
Introducing AWS WAF - hepha1979
https://aws.amazon.com/waf/
======
david_shaw
In general, I'm not a huge fan of using WAFs to protect web applications --
I've spent too much of my career bypassing WAFs to have a lot of confidence in
them. That said, using a WAF can _hugely_ improve application security
visibility, if not increase actual resilience.

The AWS WAF is, presumably, going to give application developers and owners
significantly more insight into whether their apps are getting attacked.
Congratulations to the Amazon team for shipping something that has the
potential to make a really big difference.

At this point, my only question is why Amazon didn't give it a strange name
(like most of the other AWS products)!

~~~
cperciva
_my only question is why Amazon didn't give it a strange name (like most of
the other AWS products)!_

Maybe they decided that "WAF" was sufficiently ambiguous. My first guess was
s/firewall/framework/.

~~~
varelse
I'd have given them major kudos if they'd called it Web Traffic Firewall
instead.

~~~
cperciva
The first alternative name which came to my mind was "API Condom", but I like
your idea more.

------
adrianmacneil
I wish AWS would stop launching new services, and spend some time improving
the usability and features of their existing services. So many of their
products feel half finished, and could be so much better if they invested more
time in improving them rather than trying to compete with every cloud service
out there.

~~~
ErrantX
A lot of Amazon services seem to be "improved" by reducing prices (so, better
hardware or technology underneath the hood).

But I entirely agree; it's a good time for Amazon to look at the suite of
products and make them a tad more cohesive. It can be a bit disjointed at
times, especially when trying to tie multiple services together.

I wonder if the drivers are:

* Culture of always having to be seen to innovate

* (Perceived) Competition to keep launching new features to stay ahead

With that said there have been improvements; for example EFS building on top
of EBS.

~~~
hrez
EFS is still in preview 6 months after its announcement. Let's see if it
goes GA during re:Invent.

~~~
Corrado
I'm just hoping for NFS 4.1 support so that I can start using it on my Windows
Server 2012R2 instances. Currently, EFS uses NFS 4.0 which is incompatible
with NFS 4.1 for some reason. :(

------
rmdoss
This is not a WAF like what CloudFlare or Sucuri offers.

It is basically the ability to create filtering rules at a high $ per rule.

Real WAF/IDS products come with a large set of rules that are well tested and
have a research team behind them.

~~~
dangrossman
Now any of those talented people and teams can productize that valuable
knowledge and deploy it on Amazon's infrastructure, rather than only the
couple dozen people that can get jobs at Cloudflare/Sucuri/etc. They've just
been handed a huge market of potential customers that have access to a WAF but
don't have the expertise to develop rulesets of their own.

------
cdnsteve
This sounds like ModSecurity - AWS style. The problem with WAF has always been
ensuring you have a good ruleset. You need to be extremely careful with
aggressive rules or you can break your application in areas you don't expect.
It takes lots and lots of trial and error writing out a safe ruleset that
doesn't break stuff. I wonder what the cycle would look like trying to get
this right on AWS?

One area I can see this being used for my purposes right now is to limit URL
patterns down to IP restrictions for /admin type areas on a web app. This
means this can be done A) outside of app source code and B) without having to
do any fancy reverse proxy work and setup of subdomains.
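As an added illustration of the /admin use case described above (example code, not from the thread or from AWS): a small Python model of how a web ACL of that shape decides a request, assuming AWS WAF's classic semantics that the predicates inside a rule are ANDed, rules are tried in priority order with the first match deciding, and the web ACL's default action applies otherwise. The CIDRs, paths and field names are constructed for the example.

```python
import ipaddress

# Constructed sample allowlist (RFC 5737 documentation ranges), not from the thread.
ADMIN_ALLOWED = ["203.0.113.0/24", "198.51.100.7/32"]

def uri_matches(uri, target, constraint, lowercase=True):
    """Model of a string-match condition on the request URI; `constraint`
    mirrors the positional constraints STARTS_WITH, EXACTLY and CONTAINS."""
    if lowercase:  # a lowercase transformation keeps /Admin from slipping past the rule
        uri, target = uri.lower(), target.lower()
    if constraint == "STARTS_WITH":
        return uri.startswith(target)
    if constraint == "EXACTLY":
        return uri == target
    if constraint == "CONTAINS":
        return target in uri
    raise ValueError("unknown constraint: " + constraint)

def ip_in_set(client_ip, cidrs):
    """Model of an IP match condition: is the client address inside any listed CIDR?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(web_acl, client_ip, uri):
    """Rules in priority order; a rule fires only when every predicate holds
    (after applying its negation); first hit wins, else the default action."""
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        fired = True
        for p in rule["predicates"]:
            if p["type"] == "IPMatch":
                hit = ip_in_set(client_ip, p["cidrs"])
            else:
                hit = uri_matches(uri, p["target"], p["constraint"])
            fired = fired and (hit != p["negated"])
        if fired:
            return rule["action"]
    return web_acl["default_action"]

# Block /admin* unless the client IP is allowlisted; everything else falls through to ALLOW.
ADMIN_ACL = {
    "default_action": "ALLOW",
    "rules": [{"priority": 1, "action": "BLOCK", "predicates": [
        {"type": "ByteMatch", "target": "/admin", "constraint": "STARTS_WITH", "negated": False},
        {"type": "IPMatch", "cidrs": ADMIN_ALLOWED, "negated": True},
    ]}],
}

if __name__ == "__main__":
    for ip, uri in [("203.0.113.9", "/admin/users"), ("192.0.2.5", "/Admin/users"),
                    ("192.0.2.5", "/administrator"), ("192.0.2.5", "/index.html")]:
        print(ip, uri, "->", evaluate(ADMIN_ACL, ip, uri))
```

Note that `/administrator` is blocked too: a STARTS_WITH condition is exactly the kind of aggressive match the comment warns about, so check such rules against the real route list before attaching the ACL.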

~~~
lotyrin
Yeah, and if I'm adding WAF to my application, I'd want it to be something I
can run on a developer's laptop for fast iteration cycles -- Vagrant up,
change WAF rules, run the integration suite. If the WAF is up in the cloud, I
guess I have to wait until staging the code to see if something legitimate
gets snared by the WAF?

~~~
dogma1138
You can always run a reverse proxy in AWS behind a WAF that then points back
to your development machine; it's a complicated solution, but it's not new.

If you host your servers internally and you are a big organization, you have
WAFs/application firewalls, IPS/IDS, and possibly a DB FW like Imperva as
well.

Does this lead to issues with deployments? Yes, but it doesn't affect your
code. If the WAF breaks your application, 9/10 times (unless you use something
silly like SQL queries in the URL; yes, this has been seen before...) it's up
to your security team to adjust the rule set during the pre-prod testing.

------
dperfect
It would be really nice if this were integrated directly with ELB and/or API
Gateway. The CloudFront requirement makes it quite expensive - especially for
people using custom SSL certificates (without resorting to SNI).

CloudFront (or any CDN) is great for serving static/cached content, but for
the kind of services WAF is designed to help protect, it wouldn't make a lot
of sense to use CloudFront (apart from WAF) as it would just be passing the
requests through to another load balancer/server.

~~~
sneak
In general, if you're not using SNI, you're doing it wrong.

There are probably a dozen orgs who can legitimately claim to absolutely need
to support pre-SNI clients, but those shouldn't be on AWS.

~~~
danielsju6
Even as of a year ago the major parts of Android, including the downloads
application, didn't support SNI.

------
onyxraven
The blog article is a bit more descriptive:
[https://aws.amazon.com/blogs/aws/new-aws-waf/](https://aws.amazon.com/blogs/aws/new-aws-waf/)

------
AdmiralAsshat
_With AWS WAF you pay only for what you use. AWS WAF pricing is based on how
many rules you deploy and how many web requests your web application receives.
There are no minimum fees and no upfront commitments._

Does this mean the amount would increase exponentially during a DDOS attack?
Could I sink my theoretical competitor into bankruptcy if I know they are an
AWS WAF client simply by DDOSing them?

~~~
dangrossman
A site on AWS is already paying per-request or per-GB for instance count, load
balancing, data transfer, etc. Adding the WAF would reduce the cost of a DDOS
by discarding requests at the edge, before they can generate additional
compute, IO and data transfer costs for your backend.

~~~
Domenic_S
That's the question: is discarding traffic at the edge a billable event? If so,
what's the savings over spinning up new instances?

~~~
dangrossman
Let's say someone with a botnet is downloading a 5MB file from your server a
million times a day. The WAF rule to block those requests would cost you $1 +
(1 * $0.60 per million requests) = $1.60. The data transfer if you don't block
those requests would cost $450. You save $448.40 per day, or 99.6%, on just
the data transfer.

------
devit
> $5 per web ACL per month.

Really?

> Limits:

> Web ACLs per AWS account: 10

> Rules per AWS account: 50

> Conditions per AWS account: 50

> IP address ranges (in CIDR notation) per IP match condition: 1000

Huh? Is this really intended for production, with such low arbitrary limits?

~~~
merb
That's only prevention. If you need more, they will raise it to a lot.
Currently AWS SMS has a really low email sending limit too, like 5 mails/s;
however, if you ask for a raise they raise that to something like
100.000mails/s.

~~~
harshreality
That thousands separator notation is ambiguous when communicating outside of a
country that uses it as a standard[1]. You mean 100k mails/s, I think? Using a
SI prefix like that is the easiest way to deal with it, or thinsp (u+2009)
seems to be the international standard for digit group separation.

[1] only a handful of countries use it, and they don't have English as their
primary language:
[https://en.wikipedia.org/wiki/Decimal_mark#Examples_of_use](https://en.wikipedia.org/wiki/Decimal_mark#Examples_of_use)
(row 5)

edit: regarding the disagreement over "only a handful" in a reply: that map is
showing the separator between units and fractional part I think, not the
thousands/millions/etc grouping separator.

~~~
oblio
While I grant you the "don't use English as primary language", "a handful of
countries" does not stand up to scrutiny:
[https://en.wikipedia.org/wiki/Decimal_mark#/media/File:Decim...](https://en.wikipedia.org/wiki/Decimal_mark#/media/File:DecimalSeparator.svg)

I don't even need to count to figure out that 80+ countries use that system :)

~~~
NeutronBoy
From the page you linked:

 _The convention for digit group separators varies but usually seeks to
distinguish the delimiter from the decimal mark. Typically, English-speaking
countries employ commas as the delimiter—10,000—and other European countries
employ periods or spaces: 10.000 or 10 000. Because of the confusion that can
result in international documents, the superseded SI /ISO 31-0 standard
advocates the use of spaces and the International Bureau of Weights and
Measures and International Union of Pure and Applied Chemistry advocate the
use of a "thin space" in "groups of three"._

------
shermanyo
Besides the service interface side, how does this compare to something like an
F5, Barracuda or the IBM ISAM WAF? Does it target layer 7, packet filtering,
SSL termination, or tie in with the identity service? Any comparisons in
functionality to some of the existing options would be interesting; anyone
have any good links?

------
awkgeek
I like AWS direction towards security. But...

Who needs a WAF with basic, static rules in 2015 when applications are deployed
several times a day? Mod_security in a cloud? Well. Be ready to get a
dedicated person to support it to avoid false positives. And I guess it's
still easy to bypass.

Give a try to Wallarm, NAXSI, Signal Sciences.

~~~
hkr_mag
None of the solutions you've mentioned work in the cloud!

But yep. If you're looking for a WAF for NGINX, these are good options.

BTW, mod_security is now compatible with NGINX too.

------
falcolas
I don't have a lot of experience with WAFs in production - if I already use
Nginx in front of my applications with appropriate rules and filters (which in
turn feeds into graphite and Nagios), what more would the WAF buy me?

~~~
lukeschlather
I think nothing. The main benefit would be that you don't need to maintain
Graphite and Nagios; you can just set your rules and trust CloudWatch to work.

~~~
falcolas
OK - that's what I thought. I'm loath to get rid of my own monitoring, simply
because it makes it harder to set up DR with another cloud provider.

------
nodesocket
It is not clear: do you deploy this in front of your load balancers, or after?
They mention CloudFront, but that doesn't make much sense, because you want a
WAF to protect your application, not just static assets, right?

~~~
toomuchtodo
You can put your entire application in front of CloudFront.

~~~
ShaneOG
It works better if you do it the other way around ;)

~~~
toomuchtodo
I had not had sufficient coffee before answering the question :D

------
gauravphoenix
I hope they allow re-using ModSecurity rules in future, much like CloudFlare
already allows. Some of the web attack detection techniques require you to
maintain state, which you can't do today with AWS WAF.

------
brightball
Will be interesting to see how this competes with Cloudflare and Incapsula.

~~~
rmdoss
It doesn't. It comes with no rules and they charge quite a bit per rule entry.

CloudFlare, Sucuri and Incapsula all come with pre-packaged, well-tested rules.

------
gauravphoenix
Looks like release notes[1] are currently 404'ed

[1]
[https://aws.amazon.com/releasenotes/waf](https://aws.amazon.com/releasenotes/waf)

------
patman81
Now the only piece missing is AWS SSL certificates, for a one stop shop on the
whole security stack. Perhaps tomorrow at the AWS keynote. Fingers crossed.

~~~
ivanr
FYI, Amazon recently purchased a widely distributed CA root:
[https://www.awstrust.com/repository/](https://www.awstrust.com/repository/)

------
Tomte
It seems like every week Amazon is launching a new web service with a generic
abbreviation, and often also a non-descriptive name. Wasn't there something
else a few days ago?

I basically stopped having enough mental capacity for that after S3, EBS,
Glacier, EC2 (which I just looked up, I spelled it E2), and maybe SES.

How on earth do people survive in that ecosystem without a glossary right by
their side?

~~~
acdha
That's a reasonable complaint but I don't think it's warranted here. WAF is
the industry standard term for this kind of service so “Amazon WAF” seems a
lot less unhelpful than most of their other names.

------
kimcheekumquat
Thank god. There are too many third party WAFs that drop SSL connections and
Amazon does not support those.

------
api
Wake me up when AWS supports IPv6.

~~~
mahouse
Wake me up when there are users with IPv6-only connections. It will be a very
long nap...

~~~
tacticus
How about users that get better performance over IPv6, like many, many mobile
users out there?

You can have your tool accessible by some piece of shit CGN and web proxy, or
directly over IPv6.

------
the_arun
I wonder why they didn't do it as a config on the ELB instead of a new
service.

------
maxims
It should be mentioned that this service is not a stand-alone service but is
rather used in conjunction with the CloudFront service: once a WAF ACL has
been configured, it can be attached to a CloudFront distribution.

Edit: spelling correction

------
akurilin
Would love to read about people's experience with this, also the kind of use
cases where this is a great fit.

------
debacle
No mention of a critical aspect of a service like this: what is the per
request load time overhead?

~~~
ceejayoz
I'd imagine that depends on the rules you set up. Better to benchmark.

------
openstack_guru1
Does anyone know what they use under the covers?

~~~
tobz
I've been told it's nginx, in the same style of how CloudFlare uses it for
their edge locations.

~~~
rudolf0
Is that also what Amazon uses for CloudFront?

------
merb
Instead of releasing things every month, they should start supporting all
regions. Especially the EU should have more support, like all services inside
EU Frankfurt, since with the court order of the Europeans it would greatly help
to satisfy everybody.

------
bitwarrior
And here I thought this was an April Fools joke and they implemented Wife
Approval Factor in the cloud.

