340 likes | 418 Views
Nick Matthews AWS Partner Solutions Architect. November 2017. Firewall Deployment in AWS. Network Security in the Cloud. The Cloud is Happening. The operators, applications, and the platform have changed. ABC’s of AWS Networking. = Datacenter (often more than 1)
E N D
Nick Matthews AWS Partner Solutions Architect November 2017 Firewall Deployment in AWS Network Security in the Cloud
The Cloud is Happening • The operators, applications, and the platform have changed
ABC’s of AWS Networking = Datacenter (often more than 1) = Collection of Availability Zones = Virtual Machine = Isolated network in a Region = Public IP for an instance = Logical device for VPN and WAN = Cross-connect WAN into a VPC = Subnet, local to an AZ • Availability Zone (AZ) • Region • Instance • Virtual Private Cloud • Elastic IP • Virtual Private Gateway • Direct Connect • Subnet
Security Groups • “A security group acts as a virtual firewall that controls the traffic for one or more instances.” • Stateful – TCP, UDP, ICMP • 250 rules per instance • No additional cost • Denies are logged to VPC Flow Logs • Integration with other AWS services • Can reference other security groups, similar to object/server groups • Reference other security groups across VPC Peering • White-list only
VPC security controls VPC 10.1.0.0/16 EC2 Instance 3 10.1.10.20 EC2 Instance 1 10.1.1.6 EC2 Instance 2 10.1.1.7 • Network ACL per Subnet • Route Table per Subnet • Security Groups per instance SG In SG Out SG In SG In SG Out SG Out Subnet 10.1.10.0/24 Subnet 10.1.1.0/24 Network ACL Out Network ACL Out Network ACL In Network ACL In Virtual Router Route Table Route Table Virtual Private Gateway Internet Gateway
Use Cases for Firewalls Beyond Security Groups • Next-Gen Firewall (NGFW) and Application Inspection • Intrusion Prevention/Detection (IPS/IDS) • Auditing, Analytics, Compliance and Reporting • Comments for individual rules • Central Management • Troubleshooting • Single pane of glass including on-premises • Above 250 rules per instance • IP Reputation or Geo Blocking • Additional security features • Deep Packet Inspection, Web Application Firewall, URL Filtering
What does this mean? • Requirements of different environments may use different architectures • Web applications are more likely to use Security Groups, host-based firewalls, or a WAF • Business applications are more likely to use Firewalls • Firewalls may be easier to begin migrations • Pay hourly • Migrate applications to security groups as comfort increases • May have a steady stream of on-premises applications migrating in • Firewalls add a level of complexity • High Availability management • Friction to application provisioning • Intrusion Prevention/Detection and Deep Packet Inspection are common requirements • Sending all traffic back on-premises and host-based security don’t cover all use cases
Auto Scaling in AWS The Elastic Load Balancer is a Fully Qualified Domain Name (FQDN) that scales up with load Elastic Load Balancer (ELB) The Auto Scale Group launches or terminates instances based on defined metrics such as CPU load Limit the ports, protocols, and appropriate sources and destinations with security groups Web Instances Auto-Scaling
“Anti-Patterns” for Firewalls - Before Subnets and clustering are limited to a single Availability Zone Firewalls don’t auto-scale to meet demand, becoming a bottleneck Virtual IP Addresses (VIPs) operate differently in AWS, so the firewall must support a version of high availability using VPC API calls Firewall Pair Elastic Load Balancing Outbound routing from the instances is statically set to a single firewall Firewalls may not support a DNS name with NAT or in security policies, sending all traffic to a single IP address of the ELB Web Instances Auto-Scaling Route Table
Security Competency - Infrastructure • Reviewed by the AWS Partner team • High quality Documentation • Auto-scaling • ELB Integration • Multi-AZ High Availability • Security best practices http://aws.amazon.com/security/partner-solutions/
Firewall Design Patterns - Now Firewalls are distributed in multiple Availability Zones Firewalls auto-scale to meet demand Health checks from the Elastic Load Balancer ensures only healthy firewalls are in the DNS records Firewalls Auto-Scaling Elastic Load Balancing Outbound routing from the instances is set to the Virtual Private Gateway, which is highly available Firewalls poll the internal ELB DNS and make security policy and NAT decisions on the Fully Qualified Domain Name (FQDN) Web Instances Auto-Scaling Route Table
