How to Secure AWS Deployments with SecureSphere WAF

The Imperva SecureSphere Web Application Firewall (WAF) analyzes all user access to business-critical web applications and protects your applications and data from cyberattacks. SecureSphere WAF dynamically learns an applications’ “normal” behavior and correlates it with crowd-sourced threat intelligence to deliver application protection.
SecureSphere WAF identifies and acts upon dangers maliciously woven into innocent-looking website traffic, such as:

• Blocking technical attacks such as SQL injection, cross-site scripting and remote file inclusion that exploit vulnerabilities in web applications;
• Business logic attacks such as site scraping and comment spam;
• Botnets and DDoS attacks; and
• Preventing account takeover attempts in real-time, before fraudulent transactions can be performed.

The SecureSphere WAF protections listed above are made available both on-premises and in the cloud. This post will explain the steps needed to deploy a SecureSphere WAF to protect an existing AWS-based web environment. Imperva also provides a quick-start deployment CloudFormation template which could be useful as a reference for automating the deployment process (for more details see “Considerations and Hints” below).

Deploying SecureSphere WAF on AWS

General Architecture

A typical deployment of SecureSphere WAF on the AWS platform includes the following elements (see Figure 1):

• SecureSphere Management Console (MX). The MX is required to specify networking rules, manage security configuration, handle security violations and produce reports.
• Layer of SecureSphere WAF Gateways. These are the WAF instances that process the traffic and apply the security.
• External Load Balancer. The external load balancer will distribute the traffic between the deployed WAF gateway instances.
• Internal Load Balancer. The internal load balancer distributes the traffic coming from the WAF between the deployed web servers.

Figure 1: Typical environment with SecureSphere WAF deployed

Before You Begin

Deploying SecureSphere WAF requires the following prerequisites:

• For BYOL deployment: Imperva License file. The license can be obtained through Imperva. (On-Demand version is also supported via AWS Marketplace.)
• Virtual Network and Subnets, in which the WAF instances will be deployed.
• External ELB, to which WAF instances register.

Deploying SecureSphere Management Server

1. Navigate to the AWS portal: https://aws.amazon.com/marketplace
2. Depending on the type of license model:
   1. For BYOL:
      1. Search for SecureSphere WAF BYOL, select the relevant result and continue.
      2. Link to the CloudFormation will be sent by Imperva after contacting Imperva to obtain the license.
   2. For On-Demand:
      1. Search for SecureSphere WAF Management On-Demand, select the relevant result.
      2. Under Usage Instructions, download the CloudFormation.
      3. Continue and purchase from the AWS Marketplace.
3. Create a CloudFormation stack using the downloaded template. Specify the required parameters, including:
   1. Deployment name; user names and password.
   2. Networking settings, including vpc and subnets.
   3. Security settings, including security group and keypair. The MX instance needs access to the internet.
      Hint: for security reasons make sure that the MX is not accessible from the internet.
   4. Select the desired machine type. Recommended instance types are provided in Imperva documentation, more powerful instance types may improve the WAF performance.
4. After the FTL operation finished successfully, upload the license:
   1. Login to the web console: point your browser at https://<Your Management IP address>:8083 (access from local network is required).
   2. Enter admin username credentials.
   3. For BYOL: Upload the license file in the License window.

Deploying Auto-Scaling SecureSphere WAF Gateway Stack

1. Navigate to the AWS portal: https://aws.amazon.com/marketplace
2. Depending on the type of license model:
   1. For BYOL:
      1. Search for SecureSphere WAF BYOL, select the desired model and continue.
      2. Link to the CloudFormation will be sent by Imperva after contacting Imperva to obtain the license.
   2. For On-Demand:
      1. Search for SecureSphere WAF Gateway, select the desired model.
      2. Under Usage Instructions, download the CloudFormation.
      3. Continue and purchase from the AWS Marketplace.
3. Create a CloudFormation stack using the downloaded template. Specify the required parameters, including:
   1. Deployment name; user names, passwords and scaling
   2. Networking settings, including vpc, subnets and the ELB.
      Note: outbound internet access is needed on WAF subnets.
   3. Security settings, including security group and keypair.
   4. Select the desired machine type. Recommended instance types is provided in Imperva documentation, more powerful instance types may improve the WAF performance.
   5. Specify the Management Server address.

Configure Networking

After the WAF MX and Gateways are in place, it is time to configure the networking and allow the traffic to flow from the External Load Balancer to the Internal Load Balancer(s):

1. Access SecureSphere console via a web browser using the following path: https://<Your Management IP address>:8083 and log on.
2. Within site tree configurations, create Server Group and HTTP Service.
   Server groups are a representation of one or more servers located in a specific site.
   Web services represent the services that SecureSphere monitors.
3. Configure routing:
   1. In the HTTP Service Reverse Proxy configuration, create Reverse Proxy rules. Every rule created will direct the traffic to a different destination (for example, a different Internal Load Balancer). For detailed information on the configuration process consult with SecureSphere guide.

Testing the Deployment

Once the deployment process if finished, it is time to validate that it is configured properly.

1. Test the deployment: To test the deployment, generate valid HTTP calls to the external ELB and make sure you get the expected response from the web servers.
2. Test the security configuration: To test the security configuration, generate malicious HTTP requests. Log into SecureSphere management console and look at the alerts dashboard, to check if new violations are generated. This is the time to tune the security configuration.
   Hint: Make sure that the security policies are applied to the web services you created.

When security is properly tuned, you can switch to “active” mode and start blocking malicious traffic.

Considerations and Hints

• As the SecureSphere WAF Gateway is sensitive to session state, it is highly recommended that you enable session stickiness on the external load balancer.
• TLS/SSL termination can have major impact on the performance. Terminating the encryption in the ELB before the WAF will significantly improve performance.
• The deployment process can be automated. Any orchestration tool can be used. SecureSphere provides vast REST API support for automation purposes.
• Imperva provides a Deployment Kit CloudFormation template for quick deployment. The kit will create a VPC, SecureSphere management console and scalable WAF, including an ELB. This template could be useful as a reference for automating the deployment process. Deployment Kit templates are available in the same location as the other CloudFormation templates.

Learn more about Imperva SecureSphere WAF for AWS.