This lab walks you through the steps to block web traffic with a WAF (web application firewall) in AWS.
Duration: 1 Hour
AWS Region: US East (N. Virginia)
AWS WAF is a web application firewall that helps you to protect your web applications against common web exploits that might affect availability and compromise security.
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns like SQL injection and cross-site scripting.
A request reaches the server only if it passes the rules or patterns you define.
Users create their own rules and specify the conditions that AWS WAF searches for in incoming web requests.
You pay only for what you use: pricing is based on how many rules you deploy and how many web requests your application receives.
For example, you can deploy AWS WAF on Amazon CloudFront or on an Application Load Balancer in front of your web servers running on EC2.
You can create your own rules, depending on your requirements, to block or allow incoming and outgoing requests. You can also match on custom strings that appear in the web request.
You can also configure rules in AWS WAF to identify and block web request threats such as SQL injection and cross-site scripting.
AWS WAF also lets you review your rules and customize them to stop new attacks before they reach the server.
A bastion host is a system that is exposed to the internet and launched in a public subnet.
In terms of security, the bastion is the only server exposed to the internet and must be hardened against attacks.
A bastion host is also known as a jump box. It is a computer that acts like a proxy server and allows the client machine to connect to the remote server.
It usually resides outside the firewall.
The bastion server filters incoming traffic and prevents unwanted connections from entering the network, thus acting like a gateway. To maintain the security of bastion hosts, all unnecessary software, daemons and users are removed.
A load balancer is a service that distributes incoming application or network traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses, in multiple Availability Zones.
An ALB routes HTTP and HTTPS traffic across the targets based on the rules attached to the target group.
Rules determine what action is taken when a client request matches a rule.
The target group is used to route requests across registered targets as part of an action rule. Target groups consist of a protocol and target port. We can also configure health checks to monitor the status of the target group. A single ALB can route traffic to multiple target groups.
Targets consist of EC2 instances that are registered with the ALB as part of a target group.
Two web servers are launched in the Private subnet to handle the web request.
Requests to the web servers are distributed by the ALB.
Web servers are attached to the ALB Target group.
Both servers have HTTPD pre-installed and serve the test pages RESPONSE COMING FROM SERVER 1 and RESPONSE COMING FROM SERVER 2 respectively.
They are attached to a security group that allows SSH (port 22) only from the bastion server and web traffic (port 80) only from the ALB.
In this lab, we will:
1. Launch two web servers with the HTTPD service installed.
2. Create an Application Load Balancer (ALB) with a target group that routes the load balancer's traffic to the web servers.
3. Create an IP set in WAF, i.e. a list of IPs to block. Here we add our own IPv4 address, obtained from https://www.whatismyip.com/.
4. Create a web ACL rule in WAF using the IP set created in the previous step.
5. Test the response of the load balancer without applying the WAF ACL.
6. Apply the WAF rule to the Application Load Balancer.
7. Test the ALB again with the WAF rule applied.
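The WAF steps above (IP set, web ACL with a block rule, testing the ALB before and after association) done with the AWS CLI, as an added example that is not part of the original lab. ALB_ARN, ALB_DNS, BLOCK_IP and the resource names are assumed placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): the lab's WAF steps via the wafv2 CLI.
# Assumed inputs: ALB_ARN (the lab's load balancer ARN), ALB_DNS (its DNS
# name) and BLOCK_IP (the tester's public IPv4, as read from whatismyip.com).
set -eu
REGION=us-east-1            # lab region: US East (N. Virginia)
IPSET_NAME=lab-blocked-ips  # placeholder IP set name
ACL_NAME=lab-block-acl      # placeholder web ACL name

# Build the rule that blocks any request whose source IP is in the IP set.
# Argument: the IP set ARN. Prints the Rules JSON expected by create-web-acl.
waf_block_rule_json() {
  ipset_arn=$1
  cat <<EOF
[{"Name":"BlockListedIPs","Priority":0,"Statement":{"IPSetReferenceStatement":{"ARN":"${ipset_arn}"}},"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"BlockListedIPs"}}]
EOF
}

# Fetch the ALB test page and print only the HTTP status code:
# 200 before the web ACL is attached, 403 once our IP is blocked.
alb_status() { curl -s -o /dev/null -w '%{http_code}' "http://$1/"; }

apply_waf() {
  # Step 3: IP set. REGIONAL scope is required for ALB resources.
  ipset_arn=$(aws wafv2 create-ip-set --region "$REGION" --scope REGIONAL \
    --name "$IPSET_NAME" --ip-address-version IPV4 \
    --addresses "$BLOCK_IP/32" --query 'Summary.ARN' --output text)
  # Step 4: web ACL with default action Allow and one Block rule.
  acl_arn=$(aws wafv2 create-web-acl --region "$REGION" --scope REGIONAL \
    --name "$ACL_NAME" --default-action Allow={} \
    --rules "$(waf_block_rule_json "$ipset_arn")" \
    --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$ACL_NAME" \
    --query 'Summary.ARN' --output text)
  # Step 5: response before the ACL is applied (expected 200).
  echo "before WAF: HTTP $(alb_status "$ALB_DNS")"
  # Step 6: attach the web ACL to the load balancer.
  aws wafv2 associate-web-acl --region "$REGION" \
    --web-acl-arn "$acl_arn" --resource-arn "$ALB_ARN"
  # Step 7: response with the ACL applied (expected 403 from our IP).
  echo "after WAF:  HTTP $(alb_status "$ALB_DNS")"
}

# Only run the AWS calls when the lab's ALB details are supplied.
if [ -n "${ALB_ARN:-}" ] && [ -n "${ALB_DNS:-}" ] && [ -n "${BLOCK_IP:-}" ]; then
  apply_waf
fi
```

Run it as `ALB_ARN=... ALB_DNS=... BLOCK_IP=... ./waf-lab.sh` with credentials for the lab account; WAF propagation can take a short while, so repeat the final request if the first still returns 200.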