Reading Is Fundamental (RIF)

Reading Is Fundamental (RIF) is the nation’s largest non-profit organization focused on children’s literacy. RIF partners with companies, foundations, and a grassroots network of literacy advocates in communities nationwide to provide books to children who need them most. Skybrary, RIF’s digital library, provides children access to nearly 1,000 engaging ebooks and hundreds of educational videos hosted by iconic storyteller LeVar Burton.

Reading Is Fundamental (RIF) was in the process of migrating its main rif.org website to existing AWS infrastructure used for hosting Skybrary, RIF’s interactive library of eBooks and real-world video explorations. RIF was looking to improve upon the existing security measures already in place for both sites, specifically to expand threat coverage, reduce management complexity, and improve its overall ability to manage security rulesets continuously without expending undue effort and overhead.

By implementing AWS WAF with its existing ALB deployment, BitPusher enabled RIF to realize these objectives at a low cost and with minimal management complexity. The new, streamlined security framework includes optimized AWS-managed rulesets for continuously bolstering the organization’s security posture, as well as dynamic security controls for protecting against new and emerging threats on an ongoing basis.

The organization’s main rif.org website and Skybrary digital library platform were developed using Drupal, a popular PHP-based content management system (CMS). Because of the expansive footprint of the CMS and its underlying language, RIF was keen to effectively manage threats targeting the code behind its website, especially those related to PHP and Drupal.

Existing security controls consisting of a small number of manually added, aging rulesets were previously in place to provide rudimentary protection for both websites. These ad hoc rules were configured to protect against specific threats in a Varnish Cache layer, a setup that added significant management complexity to RIF’s web environment. With the existing security measures, RIF would need to allocate increasing effort on an ongoing basis just to maintain the same level of protection.

Against this backdrop, the organization needed a solution for continuously protecting both its rif.org website and Skybrary offering against evolving threats without blocking legitimate traffic, and without incurring significant additional overhead (e.g., licensing and labor costs, performance tuning efforts).

With RIF’s existing web infrastructure, concerns, and requirements in mind, BitPusher implemented AWS WAF with the ALB deployment already in place. Using AWS-managed rulesets, BitPusher configured WAF to activate low-risk, high-value rules first (e.g., for detecting SQL injection exploits). Additionally, a full set of rules was turned on in count mode in order to monitor and start making distinctions between legitimate and malicious traffic even where the differences are more subtle.

With the new AWS WAF in place and attached to the existing ALB instance, RIF was able to leverage more comprehensive, active protection against modern threats, versus relying on static rules with waning efficacy against an evolving threat landscape. Moreover, the new solution was lower cost, more performant, and easier to maintain since the WAF infrastructure is fully managed by AWS. The organization is now looking to BitPusher for help in further fine-tuning its strong, properly configured WAF. Next steps include activating more rules over time and validating that legitimate traffic continues to receive unfettered access to the websites.

About BitPusher

BitPusher is a DevOps company offering project work and ongoing management at a higher quality and lower, more predictable cost than consultants or in-house teams. Over the past 20 years, BitPusher has developed a delivery model based on reusable engineering components and a collaborative approach that allows for the right combination of availability, scalability, security, performance, and cost-efficient use of hosting resources.

BitPusher is an advanced tier AWS consulting partner, an AWS public sector partner, and part of the AWS solution provider program.
