ACL. I'll go to Web ACLs and click on Create web ACL. I'll name it kplabs-waf, the region would be North Virginia, and then comes "AWS resources to associate". This is where the association part comes into the picture, and this is where you select the ALB. I'll select kplabs-waf, which is the ALB. Before we do that, let's quickly verify.

Currently, if you look at the ALB's AWS WAF web ACL field, it does not have anything. Now, as soon as you click on Next, this is the page which is presented to you, where you have to add the rules. So we'll click on Next, and within the rules column I'll select the kplabs-rule and click on Add rule to web ACL. Now it asks what to do if a request matches this rule. This rule already states that it will analyze the HTTP request and verify whether it is coming from India or not. If it is coming from India, what action should be taken? I'll click on allow: if it is India, it will allow. The next section is "if a request doesn't match any rules". So if the request is not originating from India, what do you want to do? I want to block all requests that don't match. Before we do that, let's quickly verify whether our ALB is working properly or not. Let me open up the ALB's DNS name.

Okay, so 503 Service Temporarily Unavailable. Let's quickly verify. I'll go to the target groups; this is the target group. Oops, I think the targets were not registered. This is a bit confusing when you come from the classic load balancer background: you have to click on Add to registered, only then does the instance appear here, and then you click on Save. Perfect. Let's just wait for a moment. The status is initial. Perfect, now the status has changed to healthy. If I quickly verify, you see I have a page which is up and running. Great, everything seems to be working perfectly. I'll click on Review and create, and then on Confirm and create. What it will do is associate this web ACL that we have created with the application load balancer named kplabs-waf. If you go to the load balancer and refresh, it is still not associated; it takes a little time for the association to take place.

Let's just wait for a moment. Perfect, the web ACL is successfully associated. Even here, if I refresh the page, you see the AWS WAF web ACL field now shows our web ACL. Great, things should be working as expected. To verify this again, we have the Opera browser. In Opera I'll press Ctrl+Shift+N so that it opens a private window. Here I'll click on VPN, enable the VPN, and for the location let me select Europe instead of "optimal location". Perfect. Now whatever request I put in will go out from the Europe location. I'll copy the DNS name of the ALB and enter it in the Opera browser. This will be tunneled through the Europe VPN, and you see it is showing 403 Forbidden. Now put it in the Chrome browser, which does not have the VPN.

And now you see, it works perfectly. So this is how the geolocation-related WAF rule is implemented. Once you have this web ACL, you can actually get a nice little graph based on a five-minute period, and you can even get sampled requests, which is where you'll see the IP addresses from which the requests are coming, so you can look into the details you expect. Two things to keep in mind from this demo: the web ACL only inspects traffic that passes through the ALB, so if the EC2 instance's security group accepts traffic from anywhere, a client can bypass the WAF by connecting to the instance directly, and the instance should accept traffic only from the ALB's security group; and the VPN trick used to test the rule is exactly how anyone can pick an Indian exit point, so geo match reduces unwanted traffic rather than proving where a request comes from. So this is it about configuring AWS WAF. I hope the basic configuration is understood, and I look forward to seeing you in the next lecture.
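The console walkthrough above uses AWS WAF Classic, where a condition and a rule are separate objects. As an added example (not the lecture's code and not an AWS sample), here is the same lab web ACL expressed for the current wafv2 API with boto3, where each rule carries its own statement: SQLi blocking on the URL-decoded query string, a rate-based rule per source IP, the geo allow for India, and a default block. The rule names, metric names, the rate limit of 2000 and the ALB ARN passed to deploy() are assumptions for the example; lint_web_acl() encodes the checks a reviewer would make before deploying, including the rule-ordering caveat, and runs offline, while deploy() needs boto3 and AWS credentials.

```python
import re
from typing import List


def _visibility(metric: str) -> dict:
    # CloudWatch metrics plus sampled requests: these feed the graph and the
    # "sampled requests" view the lecture uses to see which IPs were blocked
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def build_web_acl(name: str = "kplabs-waf", allowed_countries=("IN",),
                  rate_limit: int = 2000) -> dict:
    """Keyword arguments for wafv2 create_web_acl. In wafv2 the Classic
    condition + rule pair becomes a single rule carrying a Statement."""
    rules = [
        {"Name": "block-sqli", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"SqliMatchStatement": {
             "FieldToMatch": {"QueryString": {}},
             "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
         "VisibilityConfig": _visibility("blocksqli")},
        {"Name": "rate-limit-per-ip", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                              "AggregateKeyType": "IP"}},
         "VisibilityConfig": _visibility("ratelimit")},
        {"Name": "allow-india", "Priority": 2, "Action": {"Allow": {}},
         "Statement": {"GeoMatchStatement": {
             "CountryCodes": list(allowed_countries)}},
         "VisibilityConfig": _visibility("allowindia")},
    ]
    return {"Name": name,
            "Scope": "REGIONAL",             # ALB; CloudFront needs CLOUDFRONT in us-east-1
            "DefaultAction": {"Block": {}},  # the lecture's "block if no rule matches"
            "Rules": rules,
            "VisibilityConfig": _visibility(name.replace("-", ""))}


def lint_web_acl(acl: dict) -> List[str]:
    """Problems a reviewer would flag before deploying the definition."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    if list(acl["DefaultAction"]) not in (["Allow"], ["Block"]):
        problems.append("DefaultAction must be exactly one of Allow or Block")
    for r in acl["Rules"]:
        if not re.fullmatch(r"[\w#:.\-/]+", r["VisibilityConfig"]["MetricName"]):
            problems.append(f"{r['Name']}: invalid metric name")
        geo = r["Statement"].get("GeoMatchStatement")
        if geo and any(not re.fullmatch(r"[A-Z]{2}", c) for c in geo["CountryCodes"]):
            problems.append(f"{r['Name']}: country codes must be ISO 3166-1 alpha-2")
    # Ordering caveat: the first terminating match wins, so a broad Allow placed
    # ahead of a Block rule lets that traffic through without inspection.
    first_allow = min((r["Priority"] for r in acl["Rules"] if "Allow" in r["Action"]),
                      default=None)
    for r in acl["Rules"]:
        if "Block" in r["Action"] and first_allow is not None and r["Priority"] > first_allow:
            problems.append(f"{r['Name']}: Block rule ordered after an Allow rule")
    return problems


def deploy(alb_arn: str, region: str = "us-east-1") -> str:
    """Create the web ACL and associate it with the ALB (the lecture's
    association step). Needs boto3 and AWS credentials; not run offline."""
    import boto3  # imported here so the rest of the module works without it
    acl = build_web_acl()
    problems = lint_web_acl(acl)
    if problems:
        raise ValueError("; ".join(problems))
    wafv2 = boto3.client("wafv2", region_name=region)
    arn = wafv2.create_web_acl(**acl)["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=arn, ResourceArn=alb_arn)
    return arn
```

Run lint_web_acl(build_web_acl()) first; it returns an empty list for the definition as built, and it is the place to catch the mistake the console makes easy, putting the geo allow at a lower priority number than the block rules. The wafv2 client must be created in the ALB's region with Scope "REGIONAL"; a CloudFront distribution instead takes Scope "CLOUDFRONT" and a client in us-east-1.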

