Firewall Deployment in AWS
Network Security in the Cloud
Nick Matthews, AWS Partner Solutions Architect
November 2017
The Cloud is Happening • The operators, applications, and the platform have changed
ABC’s of AWS Networking
• Availability Zone (AZ) = Datacenter (often more than 1)
• Region = Collection of Availability Zones
• Instance = Virtual Machine
• Virtual Private Cloud = Isolated network in a Region
• Elastic IP = Public IP for an instance
• Virtual Private Gateway = Logical device for VPN and WAN
• Direct Connect = Cross-connect WAN into a VPC
• Subnet = Subnet, local to an AZ
Security Groups • “A security group acts as a virtual firewall that controls the traffic for one or more instances.” • Stateful – TCP, UDP, ICMP • 250 rules per instance • No additional cost • Denies are logged to VPC Flow Logs • Integration with other AWS services • Can reference other security groups, similar to object/server groups • Reference other security groups across VPC Peering • White-list only
VPC security controls
• Network ACL per Subnet
• Route Table per Subnet
• Security Groups per instance
Diagram: VPC 10.1.0.0/16 with Subnet 10.1.1.0/24 (EC2 Instance 1 10.1.1.6, EC2 Instance 2 10.1.1.7) and Subnet 10.1.10.0/24 (EC2 Instance 3 10.1.10.20). Each instance has SG In / SG Out; each subnet has a Network ACL In / Out and a Route Table on the Virtual Router, which connects to the Virtual Private Gateway and the Internet Gateway.
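The two filters on this slide differ in ways the bullets do not spell out: a Network ACL is stateless and evaluated per direction in rule-number order with explicit allow and deny rules, while a security group is an allow-list only, tracks connections so replies are permitted automatically, and can match a sender by its security group rather than by CIDR. The following Python model is an added example written for this page, not code from the talk or from AWS. It uses the slide's instance addresses; the internet client 203.0.113.9 and the group name sg-web are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    src_sg: Optional[str] = None  # security group of the sender, if it is an instance


@dataclass(frozen=True)
class NaclRule:
    number: int     # rule number; the lowest matching number wins
    proto: str      # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


def nacl_allows(rules: List[NaclRule], peer_ip: str, proto: str, port: int) -> bool:
    """Network ACL semantics: stateless, one evaluation per direction, rules
    walked in number order, first match decides, implicit deny at the end."""
    peer = ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "all" and r.proto != proto:
            continue
        if peer not in ip_network(r.cidr):
            continue
        if proto != "icmp" and not (r.port_from <= port <= r.port_to):
            continue
        return r.action == "allow"
    return False


@dataclass(frozen=True)
class SgRule:
    proto: str
    port_from: int
    port_to: int
    cidr: Optional[str] = None       # match the sender by CIDR ...
    source_sg: Optional[str] = None  # ... or by the security group it belongs to


class SecurityGroup:
    """Security group semantics: allow-list only (no deny rules) and stateful,
    so the reply to an accepted flow leaves without an outbound rule. Only the
    inbound list and the reply path are modelled here."""

    def __init__(self, inbound: List[SgRule]):
        self.inbound = list(inbound)
        self.flows: Set[Tuple[str, int, str, int, str]] = set()  # tracked 5-tuples

    def _matches(self, r: SgRule, pkt: Packet) -> bool:
        if r.proto != pkt.proto or not (r.port_from <= pkt.dport <= r.port_to):
            return False
        if r.source_sg is not None:
            return r.source_sg == pkt.src_sg
        return ip_address(pkt.src) in ip_network(r.cidr)

    def allows_inbound(self, pkt: Packet) -> bool:
        if any(self._matches(r, pkt) for r in self.inbound):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False

    def allows_reply(self, pkt: Packet) -> bool:
        # Return traffic is matched against the connection-tracking table only.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows


def demo() -> dict:
    """HTTPS from a constructed internet client (203.0.113.9) to EC2 Instance 1
    (10.1.1.6), then a database connection between the two subnets."""
    nacl_in = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    nacl_out = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    sg = SecurityGroup([SgRule("tcp", 443, 443, cidr="0.0.0.0/0"),
                        SgRule("tcp", 5432, 5432, source_sg="sg-web")])  # sg-web is constructed

    request = Packet("203.0.113.9", "10.1.1.6", "tcp", 51234, 443)
    reply = Packet("10.1.1.6", "203.0.113.9", "tcp", 443, 51234)
    out = {
        "nacl_request": nacl_allows(nacl_in, request.src, request.proto, request.dport),
        "sg_request": sg.allows_inbound(request),
        # Stateless: the reply goes to an ephemeral port that rule 100 does not cover.
        "nacl_reply_no_ephemeral_rule": nacl_allows(nacl_out, reply.dst, reply.proto, reply.dport),
        # Stateful: the reply belongs to a tracked flow, so no outbound rule is needed.
        "sg_reply": sg.allows_reply(reply),
    }
    nacl_out.append(NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"))
    out["nacl_reply_with_ephemeral_rule"] = nacl_allows(nacl_out, reply.dst, reply.proto, reply.dport)

    # Group reference: the same packet is accepted from a member of sg-web
    # and refused from a sender that carries no (or another) group.
    db_from_web = Packet("10.1.10.20", "10.1.1.7", "tcp", 40000, 5432, src_sg="sg-web")
    db_from_unknown = Packet("10.1.10.20", "10.1.1.7", "tcp", 40000, 5432)
    out["sg_ref_member"] = sg.allows_inbound(db_from_web)
    out["sg_ref_non_member"] = sg.allows_inbound(db_from_unknown)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The NACL half is where deployments usually go wrong: without the ephemeral-port allow (rule 110) the outbound ACL silently drops every reply, which is exactly the kind of deny that shows up in VPC Flow Logs.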
Use Cases for Firewalls Beyond Security Groups • Next-Gen Firewall (NGFW) and Application Inspection • Intrusion Prevention/Detection (IPS/IDS) • Auditing, Analytics, Compliance and Reporting • Comments for individual rules • Central Management • Troubleshooting • Single pane of glass including on-premises • Above 250 rules per instance • IP Reputation or Geo Blocking • Additional security features • Deep Packet Inspection, Web Application Firewall, URL Filtering
What does this mean? • Requirements of different environments may lead to different architectures • Web applications are more likely to use Security Groups, host-based firewalls, or a WAF • Business applications are more likely to use Firewalls • Firewalls may make it easier to begin migrations • Pay hourly • Migrate applications to security groups as comfort increases • May have a steady stream of on-premises applications migrating in • Firewalls add a level of complexity • High Availability management • Friction to application provisioning • Intrusion Prevention/Detection and Deep Packet Inspection are common requirements • Sending all traffic back on-premises and host-based security don’t cover all use cases
Auto Scaling in AWS
• The Elastic Load Balancer (ELB) is a Fully Qualified Domain Name (FQDN) that scales up with load
• The Auto Scale Group launches or terminates instances based on defined metrics such as CPU load
• Limit the ports, protocols, and appropriate sources and destinations with security groups
Diagram: Elastic Load Balancer in front of auto-scaling Web Instances.
“Anti-Patterns” for Firewalls - Before
• Subnets and clustering are limited to a single Availability Zone
• Firewalls don’t auto-scale to meet demand, becoming a bottleneck
• Virtual IP Addresses (VIPs) operate differently in AWS, so the firewall must support a version of high availability using VPC API calls
• Outbound routing from the instances is statically set to a single firewall
• Firewalls may not support a DNS name with NAT or in security policies, sending all traffic to a single IP address of the ELB
Diagram: Firewall Pair behind Elastic Load Balancing, auto-scaling Web Instances, Route Table.
Security Competency - Infrastructure • Reviewed by the AWS Partner team • High quality Documentation • Auto-scaling • ELB Integration • Multi-AZ High Availability • Security best practices http://aws.amazon.com/security/partner-solutions/
Firewall Design Patterns - Now
• Firewalls are distributed in multiple Availability Zones
• Firewalls auto-scale to meet demand
• Health checks from the Elastic Load Balancer ensure only healthy firewalls are in the DNS records
• Outbound routing from the instances is set to the Virtual Private Gateway, which is highly available
• Firewalls poll the internal ELB DNS and make security policy and NAT decisions on the Fully Qualified Domain Name (FQDN)
Diagram: auto-scaling Firewalls behind Elastic Load Balancing, auto-scaling Web Instances, Route Table.
Network Security Architectures on AWS
• Agent-Based Security
• Interface Shifting
• Route Shifting
• Services VPC
• AZ Mesh
• Web Auto-Scaling
Design Considerations
• Direction of Traffic
• East-West Security Policy
• Availability Requirements
• Bandwidth
• VPC Scale
• Application and Protocols
Lollipop Design • Send all traffic back on-premises • Use VPN or Direct Connect to connect on-premises • Use existing security stack for Internet traffic • Maintains dependency and increases requirements of existing hardware
Lollipop Design – Public AWS Services • Not all services are accessible through a VPC • Traffic hairpins through the internet • Example of services available in a VPC: • Amazon S3 • AWS Lambda • Amazon RDS • Amazon DynamoDB • Private Link: • Kinesis, EC2, ELB, SSM
Host Based Security • Host Intrusion Detection Systems (HIDS) • Agent-based solution scales as instances scale • Agent can be monitored and controlled centrally • Access to unencrypted data and process and user context
‘Services VPC’ or ‘Transit VPC’ • Use for centralized control and transitive routing between VPCs • Reduces operational and software licensing costs • Can be used between VPCs, accounts, and regions • Close to a DMZ design • Hub and spoke network uses VPN • Reduces changes needed on spoke VPCs • Scales to ~10 VPCs without overlapping addresses using the default tunnel addresses • Use your own tunnel addresses for higher scale
Auto Scaling Firewalls – the ‘ELB Sandwich’ • Use stickiness for HTTP/S applications • Use NLB for long-lived TCP connections • Firewalls or WAF • Requires: • ELB support • Auto-scaling automation • Flexible licensing • Security Competency products have support • Use X-Forwarded headers or Proxy Protocol for source visibility • NLB provides source IP natively
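When firewalls sit behind an ELB, the TCP peer they see is the load balancer, so the original client address has to be recovered from X-Forwarded-For or from the Proxy Protocol header, and X-Forwarded-For is only as trustworthy as the hop that wrote each entry. The Python below is an added example for this page, not code from the talk or from any firewall vendor: it walks the header from the right, trusting only the constructed load balancer subnets 10.1.200.0/24 and 10.1.201.0/24, and parses a Proxy Protocol v1 line. Client addresses 203.0.113.9 and 198.51.100.77 are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: subnets of the load balancer tier that fronts the firewalls. Only
# hops from these ranges are trusted to have appended an honest X-Forwarded-For
# entry; whatever a client wrote into the header itself is not.
TRUSTED_PROXIES = [ip_network("10.1.200.0/24"), ip_network("10.1.201.0/24")]


def is_trusted_hop(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:          # garbage in the header is never a trusted hop
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff_header: str, peer_addr: str) -> str:
    """Walk the X-Forwarded-For chain from the right (the hop nearest to us)
    and return the first address that is not one of our proxies. The TCP peer
    is the final, implicit hop, so a connection that bypasses the ELB ignores
    the header entirely instead of believing it."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    hops.append(peer_addr)
    for hop in reversed(hops):
        if not is_trusted_hop(hop):
            return hop
    return hops[0]   # every hop was one of our proxies


def parse_proxy_protocol_v1(data: bytes) -> Tuple[Optional[str], Optional[int], bytes]:
    """Parse the PROXY protocol v1 line that a load balancer with Proxy
    Protocol enabled prepends to the TCP stream. Returns (source_ip,
    source_port, remaining_bytes); the first two are None for an UNKNOWN
    header. Raises ValueError on a malformed or oversized header."""
    end = data.find(b"\r\n")
    if not data.startswith(b"PROXY ") or end == -1 or end + 2 > 107:
        raise ValueError("not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src_ip = str(ip_address(fields[2]))   # raises ValueError if not an address
    src_port = int(fields[4])
    if not 0 < src_port < 65536:
        raise ValueError("bad source port in PROXY header")
    return src_ip, src_port, rest


def demo() -> dict:
    """Constructed request path: client 203.0.113.9 sends a header that already
    claims 198.51.100.77, the ELB at 10.1.200.15 appends the real client
    address, and the firewall sees 10.1.200.15 as its TCP peer."""
    header_as_received = "198.51.100.77, 203.0.113.9"
    naive = header_as_received.split(",")[0].strip()   # leftmost entry: client-supplied
    trusted = client_ip_from_xff(header_as_received, "10.1.200.15")
    direct = client_ip_from_xff(header_as_received, "203.0.113.9")   # ELB bypassed
    pp_ip, pp_port, payload = parse_proxy_protocol_v1(
        b"PROXY TCP4 203.0.113.9 10.1.200.15 51234 443\r\nGET / HTTP/1.1\r\n")
    return {"naive_leftmost": naive, "trusted_walk": trusted, "direct_peer": direct,
            "proxy_protocol": (pp_ip, pp_port), "payload_starts": payload[:5]}


if __name__ == "__main__":
    print(demo())
```

Taking the leftmost entry gives the address the client chose to write; the right-to-left walk gives the address the load balancer actually saw. Behind an NLB none of this is needed, since the firewall receives the client's real source address on the TCP connection, which is the "NLB provides source IP natively" point above.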
Elastic Network Interface (ENI) Shifting • AWS equivalent to Virtual IP • HSRP, VRRP • Move the ENI within a single Availability Zone • IP address stays the same • Works for inbound and outbound traffic • Health check on-instance or off-instance • Clustering may be available
Route Shift • Outbound connectivity • Move the route across multiple Availability Zones • Health check on-instance or off-instance • Equivalent to changing the route table association for a subnet
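Both failover patterns on the last two slides come down to a health check driving one or two EC2 API calls: route shifting replaces the next hop of a route table entry and can land on an ENI in another Availability Zone, while ENI shifting detaches a floating interface from the failed instance and attaches it to a standby in the same AZ. The following Python is an added example for this page, not code from the talk or from AWS. It uses the real boto3 EC2 client calls replace_route, detach_network_interface and attach_network_interface, but the client is injected so the logic runs against a constructed stand-in (FakeEc2) without credentials; every resource ID is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Firewall:
    name: str
    instance_id: str
    eni_id: str     # ENI used as the next hop when this firewall owns the route
    az: str


def route_shift(ec2, route_table_id: str, cidr: str, firewalls: List[Firewall],
                is_healthy: Callable[[Firewall], bool]) -> Optional[Firewall]:
    """Route shifting: repoint the route for `cidr` (typically 0.0.0.0/0) at
    the first healthy firewall. A route may target an ENI in any AZ of the
    VPC, which is what lets this failover cross Availability Zones. Returns
    the firewall chosen, or None (route left untouched) if none is healthy."""
    for fw in firewalls:
        if is_healthy(fw):
            ec2.replace_route(RouteTableId=route_table_id,
                              DestinationCidrBlock=cidr,
                              NetworkInterfaceId=fw.eni_id)
            return fw
    return None


def eni_shift(ec2, floating_eni_id: str, attachment_id: str,
              active: Firewall, standby: Firewall, device_index: int = 1) -> str:
    """ENI shifting: move the floating secondary ENI (the AWS stand-in for a
    VRRP/HSRP virtual IP) from the failed active instance to the standby. The
    IP address travels with the ENI, but both instances must be in the same
    AZ. In production, wait for the ENI to report 'available'
    (ec2.get_waiter('network_interface_available')) between detach and attach."""
    if active.az != standby.az:
        raise ValueError("ENI shift requires active and standby in the same AZ")
    ec2.detach_network_interface(AttachmentId=attachment_id, Force=True)
    resp = ec2.attach_network_interface(NetworkInterfaceId=floating_eni_id,
                                        InstanceId=standby.instance_id,
                                        DeviceIndex=device_index)
    return resp["AttachmentId"]


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'): records the calls made and
    keeps a minimal model of route and attachment state so the failover logic
    can be exercised offline. Against AWS, pass boto3.client('ec2') instead."""
    def __init__(self):
        self.routes = {}         # (route_table_id, cidr) -> next-hop ENI
        self.attachments = {}    # attachment_id -> (eni_id, instance_id)
        self.calls = []
        self._seq = 0

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append("replace_route")
        self.routes[(RouteTableId, DestinationCidrBlock)] = NetworkInterfaceId
        return {}

    def detach_network_interface(self, AttachmentId, Force=False):
        self.calls.append("detach_network_interface")
        del self.attachments[AttachmentId]
        return {}

    def attach_network_interface(self, NetworkInterfaceId, InstanceId, DeviceIndex):
        self.calls.append("attach_network_interface")
        self._seq += 1
        attachment_id = f"eni-attach-fake{self._seq}"
        self.attachments[attachment_id] = (NetworkInterfaceId, InstanceId)
        return {"AttachmentId": attachment_id}


def demo() -> dict:
    ec2 = FakeEc2()
    fw_a = Firewall("fw-a", "i-0fakeaaaa", "eni-0fakeaaaa", "us-east-1a")
    fw_b = Firewall("fw-b", "i-0fakebbbb", "eni-0fakebbbb", "us-east-1b")
    health = {"fw-a": True, "fw-b": True}
    rtb, default = "rtb-0fakeweb", "0.0.0.0/0"
    ec2.routes[(rtb, default)] = fw_a.eni_id         # starting state: exit via fw-a

    health["fw-a"] = False                            # fw-a fails its health check
    chosen = route_shift(ec2, rtb, default, [fw_a, fw_b], lambda fw: health[fw.name])
    nothing = route_shift(ec2, rtb, default, [fw_a, fw_b], lambda fw: False)

    # ENI shift inside one AZ: the floating ENI moves from fw-a to its standby.
    standby = Firewall("fw-a-standby", "i-0fakeaaa2", "eni-0fakeaaa2", "us-east-1a")
    ec2.attachments["eni-attach-fake0"] = ("eni-0fakevip", fw_a.instance_id)
    new_attachment = eni_shift(ec2, "eni-0fakevip", "eni-attach-fake0", fw_a, standby)
    try:                                              # cross-AZ move is refused up front
        eni_shift(ec2, "eni-0fakevip", new_attachment, standby, fw_b)
        cross_az_rejected = False
    except ValueError:
        cross_az_rejected = True

    return {"route_next_hop": ec2.routes[(rtb, default)],
            "chosen": chosen.name if chosen else None,
            "no_healthy_leaves_route": nothing is None and ec2.routes[(rtb, default)] == fw_b.eni_id,
            "vip_instance": ec2.attachments[new_attachment][1],
            "cross_az_rejected": cross_az_rejected,
            "api_calls": ec2.calls}


if __name__ == "__main__":
    print(demo())
```

The health check itself (the `is_healthy` callable) is deliberately left open, because the slides allow for it to run on the firewall instance or off it; whichever process runs it needs only `ec2:ReplaceRoute`, or the attach/detach permissions, scoped to the specific route tables and ENIs involved.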
Customer #1 • Operate 10 VPCs • Using VPC to segment applications of different security levels • Different organizations and acquisitions will be placed in different VPCs • Traffic will be an application mix from on-premises migration • Requirement for IPS and stateful packet inspection between security zones • Need to reduce cost on licensing and operational overhead • Traffic between on-premises and AWS is trusted but requires private link with predictable performance, at least 1Gbps total
Customer #1 – Services VPC • Security Groups within the VPC for security • Default route points towards VPN • On-premises (RFC 1918) routes towards Direct Connect • Traffic to the internet or other applications goes through firewall
Customer #2 • Requires encryption over AWS Direct Connect • Requires IPS on all traffic to and from the datacenter • AWS considered an ‘untrusted datacenter’ • Requires high availability in case AWS Direct Connect is down • Direct Internet access for patches, AWS API access, and ability to whitelist access to URLs • Expect 2Gbps to a single VPC
Encrypted Direct Connect and Outbound Proxy
• Instances have proxies set for outbound HTTP traffic
• Routes to on-premises split between firewalls with VPN connections
• Scale firewalls and routes out to handle load
• Most firewalls handle approximately 1.5 Gbps
• Use ENI shifting for additional high availability
Customer #3 • Customer requires encryption in transit for all traffic leaving an AWS building (Availability Zone) • Requires IPS between accounts and VPCs • 4 VPCs • 3 stage development – Development, Staging, Production • 1 DMZ choke point to the internet and on-premises • Utilizing 2 Availability Zones in each VPC
Customer #3 Full Availability Zone Mesh • Firewall in each Availability Zone • DMZ VPC with WAN and Internet access • Using firewall vendor’s centralized management solution for VPN management • Relies on application-level failover • Encryption everywhere
Metadata and Event Driven Security (AWS Lambda, VPC Flow Logs)
• Use cases: Customized security; Complement existing control
• Advantages: Scalable; Dynamic
• Design Caveats: Requires security maturity; Based on quality of metadata
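The event-driven pattern on this slide, together with the earlier note that security group denies are logged to VPC Flow Logs, is concrete enough to show end to end: a Lambda function receives flow log records, parses the default (version 2) record format, and raises a finding when one source is rejected on many distinct destination ports. The Python below is an added example for this page, not code from the talk or from AWS. It decodes the real CloudWatch Logs subscription event shape (gzip + base64 JSON under `awslogs.data`) and also accepts a plain `{"lines": [...]}` event for local runs; the log lines, account ID and interface IDs are constructed.

```python
import base64
import gzip
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str      # "ACCEPT" or "REJECT"


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. NODATA and SKIPDATA records carry '-'
    in the traffic fields and are returned as None rather than guessed at."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"unexpected flow log record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["packets"]), int(rec["bytes"]), rec["action"])


def rejected_port_scans(lines: Iterable[str], min_ports: int = 5) -> Dict[str, List[int]]:
    """Group REJECT records by source address and return the sources refused
    on at least `min_ports` distinct destination ports, with the ports seen.
    Single rejects (a misconfigured client, say) stay below the threshold."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def lines_from_event(event: dict) -> List[str]:
    """Accept either a CloudWatch Logs subscription event (the real delivery
    format) or the plain constructed shape {"lines": [...]}."""
    if "awslogs" in event:
        raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
        return [e["message"] for e in json.loads(raw)["logEvents"]]
    return list(event.get("lines", []))


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda entry point: returns findings instead of publishing them, so the
    caller decides whether to notify, tag the source in a NACL, or just count."""
    findings = rejected_port_scans(lines_from_event(event))
    return {"findings": findings, "count": len(findings)}


def make_awslogs_event(lines: List[str]) -> dict:
    """Constructed helper that packs lines the way CloudWatch Logs would."""
    payload = {"logGroup": "/vpc/flowlogs",
               "logEvents": [{"id": str(i), "timestamp": 0, "message": line}
                             for i, line in enumerate(lines)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


# Constructed records: six rejects from one external source against 10.1.1.6,
# one accepted HTTPS flow, one isolated reject between the subnets, one NODATA.
SAMPLE_LOG = [
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54321 22 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54322 23 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54323 445 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54324 1433 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54325 3389 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 203.0.113.9 10.1.1.6 54326 8080 6 1 40 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 198.51.100.5 10.1.1.6 44321 443 6 12 5200 1510000000 1510000060 ACCEPT OK",
    "2 123456789012 eni-0fakedb01 10.1.1.7 10.1.10.20 40000 5432 6 3 180 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-0fakeweb1 - - - - - - - 1510000000 1510000060 - NODATA",
]


if __name__ == "__main__":
    print(json.dumps(lambda_handler(make_awslogs_event(SAMPLE_LOG)), indent=2))
```

The "based on quality of metadata" caveat shows up directly in `parse_record`: NODATA windows and any record that does not match the configured format are surfaced as None or an exception rather than silently counted, because a detection that runs on misparsed fields produces confident nonsense.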
Q&A Thank you!