1. 5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks
1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
PALO ALTO NETWORKS
NEXT-GENERATION SECURITY PLATFORM
5 Steps To a Secure Hybrid Architecture
- Bisham Kishnani
3. Bisham Kishnani
Consulting Engineer – Data Center & Virtualization (APJC)
- Industry experience – 16+ years
- With Palo Alto Networks – 1+ year
- Previous employers
- Juniper Networks – 9+ years
- US Telecoms – 2 years
- Apara Enterprises – 2 years
- Wipro – 2 years
4. June 29, 2007
One of the main features of the iPhone was its full-featured browser. The thing could actually visit normal webpages like those displayed on computers.
iPhone 1
7. Applications Have Changed, Security Hasn't
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
8. How Can You Build Security Using…
Stateful inspection addresses:
• Two applications: browsing and email
• With predictable application behavior
• In a basic threat environment
9. Some Examples of How Applications Work
• Antivirus applications began using port 80 as their avenue for updates back in 1997. AV is not a web application; the vendors did this to simplify access and better support their customers.
• AOL Instant Messenger (AIM) used to prompt you with "Find an open port?" if it could not establish a connection.
• BitTorrent and Skype both port-hop, and MS SharePoint uses a range of ports.
• Finally, MS Lync – the messaging component of Office 365 – requires port 443, 3478 (STUN), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999.
The point: a port-based rule such as "allow TCP/80" or "allow TCP/443" says nothing about which of these applications is actually on the wire.
12. DATA CENTER EVOLUTION
Private Cloud (NSX, ACI, OpenStack); Public Cloud (IaaS, PaaS); Software as a Service (SaaS); INTERNET
Virtualized Compute, Network & Storage
• Shift to dynamic, scalable, self-provisioned DC infrastructure
• Transition to Network Virtualization in addition to compute and storage virtualization
13. This Puts More Security Pressures in the Data Center…
Wired, Wireless, VPN, VDI
Employees, Guests, Partners, Contractors, and Temporary Workers
• Modern threats – targeted, multi-vector, persistent
SaaS; Private / Public Cloud
14. Cyber Crime Today
THE EVOLUTION OF THE ATTACKER
CYBERCRIME NOW: a $1+ trillion industry
CYBER WARFARE: 100+ nations
17. Additional Cloud Security Challenges
Limited visibility
Outdated, inconsistent technology
Cumbersome processes
18. Security: A Shared Responsibility
AWS looks after the security OF the platform:
AWS Foundation Services – Compute, Storage, Database, Networking
AWS Global Infrastructure – Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the cloud:
Customer content
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client & Server Encryption; Encryption Key Management; Network Traffic Protection
19. What Extra Can You ADD to Native Security?
• Native AWS security includes Security Groups and Web Application Firewall
• Security Groups and ACLs
  • Port-based filtering only
  • No visibility into traffic at the application level
  • Cannot control file movement
• Web Application Firewalls
  • Customized for each application/environment
  • Focused narrowly on public-facing web applications on HTTP/HTTPS
  • No visibility, control, or protection for other applications
21. The VM-Series Next-generation Security Platform for AWS
Threat Intelligence Cloud
§ Gathers potential threats from network and endpoints
§ Analyses and correlates threat intelligence
§ Disseminates threat intelligence to network and endpoints
Next-Generation Firewall
§ Identifies and inspects all traffic
§ Blocks known threats
§ Sends unknowns to the cloud
§ Extensible to mobile & virtual networks
Advanced Endpoint Protection
§ Inspects all processes and files
§ Prevents both known & unknown exploits
§ Integrates with the cloud to prevent known & unknown malware
22. VM-Series for AWS
1. Visibility into, and control over, applications, not ports
2. Segment applications to prevent malware propagation
3. Prevent known and unknown threats
4. Centrally manage system configuration, streamline policy updates
25. 2. Segmentation For Data Center Applications
• Applications and data isolated by policy (whitelisting)
• Users granted access based on need
• Traffic is protected from malware
(Diagram: Credit Card Zone and Customer Support Zone; Customer service and Finance; Subnet1, Subnet2, Subnet3)
26. 2. Segmentation In AWS Environment
NGFW as an AWS Gateway
§ VMs and data (VPCs) protected by whitelist policy
§ VPC-to-VPC traffic is protected from malware
§ Subnet-to-subnet traffic is also controlled and protected
§ Users granted access based on need/credentials
(Diagram: Web VPC in AZ1b with Web1 and Web2 across Subnet1 and Subnet2; DB VPC in AZ2c with DB1 and DB2 across Subnet1 and Subnet2)
27. 3. Prevention at all Phases of the Attack Life Cycle
(Diagram: AZ1b, Web1 in Subnet1 and DB1 in Subnet2, with the Next-Generation Firewall in the path)
Leverage Exploit – Threat Prevention (Block Known Threats)
Execute Malware – WildFire (Block Unknown Threats); Threat Prevention (Anti-Malware)
Control Channel – Threat Prevention (Prevent C&C)
Lateral Movement – Threat Prevention (Block Lateral Movement); Threat Prevention (Prevent C&C)
Steal Data – File Blocking & Data Filtering
28. 4. Streamline Management and Policy Updates
• Centrally manage configuration and policy across enterprise and cloud
• Aggregate traffic logs for visibility, forensics and reporting
• Streamline policy updates with APIs and dynamic monitoring of the AWS VPC
(Diagram: APIs spanning Application, Network and Security; AZ1b with Web1 in Subnet1 and DB1 in Subnet2)
30. Hybrid Cloud Topology
• Combines the best of both worlds
• Private data center for static, older workloads
• Public cloud for newer apps, agility, scalability
(Diagram: DC-FW1 and DC-FW2 in the private data center, IPSec VPN to AWS, Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c)
31. Step 1: Getting the Subnets Right
• Subnets and route tables should be established in AWS first
• Each subnet gets a unique route table
• External subnet routes to the IGW
• Internal subnet and route table should exclude the IGW
• Eliminates internal-subnet-to-Internet routing – even if the firewall is misconfigured
• Associate every subnet with its route table explicitly: a subnet with no association falls back to the VPC's main route table, which may carry an IGW route
32. Step 2: Deploy the VM-Series for AWS
• Two licensing options enabled via AWS Marketplace
• Bring your own license (BYOL): pick and choose licenses, subscriptions and support to best suit your needs
• Consumption-based licensing in AWS Marketplace: fixed bundles purchased for annual or hourly time periods
• Instances: small c3 to c4.4xlarge. Confirm the latest list in AWS Marketplace
• Elastic Network Interfaces (ENI): up to 8 ENIs, with the first ENI always dedicated to management
• Interface modes: L3 only, due to AWS infrastructure requirements. TAP, L2, and virtual wire interface modes are not supported
• CPU, memory and storage: all instance types support 2, 4, or 8 vCPUs, and they all require at least 4 GB of dedicated memory and 40 GB of EBS-optimized volume storage
33. Step 3: Establishing the IPSec VPN Connection
• VM-Series for AWS acts as a VPN termination point
• Fully supports IPSec VPN standards
34. Step 4: Ensuring All Traffic Flows Through the Firewall
Challenge
• With two or more subnets, the firewall can intentionally or accidentally be bypassed
• Inside a VPC the local route lets a host reach every other subnet through the VPC router, so a host whose default route is re-pointed from the firewall to the VPC router goes around the firewall
(Diagram: AZ1b with DB1 and Web1)
35. Step 4: Ensuring All Traffic Flows Through the Firewall
Solution
• Force all traffic to the firewall by adding a self-referencing security group
(Diagram: AZ1b with DB1 and Web1, traffic passing through the firewall)
36. AWS Configuration to Force Traffic Through Firewall
Self-referencing security groups
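Step 1 (one route table per subnet, no IGW route on the internal one) and Step 4 (the self-referencing security group) written out as an added example in Python, not code from the deck or from Palo Alto Networks. It builds a CloudFormation-style resource map and lints it, so the two invariants can be checked before a template is ever deployed. CIDRs, logical names and the firewall ENI id are assumptions. The self-referencing group is modelled as the DB hosts and the firewall's DB-side interface sharing one group that accepts only from itself; that is one layout consistent with the validation output on the following slides, since the deck does not spell out its rule set.

```python
"""Step 1 (route tables) and Step 4 (self-referencing security group) as a
CloudFormation-style resource map plus a lint. Added example; not from the
deck. CIDRs, logical names and the firewall ENI id are assumed."""
import copy
import json

FIREWALL_TRUST_ENI = "eni-0aaaaaaaaaaaaaaa1"  # assumed: VM-Series interface in the internal subnet


def build_template():
    """Two subnets, one route table each; only the external table knows the IGW."""
    return {"Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.4.0.0/16"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway"},
        "ExternalSubnet": {"Type": "AWS::EC2::Subnet",
                           "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.4.1.0/24"}},
        "InternalSubnet": {"Type": "AWS::EC2::Subnet",
                           "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.4.5.0/24"}},
        "ExternalRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        "InternalRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        "ExternalDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "ExternalRT"}, "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": {"Ref": "IGW"}}},
        # Internal default route targets the firewall ENI. No IGW route exists in this
        # table, so a bad firewall policy still cannot put the subnet on the Internet.
        "InternalDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "InternalRT"}, "DestinationCidrBlock": "0.0.0.0/0",
            "NetworkInterfaceId": FIREWALL_TRUST_ENI}},
        # Explicit associations: an unassociated subnet silently uses the VPC main table.
        "ExternalAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": "ExternalSubnet"}, "RouteTableId": {"Ref": "ExternalRT"}}},
        "InternalAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": "InternalSubnet"}, "RouteTableId": {"Ref": "InternalRT"}}},
        "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "VpcId": {"Ref": "VPC"},
            "GroupDescription": "DB tier: accept only from members of this group"}},
        # The self-reference must be a separate SecurityGroupIngress resource; an inline
        # rule that Refs its own group is a circular dependency in CloudFormation.
        # Members are the DB hosts plus the firewall's DB-side ENI, so a web host that
        # re-points its default route at the VPC router is not an allowed source.
        "DbSGSelf": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "DbSG"}, "IpProtocol": "-1",
            "SourceSecurityGroupId": {"Ref": "DbSG"}}},
    }}


def _ref(value):
    return value.get("Ref") if isinstance(value, dict) else value


def subnet_route_tables(resources):
    """Subnet logical id -> route table logical id, taken from the associations."""
    return {_ref(r["Properties"]["SubnetId"]): _ref(r["Properties"]["RouteTableId"])
            for r in resources.values() if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"}


def route_tables_with_igw(resources):
    """Route tables carrying any route whose target is an InternetGateway."""
    igws = {n for n, r in resources.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    return {_ref(r["Properties"]["RouteTableId"]) for r in resources.values()
            if r["Type"] == "AWS::EC2::Route" and _ref(r["Properties"].get("GatewayId")) in igws}


def self_referencing_groups(resources):
    """Security groups that have an ingress rule sourced from themselves."""
    return {_ref(r["Properties"]["GroupId"]) for r in resources.values()
            if r["Type"] == "AWS::EC2::SecurityGroupIngress"
            and _ref(r["Properties"].get("SourceSecurityGroupId")) == _ref(r["Properties"]["GroupId"])}


def lint(template, internal_subnets, protected_groups):
    """Findings list; empty means the template honours Step 1 and Step 4."""
    res = template["Resources"]
    rt_of, exposed, self_ref = subnet_route_tables(res), route_tables_with_igw(res), self_referencing_groups(res)
    findings = []
    for subnet in internal_subnets:
        rt = rt_of.get(subnet)
        if rt is None:
            findings.append(f"{subnet}: no route table association (falls back to the VPC main table)")
        elif rt in exposed:
            findings.append(f"{subnet}: route table {rt} has a route to an Internet Gateway")
    for rt in {t for t in rt_of.values() if list(rt_of.values()).count(t) > 1}:
        findings.append(f"route table {rt} is shared by more than one subnet")
    for sg in protected_groups:
        if sg not in self_ref:
            findings.append(f"{sg}: no self-referencing ingress rule; hosts could bypass the firewall")
    return findings


def tampered_template():
    """Same template, but the internal default route now points at the IGW."""
    t = copy.deepcopy(build_template())
    props = t["Resources"]["InternalDefault"]["Properties"]
    props.pop("NetworkInterfaceId")
    props["GatewayId"] = {"Ref": "IGW"}
    return t


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
    print("clean:", lint(build_template(), ["InternalSubnet"], ["DbSG"]))
    print("tampered:", lint(tampered_template(), ["InternalSubnet"], ["DbSG"]))
```

The lint is deliberately structural: it does not need AWS credentials, so it can run in a pipeline before `aws cloudformation deploy`, and the same three checks (explicit association, no IGW route on internal tables, self-referencing ingress on protected groups) can be pointed at a template exported from an existing stack.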
37. Validating the Configuration
Web-to-DB connection via the VR and firewall succeeds. web1's default gateway is 10.4.3.101, the firewall's interface in Subnet1:
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
64 bytes from db1 (10.4.5.201): icmp_seq=2 ttl=63 time=0.916 ms
64 bytes from db1 (10.4.5.201): icmp_seq=3 ttl=63 time=1.04 ms
--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms
Check: ttl=63 in the replies means db1's echo replies (sent with TTL 64) crossed exactly one L3 hop, consistent with the path through the firewall's virtual router.
38. Validating the Configuration
Attempted bypass by altering the default route is dropped. 10.4.3.1 is the VPC router (AWS reserves the first usable address of every subnet for it), so the new default route sends traffic to db1's subnet around the firewall:
ubuntu@web1:~$ sudo route add default gw 10.4.3.1
ubuntu@web1:~$ sudo route del default gw 10.4.3.101
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.1 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
--- db1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
With the self-referencing security group in place, web1 is not an allowed source for db1, so the packets that skip the firewall are discarded.
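The two validation slides read as a pair of host-side checks that can be scripted: the only default route must still be the firewall's interface, and echo replies must arrive with the expected hop count. This is an added example in Python, not code from the deck; the firewall gateway address is assumed from the slide output, and the sample outputs are constructed copies of what the slides show.

```python
"""Host-side checks for the validation slides. Added example, not from the
deck. The gateway address is assumed from the slide output; the sample
outputs are constructed copies of it."""
import re

FIREWALL_GW = "10.4.3.101"  # assumed: VM-Series data interface in Subnet1
VPC_ROUTER = "10.4.3.1"     # AWS reserves the first usable address of a subnet for its router

GOOD_ROUTES = """Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""
BYPASS_ROUTES = """Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.1 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""
GOOD_PING = """PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
64 bytes from db1 (10.4.5.201): icmp_seq=2 ttl=63 time=0.916 ms
64 bytes from db1 (10.4.5.201): icmp_seq=3 ttl=63 time=1.04 ms
--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
"""
BYPASS_PING = """PING db1 (10.4.5.201) 56(84) bytes of data.
--- db1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
"""


def default_gateways(netstat_rn):
    """Gateways of every default route (destination 0.0.0.0, mask 0.0.0.0) in `netstat -rn` output."""
    gws = []
    for line in netstat_rn.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "0.0.0.0" and cols[2] == "0.0.0.0":
            gws.append(cols[1])
    return gws


def route_check(netstat_rn, firewall_gw=FIREWALL_GW):
    """None when the only default route is the firewall; otherwise a finding."""
    gws = default_gateways(netstat_rn)
    if gws == [firewall_gw]:
        return None
    if VPC_ROUTER in gws:
        return f"default route via VPC router {VPC_ROUTER}: bypasses the firewall"
    return f"unexpected default route(s) {gws}: expected {firewall_gw}"


def reply_hops(ping_output, initial_ttl=64):
    """Set of L3 hop counts seen on the reply path, derived from reply ttl values
    (Linux replies start at TTL 64). None when no reply arrived."""
    ttls = {int(t) for t in re.findall(r"\bttl=(\d+)", ping_output)}
    return {initial_ttl - t for t in ttls} if ttls else None


def loss_percent(ping_output):
    m = re.search(r"(\d+)% packet loss", ping_output)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(route_check(GOOD_ROUTES), reply_hops(GOOD_PING), loss_percent(GOOD_PING))
    print(route_check(BYPASS_ROUTES), reply_hops(BYPASS_PING), loss_percent(BYPASS_PING))
```

On a live host, feed `route_check` the output of `netstat -rn` (or adapt `default_gateways` to `ip route`) from a cron job or a config-management run; a default route that is anything but the firewall's interface is the tamper the second slide demonstrates.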
39. Step 4: Scaling the AWS Deployment Using ECMP
• ECMP weighted round robin in the private data center
• Distributes the load across multiple VM-Series instances
(Diagram: DC-FW1 and DC-FW2, Web0-01 on premises, Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c)
40. Scaling the AWS Deployment Using On-Prem Load Balancer
• Traffic load is shared across both private and public cloud
• Static routes on the firewall across multiple VPN tunnels add redundancy
• A single load balancer configuration minimizes management effort
(Diagram: DC-FW1 and DC-FW2, Web0-01 on premises, Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c)
41. Scaling the AWS Deployment Using AWS Load Balancing
• AWS Elastic Load Balancer supported natively
• Citrix NetScaler – documented in tech pubs
(Diagram: DC-FW1 and DC-FW2, Web0-01 on premises, Web1-01, Web1-02, Web1-03, Web2-01, Web2-02 and Web2-03 across AZ1b and AZ1c)
42. Step 5: Security Automation to Keep Pace with the Business
Automating resource deployment
• CloudFormation Templates (CFT)
• Scripted to deploy AWS resources
• Ranges from a basic install of the VM-Series to a fully configured environment
• Check out the Hybrid Deployment Guidelines whitepaper for a two-tiered CFT example
(Diagram: AZ1b with Web1 and DB1)
43. Automating Firewall Deployments
The VM-Series bootstraps from an S3 bucket named in the instance's user data:
vm-series-bootstrap-aws-s3-bucket=<bucketname>
The bucket supplies: PAN-OS configuration, security policies, BYOL licenses, software updates, dynamic content, and attachment to a Panorama device group (the bootstrap package in the bucket uses the config/, content/, license/ and software/ folders).
44. Security Automation to Keep Pace with the Business
Automating policy updates
• Using AWS tags and Dynamic Address Groups to drive policy updates
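How tags drive policy, as an added example in Python rather than code from the deck or from Palo Alto Networks: instances carry AWS tags, the firewall turns them into attributes, a dynamic address group is a boolean match over those attributes, and a rule that references the group picks up new or re-tagged hosts on the next poll with no rule edit and no commit. The `aws-tag.<key>.<value>` attribute spelling is an assumption that mirrors the form learned from the AWS VM information source; the fleet, group names and rules are constructed. The quarantine group goes one step beyond the slide to show the same mechanism used for containment: tag a host and a deny rule above the allow takes effect.

```python
"""AWS tags -> dynamic address groups -> policy membership. Added example, not
from the deck. The 'aws-tag.<key>.<value>' spelling is an assumption; the
fleet, groups and rules are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Instance:
    instance_id: str
    private_ip: str
    tags: dict


def attributes(inst):
    """Attributes the firewall would register for one instance (assumed spelling)."""
    return {f"aws-tag.{k}.{v}" for k, v in inst.tags.items()} | {f"aws-InstanceId.{inst.instance_id}"}


def evaluate(match, attrs):
    """Evaluate a match criterion: quoted attributes joined by and / or / not / parentheses."""
    tokens = re.findall(r"'[^']*'|\(|\)|\b(?:and|or|not)\b", match)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            right = parse_and()  # always consume the operand; no short-circuit
            left = left or right
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in match criterion")
            return inner
        return tok.strip("'") in attrs

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in match criterion: {tokens[pos:]}")
    return result


@dataclass
class DynamicAddressGroup:
    name: str
    match: str

    def members(self, fleet):
        return sorted(i.private_ip for i in fleet if evaluate(self.match, attributes(i)))


def resolve_policy(rules, groups, fleet):
    """Expand each rule's address groups against the current fleet state."""
    by_name = {g.name: g for g in groups}
    return [dict(rule, src_ips=by_name[rule["src"]].members(fleet),
                 dst_ips=by_name[rule["dst"]].members(fleet)) for rule in rules]


# Constructed fleet mirroring the deck's web and DB tiers.
FLEET = [
    Instance("i-0web1", "10.4.3.11", {"Role": "web", "Env": "prod"}),
    Instance("i-0web2", "10.4.3.12", {"Role": "web", "Env": "prod"}),
    Instance("i-0db1", "10.4.5.201", {"Role": "db", "Env": "prod"}),
    Instance("i-0dbdev", "10.4.5.250", {"Role": "db", "Env": "dev"}),
]
GROUPS = [
    DynamicAddressGroup("prod-web", "'aws-tag.Role.web' and 'aws-tag.Env.prod'"),
    DynamicAddressGroup("prod-db", "'aws-tag.Role.db' and not 'aws-tag.Env.dev'"),
    DynamicAddressGroup("quarantined", "'aws-tag.Quarantine.true'"),
]
# Rule order matters: the containment deny sits above the allow, as on a real rulebase.
RULES = [
    {"name": "contain", "src": "quarantined", "dst": "prod-db", "app": "any", "action": "deny"},
    {"name": "web-to-db", "src": "prod-web", "dst": "prod-db", "app": "mysql", "action": "allow"},
]


def quarantine(fleet, instance_id):
    """Tag one instance; on the firewall's next poll it joins 'quarantined'."""
    return [Instance(i.instance_id, i.private_ip, {**i.tags, "Quarantine": "true"})
            if i.instance_id == instance_id else i for i in fleet]


if __name__ == "__main__":
    for rule in resolve_policy(RULES, GROUPS, FLEET):
        print(rule)
    for rule in resolve_policy(RULES, GROUPS, quarantine(FLEET, "i-0web2")):
        print(rule)
```

Two points the deck's bullet hides: the dev database never enters `prod-db` however the web tier grows, and a quarantined web host still matches `prod-web`, which is why the deny must sit above the allow rather than relying on the group definitions alone.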
46. Additional VM-Series for AWS Use Cases
• Gateway, Internet-facing security
  • Visibility: classify all AWS traffic based on application identity
  • Control: enable those applications you want, deny those you don't
  • Authorize: grant access based on user identity
• Inter-VPC, subnet protection use case
  • Protect traffic within the VPC and traversing each subnet
  • Control which applications can communicate with each other
  • Prevent threats from moving laterally
• GlobalProtect remote access
  • Leverage the scale & availability of AWS to reach global employees
  • Extend corporate security policies to remote users
49. AWS Free Trial: Available now
Try one of the bundles for 15 days
• Just like an eval
• PoC to production
• Free usage cannot be extended
• Automatically converts to hourly purchase after 15 days if the VM-Series instance is running