Amazon's new WAF is here

Izawa-san
May 8, 2020
Reposted from the internal esa bulletin board


The world rarely goes the way we want it to, and it is all too common to be stuck running a system from ten years ago whether you like it or not.

In that situation, the thing you can just drop in and feel at least a little safer about security-wise is a WAF.

Once the gap between program version upgrades stretches to five years or so, depending on the size of the system, it starts to feel like you would be better off rebuilding the whole thing.

That is why a WAF is attractive: just having it in place gives you some reassurance, and its effect is very high relative to the cost.
Of course it is not a silver bullet, but my guiding principle in life is "treat 'better than nothing' as the highest rating", so I am quite fond of it.

Until now I had been using an excerpt of the OWASP Top 10 rules, but AWS has now put out a nice new set.


The rule list follows (I am pasting the original text; use a translation feature if you need it).


Rule group / Capacity (WCU)

■ Admin protection: 100
Contains rules that allow you to block external access to exposed admin pages. This may be useful if you are running third-party software or would like to reduce the risk of a malicious actor gaining administrative access to your application.

■ Amazon IP reputation list: 25
This group contains rules that are based on Amazon threat intelligence. This is useful if you would like to block sources associated with bots or other threats.

■ Anonymous IP list: 50
This group contains rules that allow you to block requests from services that allow obfuscation of viewer identity. This can include requests originating from VPNs, proxies, Tor nodes, and hosting providers. This is useful if you want to filter out viewers that may be trying to hide their identity from your application.

■ Core rule set: 700
Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications.

■ Known bad inputs: 200
Contains rules that allow you to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

■ Linux operating system: 200
Contains rules that block request patterns associated with exploitation of vulnerabilities specific to Linux, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which the attacker should not have had access.

■ PHP application: 100
Contains rules that block request patterns associated with exploiting vulnerabilities specific to the use of PHP, including injection of unsafe PHP functions. This can help prevent exploits that allow an attacker to remotely execute code or commands.

■ POSIX operating system: 100
Contains rules that block request patterns associated with exploiting vulnerabilities specific to POSIX/POSIX-like OS, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which access should not have been allowed.

■ SQL database: 200
Contains rules that allow you to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries.


The newest one among these analyzes information AWS has collected on its own, builds a list of IPs that look likely to attack, and blocks them for you.
Honestly, the IPs that actually attack are a fairly limited set, so although this looks crude at first glance, I suspect it is quite effective.
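One practical wrinkle when picking from the table above: each group consumes web ACL capacity (WCU), and the nine groups together add up to more than the 1500 WCU a single web ACL allowed by default when this was written, so you have to choose the groups that match your stack. The following is an added example, not code from the post or from AWS: it takes the capacities from the table, checks a selection against the budget, and emits the rules list in the shape `aws wafv2 create-web-acl --rules` expects. The `AWSManagedRules*` group identifiers are AWS's documented names for these groups and are not in the post; the 1500 WCU figure is the default at the time and should be checked against the current quota.

```python
import json
# The nine managed rule groups from the post's table and the capacity (WCU)
# each consumes.  The AWSManagedRules* identifiers are AWS's own group names
# from its documentation; they are not in the post.
MANAGED_GROUPS = {
    "Admin protection": ("AWSManagedRulesAdminProtectionRuleSet", 100),
    "Amazon IP reputation list": ("AWSManagedRulesAmazonIpReputationList", 25),
    "Anonymous IP list": ("AWSManagedRulesAnonymousIpList", 50),
    "Core rule set": ("AWSManagedRulesCommonRuleSet", 700),
    "Known bad inputs": ("AWSManagedRulesKnownBadInputsRuleSet", 200),
    "Linux operating system": ("AWSManagedRulesLinuxRuleSet", 200),
    "PHP application": ("AWSManagedRulesPHPRuleSet", 100),
    "POSIX operating system": ("AWSManagedRulesUnixRuleSet", 100),
    "SQL database": ("AWSManagedRulesSQLiRuleSet", 200),
}
# Default capacity of one web ACL when the post was written (check the current quota).
DEFAULT_WEB_ACL_WCU = 1500


def total_capacity(selected):
    """Sum the WCUs consumed by the chosen rule groups."""
    return sum(MANAGED_GROUPS[name][1] for name in selected)


def fits_budget(selected, budget=DEFAULT_WEB_ACL_WCU):
    """True if the chosen groups fit in one web ACL."""
    return total_capacity(selected) <= budget


def build_rules(selected):
    """Rules list for `aws wafv2 create-web-acl --rules`; priority = list order."""
    rules = []
    for priority, name in enumerate(selected):
        group_id, _ = MANAGED_GROUPS[name]
        rules.append({
            "Name": group_id,
            "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_id}},
            "OverrideAction": {"None": {}},  # keep the group's own block/count actions
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": group_id},
        })
    return rules


if __name__ == "__main__":
    # All nine groups exceed the default budget, so pick per stack: the cheap
    # IP reputation list first, then the generic, PHP and SQL sets.
    chosen = ["Amazon IP reputation list", "Core rule set", "Known bad inputs",
              "PHP application", "SQL database"]
    print(total_capacity(MANAGED_GROUPS), fits_budget(MANAGED_GROUPS))  # 1675 False
    print(total_capacity(chosen), fits_budget(chosen))                  # 1225 True
    print(json.dumps(build_rules(chosen), indent=2))
```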