
Is AWS WAF worth considering for enterprise cloud?

The new Amazon WAF offers firewall features for the cloud. Expert Dan Sullivan explains how Amazon WAF can be integrated in the enterprise cloud.

Amazon Web Services recently introduced its own Web application firewall. How does the AWS WAF compare to others on the market? Is it something enterprises should consider using standalone or in conjunction with another WAF?

Web application firewalls are designed to examine network traffic and block traffic based on wide-ranging policies that can include application-specific rules. WAFs implement firewall rules, such as blocking traffic based on protocol, as well as application level checks. WAFs can implement encryption and block content that violates policies. WAFs can also use stateful monitoring so they can evaluate more complex logic than if they were stateless and had access only to the latest packet under examination.

The AWS Web application firewall implements the features one would expect in a WAF, such as the ability to create rules to prevent common attack methods like cross-site scripting and SQL injection attacks.

As with other AWS services, cloud administrators can use the AWS console or the AWS API to configure and manage AWS WAF.

AWS WAF rules are executed on AWS CloudFront endpoints. CloudFront is AWS' content delivery network (CDN), which has endpoints distributed around the globe. This means application developers and administrators do not have to concern themselves with configuring reverse proxy servers or other servers to run a Web application firewall. Since rules need to propagate to all CDN end nodes, it can take about one minute before rule changes are in effect.

AWS offers two methods to debug WAF rules: using CloudWatch metrics and Sampled Web Requests. The CloudWatch service collects several metrics -- such as EC2, ElastiCache and DynamoDB metrics -- every minute. AWS WAF users can inspect those metrics to get a sense of the volume of traffic blocked by the rules. In addition, the Sampled Web Request API call allows administrators to determine why a particular packet was blocked by a specific rule.

Instead of licensing a WAF product, AWS charges based on WAF usage: $5 per access control list (ACL) per month, $1 per rule per Web ACL per month, and $0.60 per million Web requests per month.
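As an added example of the Sampled Web Requests debugging step described above (not code from the original article or from AWS), the following Python summarizes where one rule's matches concentrate. The response dictionary is constructed sample data shaped like the classic AWS WAF GetSampledRequests response, and the function name `summarize_rule_samples` is hypothetical.

```python
from collections import Counter

# Constructed sample data, shaped like the response of the classic AWS WAF
# GetSampledRequests call for a single rule. IPs, URIs and weights are made up.
SAMPLE_RESPONSE = {
    "SampledRequests": [
        {"Action": "BLOCK", "Weight": 3,
         "Request": {"ClientIP": "198.51.100.7", "Method": "GET", "URI": "/search"}},
        {"Action": "BLOCK", "Weight": 1,
         "Request": {"ClientIP": "203.0.113.20", "Method": "POST", "URI": "/login"}},
        {"Action": "BLOCK", "Weight": 2,
         "Request": {"ClientIP": "198.51.100.7", "Method": "GET", "URI": "/search"}},
        {"Action": "BLOCK", "Weight": 2,
         "Request": {"ClientIP": "192.0.2.44", "Method": "POST", "URI": "/api/comments"}},
    ]
}


def summarize_rule_samples(response, top=3):
    """Hypothetical helper: show where one rule's matches concentrate.

    Each sample carries a Weight; a sample with weight 2 stands for roughly
    twice as many real requests as a sample with weight 1, so counts are
    weighted rather than taken per sample.
    """
    actions, endpoints, clients = Counter(), Counter(), Counter()
    for sample in response.get("SampledRequests", []):
        weight = sample.get("Weight", 1)
        request = sample.get("Request", {})
        actions[sample.get("Action", "UNKNOWN")] += weight
        endpoints[f"{request.get('Method', '?')} {request.get('URI', '?')}"] += weight
        clients[request.get("ClientIP", "?")] += weight
    total = sum(endpoints.values())
    return {
        "actions": dict(actions),
        # Share of matched traffic per endpoint: one endpoint dominating a
        # rule's matches is the first place to look for a false positive.
        "endpoint_share": [(e, round(w / total, 3)) for e, w in endpoints.most_common(top)],
        "top_clients": clients.most_common(top),
    }


if __name__ == "__main__":
    for key, value in summarize_rule_samples(SAMPLE_RESPONSE).items():
        print(key, value)
```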


This was last published in March 2016
