
Secure Content Delivery with AWS


by Andrew Kiggins, Solutions Architect, AWS


  1. © 2016 AWS and affiliates, all rights reserved. Security Architecture Loft: Secure Content Delivery with AWS. Andrew Kiggins, Security Solutions Architect
  2. Agenda
     • Amazon CloudFront
     • AWS Certificate Manager (ACM)
     • Deep Dive: Secure Content Delivery
     • AWS WAF
  3. Amazon CloudFront
  4. CloudFront: Global Content Delivery Network
     • Accelerate your application and APIs
     • Including static content such as images and video
     • Massively scalable
     • Highly secure
     • Self service
     • Priced to minimize cost
  5. Our growing global footprint… (map of AWS Regions and CloudFront edge locations across North America, South America, EMEA and APAC, with counts of POPs, cities, countries and continents)
  6. Amazon CloudFront: Whole Site Delivery (dynamic content, static content, video, user input, SSL)
  7. Accelerate ALL Types of Content (diagram: requests for example.com reach Amazon CloudFront; dynamic content such as *.php is fetched from Amazon EC2 behind an ALB/ELB or from a custom origin, static content such as *.jpg from Amazon S3 or from a custom origin)
  8. Can Dynamic Content Be Optimized? A dynamic application response is not cacheable: it is proxied to the origin and back. How, then, do we accelerate applications?
  9. Application Acceleration
     • CloudFront latency-based routing
     • TCP/IP optimizations for the network path
     • Keep-alive connections to reduce RTT
     • AWS backbone network
     • SSL/TLS optimizations
  10. Choose your own security
     • Half bridge or full bridge termination
     • Only encrypt what's really necessary
     (diagram: half bridge termination, HTTP between Amazon CloudFront and the region; full bridge termination, HTTPS between Amazon CloudFront and the region)
  11. What's new in Amazon CloudFront?
     • IPv6 support
     • HTTP/2 support
     • Query string whitelisting
     • Cost allocation tagging
     • New edge locations, making the total now 63 globally
     • Learn more here: https://aws.amazon.com/cloudfront/whats-new/
  12. AWS Certificate Manager
  13. What is AWS Certificate Manager (ACM)? AWS Certificate Manager (ACM) is a service which makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
  14. ACM Benefits
     • Provision certificates quickly and easily
     • Protect and secure websites and applications
     • Managed certificate renewal
     • Secure key management
     • Centrally manage certificates on the AWS Cloud
     • Integrated with other AWS Cloud services
     • Free
  15. Amazon CloudFront and ACM integration (diagram: AWS Certificate Manager, CloudFront and Elastic Load Balancing)
     1. Request certificate
     2. Validate request
     3. Use
     • Easy to procure a new certificate (directly from the CloudFront console)
     • Fast turnaround (minutes)
     • Immediately available for use in CloudFront (and ELB)
     • SNI support of custom certs generated with ACM is free
     • Hassle-free automatic certificate renewal
  16. Deep Dive: Secure Content Delivery
  17. History of TLS/SSL
     Evolution of web encryption technologies: 1995 SSL 2.0; 1996 SSL 3.0; 1999 TLS 1.0; 2006 TLS 1.1; 2008 TLS 1.2; 2013 planning of TLS 1.3 starts
     Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
  18. Greater Enforcement by Industry/Vendors
     Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
     Industry enforcement: 2015/12 indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 mandatory TLS 1.2
  19. Shifting to the Era of Complete HTTPS: from an HTTP/HTTPS hybrid to complete HTTPS, driven by industry enforcement (2015/12 indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 mandatory TLS 1.2), an increase in marketing benefits, lower costs and an increase in user benefits
  20. iOS App Transport Security (ATS)
     • Mandatory for App Store applications from Jan. 1, 2017
     • Supported in iOS 9.0 and later and in OS X v10.11 and later
     • iOS developers can meet ATS requirements by:
       1. Enabling HTTPS on connecting servers, with the following exclusions: web page loads (e.g., browsers) and bulk encoded streaming
       2. Using best practices for secure communications: TLS 1.2; a server cert with a 2048-bit RSA key and SHA-2 hash; cipher suites that support forward secrecy
  21. CloudFront Supports Apple ATS
     • Required Jan 2017
     • TLS 1.2 (supported via the MinimumProtocolVersion option)
     • Perfect forward secrecy
     • Server certificates with 2048-bit RSA keys
     Cipher suites for RSA certificates: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
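The ATS points on slides 20 and 21 (TLS 1.2 minimum, forward secrecy, a 2048-bit RSA key, a SHA-2 certificate hash) are easy to check mechanically once the cipher-suite names are parsed. The following is an added example written for this page, not code from the slides or from AWS: it parses IANA suite names such as those listed above and reports which points a configuration misses. The config dict layout and its protocol labels ("TLSv1.2" and so on) are this example's own, not the field names or enum values of the CloudFront API.

```python
"""ATS-style TLS configuration check (added example, not code from the slides).

Parses IANA cipher-suite names such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
and checks a CloudFront-like TLS configuration against the points the slides
list for Apple App Transport Security: TLS 1.2 or later, forward secrecy via
ephemeral key exchange, a 2048-bit RSA certificate key and a SHA-2 signature.
The config dict layout and its protocol labels are this example's own, not the
CloudFront API's field names.
"""
import re

# IANA-style suite name: TLS_<key exchange>[_<authentication>]_WITH_<cipher>_<hash>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kex>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA384|SHA256|SHA|MD5)$"
)

# Ordering used to compare minimum protocol versions (labels are this example's own).
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}          # ephemeral key exchange
SHA2_HASHES = {"SHA256", "SHA384", "SHA512"}


def parse_suite(name):
    """Split an IANA cipher-suite name into (kex, auth, cipher, hash)."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    # TLS_RSA_WITH_... both exchanges the key and authenticates with RSA.
    auth = m.group("auth") or m.group("kex")
    return m.group("kex"), auth, m.group("cipher"), m.group("hash")


def has_forward_secrecy(name):
    """True when the suite's key exchange is ephemeral (ECDHE or DHE)."""
    return parse_suite(name)[0] in FORWARD_SECRET_KEX


def check_ats(config):
    """Return a list of findings; an empty list means every ATS point is met."""
    findings = []
    minimum = config["minimum_protocol_version"]
    if PROTOCOL_RANK.get(minimum, -1) < PROTOCOL_RANK["TLSv1.2"]:
        findings.append(f"minimum protocol version {minimum} is below TLSv1.2")
    for suite in config["cipher_suites"]:
        if not has_forward_secrecy(suite):
            findings.append(f"{suite}: key exchange offers no forward secrecy")
    cert = config["certificate"]
    if cert["key_type"] == "RSA" and cert["key_bits"] < 2048:
        findings.append(f"RSA key of {cert['key_bits']} bits is below 2048")
    if cert["signature_hash"] not in SHA2_HASHES:
        findings.append(f"certificate signature hash {cert['signature_hash']} is not SHA-2")
    return findings


# Constructed configuration mirroring slide 21: TLS 1.2 minimum and the five
# ECDHE_RSA suites listed for RSA certificates.
CLOUDFRONT_ATS_CONFIG = {
    "minimum_protocol_version": "TLSv1.2",
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ],
    "certificate": {"key_type": "RSA", "key_bits": 2048, "signature_hash": "SHA256"},
}

# Constructed legacy configuration that misses every point.
LEGACY_CONFIG = {
    "minimum_protocol_version": "TLSv1",
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "certificate": {"key_type": "RSA", "key_bits": 1024, "signature_hash": "SHA1"},
}

if __name__ == "__main__":
    for label, cfg in (("slide 21 config", CLOUDFRONT_ATS_CONFIG), ("legacy config", LEGACY_CONFIG)):
        print(label, "->", check_ats(cfg) or ["meets the ATS points listed on the slides"])
```

Note that the check does not flag TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: the SHA-2 requirement in the slides applies to the certificate signature, and the suite's ECDHE key exchange is what ATS demands of the cipher suite.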
  22. CloudFront can protect Data in Transit
  23. CloudFront Protects Data in Transit (diagram: user request to an edge location, then on to the origin)
     • Deliver content over HTTPS to protect data in transit
     • HTTPS authenticates CloudFront to viewers
     • HTTPS authenticates the origin to CloudFront
  24. HTTPS Delivery on CloudFront
     • HTTP/HTTPS using our entire global network
     • No need for major re-planning of capacity and performance
     • No restrictions in use cases
     • Data Transfer Out fees are the same for HTTP/HTTPS*
     • Available SSL/TLS certs:
       • CloudFront default domain (*.cloudfront.net), at no additional cost
       • Custom domain certs, SNI-only, at no additional cost
       • Custom domain certs, dedicated IP, with a monthly fee
       • Free SSL/TLS certs in minutes with ACM integration
     * Request pricing may vary
  25. Dedicated custom IP SSL vs SNI Custom SSL
     • Dedicated custom IP SSL (legacy SSL/TLS)
       • Only one global IP can handle one domain for SSL/TLS → sacrifices system scalability and cannot allocate servers in real time
       • Pro-rated monthly fee
     • SNI (Server Name Indication)
       • One global IP can handle multiple domain names for SSL/TLS → system scalability can increase
       • No additional charge to "Bring Your Own Certificate"
       • Standard rates for data transfer; regular HTTPS request fees apply
  26. Benefits of SSL/TLS on Amazon CloudFront
     • Ease of use: integrated with AWS Certificate Manager (ACM)
     • Economical: free SSL/TLS certificate; SNI custom SSL; default CloudFront certificate
     • Security and performance: built-in SSL/TLS optimizations
  27. CloudFront enables Advanced SSL features automatically
  28. Built-in SSL/TLS Optimizations
     • Improved security: high security ciphers; perfect forward secrecy
     • Improved SSL performance: Online Certificate Status Protocol (OCSP) stapling; session tickets
  29. Advanced SSL/TLS: Improved Security (diagram: CloudFront edge location). CloudFront:
     • Uses high-security ciphers
     • Employs ephemeral key exchange
     • Enables perfect forward secrecy
  30. Advanced SSL/TLS: Improved Performance
     • Session tickets
     • Online Certificate Status Protocol (OCSP) stapling
  31. Session Tickets (diagram: CloudFront edge location)
     • Session tickets allow the client to resume a session.
     • CloudFront sends encrypted session data to the client.
     • The client does an abbreviated SSL handshake.
  32. OCSP Stapling (diagram: client, Amazon CloudFront, OCSP responder, origin server)
     1. Client sends TLS Client Hello.
     2. CloudFront requests certificate status from the OCSP responder.
     3. OCSP responder sends certificate status.
     4. CloudFront completes the TLS handshake with the client.
     5. Request/response from the origin server.
  33. OCSP Stapling (chart, time in milliseconds on a 0 to 250+ scale, comparing client-side revocation checks with OCSP stapling: after the TCP handshake, Client Hello and Server Hello, the client-side path adds DNS for the OCSP responder, TCP to the OCSP responder, the OCSP request/response and following the certificate chain before the handshake completes and application data flows; with stapling those steps disappear, a 30% improvement, 120 ms faster)
  34. Validate Origin Certificate
     • CloudFront validates SSL certificates to the origin.
     • Origin domain name must match the Subject Name on the certificate.
     • Certificate must be issued by a trusted CA.
     • Certificate must be within its expiration window.
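The three origin-certificate conditions on slide 34 are the same ones any TLS client applies, and they are worth seeing as code because the name-matching rule has edge cases (case, wildcards spanning labels). The block below is an added example for this page, not AWS or CloudFront code: it takes a certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns and reports which of the slide's checks fail. The trusted-issuer set is a stand-in for real chain building, and the two sample certificates, the CA name and the fixed check time are constructed for the example.

```python
"""Origin certificate checks in the spirit of slide 34 (added example, not AWS code).

Applies the slide's three conditions to a certificate given in the dict layout
that Python's ssl.SSLSocket.getpeercert() returns: the origin domain name must
match a subject name (DNS SAN, or CN when no DNS SAN exists), the issuer must be
a trusted CA, and the check time must lie inside the validity window. The
trusted-issuer set stands in for full chain building, and both sample
certificates below are constructed for this example.
"""
import ssl
import time


def hostname_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is accepted only
    as the whole leftmost label of a name with at least three labels, and it
    never spans more than one label of the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_names(cert):
    """DNS names the certificate is valid for (SANs first, CN only as a fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return names


def issuer_organization(cert):
    """organizationName of the issuer, or None when absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def validate_origin_cert(cert, origin_domain, trusted_issuers, now=None):
    """Return the list of failed checks; an empty list means the certificate is acceptable."""
    now = time.time() if now is None else now
    failures = []
    names = certificate_names(cert)
    if not any(hostname_matches(name, origin_domain) for name in names):
        failures.append(f"origin domain {origin_domain} matches none of {names}")
    issuer = issuer_organization(cert)
    if issuer not in trusted_issuers:
        failures.append(f"issuer {issuer!r} is not a trusted CA")
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form getpeercert() uses.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        failures.append(f"outside validity window {cert['notBefore']} .. {cert['notAfter']}")
    return failures


# Constructed sample data: a CA-issued wildcard certificate for an example origin,
# an expired self-signed one, and a fixed check time so results are repeatable.
TRUSTED_ISSUERS = {"Example Trusted CA"}
CHECK_TIME = ssl.cert_time_to_seconds("Jul 15 12:00:00 2016 GMT")

GOOD_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.example.com")),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan 15 00:00:00 2016 GMT",
    "notAfter": "Jan 15 00:00:00 2017 GMT",
}

SELF_SIGNED_EXPIRED_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("organizationName", "origin.example.com (self-signed)"),),),
    "notBefore": "Jun 15 00:00:00 2014 GMT",
    "notAfter": "Jun 15 00:00:00 2015 GMT",
}

if __name__ == "__main__":
    for label, cert in (("CA-issued", GOOD_CERT), ("self-signed, expired", SELF_SIGNED_EXPIRED_CERT)):
        result = validate_origin_cert(cert, "origin.example.com", TRUSTED_ISSUERS, CHECK_TIME)
        print(label, "->", result or ["ok"])
```

The self-signed certificate fails two of the three checks at once (untrusted issuer, expired), which is the common state of a forgotten origin certificate; the wildcard entry shows why `*.example.com` covers `api.example.com` but not `deep.api.example.com`.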
  35. AWS WAF
  36. What is a WAF?
     • A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic
     • WAFs come in four flavors:
       • Pure play: stand-alone appliance or software
       • CDN: bundled with a content delivery network
       • Load balancer: bundled with a load balancer
       • Universal Threat Manager (UTM): catch-all for misc. security
  37. Why use a WAF?
     • WAFs help protect web sites and applications against attacks that cause data breaches and downtime.
     • General WAF use cases:
       • Protect from SQL injection (SQLi) and cross-site scripting (XSS)
       • Prevent web site scraping, crawlers, and bots
       • Mitigate DDoS (HTTP/HTTPS floods)
     • Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance
  38. What is AWS WAF?
     • AWS WAF is a CDN-bundled WAF that allows customers to create Web Access Control Lists (ACLs) that can be used to block malicious requests based on rules.
     • Unique aspects of AWS WAF are:
       • Customizable rules created by customers to avoid false positives
       • Full-feature API: this is a DevOps WAF that can be deployed inline with new web sites and applications
       • Integrated with AWS (CloudFront, CloudWatch, with more to come) and with partners (Alert Logic, with more to come)
       • Pay-as-you-go pricing
  39. Serving Unnecessary Requests Costs Money (diagram: a scraper bot and a legitimate browser both send requests to an Amazon CloudFront edge location, with AWS WAF in front of it)
     Scraper bot request:
       Host: www.internetkitties.com
       User-Agent: badbot
       Accept: image/png,image/*;q=0.8,*/*;q=0.5
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Referer: http://www.InTeRnEkItTiEs.com/
       Connection: keep-alive
     Legitimate request:
       Host: www.internetkitties.com
       User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…
       Accept: image/png,image/*;q=0.8,*/*;q=0.5
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Referer: http://www.mysite.com/
       Connection: keep-alive
  40. Access Control: Web Application Firewall (diagram: the same scraper bot request (User-Agent: badbot, Referer: http://www.InTeRnEkItTiEs.com/) and legitimate request (Referer: http://www.mysite.com/) as on the previous slide, now passing through AWS WAF in front of the Amazon CloudFront edge location)
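Slides 39 and 40 contrast two requests that differ only in headers, which is exactly the kind of signal a web ACL rule inspects. The block below is an added example for this page, not AWS WAF code or its API: it parses the two requests as shown on the slides (reconstructed here as constructed text), then runs them through a small ordered rule list in which each rule inspects one header, lowercases it first (the mixed-case Referer on the bot request is why a text transformation matters), and the first match decides the action. The rule format, function names and the Referer allowlist are this example's own assumptions.

```python
"""Header-based request filtering in the style of a web ACL (added example, not AWS WAF code).

Parses the two requests shown on slides 39 and 40 (constructed sample text
below) and runs them through an ordered rule list: each rule inspects one
header, applies a lowercase text transformation, tests a predicate, and the
first matching rule decides the action; anything unmatched is allowed.
Rule format, function names and the allowlist are this example's own.
"""
from urllib.parse import urlsplit

# Constructed from the headers shown on the slides.
BOT_REQUEST = """\
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
"""

BROWSER_REQUEST = """\
Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive
"""

# Constructed allowlist of Referer hosts the site owner expects to see.
ALLOWED_REFERER_HOSTS = {"www.internetkitties.com", "www.mysite.com"}


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def referer_host(value):
    """Host part of a Referer URL, lowercased; '' when absent or unparsable."""
    return (urlsplit(value).hostname or "").lower()


# Each rule: (name, header to inspect, predicate over the lowercased value, action).
RULES = [
    ("block-known-bad-user-agents", "user-agent",
     lambda v: "badbot" in v, "BLOCK"),
    # A misspelt or case-mangled Referer host (www.InTeRnEkItTiEs.com lowercases to
    # www.internekitties.com) is not in the allowlist, so the lowercase step cannot
    # be skipped. An empty Referer is left alone: many legitimate browsers send none.
    ("block-foreign-referers", "referer",
     lambda v: bool(v) and referer_host(v) not in ALLOWED_REFERER_HOSTS, "BLOCK"),
]


def evaluate(headers, rules=RULES, default_action="ALLOW"):
    """Return (action, rule_name) for the first matching rule, else (default_action, None)."""
    for name, header, predicate, action in rules:
        value = headers.get(header, "").lower()   # text transformation: lowercase
        if predicate(value):
            return action, name
    return default_action, None


if __name__ == "__main__":
    for label, raw in (("scraper bot", BOT_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, "->", evaluate(parse_headers(raw)))
```

Rule order matters: the User-Agent rule fires first for the bot as shown on the slide, and if the bot later swaps in a browser-like User-Agent the Referer rule still catches the look-alike host, which is the layering the slides' "customizable rules" bullet is about.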
  41. MapBox uses WAF to protect from bots (diagram: good users and bad guys send requests through AWS WAF to the server; logs feed threat analysis, and a rule updater feeds new rules back into AWS WAF)
  42. CloudFront Getting Started
     • CloudFront Free Tier
     • Competitive pricing
       • No data transfer charges from S3 and EC2/ELB to CloudFront
       • Static and dynamic cost the same
       • Price classes to further optimize cost
     • Learn more here: https://aws.amazon.com/cloudfront/pricing/
     Amazon Confidential. Under NDA Only
  43. aws.amazon.com/activate: Everything and Anything Startups Need to Get Started on AWS
