Now it's the security industry's turn to be burned by cloud
Amazon ignites Web Applications Firewall to char security chaff
Amazon has launched web application firewall to help customers guard against common web exploits.
The web attic touts the service as a means to ink custom rules to block attack patterns like SQL injection and cross-site scripting and offering the ability to quickly deploy application rules.
Rules can be set based on IP address, HTTP headers, URI strings, and configured through the API or management console. The more rules set the higher the cost.
Amazon Web Services man Jeff Barr offers a case study of how the WAF could work.
"[Attackers] could run through a list of common or default usernames and passwords, or they could attempt to exploit a known system, language, or application vulnerability perhaps powered by SQL injection or cross-site request forgery as the next step," Barr says
"Like it or not, these illegitimate requests are going to be flowing in 24 by 7.
"Even if you keep your servers well-patched and do what you can to keep the attack surface as small as possible, there’s always room to add an additional layer of protection."
Amazon has slapped chicken feed service pricing on the WAF, asking for 60 cents per million hits, US$1 a rule, and $5 for each access control list.
Web application firewalls are a tool in the security defence chest and are no panacea. Security bods say the technology can be often bypassed and some maintain some offerings even introduce the vulnerabilities the platform seeks to mitigate. ®