ArcGIS with WAF v2

Roger Groom & Scott Bennett-McLeish, 25 August 2021

Country: Australia

The Scenario

Akkodis developed and continues to manage a fleet of ESRI ArcGIS geospatial servers for a commercial operator in the lands industry.

The ArcGIS application servers in the customer's platform are hosted inside private VPC subnets and exposed through a public, internet-facing Application Load Balancer (ALB). Java services and end-user client JavaScript talk directly to services hosted on the ArcGIS servers, so the ArcGIS servers need to be publicly accessible.

ArcGIS servers expose an administration facility in the same way that services are exposed. It is reachable at:

  • https://<hostname>/arcgis/manager
  • https://<hostname>/arcgis/admin

It was desirable to have those administration facilities inaccessible to the average user who legitimately has access to other ArcGIS services.

Akkodis architected, implemented and operates this service for its customer as a Managed Services Provider. This work was done in early 2021.

The Solution

An AWS WAFv2 web ACL was placed in front of the ArcGIS ALB to block the specific admin URLs. This was done by augmenting the existing CloudFormation template responsible for standing up the ALB and ArcGIS servers; CloudFormation conditions were used so that the WAF configuration is environment-specific.

The WAFv2 was enabled with the following rules:

Rule                                    Type         Action
ArcGisWafRuleBlockAdmin                 Custom       Block
ArcGisWafRuleBlockManager               Custom       Block
AWSManagedRulesCommonRuleSet            AWS Managed  Count
AWSManagedRulesAdminProtectionRuleSet   AWS Managed  Count
AWSManagedRulesKnownBadInputsRuleSet    AWS Managed  Count
AWSManagedRulesWindowsRuleSet           AWS Managed  Count

While initially only the two custom rules were required, it made sense to add a set of seemingly appropriate AWS Managed rule groups in Count mode, so their matches could be assessed before deciding whether blocking them as well is feasible. Because the functional requirements of the ArcGIS servers were not well understood, it was not clear whether blocking these immediately would cause customer experience issues. Future work will analyse the count results and trial blocking the appropriate managed rules in lower (non-production) environments first.
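The following CloudFormation fragment is added here as an illustration of the web ACL described above; it is not the template Akkodis deployed. It assumes the existing template already defines an `EnableWaf` condition, an `Environment` parameter and the ALB under the logical ID `ArcGisAlb`, and it shows only one of the four managed rule groups in Count mode.

```yaml
Resources:
  ArcGisWebAcl:
    Type: AWS::WAFv2::WebACL
    Condition: EnableWaf                                # assumed condition from the existing template
    Properties:
      Name: !Sub "arcgis-waf-${Environment}"            # assumed Environment parameter
      Scope: REGIONAL                                   # ALBs require REGIONAL; CLOUDFRONT is only for distributions
      DefaultAction: { Allow: {} }                      # anything no rule blocks still reaches ArcGIS
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ArcGisWaf }
      Rules:
        # Custom block rules: decode and normalise the path before matching so encoded or dot-segment variants of the admin URL are treated the same
        - Name: ArcGisWafRuleBlockAdmin
          Priority: 0
          Action: { Block: {} }
          Statement:
            ByteMatchStatement:
              FieldToMatch: { UriPath: {} }
              PositionalConstraint: STARTS_WITH
              SearchString: /arcgis/admin
              TextTransformations:
                - { Priority: 0, Type: URL_DECODE }
                - { Priority: 1, Type: NORMALIZE_PATH }
                - { Priority: 2, Type: LOWERCASE }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ArcGisWafRuleBlockAdmin }
        - Name: ArcGisWafRuleBlockManager
          Priority: 1
          Action: { Block: {} }
          Statement:
            ByteMatchStatement:
              FieldToMatch: { UriPath: {} }
              PositionalConstraint: STARTS_WITH
              SearchString: /arcgis/manager
              TextTransformations:
                - { Priority: 0, Type: URL_DECODE }
                - { Priority: 1, Type: NORMALIZE_PATH }
                - { Priority: 2, Type: LOWERCASE }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ArcGisWafRuleBlockManager }
        # Managed rule group with its action overridden to Count: matches are only recorded in CloudWatch, so the group can be reviewed before it is switched to Block
        - Name: AWSManagedRulesAdminProtectionRuleSet
          Priority: 2
          OverrideAction: { Count: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: AWSManagedRulesAdminProtectionRuleSet }
  ArcGisWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Condition: EnableWaf
    Properties:
      ResourceArn: !Ref ArcGisAlb                       # assumed logical ID of the existing ALB
      WebACLArn: !GetAtt ArcGisWebAcl.Arn
```

Each rule's own MetricName is what surfaces the per-rule BlockedRequests and CountedRequests metrics in CloudWatch, which is the data the monitoring described below relies on.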

The Outcome

In the Production, UAT and Test environments the administration pages are now inaccessible from outside the ArcGIS server itself.

Monitoring showed immediately that there were regular hits to the production ArcGIS administration pages. These regular hits continued for many weeks, then stopped and have not returned. The graph below from CloudWatch metrics illustrates this:

[Figure: CloudWatch metrics graph showing that the regular hits to the administration pages stopped and have not returned]

While it is unclear whether the traffic was ‘legitimate’ or malicious, no functionality has been impaired by the introduction of the block rules. This suggests it was not legitimate traffic, and blocking it is therefore a positive outcome.

Monitoring of the Count metrics for AWS Managed Rules shows there is potential for further improvement.

The graph below illustrates a spike in counts for the AWS Managed ‘admin’ rule group, a spike that does not correlate with the custom rules for ‘admin’ and ‘manager’. This warrants further analysis.