AWSã§WAFãèšå®ããŠã¿ããïŒ
ã€ã³ã¿ãŒãããã®æ®åã«äŒŽãããªã³ã©ã€ã³ãµãŒãã¹ãžã®ãµã€ããŒæ»æã®è¢«å®³ãæ·±å»ã«ãªã£ãŠããŸããåãµãŒãã¹ãžã®ãµã€ããŒæ»æãæªç¶ã«é²ã察çãšããŠãWAFïŒãŠã§ãã¢ããªã±ãŒã·ã§ã³ãã¡ã€ã¢ãŠã©ãŒã«ïŒãèšå®ããããšãã§ããŸããAWSïŒã¢ããŸã³ãŠã§ããµãŒãã¹ïŒãæäŸããWAFã®ç¹åŸŽã»æéã»èšå®æé ã解説ããŸããäžçèŠæš¡ã®é販ãµã€ãAmazonã¯ååã®é販以å€ã®ãµãŒãã¹ãæäŸããŠããŸãã
æ°ãããµãŒããŒãå°å
¥ããéãAWSãåè£ã®äžã€ã«éžã¶äŒæ¥ã»å人ãå¢ããŠããŠããŸãããµãŒããŒæ§ç¯ã«ãããã»ãã¥ãªãã£å¯Ÿçã¯æ°ã«ãªããšããã§ãããã®èšäºã§ã¯ãAmazonãæäŸããWAFã解説ããŸãã
AWSã§ãçšããããWAFãšã¯

WAFã®æ£åŒåç§°ã¯ãWeb Application Firewallã§ãã
ååã®éããWebãµãŒããŒãWebãµã€ããä¿è·ãããã¡ã€ã¢ãŠã©ãŒã«ã§ãããŠãŒã¶ãŒãšWebãµãŒããŒéã®éä¿¡ãç£èŠããã·ã°ããã£ïŒäžæ£ãªå€ã»éä¿¡ãã¿ãŒã³ãå®çŸ©ããã«ãŒã«ïŒã«äžèŽããéä¿¡ãæ»æãšå€æããããã¯ããããšãã§ããŸãã
WAFã¯ãªãå¿ èŠïŒ
WAFãå¿
èŠãšãããäž»ãªçç±ã¯ãWebã¢ããªã±ãŒã·ã§ã³ã«è匱æ§ãååšããç¹ããããããŸãã
WEBã¢ããªã±ãŒã·ã§ã³ã®éçºæã«ãã¹ãŠã®ã»ãã¥ãªãã£èŠä»¶ãèæ
®ãè匱æ§ãžã®å¯Ÿçãå®çŸã§ããã°ãè匱æ§ãæªçšãããµã€ããŒæ»æãžã®å¯Ÿçãã§ããŸãããããWEBã¢ããªã±ãŒã·ã§ã³ã®ãªãªãŒã¹ã®ã¹ããŒããæ±ããããäžãéããããã³ãã¯ãŒããªãœãŒã¹ã§ããã¹ãŠã®ã»ãã¥ãªãã£å¯Ÿçãå®çŸããã®ã¯å°é£ã§ãã
ãã®ããããã®WAFãå¿
èŠãšãªãã®ã§ãã
ã¢ãã©ã€ã¢ã³ã¹åWAFãšã¯ã©ãŠãåWAF
代衚çãªWAFã«ã¯ããã¢ãã©ã€ã¢ã³ã¹åããšãã¯ã©ãŠãåãããããŸãã
ã¢ãã©ã€ã¢ã³ã¹åã¯ããšã³ããŠãŒã¶ãŒãšWebãµãŒããŒéã®ãããã¯ãŒã¯äžã«æ©åšãèšçœ®ããã¿ã€ãã®WAFã§ãã
äžæ¹ãã¯ã©ãŠãåã¯ãã€ã³ã¿ãŒãããçµç±ã§ãµãŒãã¹ãšããŠå°å
¥ããã¿ã€ãã®WAFã§ãã
ã¢ãã©ã€ã¢ã³ã¹åWAFã¯ãããŒããŠã§ã¢ã®è³Œå
¥ãã·ã¹ãã ã®æ§ç¯ãå¿
èŠãšãªã£ãŠãããããåæå°å
