globaldatanet / aws-firewall-factory

Licence: Apache-2.0 license
Deploy, update, and stage your WAFs while managing them centrally via FMS.

Programming Languages

typescript
32286 projects
javascript
184084 projects - #8 most used programming language
shell
77523 projects

Projects that are alternatives of or similar to aws-firewall-factory

Waf
🚦 Web Application Firewall or API Gateway (application firewall/API gateway)
Stars: ✭ 547 (+659.72%)
Mutual labels:  firewall, waf
Whatwaf
Detect and bypass web application firewalls and protection systems
Stars: ✭ 1,881 (+2512.5%)
Mutual labels:  firewall, waf
Botwall4j
A botwall for Java web applications
Stars: ✭ 41 (-43.06%)
Mutual labels:  firewall, waf
waf4wordpress
WAF for WordPress 🔥 with 60+ security checks and weekly updates
Stars: ✭ 102 (+41.67%)
Mutual labels:  firewall, waf
waf-brain
Machine Learning WAF Based
Stars: ✭ 74 (+2.78%)
Mutual labels:  waf, owasp
Awesome Waf
🔥 Everything about web-application firewalls (WAF).
Stars: ✭ 4,047 (+5520.83%)
Mutual labels:  firewall, waf
Cidram
CIDRAM: Classless Inter-Domain Routing Access Manager.
Stars: ✭ 86 (+19.44%)
Mutual labels:  firewall, waf
Sbt Dependency Check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
Stars: ✭ 187 (+159.72%)
Mutual labels:  owasp, devsecops
shieldfy-php-client
The official PHP SDK for Shieldfy
Stars: ✭ 15 (-79.17%)
Mutual labels:  firewall, waf
Docker Waf
An NGINX and ModSecurity based Web Application Firewall for Docker
Stars: ✭ 181 (+151.39%)
Mutual labels:  firewall, waf
Openrasp
🔥 Open source RASP solution
Stars: ✭ 2,036 (+2727.78%)
Mutual labels:  waf, devsecops
coraza-caddy
OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
Stars: ✭ 75 (+4.17%)
Mutual labels:  waf, owasp
Go Agent
Sqreen's Application Security Management for the Go language
Stars: ✭ 134 (+86.11%)
Mutual labels:  waf, owasp
Laravel Firewall
Web Application Firewall (WAF) package for Laravel
Stars: ✭ 544 (+655.56%)
Mutual labels:  firewall, waf
ftw
Framework for Testing WAFs (FTW!)
Stars: ✭ 106 (+47.22%)
Mutual labels:  waf, owasp
Xwaf
xWAF 3.0 - Free Web Application Firewall, Open-Source.
Stars: ✭ 48 (-33.33%)
Mutual labels:  firewall, waf
Django Defectdojo
DefectDojo is an open-source application vulnerability correlation and security orchestration tool.
Stars: ✭ 1,926 (+2575%)
Mutual labels:  owasp, devsecops
Apicheck
The DevSecOps toolset for REST APIs
Stars: ✭ 184 (+155.56%)
Mutual labels:  owasp, devsecops
Securetea Project
The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)
Stars: ✭ 181 (+151.39%)
Mutual labels:  firewall, owasp
rds-snapshot-export-to-s3-pipeline
RDS Snapshot Export to S3 Pipeline
Stars: ✭ 88 (+22.22%)
Mutual labels:  amazon-web-services, cdk


AWSFirewallFactory

Releases: Changelog - Features
Author: David Krohn (Linkedin - Blog)

Overview

AWS Web Application Firewalls (WAFs) protect web applications and APIs from typical attacks from the Internet that can compromise security and availability, and put undue strain on servers and resources. The AWS WAF provides prebuilt security rules that help control bot traffic and block attack patterns. You can also create your own rules based on your own requirements. In simple scenarios and for smaller applications, this is very easy to implement on an individual basis. However, in larger environments with tens or even hundreds of applications, it is advisable to aim for central governance and automation. This simple solution helps you deploy, update and stage your Web Application Firewalls while managing them centrally via AWS Firewall Manager.

Example Deployment

Media

If you want to learn more about the AWS Firewall Factory feel free to look at the following media resources.

Useful Links

Architecture


Features

  1. Automated capacity calculation via API - CheckCapacity

  2. Algorithm to split Rules into RuleGroups

  3. Automated update of RuleGroup if capacity changed

  4. Add ManagedRuleGroups via configuration file

  5. Automated generation of draw.io diagram for each WAF

  6. Checking of the soft-limit quota for WCU set in the AWS account (stop deployment if calculated WCU is above the quota)

  7. Easy configuration of WAF rules through a JSON file.

  8. Deployment hash to deploy same WAF more than once for testing and/or blue/green deployments.

  9. Stopping deployment if soft limit will be exceeded: Firewall Manager policies per organization per Region (L-0B28E140) - Maximum number of web ACL capacity units in a web ACL in WAF for regional (L-D9F31E8A)

  10. RegexMatchStatement and IPSetReferenceStatement are working now 🚀

  11. You can name your rules. If you define a name in your RulesArray, the name + a Base36 timestamp will be used for the creation of your rule - otherwise a name will be generated. This will help you to query your logs in Athena. The same rule name also applies to the metric by adding "-metric" to the name.

  12. Support for Captcha - You can add Captcha as an action to your WAFs. This helps you block unwanted bot traffic by requiring users to successfully complete challenges before their web requests are allowed to reach AWS WAF protected resources. AWS WAF Captcha is available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources.

  13. Added S3LoggingBucketName to JSON. You need to specify the S3 bucket in which logs should be placed. We also added a prefix for the logs to conform to the AWS convention (Prefix: AWSLogs/AWS_ACCOUNTID/FirewallManager/AWS_REGION/).

  14. Added testing of your WAF with GoTestWAF. To be able to check your WAF, we introduced the SecuredDomain parameter in the JSON (which should be your domain), which will be checked using the WAF tool.

  15. TaskFileParameters:

    Parameter         Value
    SKIP_QUOTA_CHECK  true (Stop deployment if calculated WCU is above the quota)
                      false (Skipping WCU Check)
    WAF_TEST          true (testing your WAF with GoTestWAF)
                      false (Skipping WAF testing)
    CREATE_DIAGRAM    true (generating a diagram using draw.io)
                      false (Skipping diagram generation)
    CDK_DIFF          true (generating a cdk diff before invoking cdk deploy)
                      false (Skipping cdk diff)

  16. Validation of your ConfigFile using schema validation - if you miss a required parameter in your config file the deployment will stop automatically and show you the missing path.

  17. PreProcess- and PostProcessRuleGroups - you can decide now where the Custom or ManagedRules should be added to.

  18. RuleLabels - A label is a string made up of a prefix, optional namespaces and a name. The components of a label are delimited with a colon. Labels have the following requirements and characteristics:

    • Labels are case-sensitive.

    • Each label namespace or label name can have up to 128 characters.

    • You can specify up to five namespaces in a label.

    • Components of a label are separated by a colon ( : ).

  19. During deployment, the price for your WAF is calculated using the Pricing API.

  20. Dashboard - The Firewall Factory is able to provision a CloudWatch Dashboard per Firewall. The Dashboard shows:

    • Where the WAF is deployed to [AWS Region and Account(s)]
    • Which resource type you are securing
    • Which Managed Rule Groups in which version are in use
    • Link to Managed Rule Groups documentation
    • Direct Link to your secured Application / Endpoint
    • AWS Firewall Factory version
    • Check if the AWS Firewall Factory version is the latest or not during rollout
    • Allowed / Blocked and Counted Requests
    • Bot vs Non-bot Requests

See example: FirewallDashboard
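
The label limits from feature 18 and the naming conventions from features 11 and 13, written as checks you could run over a config before deploying. This is an added example, not code from aws-firewall-factory; the function names, the "-" separator between rule name and timestamp, and passing labels without their prefix are assumptions.

```typescript
// Added example; not taken from the aws-firewall-factory code base.
const MAX_COMPONENT_LENGTH = 128; // feature 18: per namespace or name
const MAX_NAMESPACES = 5;         // feature 18: namespaces per label

// Checks the "namespace:...:name" part of a label against the listed limits.
// Assumption: the label is passed without its prefix.
function labelErrors(label: string): string[] {
  const parts = label.split(":");
  const namespaces = parts.slice(0, -1); // last component is the name
  const errors: string[] = [];
  if (parts.some((p) => p.length === 0)) {
    errors.push("empty component (leading, trailing or doubled colon)");
  }
  if (parts.some((p) => p.length > MAX_COMPONENT_LENGTH)) {
    errors.push("component longer than " + MAX_COMPONENT_LENGTH + " characters");
  }
  if (namespaces.length > MAX_NAMESPACES) {
    errors.push(namespaces.length + " namespaces, limit is " + MAX_NAMESPACES);
  }
  return errors;
}

// Labels are case-sensitive, so spellings that differ only in case are
// different labels. Returns such groups so a likely typo is caught early.
function caseCollisions(labels: string[]): string[][] {
  const byFolded: Record<string, string[]> = Object.create(null);
  for (const label of labels) {
    const key = label.toLowerCase();
    const seen = byFolded[key] || (byFolded[key] = []);
    if (seen.indexOf(label) === -1) seen.push(label);
  }
  return Object.keys(byFolded)
    .map((k) => byFolded[k].sort())
    .filter((group) => group.length > 1);
}

// Feature 11: rule name = configured name + Base36 timestamp; the metric
// name appends "-metric". Assumption: "-" joins name and timestamp.
function ruleNames(name: string, epochMs: number): { rule: string; metric: string } {
  const rule = name + "-" + epochMs.toString(36);
  return { rule, metric: rule + "-metric" };
}

// Feature 13: log prefix under the configured S3 logging bucket.
function logPrefix(accountId: string, region: string): string {
  return "AWSLogs/" + accountId + "/FirewallManager/" + region + "/";
}
```

Because the timestamp suffix changes with every deployment, Athena queries over the logs are more stable when they match on the configured name as a prefix rather than on the full rule name.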

Deployment

Prerequisites

  1. A central S3 Bucket with write permission for the security account needs to be in place.

  2. (Optional) If you want to use the CreateDashboard Feature to get a Dashboard deployed for your Firewall in the central Security Account, the cross-account functionality in CloudWatch must be enabled. To enable your account to share CloudWatch data with the central security account, follow this how-to.

Deployment via Taskfile

  1. Create a new JSON file for your WAF and configure Rules in the JSON (see example.json for the structure)
  2. Assume your AWS profile: awsume PROFILENAME
  3. (Optional) Enter task generateconfig
  4. Enter task deploy config=NAMEOFYOURCONFIGFILE

Contributors


Any form of contribution is welcome. The above contributors have been officially released by globaldatanet.

Contribute

Want to contribute to AWS FIREWALL FACTORY? Check out the Contribution docs

