
Is AWS WAF worth considering for enterprise cloud?

The new Amazon WAF offers firewall features for the cloud. Expert Dan Sullivan explains how Amazon WAF can be integrated in the enterprise cloud.

Amazon Web Services recently introduced its own Web application firewall. How does the AWS WAF compare to others on the market? Is it something enterprises should consider using standalone or in conjunction with another WAF?

Web application firewalls are designed to examine network traffic and block requests based on wide-ranging policies that can include application-specific rules. WAFs implement firewall rules, such as blocking traffic based on protocol, as well as application-level checks. WAFs can implement encryption and block content that violates policies. WAFs can also use stateful monitoring, which lets them evaluate more complex logic than a stateless device that only has access to the latest packet under examination.

The AWS Web application firewall implements the features one would expect in a WAF, such as the ability to create rules to prevent common attack methods like cross-site scripting and SQL injection attacks.

As with other AWS services, cloud administrators can use the AWS console or the AWS API to configure and manage AWS WAF.

AWS WAF rules are executed on AWS CloudFront endpoints. CloudFront is AWS' content delivery network (CDN), which has endpoints distributed around the globe. This means application developers and administrators do not have to concern themselves with configuring reverse proxy servers or other servers to run a Web application firewall. Since rules need to propagate to all CDN end nodes, it can take about one minute before rule changes are in effect.

AWS offers two methods to debug WAF rules: using CloudWatch metrics and Sampled Web Requests. The CloudWatch service collects several metrics -- such as EC2, ElastiCache and DynamoDB metrics -- every minute. AWS WAF users can inspect those metrics to get a sense of the volume of traffic blocked by the rules. In addition, the Sampled Web Request API call allows administrators to determine why a particular packet was blocked by a specific rule.
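As an added example (not code from the article or from AWS), here is how the rule-creation and debugging steps described above look against the 2015 AWS WAF API via boto3: a SQL injection match set on the query string, a rule that uses it, a Web ACL that blocks on that rule, and then a pull of the sampled requests the rule blocked. The names sqli-qs, BlockSqli and EdgeAcl and the DryRunWaf stand-in are assumptions; pass boto3.client("waf") in place of DryRunWaf to run it against a real account.

```python
import datetime

def sqli_match_set_update(field_type="QUERY_STRING", transform="URL_DECODE"):
    # Inspect this part of the request after applying this decoding step.
    return [{"Action": "INSERT", "SqlInjectionMatchTuple": {
        "FieldToMatch": {"Type": field_type}, "TextTransformation": transform}}]
def rule_update(match_set_id):
    # The rule fires when a request matches the SQL injection match set.
    return [{"Action": "INSERT", "Predicate": {
        "Negated": False, "Type": "SqlInjectionMatch", "DataId": match_set_id}}]
def web_acl_update(rule_id, priority=1, action="BLOCK"):
    # Activate the rule in the Web ACL; lower priority numbers are evaluated first.
    return [{"Action": "INSERT", "ActivatedRule": {
        "Priority": priority, "RuleId": rule_id, "Action": {"Type": action}}}]

def deploy_sqli_rule(waf):
    """Match set -> rule -> Web ACL (default ALLOW, rule BLOCKs). Returns (acl_id, rule_id)."""
    tok = lambda: waf.get_change_token()["ChangeToken"]  # fresh token per mutating call
    ms = waf.create_sql_injection_match_set(Name="sqli-qs", ChangeToken=tok())
    ms_id = ms["SqlInjectionMatchSet"]["SqlInjectionMatchSetId"]
    waf.update_sql_injection_match_set(SqlInjectionMatchSetId=ms_id, ChangeToken=tok(),
                                       Updates=sqli_match_set_update())
    rule = waf.create_rule(Name="BlockSqli", MetricName="BlockSqli", ChangeToken=tok())
    rule_id = rule["Rule"]["RuleId"]
    waf.update_rule(RuleId=rule_id, ChangeToken=tok(), Updates=rule_update(ms_id))
    acl = waf.create_web_acl(Name="EdgeAcl", MetricName="EdgeAcl",
                             DefaultAction={"Type": "ALLOW"}, ChangeToken=tok())
    acl_id = acl["WebACL"]["WebACLId"]
    waf.update_web_acl(WebACLId=acl_id, ChangeToken=tok(), Updates=web_acl_update(rule_id))
    return acl_id, rule_id

def blocked_samples(waf, acl_id, rule_id, minutes=60):
    """GetSampledRequests for this rule over the last N minutes -> (client_ip, uri) it blocked."""
    end = datetime.datetime.now(datetime.timezone.utc)
    resp = waf.get_sampled_requests(WebAclId=acl_id, RuleId=rule_id, MaxItems=100,
        TimeWindow={"StartTime": end - datetime.timedelta(minutes=minutes), "EndTime": end})
    return [(s["Request"]["ClientIP"], s["Request"]["URI"])
            for s in resp["SampledRequests"] if s["Action"] == "BLOCK"]

class DryRunWaf:
    """Offline stand-in for boto3.client('waf'): records calls, returns constructed ids/samples."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, op):
        def call(**kw):
            self.calls.append((op, kw))
            return {"ChangeToken": "tok", "Rule": {"RuleId": "rule-1"}, "WebACL": {"WebACLId": "acl-1"},
                    "SqlInjectionMatchSet": {"SqlInjectionMatchSetId": "ms-1"}, "SampledRequests":
                    [{"Action": "BLOCK", "Request": {"ClientIP": "203.0.113.7", "URI": "/search"}}]}
        return call
```

Running deploy_sqli_rule against DryRunWaf first and reviewing its recorded calls is a cheap way to check the change set before the roughly one-minute propagation to the CloudFront edge makes it live.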

Instead of licensing a WAF product, AWS charges based on WAF usage: $5 per access control list (ACL) per month, $1 per rule per Web ACL per month, and $0.60 per million Web requests per month.
