This topic outlines the process for deploying an AWS Web Application Firewall (WAF) to protect LabKey instances from DDoS and Malicious Attacks.

Purpose

Public facing LabKey instances are subject to “internet background radiation” by nefarious miscreants who seek to comprise systems to gain access to protected data. Typically motivated by financial extortion, these individuals use DDoS and bot networks to attack victims. Fortunately there are some easy and low cost tools to protect against many attacks. This document describes how to deploy an AWS Web Application Firewall (WAF) to protect against the OWASP top 10 vulnerabilities and many malicious bot networks.

Related Documentation

Tutorial: Implementing a DDoS-resistant Website Using AWS Services:

• https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-ddos-cross-service.html#tutorials-ddos-cross-service-overview

Requirements

• LabKey Instance Deployed in AWS on EC2
• Configured Elastic Load Balancer with target group routing to LabKey EC2 Instance
• Required AWS Permissions to use CloudFormation, WAF, IAM Policies, S3, Lambda etc.

Considerations

Many LabKey core features require uploading and downloading of files. These types of activities are difficult to distinguish from malicious activities as the methods used to upload malicious code is indistinguishable from normal workflows. To address possible false positives, clients have the following options:

• Use the IP Address whitelist function of the WAF to whitelist specific IP addresses or IP Address ranges of users originating from within the clients network. (e.g. whitelist the Public NAT gateway of the client’s network).
• If whitelisting is not feasible due to expectation of random user IP addresses from various internet locations; consider setting the XSS rule to count vs block. (See information below). While this may reduce the effectiveness of the WAF to protect against XSS attacks, clients still gain the benefit of other WAF features which block known malicious attacker source IP’s.

Deployment

Architecture

Deployment Steps

Follow the AWS Tutorial for detailed steps to deploy the WAF using the CloudFormation Template:

• https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-ddos-cross-service-WAF.html

High level steps:

1. Deploy the WAF in the same region as your LabKey Instance.
2. Configure the WAF to protect your Elastic Load Balancer
3. Optional: Configuring IP Address Whitelists
4. Login to AWS and go to the WAF Console.
5. From the WAF Console, choose WebACL’s.
6. In the WebACL Conditions, choose IP Addresses.
7. Edit the "Whitelist Set" rule to include the IP addresses or address ranges you wish to whitelist.
8. Test.

Optional: Configuring XSS Rule from Block to Count

Edit the WebACL following the steps below:

1. Login to AWS and go to the WAF Console.
2. From the WAF Console, choose WebACL’s.
3. Click the WAF Name in the WebACL’s list. In the resulting dialog that opens, click the Rules tab to see the list of the ACL rules.
4. Click the Edit web ACL button.
5. For the XSS Rule, change the rule from "Block" to "Count".
6. Click the Update button to save changes.
7. Test.