¥è²»çšãé«é¡ã«ãªããŸãããŸãããããã¯ãŒã¯ã®èšå®äœæ¥ãã·ã°ããã£ã®ç·šéäœæ¥çãå°éçãªèšå®ãè¡ããããé«åºŠãªå°éç¥èããã£ãæè¡è
ã«ããéçšãå¿
èŠã«ãªããŸãã
ä¿è·ãããµãŒããŒå°æ°ãããŠã§ãã¢ããªã±ãŒã·ã§ã³ãå€ãå Žåã¯è²»çšé¢ã§ã®ã¡ãªãããåºãŠããã§ãããã
ã¯ã©ãŠãåWAFã¯ãã¢ãã©ã€ã¢ã³ã¹åWAFãšæ¯ã¹ãŠäœäŸ¡æ Œããã€ç°¡åã«å°å
¥ã§ããŸãã
æ©åšã®è³Œå
¥ã¯å¿
èŠãããŸããããŸããéçšäœæ¥ããããã¯ãŒã¯ã®èšå®äœæ¥ãã·ã¹ãã 倿Žçã¯ãã³ããŒãè¡ããŸããããã«ãã€ã³ã¿ãŒãããçµç±ã§ã®ãµãŒãã¹ã®ãããã©ãã§ãéçšãå¯èœã§ãã
ã¯ã©ãŠãåWAFã®æéã¯ãä¿è·ãããµã€ãæ°ã»ãã©ãã£ãã¯æ°ã«ãããŸãããã®ããã倿°ã®ãµã€ãã«å°å ¥ããããããã¯ãã©ãã£ãã¯ã®å€ããµã€ãã«å°å ¥ããå Žåãæã ã®æéãã©ãã»ã©ã«ãªãããäºåã«èª¿æ»ããå¿ èŠããããŸãã
WAFãµãŒãã¹ã®æ¯èŒ
Googleã§ããã¯ã©ãŠãåWAFããšæ€çŽ¢ãããšãå€ãã®æ€çŽ¢çµæãåºãŠããŸãããã®äžããã幟ã€ãã®WAFãµãŒãã¹ãããã¯ã¢ããããŸãã
(1) ã¢ãã©ã€ã¢ã³ã¹åWAF
- Barracuda Web Application Firewall
- FortiWeb
- SecureSphere Web Application Firewall
- WAPPLES
- SecureSoft Sniper DDX ã·ãªãŒãº
(2) ã¯ã©ãŠãåWAF
- æ»æé®æãã
- ScutemïŒã¹ãã¥ãŒã¿ã ïŒ
- WAF/DDoS察ç/CDNãµãŒãã¹ TrustShelter/WAF
- ã·ãã³ãã㯠ã¯ã©ãŠãåWAF
- Web Application FirewallãµãŒãã¹ Scutum
ã¢ãã©ã€ã¢ã³ã¹åWAFã¯ã³ã¹ãé¢ã§é«é¡ã«ãªããŸããäžæ¹ãã¯ã©ãŠãåWAFã¯æ¯èŒçå®äŸ¡ã§å°å ¥ã§ããããšãããããŸããå°å ¥åã«ãã調æ»ããäŒç€Ÿã«æãé©ããWAFãéžæããŸãããã
AWS WAFã®èšå®

AWSã®WAFã¯ãã¯ã©ãŠãåWAFã§ãã
äœã³ã¹ãã§ãæ¯èŒçã·ã³ãã«ãªããªã·ãŒã®èšå®ã§å°å
¥ãå¯èœã§ããæ¡ä»¶ã«åºã¥ããŠã§ããªã¯ãšã¹ããèš±å¯ããããã¯ããŸãã¯ç£èŠãã§ããŸãã