Network Security Architectures on AWS Agent-Based Security Interface Shifting Route Shifting Services VPC AZ Mesh Web Auto-Scaling
Design Considerations Direction of Traffic East-West Security Policy Availability Requirements Bandwidth VPC Scale Application and Protocols
Lollipop Design • Send all traffic back on-premises • Use VPN or Direct Connect to connect on-premises • Use existing security stack for Internet traffic • Maintains dependency and increases requirements of existing hardware
Lollipop Design – Public AWS Services • Not all services are accessible through a VPC • Traffic hairpins through the internet • Example of services available in a VPC: • Amazon S3 • AWS Lambda • Amazon RDS • Amazon DynamoDB • Private Link: • Kinesis, EC2, ELB, SSM
Host Based Security • Host Intrusion Detection Systems (HIDS) • Agent-based solution scales as instances scale • Agent can be monitoring and controlled centrally • Access to unencrypted data and process and user context
‘Services VPC’ or ‘Transit VPC’ • Use for centralized control and transitive routing between VPCs • Reduces operational and software licensing costs • Can be used between VPCs, accounts, and regions • Close to a DMZ design • Hub and spoke network uses VPN • Reduces changes needed on spoke VPCs • Scales to ~10 VPCs without overlapping addresses using the default tunnel addresses • Use your own tunnel addresses for higher scale
Auto Scaling Firewalls – the ‘ELB Sandwich’ • Use stickiness for HTTP/S applications • Use NLB for long-lived TCP connections • Firewalls or WAF • Requires: • ELB support • Auto-scaling automation • Flexible licensing • Security Competency products have support • Use X-Forwarded headers or Proxy Protocol for source visibility • NLB provides source IP natively
Elastic Network Interface (ENI) Shifting • AWS equivalent to Virtual IP • HSRP, VRRP • Move the ENI within a single Availability Zone • IP address stays the same • Works for inbound and outbound traffic • Health check on-instance or off-instance • Clustering may be available
Route Shift • Outbound connectivity • Move the route across multiple Availability Zones • Health check on-instance or off-instance • Equivalent to changing the route table association for a subnet
Customer #1 • Operate 10 VPCs • Using VPC to segment applications of different security levels • Different organizations and acquisitions will be placed in different VPCs • Traffic will be an applicationmix from on-premises migration • Requirement for IPSand stateful packet inspection between security zones • Need to reduce cost on licensing and operational overhead • Traffic between on-premises and AWS is trusted but requires private link with predictable performance, at least 1Gbps total
Customer #1 – Services VPC • Security Groups within the VPC for security • Default route points towards VPN • On-premises (RFC 1918) routes towards Direct Connect • Traffic to the internet or other applications goes through firewall
Customer #2 • Requires encryption over AWS Direct Connect • Requires IPS on all traffic to and from the datacenter • AWS considered an ‘untrusted datacenter’ • Requires high availability in case AWS Direct Connect is down • Direct Internet access for patches, AWS API access, and ability to whitelist access to URLs • Expect 2Gbps to a single VPC
Encrypted Direct Connect and Outbound Proxy Instances have proxies set for outbound HTTP traffic Routes to on-premises split between firewalls with VPN connections • Scale firewalls and routes out to handle load • Most firewalls handle approximately 1.5 Gbps • Use ENI shifting for additional high availability
Customer #3 • Customer requires encryption in transit for all traffic leaving an AWS building (Availability Zone) • Requires IPS between accounts and VPC’s • 4 VPC’s • 3 stage development – Development, Staging, Production • 1 DMZ choke point to the internet and on-premises • Utilizing 2 Availability Zones in each VPC
Customer #3 Full Availability Zone Mesh • Firewall in each Availability Zone • DMZ VPC with WAN and Internet access • Using firewall vendor’s centralized management solution for VPN management • Relies on application-level failover • Encryption everywhere
Use cases Customized security Complement existing control Advantages Scalable Dynamic Design Caveats Requires security maturity Based on quality of metadata Metadata and Event Driven Security AWS Lambda VPC Flow Logs
Q&A Thank you!