Enhancing security and trust with AWS WAFv2
— By Parag Suchak, Ritesh Kumar
Web Application Firewall (WAF) is considered a critical part of an effective security solution that offers website security and strengthens the overall security posture. The end goal for any web application Firewall is to protect the application against:
- Known vulnerabilities and threats
- Identification of and protection against bad bots
- Protection against Distributed Denial of Service (DDoS) attacks
- Real-time intelligence to block blacklisted source
- Geolocation Enforcement
As the world’s largest fantasy sports platform with 110 million+ users, we at Dream11 run multiple contests simultaneously while maintaining optimum user experience and efficiently process millions of user requests per minute. Our user-first and data-driven teams have made it their priority to ensure that the Dream11 app remains protected against common as well as advanced threats and vulnerabilities. In this blogpost, we will explain how AWS WAF has helped us to do so and why we switched from AWS WAF classic to AWS WAFv2 for better manageability and more visibility.
How does WAF work?
Web Application Firewall is configured between client and web server. For every request from the client, WAF inspects and checks for any WAF rules that match to the requests. If a particular request matches the WAF rule. For example, in the Cross-Site-Scripting payload as shown in the diagram above, the request will be blocked by WAF and it will not reach the Application Server. WAF also supports putting specific rules into count mode/monitor mode where requests will not be blocked but they will be tagged differently to understand how the rules works.
AWS WAF is a prebuilt service provided for protecting applications that are hosted on the AWS cloud. It can be deployed on the following sources:
- Amazon CloudFront distribution
- Application Load Balancer
- Amazon Application programming interface (API) Gateway REST API
- AWS AppSync GraphQL API
AWS WAF comes with two different versions:
- AWS WAF classic
- AWS WAFv2 (Introduced in Nov 2019).
Why AWS WAFv2 ?
AWS WAF classic is powerful and can protect against common attacks. However, there are many improvements in AWS WAFv2 over the AWS WAF classic which add more powers to handle malicious attacks more efficiently.
After considering all new enhancements offered in WAFv2, we decided to migrate our WAF classic to the new AWS WAFv2. There are two ways to do so.
Option 1: Using Migration Wizard
Option 2: Manually create new WAF rules & Conditions
The Challenges:
- The migration wizard can migrate only unique rules across all WebACls. Also, it cannot migrate WebAcls across AWS Accounts
- Manual migration requires setting up everything (including rules and conditions) from scratch, which was too complicated and time consuming for us.
Our Solution:
We took a hybrid approach which includes the use of the migration wizard and a little manual work to solve this problem.
First, we migrated all unique rules with the wizard across all the WebAcls. Then, we got the JSON code for common rules and imported JSON across all the WebAcls as per requirements. WAFv2 supports visual consoles as well as JSON editors for creating new WAF rules and conditions. We just required importing the JSON of the common rules and created new customized JSON rules across the AWS accounts.
Things to consider while migrating using Migration Wizard:
- Only web ACL can be migrated within the same AWS account
- If multiple web ACLs share the same resources like IP sets and regex, they will be duplicated under the new WAF
- Rate-based rules can not be migrated
- Managed rules from the AWS marketplace can not be migrated
- Logging for web ACLs will be disabled by default
- Configured cloudwatch alarms in WAF classic require the metric name modification
- AWS WAF Security Automations lambda and functions need to be updated manually.