èšå®ã§ããæ¡ä»¶ã«ã¯ãIPã¢ãã¬ã¹ãHTTPããããŒãHTTPæ¬æãURIæååãSQLã€ã³ãžã§ã¯ã·ã§ã³ãããã³ã¯ãã¹ãµã€ãã¹ã¯ãªãããå«ãŸããŸããAWS WAFã¯åæè²»çšã¯çºçããŸãããäœæãããŠã§ãã¢ã¯ã»ã¹ã³ã³ãããŒã«ãªã¹ã ïŒãŠã§ãACLïŒã®æ°ããŠã§ãACLããšã«è¿œå ããã«ãŒã«ã®æ°ãããã³åä¿¡ãããŠã§ããªã¯ãšã¹ãã®æ°ã«åºã¥ããŠèª²éãããŸãã
ã§ã¯ãAWS WAFã®éå§æ¹æ³ãšèšå®æé ãèŠãŠãããŸãããã
AWS WAFã®äœ¿çšéå§æ¹æ³
AWS WAFã®äœ¿çšéå§ã«ããã£ãŠãŸããAWSã¢ã«ãŠã³ããèšå®ããã°ã€ã³ããŸãã
次ã«ããŠã§ãã¢ã¯ã»ã¹ã³ã³ãããŒã«ãªã¹ãïŒãŠã§ãACLïŒãäœæããŸããæ¡ä»¶ãä»äžãããã«ãŒã«ãäœæãããã®ãŠã§ãACLã«èšå®ããŸãã
èšå®æé ã¯ã次ã®èŠåºãã§è©³ãã説æããŸãã
AWS WAFã®èšå®æé - 10ã¹ããã
ã§ã¯ãAWS WAFã䜿çšããããã®èšå®æé ã10ã¹ãããã«ãããŠè§£èª¬ããŸãã
ã¹ããã1ïŒAWS WAFãèšå®ãã
AWSã¢ã«ãŠã³ãã«ãµã€ã³ã¢ããããã»ããã¢ãããå®è¡ããŸãã
ã¹ããã2ïŒãŠã§ãACLãäœæãã
AWS WAFã³ã³ãœãŒã«ããããŠã§ãACLãäœæããŸãã
ã¹ããã3ïŒIPäžèŽæ¡ä»¶ãäœæãã
IPäžèŽæ¡ä»¶ãäœæããŸãããªã¯ãšã¹ãã®çºçå
ã®IPã¢ãã¬ã¹ãŸãã¯IPã¢ãã¬ã¹ç¯å²ãæå®ããŸããæå®ããIPã¢ãã¬ã¹ããã®ãªã¯ãšã¹ããèš±å¯ããããããã¯ãããã¯ãåŸã®ã¹ãããã§æå®ããŸãã
ã¹ããã4ïŒGeoäžèŽæ¡ä»¶ãäœæãã
GeoäžèŽæ¡ä»¶ãäœæããŸãããªã¯ãšã¹ãéä¿¡å
ã®1ã€ä»¥äžã®åœãæå®ããŸããæå®ããåœããéä¿¡ããããªã¯ãšã¹ããèš±å¯ããããããã¯ãããã¯ãåŸã®ã¹ãããã§æå®ããŸãã
ã¹ããã5ïŒæååäžèŽæ¡ä»¶ãäœæãã
æååäžèŽæ¡ä»¶ãäœæããŸãããªã¯ãšã¹ãã§AWS WAFã«ãã£ãŠæ€çŽ¢ãããæååïŒããããŒãŸãã¯ã¯ãšãªæååã§æå®ããå€ãªã©ïŒãèå¥ããŸãããŸããæååäžèŽæ¡ä»¶ãäœæããã«ããããæ£èŠè¡šçŸæ¡ä»¶ãäœæããããšãã§ããŸããæå®ããæååãå«ããªã¯ãšã¹ããèš±å¯ããããããã¯ãããã¯ãåŸã®ã¹ãããã§æå®ããŸãã
ã¹ããã6ïŒSQLã€ã³ãžã§ã¯ã·ã§ã³äžèŽæ¡ä»¶ãäœæãã
SQLã€ã³ãžã§ã¯ã·ã§ã³äžèŽæ¡ä»¶ãäœæããŸããæªæã®ããSQLã³ãŒãã®æç¡ãæ€æ»ããããŠã§ããªã¯ãšã¹ãã®éšåïŒããããŒãã¯ãšãªæååãªã©ïŒãèå¥ããŸããæªæã®ããå¯èœæ§ãããSQLã³ãŒããå«ããªã¯ãšã¹ããèš±å¯ããããããã¯ãããã¯ãåŸã®ã¹ãããã§æå®ããŸãã
