A Guide on How AWS WAF Works

Web Application Firewall (WAF)

AWS Web Application Firewall (WAF) is a managed web application firewall service that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

The AWS Free Tier includes 10 million Bot Control requests per month.

Firewall

A firewall is either software installed on your machine or a device that sits between your machine and the actual internet uplink, and it carefully analyzes the traffic passing through it. It allows or restricts the flow of traffic to your device according to pre-defined configuration rules loaded into the firewall.

WAF Conditions

A condition defines the basic characteristics that AWS WAF analyzes within a web request.

The six condition types in AWS WAF are as follows:

  1. Cross-Site scripting activities
  2. GEO Match
  3. IP address
  4. Size Constraints
  5. SQL Injection attacks
  6. Strings that appear within the requests

1. Cross-Site scripting activities

A cross-site scripting match condition specifies the parts of a web request (such as a User-Agent header) that you want AWS WAF to inspect for cross-site scripting threats.

2. The geographical location that requests originate from (GEO Match)

A geo match condition can block all international requests, or act as a filter that chooses which countries may use your website. It lets you allow, block, or count web requests based on the geographic origin of the request.

3. IP address 

An IP match condition specifies the IP addresses and IP address ranges that requests originate from, which you want to use to control access to your content. Put the IP addresses you want to allow and the IP addresses you want to block into separate IP match conditions.

4. Length of specified parts of the request (Size Constraints) 

A size constraint condition specifies the parts of a web request that you want AWS WAF to compare against a given size.

5. SQL Injection attacks

A SQL injection match condition specifies the parts of a web request (such as a User-Agent header) that you want AWS WAF to inspect for SQL queries. Create separate conditions for the parts in which you want to allow SQL queries and the parts in which you don’t.

6. Strings that appear within the requests

A string match condition, or a regex match condition, specifies the part of a web request (such as a User-Agent header) and the text (the header’s value) that you want to use to control access to your content. Create separate conditions for the strings or regex patterns that you want to allow and those you want to block.

WAF Rules

We can combine multiple conditions into rules to precisely target requests. A web ACL has a capacity of 1,500 web ACL capacity units (WCUs), and you can add hundreds of rules and rule groups to a web ACL. The total number you can add depends on the complexity, and therefore the capacity cost, of each rule.

WAF provides two types of rules:

  1. Regular Rule
  2. Rate-Based Rule

 

1. Regular Rule

Let’s look at a sample regular rule:

  • If a request comes from 172.30.0.50
  • and it includes SQL-like code

If a rule has multiple conditions, they are combined with an AND operation: every condition must match for the rule to match.

2. Rate-Based Rule

A rate-based rule is a regular rule plus a rate-limiting feature:

  • If a request comes from 172.30.0.50
  • and it includes SQL-like code
  • and the requests exceed 1000 requests in 10 minutes

WAF Web ACL

A web ACL defines the action taken when a rule matches.

Regular Rule

  • If a request comes from 172.30.0.50
  • and it includes SQL-like code

What action do you want to take when this rule matches?

You apply these actions to the rules in your web ACL.

Types of actions: Allow, Block, and Count.
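The sample regular rule and rate-based rule above, written as an AWS WAF (wafv2) web ACL definition for aws wafv2 create-web-acl; this is an added example, not configuration from the original post. It assumes a REGIONAL web ACL (for an ALB), an IP set named suspect-ips that contains 172.30.0.50/32 (the IP set ARN is a placeholder), and that the 10-minute window (EvaluationWindowSec of 600) is supported in the account's region. The regular rule only counts matches, so evaluation continues into the rate-based rule, which blocks the same traffic once a source IP exceeds 1,000 matching requests in the window.

```json
{
  "Name": "sample-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "sampleWebAcl" },
  "Rules": [
    {
      "Name": "count-sqli-from-suspect-ip",
      "Priority": 0,
      "Action": { "Count": {} },
      "Statement": {
        "AndStatement": {
          "Statements": [
            { "IPSetReferenceStatement": { "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/suspect-ips/IPSET-ID-PLACEHOLDER" } },
            { "SqliMatchStatement": { "FieldToMatch": { "QueryString": {} },
                                      "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ] } }
          ]
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "countSqliFromSuspectIp" }
    },
    {
      "Name": "block-sqli-from-suspect-ip-over-rate",
      "Priority": 1,
      "Action": { "Block": {} },
      "Statement": {
        "RateBasedStatement": {
          "Limit": 1000,
          "EvaluationWindowSec": 600,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "AndStatement": {
              "Statements": [
                { "IPSetReferenceStatement": { "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/suspect-ips/IPSET-ID-PLACEHOLDER" } },
                { "SqliMatchStatement": { "FieldToMatch": { "QueryString": {} },
                                          "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ] } }
              ]
            }
          }
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "blockSqliOverRate" }
    }
  ]
}
```

Save it as web-acl.json, run aws wafv2 create-web-acl --cli-input-json file://web-acl.json, and then associate the resulting web ACL with the load balancer.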

Association

The association defines which entity WAF is attached to. WAF cannot be associated with an EC2 instance directly.

WAF association supports these AWS services: CloudFront, Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync.
