
AWS Security Fundamentals: Dos and Don’ts



Enterprise-sanctioned application deployments on Infrastructure as a Service (IaaS) cloud platforms are fast becoming a reality. But while IaaS’s flexibility and cost-savings benefits are important, its success as a business solution hinges on its security.

Presented by the renowned industry expert Dr. Avishai Wool, this technical webinar covers security best practices for the Amazon Web Services (AWS) IaaS, including:

* The AWS firewall: what is it, how it differs from traditional firewalls, how it works, and tips for how to use it based on your business and technical needs
* AWS Security Groups: understanding them, and recommendations for how to structure Security Groups so that security policies stay visible and under control
* Integrating AWS into your enterprise data center: recommendations for setup, organization and configuration considerations on AWS
* Auditing and compliance: tools and techniques for tracking security policies across the hybrid data center

Published in: Software

  1. Title slide
  2. Confidential. February 24, 2015. Speaker: Avishai Wool, AlgoSec CTO & Co-Founder
  3. Poll
  4. Agenda
     • Introduction to Amazon AWS
     • The AWS Firewall
     • Configuring AWS Firewall Security Groups
     • Auditing and Best Practices for AWS
  5. Introduction to Amazon AWS
  6. What Amazon Provides
     • Rent servers
       • Compute boxes (EC2)
       • Storage (S3)
       • Networking
     • Low cost
     • Outsourced: no IT department
     • Elastic (power up or shut down lots of servers fast)
     • Web UI and programmable web-service API
  7. Amazon Technology
  8. What About Security?
     • Amazon guarantees customer/customer separation
     • But what about filtering policy (firewalls) for:
       • Internet <-> Amazon server
       • Amazon server <-> data center
       • Amazon server <-> Amazon server
     • Amazon's solution: the "AWS firewall"
       • Free (price included in the server cost)
       • Embedded in the infrastructure
  9. Amazon Technology
  10. Connecting the Amazon Network to Corporate: vGW
      • Router, plus
      • VPN endpoint
  11. The AWS Firewall
  12. Security Groups: Basics
      • A key concept in AWS is the "Security Group"
      • A Security Group is a list of rules
        • Comparable to a Check Point "Policy" or a Cisco "Access List"
        • Has a name
      • A Security Group is associated with an instance
        • Like a "host-based firewall"
  13. (slide without text)
  14. (slide without text)
  15. Zoom into Rules: Where is the Destination?
  16. Security Groups: Details
      • Consists of two lists of rules: Inbound and Outbound
      • One side of the rule is implicitly "me"
        • Inbound rules: from <Somewhere> to "me" with service S
        • Outbound rules: from "me" to <Somewhere> with service S
      • "My" IP address is not listed in the rule
      • Result: the Security Group can be associated with any instance without any modification
  17. Inbound Rules
  18. Outbound Rules
  19. Security Groups: More Details
      • All rules are "PASS" rules
        • Not an oversight but a deliberate feature
      • Rules do not perform NAT
        • The instance can have public and private IP addresses
        • The AWS infrastructure takes care of this
      • The order of rules inside a Security Group does not matter
  20. Security Groups and Instances: Many to Many
      • A Security Group can be associated with many instances
      • An instance can be associated with many Security Groups!
        • This is a unique AWS innovation
      • Why this works:
        • All rules are PASS rules
        • The order of Security Groups on an instance does not matter
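The evaluation model the slides describe, as an added example (not code from the webinar or from AWS): every rule is an allow rule, one side of each rule is implicitly the instance, and the effective policy on an instance is the union of all attached groups, so neither rule order nor group order can change the answer. The groups WEB and INFRA and the addresses are constructed.

```python
"""Model of how AWS Security Groups combine on an instance.

Added example, not from the webinar. It encodes the semantics the slides
describe: all rules PASS, "me" is never written in a rule, an instance may
carry several groups, and order never matters. Sample data is constructed.
"""
from ipaddress import ip_address, ip_network

# A rule is (protocol, from_port, to_port, cidr). The instance's own IP is
# never part of a rule, which is why one group fits any instance.
# Protocol "-1" is the AWS value for "all traffic"; a freshly created group
# carries one such outbound rule to 0.0.0.0/0 by default.
WEB = {"inbound": [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
       "outbound": [("-1", 0, 65535, "0.0.0.0/0")]}
INFRA = {"inbound": [("tcp", 22, 22, "10.0.0.0/8"), ("icmp", -1, -1, "10.0.0.0/8")],
         "outbound": [("udp", 123, 123, "10.1.1.5/32")]}

def rule_matches(rule, proto, port, peer_ip):
    """True if a single allow rule covers this protocol, port and peer address."""
    r_proto, lo, hi, cidr = rule
    if r_proto != "-1" and r_proto != proto:
        return False
    if r_proto not in ("-1", "icmp") and not (lo <= port <= hi):
        return False
    return ip_address(peer_ip) in ip_network(cidr)

def allowed(groups, direction, proto, port, peer_ip):
    """Effective decision for an instance carrying `groups`.

    Because there are no deny rules, the result is simply "does any rule in
    any attached group match"; reordering groups or rules cannot change it.
    """
    return any(rule_matches(r, proto, port, peer_ip)
               for g in groups for r in g[direction])

if __name__ == "__main__":
    instance = [WEB, INFRA]
    print(allowed(instance, "inbound", "tcp", 443, "203.0.113.9"))   # True
    print(allowed(instance, "inbound", "tcp", 22, "203.0.113.9"))    # False: SSH only from 10/8
    print(allowed([INFRA, WEB], "inbound", "tcp", 22, "10.2.3.4"))   # True, order irrelevant
    print(allowed([INFRA], "outbound", "udp", 123, "10.1.1.6"))      # False: wrong time server
```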
  21. Challenges and Tips
  22. Current Policy Management Limitations
      • Only a single subnet per rule
        • No named network objects
        • No network object groups
      • Only a single service (protocol + port range) per rule
        • No named service objects
        • No service object groups
      • No comments per rule
      • No per-rule hit counting or logging
      • No "next-generation firewall" capabilities
  23. How to Organize the Policy? Things to think about:
      • Modularity
      • Make it understandable
      • Directionality
  24. Modular Policy Design
      • Create separate Security Groups for instances that have the same function:
        • Web servers
        • Database servers
        • Etc.
      • Create Security Groups for "default" or "infrastructure" services
        • Separate per operating system (Linux/Windows/...)
  25. Examples of "infrastructure" services:
      • SSH access to the command line (Linux)
      • NTP to synchronize clocks
      • ICMP to allow network troubleshooting (ping)
      • Etc.
  26. Examples of function-specific services: web access, etc.
  27. Pitfall: Too Many Security Groups per Instance
      • Keep it understandable: which policy protects a particular instance?
      • KISS principle: Keep It Simple...
      • Security Groups per instance:
        • 1-2: simple
        • 3: borderline
        • 4 or more: complicated
  28. How to view the policy on an instance
  29. (slide without text)
  30. • Understandable, as long as the policy is simple
      • Not too many rules (without scrolling)
      • Not too many Security Groups (without many columns)
  31. Pitfall: Insecure Outbound Rules
      • By default a Security Group allows anything in the outbound direction:
        • any service
        • to any IP address
      • The instance creation wizard does not suggest changing the default
  32. The "View Rules" popup does not show the outbound rules
  33. Tip: Edit the Security Group's Outbound tab and add rules:
      • NTP only to a specific time server
      • DNS lookups only via a specific name server
      • Etc.
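A check for the two pitfalls in this section, as an added example (not code from the webinar or an AlgoSec product): it flags groups whose outbound side is still the default "any service to any IP" and rates each instance by the slide's rule of thumb on groups per instance. The input is a constructed sample shaped like the JSON that `aws ec2 describe-security-groups` returns; the instance-to-group mapping is also constructed.

```python
"""Audit Security Groups for two pitfalls from the slides.

Added example, not from the webinar. SAMPLE_GROUPS is constructed but uses
the real describe-security-groups field names (GroupId, IpPermissionsEgress,
IpProtocol where "-1" means all traffic, IpRanges/CidrIp).
"""
import json

SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-web", "GroupName": "web-servers",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-infra", "GroupName": "infra-linux",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
                            "IpRanges": [{"CidrIp": "10.1.1.5/32"}]},
                           {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                            "IpRanges": [{"CidrIp": "10.1.1.6/32"}]}]}
]}""")
# Constructed: instance id -> attached group ids (describe-instances in real use).
SAMPLE_INSTANCES = {"i-1": ["sg-web", "sg-infra"],
                    "i-2": ["sg-web", "sg-infra", "sg-a", "sg-b"]}

def open_egress_groups(groups):
    """Group ids whose outbound rules still allow any protocol to 0.0.0.0/0."""
    found = []
    for g in groups["SecurityGroups"]:
        for perm in g.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            if perm["IpProtocol"] == "-1" and "0.0.0.0/0" in cidrs:
                found.append(g["GroupId"])
                break
    return found

def complexity(instances):
    """Rate each instance: 1-2 groups simple, 3 borderline, 4 or more complicated."""
    rating = {}
    for inst, sgs in instances.items():
        n = len(sgs)
        rating[inst] = "simple" if n <= 2 else "borderline" if n == 3 else "complicated"
    return rating

if __name__ == "__main__":
    print("default allow-all outbound:", open_egress_groups(SAMPLE_GROUPS))
    print("groups per instance:", complexity(SAMPLE_INSTANCES))
```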
  34. Other AWS Best Practices
  35. Authentication
      • Keys to the kingdom: the AWS web interface
        • Power instances on/off
        • Change filtering policy and access controls
      • Tip: Protect the access with more than just a password!
  36. MFA: Multi-Factor Authentication
      • Instead of a simple password
      • Use a smartphone app ("Google Authenticator")
        • Provides a time-varying password
  37. System Logs and Audit Trail
      • CloudWatch: health monitoring and log server
      • CloudTrail: audit log for API calls
      • 3rd-party change tracking: AlgoSec
  38. • Send API call activity to CloudTrail
      • View the log via S3
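Putting the MFA and audit-trail slides together, as an added example (not code from the webinar or from AWS): it scans CloudTrail records for API calls that modify Security Groups and reports those made by a session without MFA. The records are constructed but follow the real CloudTrail layout (eventSource, eventName, userIdentity, sessionContext.attributes.mfaAuthenticated); a record without a sessionContext is treated as unproven rather than as MFA.

```python
"""Scan CloudTrail records for Security Group changes made without MFA.
Added example, not from the webinar: the records are constructed but use the
real CloudTrail field names (eventSource, eventName, userIdentity,
sessionContext.attributes.mfaAuthenticated)."""
import json

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2015-02-24T10:01:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupEgress", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"groupId": "sg-web"}},
 {"eventTime": "2015-02-24T10:02:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "198.51.100.8",
  "userIdentity": {"type": "IAMUser", "userName": "bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": {"groupId": "sg-infra"}},
 {"eventTime": "2015-02-24T10:03:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSecurityGroups", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}}
]}""")

def mfa_used(identity):
    """CloudTrail stores the MFA flag as the string "true"; absent means no proof."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def sg_changes(trail):
    """(time, user, event, groupId, mfa) for each call that modifies a Security Group.
    Read-only calls such as DescribeSecurityGroups are skipped."""
    out = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec["eventName"] not in SG_CHANGE_EVENTS:
            continue
        ident = rec["userIdentity"]
        out.append((rec["eventTime"], ident.get("userName", ident["type"]), rec["eventName"],
                    rec.get("requestParameters", {}).get("groupId"), mfa_used(ident)))
    return out

def changes_without_mfa(trail):
    """The change-tracking alert: who altered filtering policy without a second factor."""
    return [c for c in sg_changes(trail) if not c[4]]
```

Running `changes_without_mfa(SAMPLE_TRAIL)` returns only alice's egress change; bob's revoke was made with MFA and alice's DescribeSecurityGroups call is not a change.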
  39. AlgoSec: Unified Policy Management
      • Extends on-premise visibility to the cloud
      • Centrally manage on-premise firewall policies alongside Amazon Security Groups
      • Monitor changes to Amazon Security Groups for unified auditing and troubleshooting
  40. Attachments
      • Infographic: Managing Security Policies Across Hybrid Cloud Environments: Visibility is Obscured by Clouds
      • Research: Examining Security Policy Management in Hybrid Cloud Environments
      • eBook: Security Policy Management in the Data Center for Dummies
  41. Q&A. Learn more / Learn even more / Seeing is believing / Contact us / slides
  42. Thank you