Modis developed and continues to manage a fleet of ESRI ArcGIS geospatial servers for a commercial operator in the lands industry.
The ArcGIS application servers in the customer's platform are hosted inside private VPC subnets and exposed through a public internet-facing Application Load Balancer (ALB). Java services and end-user client JavaScript talk directly to services hosted on the ArcGIS servers. As such, there is a need for the ArcGIS servers to be publicly accessible.
ArcGIS servers have an administration facility exposed in the same way services are exposed. This is exposed at:
It was desirable to have those administration facilities inaccessible to the average user who legitimately has access to other ArcGIS services.
Modis architected, implemented and operates this service for its customer as a Managed Services Provider. This work was done in early 2021.
An AWS WAFv2 was placed in front of the ArcGIS ALB to block the specific admin URLs. This was added by augmenting the existing CloudFormation template responsible for standing up the ALB and ArcGIS servers. The CloudFormation update uses conditions so that the implementation is environment-specific.
The WAFv2 was enabled with the following rules:
| Rule | Type | Action |
| --- | --- | --- |
| ArcGisWafRuleBlockAdmin | Custom | Block |
| ArcGisWafRuleBlockManager | Custom | Block |
| AWSManagedRulesCommonRuleSet | AWS Managed | Count |
| AWSManagedRulesAdminProtectionRuleSet | AWS Managed | Count |
| AWSManagedRulesKnownBadInputsRuleSet | AWS Managed | Count |
| AWSManagedRulesWindowsRuleSet | AWS Managed | Count |
While initially only the two custom rules were required, it made sense to add a set of seemingly appropriate AWS Managed rules in Count mode to identify whether it is feasible to block on these as well. Because the functional requirements of the ArcGIS servers were not well understood, it was not clear whether blocking on these immediately would cause customer experience issues. Future work will analyse the count results and attempt blocking with appropriate managed rules in other lower (non-production) environments.
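The pattern described above (a custom Block rule on a URI path, a managed rule group in Count mode, and a condition that makes the WAF environment-specific), sketched as an added CloudFormation example that is not the project's own template. The parameter names, the `dev` environment and the `/replace-with-admin-path` value are assumptions; the page does not give the admin URL.

```yaml
# Added example: names, parameters and path values are assumptions, not the project's template.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Environment: {Type: String, AllowedValues: [dev, test, uat, prod]}
  AlbArn: {Type: String}  # ARN of the existing ArcGIS ALB
  AdminPath: {Type: String, Default: /replace-with-admin-path}  # placeholder; keep it lowercase
Conditions:
  # WAF only in the environments the page lists; dev is an assumed extra environment
  EnableWaf: !Or
    - !Equals [!Ref Environment, prod]
    - !Equals [!Ref Environment, uat]
    - !Equals [!Ref Environment, test]
Resources:
  ArcGisWebAcl:
    Type: AWS::WAFv2::WebACL
    Condition: EnableWaf
    Properties:
      Scope: REGIONAL  # required for a web ACL attached to an ALB
      DefaultAction: {Allow: {}}
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ArcGisWebAcl}
      Rules:
        - Name: ArcGisWafRuleBlockAdmin
          Priority: 0
          Action: {Block: {}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ArcGisWafRuleBlockAdmin}
          Statement:
            ByteMatchStatement:
              FieldToMatch: {UriPath: {}}
              PositionalConstraint: STARTS_WITH
              SearchString: !Ref AdminPath
              TextTransformations:  # normalise first so encoded or mixed-case paths still match
                - {Priority: 0, Type: URL_DECODE}
                - {Priority: 1, Type: LOWERCASE}
        - Name: AWSManagedRulesAdminProtectionRuleSet
          Priority: 10
          OverrideAction: {Count: {}}  # observe only; change to {None: {}} to enforce the group's actions
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: AWSManagedRulesAdminProtectionRuleSet}
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet}
  ArcGisWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Condition: EnableWaf
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt ArcGisWebAcl.Arn
```

ArcGisWafRuleBlockManager and the other managed rule groups in the table would follow the same two shapes, each with its own priority and metric name. The per-rule `MetricName` values are what surface as separate Block and Count series in CloudWatch.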
In Production, UAT and Test environments the administration pages are now inaccessible outside of the ArcGIS server itself.
Monitoring showed immediately that there were regular hits to the production ArcGIS administration pages. These regular hits continued for many weeks, then stopped and have not returned. The graph below from CloudWatch metrics illustrates this:
While it is unclear whether the traffic was ‘legitimate’ or malicious, no functionality has been impaired by the introduction of the block rules, suggesting that it was not legitimate traffic and that blocking it is a positive outcome.
Monitoring of the Count metrics for AWS Managed Rules shows there is potential for further improvement.
The below illustrates a spike in counts for the AWS Managed ‘admin’ rule, a spike that does not correlate to the custom rules for ‘admin’ and ‘manager’. This warrants further analysis.
At Modis we connect people, technology and businesses to the opportunities they need to thrive in a rapidly advancing world. With 1,300+ technology professionals across six locations (Sydney, Melbourne, Brisbane, Adelaide, Canberra and Perth), we work with our clients to deliver solutions and talent to transform technology portfolios, streamline business functions, drive innovation or enhance organisational capability. https://aws.modis.com