Control access by CIDR or by security group.
Why is the security-group option important? Auto scaling: instances come and go, so you cannot rely on knowing their IP addresses in advance.
Security groups live in a VPC but can span AZs.
A VPC gets a default security group when it is created, but you need to customize it or use multiple groups.
We create a security group that only allows TCP traffic to port 80 (it knows nothing about HTTP; it filters on protocol and port, not on application content).
By default security groups allow nothing in, so we have to poke some holes (e.g. ports 80/443) for web traffic.
Our HTTP beer order gets through.
The NTP buffer overrun exploit gets stopped at the gate, as NTP uses UDP/123 and no access is allowed for that sort of traffic.
NO PORT SCANNING OF MISCONFIGURED HOSTS
The default network ACLs (stateless) ALLOW everything.
By adding an explicit DENY rule for Klingon.org we block all traffic from that source IP address.
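The two evaluation models above, as an added Python model that is not AWS code or the presentation's own: a security group that admits only TCP/80 and TCP/443 (default deny, stateful) and a network ACL with an explicit DENY numbered ahead of the default allow-all rule (stateless, first match wins). The 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed documentation ranges standing in for the hostile source and a customer.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Security group: an allow-list only. Anything not matched is dropped (default deny inbound).
# It is stateful, so return traffic for an allowed flow needs no extra rule.
SG_WEB_INGRESS = [
    ("tcp", 80, "0.0.0.0/0"),
    ("tcp", 443, "0.0.0.0/0"),
]


def sg_allows(pkt: Packet, rules=SG_WEB_INGRESS) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    return any(
        pkt.proto == proto and pkt.dst_port == port and src in ipaddress.ip_network(cidr)
        for proto, port, cidr in rules
    )


# Network ACL: stateless, evaluated in ascending rule-number order, first match wins.
# The default NACL is rule 100 "allow all", so an explicit DENY needs a lower number.
NACL_INGRESS = [
    (50, "deny", "198.51.100.0/24", None, None),   # constructed: explicit deny for the hostile source
    (100, "allow", "0.0.0.0/0", None, None),       # default rule: allow everything
]


def nacl_allows(pkt: Packet, rules=NACL_INGRESS) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    for _, action, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
        in_cidr = src in ipaddress.ip_network(cidr)
        in_range = lo is None or lo <= pkt.dst_port <= hi
        if in_cidr and in_range:
            return action == "allow"
    return False  # the implicit "*" deny at the end of every NACL


def verdict(pkt: Packet) -> str:
    """The NACL is checked at the subnet edge first, then the instance's security group."""
    if not nacl_allows(pkt):
        return "blocked by NACL"
    if not sg_allows(pkt):
        return "blocked by security group"
    return "allowed"
```

Note that the NACL's explicit DENY stops the hostile source even on port 80, while the NTP packet from a legitimate customer passes the NACL and is dropped by the security group because UDP/123 was never opened.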
Klingon.com
The domain resolves to CloudFront, not to the origin, but only for web traffic.
Resolving the ftp name returns the ELB's IP addresses, exposing it to direct attack.
Non-cacheable content or non-web traffic can benefit from additional layers of security controlling access.
There are a lot of high-quality commercial offerings in the Marketplace: firewalls, IPS/IDS, WAF, UTM and SIEM tools.
A multi-layer strategy is required, as there is no silver bullet.
Also scrub out the badness (filter malicious traffic before it reaches the application).
Scale to absorb large attacks.
An ALB can isolate different backend services.
Separate out services to ensure there is no collateral damage between servers hosting different types of application (best practice: one service, one endpoint).
Here our malicious character has failed to find the origin using a DNS request for www.buildabeer.com, so instead he makes a DNS request for mail.buildabeer.com. The applications live on the same servers, and as CDNs don't generally handle mail traffic, the request resolves to the servers' IP addresses.
Split out the services to protect against cross contamination: one application, one set of IPs/ELBs.
Customize your security.