Waf Charm

Blog

AWS WAF

Part 1: [New AWS WAF] Summary of Changes

【Table of contents】

  1. Introduction
  2. Changes
  3. Concerns
  4. Conclusion

1. Introduction

AWS released a new version of AWS WAF on Nov 25, 2019. This blog is a summary of the new changes compared to the previous version.
 
Part 1: [New AWS WAF] Summary of Changes (this blog)
Part 2: [New AWS WAF] AWS Management Console Operation (Managed Rules)
Part 3: [New AWS WAF] AWS Management Console Operations (Original Rules)
Part 4: [New AWS WAF] AWS Management Console Operations (Pattern Sets & Rule Groups)
Part 5: [New AWS WAF] JSON Explanation

2. Changes

Here are some of the areas that have received changes:
 
・ Change of name
・ Introduction of AWS WAF Web ACL Capacity Units (WCU)
・ Changes to the management console
・ Changes in rule setting method
・ Ability to manage rules in document format
・ Launch of AWS Managed Rules (AMR)
・ Official support for level control of managed rules
 
Change of name
 
The previous version of AWS WAF is now known as AWS WAF Classic, and the new version will now be referred to as AWS WAF.
 
Introduction of the AWS WAF Web ACL Capacity Units (WCU)
 
AWS WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect each rule’s relative cost. Until now, the number of rules was limited to 10 rules and 5 regular expression pattern sets, but with WCU, the cost of processing each processing element is accounted and calculated by the number of processing elements to be applied, and the total number of rules can be registered as long as the total does not exceed the capacity. You can use up to 1500 WCU per Web ACL, and you can also increase the limit by requesting AWS support to relax the limit.
 
Notes:
・ There is a limit (10) to the number of regular expressions even if they are WCU.
There is also a limit of 10 regular expressions that can be included in a pattern set.

・ About IP restrictions
It takes the form of a pattern set, and 10,000 IPs can be specified in one pattern set.

・ About String Match Conditions
In the string match condition, "begins with ~" and "includes" were specified, but it should be noted that the processing cost of WCU is different for each.
※Please note that processing costs are also accounted in the string conversion process.
 
Official information:
https://docs.aws.amazon.com/waf/latest/developerguide/limits.html
 
Restrictions

Resource Default Restrictions
Web ACLs per region 100
Rule Groups per region 100
Web ACL capacity units (WCU) per Web ACL 1,500
WCU per rule group 1,500
IP Sets per region 100
Regular expression sets per region 10
Unique regular expression patterns per set of regular expressions 10
Rate-based rules per Web ACL 10
Requests per second per Web ACL (applies only to the Application Load Balancer) 100,000

 
Example of WCU calculation:
If you try to detect SQL injection conditions at three points: URL, cookie header, and body
 
・ 3(detection points)  × 20(SQL injection WCU) = 60 WCU
・ Managed rule is 1000 WCU
 
When both are used, the total is 1060 WCU. This is where the necessary settings are made in the WCU.
 
Rule conditions

Matching Statement WCU
Match by country 1
IP set matching 1
Regular expression pattern set 25 per pattern set
Size constraint 1
SQLi Attacks 20
String match Depends on the type of match
XSS Attacks 40

 
Logical conditions

Logical Statement WCU
AND Logic Depends on rules
NOT Logic Depends on rules
OR Logic Depends on rules

 
Special conditions

Statement WCU
Rate-based Depends on search criteria
Managed rule group Defined by the rule group
Rule group You define this when you create a rule group

 
Changes to the management console
The emphasis is on managed rules, and the console makes it easy to choose managed rules. The rule group functionality has been moved from the AWS Firewall Manager to the AWS WAF side.
We have explained about the console operation in the next blog.
 
Changes in rule setting method
・It is now possible to use OR function in the condition part.
For example, it is now possible to use the OR function to add an IP blacklist together with country restriction conditions.
・Multiple decode processing is now possible.
It is possible to unify them to lowercase letters after decoding the URL.
・There is no longer a restriction on the expression in CIDR.

Until now, the contents were as follows.
IPv4 address ranges: /8 and /16 to /32 are supported.
IPv6 address ranges: /24, /32, /48, /56, /64, and /128 are supported.
・Changes in the items used in the FieldToMatch.
URI has been changed to UriPath.
 
Ability to manage rules in document format
Until now, rules were updated using various APIs, but now it is possible to reflect this by simply implementing the API for updating Web ACLs in JSON format.
Managing it as a JSON file allows you to quickly revert to the previous state.
The IP Set and Regex Set are managed in separate files and called by ARN.
 
Launch of AWS Managed Rules (AMR)
AWS has released its own set of managed rules.
And now, it is also possible to use multiple managed rules.
"OWASP Top 10" compatible rules and "IP reputation lists" have been released for multiple uses. In addition, several limited rules such as "WordPress" and "PHP" are also released.
 
Official support for level control of managed rules
WafCharm provides the ability to change the BLOCK / COUNT mode of the rules contained in the AWS WAF Classic Managed Rules on the WafCharm management screen. However, the new AWS WAF allows you to change the individual rules in the managed rules from the AWS Management Console, making it easy to change individual rules to COUNT in case of false positives.

3. Concerns

・What will happen to the old AWS WAF?
The service will continue as AWS WAF Classic. WafCharm is also still compatible with it.
 
・How do I migrate from AWS WAF Classic to the new AWS WAF?
Please refer to the following official information to configure the new AWS WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-migrating-from-classic.html

4. Conclusion

This is a major change in the operation and function of AWS WAF. Although it is relatively easy to write the rules by oneself, it is still difficult to create and select appropriate rules due to the limitations of the WCU. A way to simplify the operation is to use managed rules, so in case you haven't used it before, now is a perfect time to evaluate if that would be a good solution for your configuration.