ã¹ããã7ïŒïŒãªãã·ã§ã³ïŒè¿œå ã®æ¡ä»¶ãäœæãã
远å ã®æ¡ä»¶ãããå Žåã¯äœæããŸããäœæã¯ä»»æã§ãã®ã§ãè¿œå æ¡ä»¶ããªãå Žåã¯æ¬¡ã®ã¹ãããã«é²ã¿ãŸãã远å ã®æ¡ä»¶ã«ã¯ãããµã€ãºå¶çŽæ¡ä»¶ãããã¯ãã¹ãµã€ãã¹ã¯ãªããã£ã³ã°äžèŽæ¡ä»¶ãçããããŸãã
ã¹ããã8ïŒã«ãŒã«ãäœæããŠæ¡ä»¶ã远å ãã
ãŸããã«ãŒã«ãäœæããŸãããã®åŸããŠã§ããªã¯ãšã¹ãã§æ€çŽ¢ãããæ¡ä»¶ãæå®ããŸããåãã«ãŒã«ã«è€æ°ã®æ¡ä»¶ã远å ããå Žåããã¹ãŠã®æ¡ä»¶ã«äžèŽããå Žåã«ã®ã¿ããªã¯ãšã¹ããèš±å¯ãŸãã¯æåŠãããŸãã
ã¹ããã9ïŒã«ãŒã«ããŠã§ãACLã«è¿œå ãã
åã®ã¹ãããã§äœæããã«ãŒã«ããŠã§ãACLã«è¿œå ããå Žåãæ¬¡ã®èšå®ãæå®ããŸãã
ã»ã«ãŒã«ã®ãã¹ãŠã®æ¡ä»¶ã«äžèŽãããŠã§ããªã¯ãšã¹ããžã®ã¢ã¯ã·ã§ã³ïŒãªã¯ãšã¹ãã®èš±å¯ããããã¯ãã«ãŠã³ãïŒ
ã»ãŠã§ãACLã®ããã©ã«ãã¢ã¯ã·ã§ã³ãïŒãªã¯ãšã¹ãã®èš±å¯ãŸãã¯æåŠïŒ
ã¹ããã10ïŒãªãœãŒã¹ãã¯ãªãŒã³ã¢ãããã
AWS WAFã«ãããŠãäžèŠãªè¿œå æéãçºçããªãããã«äœæããAWS WAFãªããžã§ã¯ããã¯ãªãŒã³ã¢ããããŸãã
詳ããã¯ãåã¹ãããã®è©³çްã説æãããŠããäžèšããŒãžãåç §ããŠãã ããã
https://docs.aws.amazon.com/ja_jp/waf/latest/developerguide/waf-chapter.html
ãŸãšã
æ¥ã
æ°ããªWebã¢ããªã±ãŒã·ã§ã³ã®è匱æ§ãæªçšãããµã€ããŒæ»æãçãŸããŠããŸããWebãµãŒãã¹ãæäŸããäŒæ¥ã«ãšã£ãŠWAFã¯å¿
é ã®ã»ãã¥ãªãã£å¯Ÿçã®äžã€ãšèšããã§ãããã
AWS WAFãæŽ»çšããã»ãã¥ãªãã£å¯Ÿçãå®è·µããŸãããïŒ
ãã®èšäºã®ããŒã¯ãŒãã«é¢ããå匷äŒã»ã€ãã³ããæ¢ã
TECH PLAYã§ã¯ãITãšã³ãžãã¢åãã®å匷äŒã»ã€ãã³ãæ
å ±ãæäŸããŠããŸãã
èå³ã®ããæ¹ã¯ãã²ãåå ãã ããã
- ãAWSãã«é¢ããå匷äŒã»ã€ãã³ããæ¢ã
- ãã€ã³ãã©ãã«é¢ããå匷äŒã»ã€ãã³ããæ¢ã
- ãã»ãã¥ãªãã£ãã«é¢ããå匷äŒã»ã€ãã³ããæ¢ã












