kevinhakanson.com

AWS WAF vs. ModSecurity

April 25, 2016 #aws #waf #webdev #security

In a recent meeting with the corporate security team, it was mentioned that a Web Application Firewall (WAF) might be the recommendation for cloud projects to protect against XSS and SQL Injection.  The Cloud Security Workstream has done some research, including WAF options.  As I dug into what an AWS WAF solution might look like, I came up with this diagram:

AWS Static Content - AWS WAF.png

Since AWS WAF and its Web ACL rules are a feature of the Amazon CloudFront CDN, a full solution would pull in other Amazon functionality.  CloudFront is most useful as a CDN, if you host your static content assets in S3.  You can configure both an S3 Origin for your static content and a Custom Origin for your dynamic content.  In the diagram above, a “behavior” with the “path prefix” of api/* was used to route application requests to the ELB.

However, this solution requires some DNS changes.  CloudFront will now be configured for application hostname, and the ELB needs a new hostname.  This is where things become interesting.  In the classic www.example.com scenario, you make CloudFront respond to www.example.com, and your original ELB becomes something like origin-www.example.com, reflecting the fact it is the “Origin” server.  Our products use “naked” domains meaning example.com is the hostname instead of the more traditional www.example.com.  This makes the naming of origin.example.com harder (since origin-example.com would be a new domain).  It also may require us to use Route 53 for DNS because the requirement for an ALIAS record for the zone apex (see Choosing Between Alias and Non-Alias Resource Record Sets - Amazon Route 53).  This topic needs more investigation.

Earlier, I investigated putting Apache HTTP in front of Zuul and use the ProxyPass directive to pass any /api URIs.  This was for HTTP/2 protocol support, but could also be used if we use the ModSecurity Apache module as a WAF.  This solution means no new hostnames, less new infrastructure and could also be used by the deployments in the corporate data center until they can move to AWS.

AWS Static Content - ModSecurity.png

CloudFront will be an important feature for the United States, but for the South America and Australia deployments, there are fewer edge locations (see Amazon CloudFront Product Details ) and will be less customer traffic.  An alternate solution to AWS WAF may be the best solution for now.


© 2020 Kevin Hakanson (built with Gatsby)