
Security for Complex Networks on AWS

When organizations start using AWS, they may initially use a single VPC and a very simple network implementation. In many cases, however, companies are leveraging multiple VPCs, regions and accounts. Companies are also connecting cloud networks to corporate headquarters and remote locations. They may even be connecting different cloud providers. This presentation will consider some of these use cases and the implications of connecting different networks. Material covered will include security considerations, sample architectures and tools that can help protect your account and your data.

Published in: Technology


  1. Security for Complex Networks on AWS
     Teri Radichel | @teriradichel, WatchGuard Technologies
  2. Story Of A Breach
  3. The Network Doesn’t Lie
  4. http://www.wikihow.com/Address-a-Business-Envelope-Effectively
  5. RandomInternetConnections.BlogSpot.Com
  6. Port Scan
  7. (diagram) INFECT VICTIM → CALL HOME
  8. (diagram) INFECTED VICTIM → NEW VICTIM
  9. Every Host Accessible From Internet: Bad
     (diagram: EC2, EC2, EVIL, INTERNET)
 10. Subnets and Route Tables
     (diagram: subnets 10.0.1.0, 10.0.2.0, 10.0.3.0 labelled WEB, APP, DATA; EVIL host 70.70.70.70; X NO ROUTE FOR 70.70.0.70)
 11. Subnet NACLs
     (diagram: subnets 10.0.1.0, 10.0.2.0, 10.0.3.0 labelled WEB, APP, DATA; NACLs ALLOW OR DENY TRAFFIC from EVIL host 70.70.70.70; X)
 12. Tips for Subnets
     • Keep subnets as big as possible
     • You have to track CIDRs, changes and conflicts, and firewall rules inside and outside AWS
     • Too many subnets: you run out of IP space
     • Too small: reallocation takes down applications
     • Understand where data can flow based on route tables
     • Limit routes to what is required
     • Limit Internet Gateway routes
     • NACL rules are limited to 20; use them for broad rules that always apply
 13. Security Groups
     (diagram: WHITELIST; X EVIL; security groups RESIDE ON HYPERVISOR and filter TRAFFIC IN THE SAME SUBNET)
 14. Structuring Security Groups
     • A group of rules, not a group of instances
     • Whitelist
     • Use security group IDs in rules whenever possible
     • Abstract out common rules
       – and only common rules (DNS, AD, Amazon IPs)
     • Security group rules are limited
     • Consolidate contiguous CIDR blocks into a single rule
     • Check what ports products require prior to purchase
     • May need to re-architect to get around limits
     (diagram: Common vs. App Specific security groups)
 15. An Example. We’re Good, Right?
     (diagram: subnets 10.0.1.0, 10.0.2.0, 10.0.3.0 labelled WEB, APP, DATA; EVIL host 70.70.70.70; rules: 70.70.70.70 ALLOWED ON PORT 80, 10.0.1.0 ALLOWED ON PORT 8080, 10.0.2.0 ALLOWED ON PORT 3389)
 16. Not quite. About Proxies…
     (diagram: EVIL 70.70.70.70 → Proxy → VICTIM 10.0.1.0; 10.0.1.0 ALLOWED ON PORT 80; PROXY TRAFFIC AS 10.0.1.0)
     Proxies send traffic that originated from blocked hosts via software on allowed hosts and ports.
 17. Proxies and Tunnels
     (diagram: THIS TRAFFIC WOULD OTHERWISE BE BLOCKED; LOOKS LIKE HTTPS ON PORT 443 TO FIREWALL … ALLOWED)
     Proxies wrap disallowed traffic in allowed protocols and communicate on allowed ports.
 18. Only Allow Direction You Want
     • For a given data flow: is it initiated inside your network, outside your network, or both?
     • If only one direction, block the opposite direction
     • Traffic is typically initiated to lower-numbered ports
     • Responses are generally on higher-numbered ephemeral ports
     • Security Groups are stateful, always allowing the response back to the sender
     • NACLs can ALLOW or DENY explicitly, including response traffic
 19. NACLs and Ephemeral Ports
     (diagram: WEB host; X EVIL; NACL BLOCKS 443 OUT; EPHEMERAL PORTS FOR RESPONSE)
     • App ports for the request, e.g. HTTPS 443
     • Ephemeral ports for the response: Amazon Linux 32768-61000; ELB 1024-65535; Windows Server 2008+ 49152-65535
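Slides 18 and 19 describe stateless NACL evaluation. The following added example (not code from the deck) models a subnet NACL as an ordered rule list and shows why the outbound side needs an ephemeral-port rule for responses even when the web host is blocked from initiating HTTPS out; the rule numbers, CIDRs and client port are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ephemeral (response) port ranges quoted on the slide, by client platform.
EPHEMERAL = {"amazon_linux": (32768, 61000), "elb": (1024, 65535),
             "windows_2008_plus": (49152, 65535)}

@dataclass(frozen=True)
class NaclRule:
    number: int      # NACLs are evaluated in ascending rule-number order
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # peer address range the rule applies to
    port_from: int
    port_to: int
    action: str      # "ALLOW" or "DENY"

def evaluate(rules, protocol, peer_ip, port):
    """First matching rule wins; the implicit '*' rule denies anything unmatched."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol in ("all", protocol)
                and ip in ipaddress.ip_network(rule.cidr)
                and rule.port_from <= port <= rule.port_to):
            return rule.action
    return "DENY"

def client_flow_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A connection a client initiates only works when the request is allowed in
    AND the reply to the client's ephemeral port is allowed back out (stateless)."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    response = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "ALLOW" and response == "ALLOW"

# Web subnet NACL as on the slide: HTTPS in from anywhere, web hosts may not
# initiate HTTPS out (443 OUT blocked), but replies on ephemeral ports get out.
WEB_INBOUND = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW")]
WEB_OUTBOUND = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "DENY"),
                NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "ALLOW")]
# Common mistake: mirror the inbound rule outbound and forget the ephemeral range.
NO_EPHEMERAL_OUTBOUND = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW")]

def demo(client_ip="70.70.70.70", client_port=EPHEMERAL["windows_2008_plus"][0]):
    """Assumed client 70.70.70.70 (the slide's external host) on a Windows ephemeral port."""
    return {
        "client_https_works": client_flow_allowed(WEB_INBOUND, WEB_OUTBOUND, client_ip, client_port, 443),
        "web_host_cannot_call_out_on_443": evaluate(WEB_OUTBOUND, "tcp", client_ip, 443) == "DENY",
        "broken_without_ephemeral_rule": client_flow_allowed(WEB_INBOUND, NO_EPHEMERAL_OUTBOUND, client_ip, client_port, 443),
    }
```

Swap `client_port` for a value from the `EPHEMERAL["elb"]` range to confirm the 1024-65535 outbound rule also covers load balancer responses.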
 20. Look for DENY log entries
     • Block host-to-host traffic inside your network unless required
     • Turn on VPC Flow Logs
     • Look for DENY traffic to indicate a host is misbehaving
     • Valid applications should never generate DENY log entries
     • Use other tools for more in-depth analysis if needed
     • VPC Flow Logs have some limitations
 21. Other Potentially Problematic Patterns
     • Traffic from countries with whom you do not do business
     • Excessive connections over time
     • Many connections in quick succession
     • Excessive connection length
     • Excessive data in or out
     • Encrypted connections via unknown keys
     • Traffic to honey pots (only run these in air-gapped accounts)
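An added example (not from the deck) that runs the checks from slides 20 and 21 over constructed VPC Flow Log lines: it isolates rejected host-to-host traffic inside the VPC and flags sources opening many connections in quick succession. VPC Flow Logs record the action as REJECT rather than DENY; the 10.0.0.0/16 VPC range, account id and ENI id in the sample are assumptions.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range for the sample

# Constructed sample lines in the default VPC Flow Log format (not real traffic).
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 70.70.70.70 10.0.1.10 51000 443 6 10 8400 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.3.10 49200 3389 6 1 60 1500000001 1500000061 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.3.10 49201 22 6 1 60 1500000002 1500000062 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.3.10 49202 445 6 1 60 1500000003 1500000063 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.2.10 10.0.3.10 49300 1433 6 20 4000 1500000005 1500000065 ACCEPT OK
2 111122223333 eni-0a1b2c3d 70.70.70.70 10.0.1.10 51001 23 6 1 60 1500000010 1500000070 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1500000020 1500000080 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format lines; NODATA/SKIPDATA lines carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "proto", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def internal_rejects(records):
    """Rejected host-to-host traffic inside the VPC: a valid app never produces these."""
    return [r for r in records if r["action"] == "REJECT"
            and ipaddress.ip_address(r["src"]) in VPC_CIDR
            and ipaddress.ip_address(r["dst"]) in VPC_CIDR]

def quick_succession_sources(records, min_ports=3, window=10):
    """Sources hitting several distinct ports on one destination within `window` seconds."""
    hits = defaultdict(list)
    for r in records:
        hits[(r["src"], r["dst"])].append((r["start"], r["dstport"]))
    flagged = set()
    for (src, _dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({p for t, p in events[i:] if t - t0 <= window}) >= min_ports:
                flagged.add(src)
    return flagged
```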
 22. More Considerations
     • AWS services you choose: do they leave the VPC?
     • NTP
     • DNS
     • Active Directory
     • Proxies
     • Amazon IP ranges
     • Installing software packages: secure access to repositories
     • Backhauling traffic
     • Data transfer costs
 23. Is it easier to patch all your hosts, or to block traffic to a network port? Depends on your network.
 24. Understand paths traffic can take. Data is like water: open a hole and it will flow there.
 25. Limit Entry and Exit Points
 26. Deploy Security Controls at Entry + Exit Points
     (diagram: INTERNET ROUTE → SECURITY CHECK → PROTECTED HOST with NO INTERNET ROUTE; X X EVIL; controls: WAF, NAT, HTTP/S PROXY, IDS/IPS, DLP, UTM/NGF, BASTION, API GATEWAY, DEPLOY SYSTEM, DDOS (SHIELD))
 27. Transit VPC
     • Fewer connections vs. trying to connect every network
     • Easier to manage a single point of intersection
     • Capture traffic crossing boundaries
     • Extra protection and inspection at this point
 28. IF A CONTROL CAN BE CHANGED BY ANYONE, THE CONTROL IS USELESS
     • Root company account
     • AWS Organizations
     • AD + MFA
     • Roles + policies
     • Developers are rarely network security professionals
       ^ That could change!
     • Security team for network changes, transit VPC
 29. Implementation Bottlenecks ~ Some Tips
     • If network deployments become bottlenecks there will be a revolt
     • Create rules that people can understand and follow
     • Create common network patterns: WAF > Web > App > DB
     • Don’t throw network implementation over the wall to developers
     • Have app developers present to test networking when deployed
     • QA / pen test your networking implementation (follow AWS rules)
     • Allow developers to propose changes, as with a GitHub fork
     • Automate ~ wisely!
 30. Accounts and VPCs
     • Design accounts, VPCs and subnets to limit entry and exit points
     • Break into separate accounts for:
       • Groups with different permissions: teams, lines of business, departments
       • Sandbox (air-gapped)
       • Lift and shift not matching security standards and policies
       • Separate environments to limit PCI scope, HIPAA, PII
     • Consider peering connection costs and route implications
 31. SDLC: Dev, QA, Staging, Prod
     (diagram: Check In Code → CI/CD → Deploy to DEV, QA, Staging, PROD)
     • Separate accounts for separate teams
     • Test deployments
     • Different levels of network access
     • Embedded security checks
 32. Direct Connect or VPN
     • Use VPN or Direct Connect between regions and locations
     • Direct Connect = private line, fewer issues with latency (data center)
     • VPN = encrypted tunnel for traffic to traverse instead of going over the Internet, which is more exposed
     • An IPSEC VPN is at layer 3: less information for attackers; VPN endpoints must be secured.
     • SSL is layer 7. Exposes more information in unencrypted portions of the packet header. Must secure every SSL endpoint, end to end.
     • Use both IPSEC + HTTPS APIs for private traffic if possible.
 33. An IBM report finds that human error contributes to 95% of all security breaches.
 34. Secure and Automated Deployments
     https://github.com/tradichel/FireboxCloudAutomation
     (diagram labels: Availability Zone; Public Subnet, IGW in Route Table; Public ENI on eth0, security group, Public IP (EIP); Private Management Subnet, No public Internet Access, Network Access for Firebox Configuration Only; Private ENI on eth1, security group; Lambda function for CLI Commands, security group; S3 Endpoint; Bucket for Lambda and EC2, Bucket Policy; Key for Firebox CLI; Firebox Cloud, Port 4118)
 35. Event Driven Security
     • Example: honey pot and event driven incident response
     • Balancing Security and Innovation with Event Driven Automation: https://www.sans.org/reading-room/whitepapers/incident/balancing-security-innovation-event-driven-automation-36837
     • GitHub: https://github.com/tradichel/AWSSecurityAutomationFramework
 36. Reporting & Monitoring
     • VPC Flow Logs, CloudWatch
     • Logs in S3, databases
     • Elasticsearch
     • QuickSight
     • Third party tools
       • AWS Marketplace
       • Cloud services
       • SIEM (Splunk, Graylog)
     • Get help (MSSPs)
     • WatchGuard Dimension
 37. Packet Capture
     • Packet capture is possible, but must be done differently
     • Will be publishing a paper on this shortly…
 38. Collective Data
 39. Thank you!
     • Teri Radichel
     • Director of Security Strategy & Research
     • WatchGuard Technologies
     • @teriradichel – DM me if questions
     • If you cannot see my tweets send a note to @support on twitter
     • Slides: https://www.slideshare.net/TeriRadichel
 40. Related AWS Videos
     • Billion Packets: https://www.youtube.com/watch?v=St3SE4LWhKo
     • One To Many: https://www.youtube.com/watch?v=3Gv47NASmU4
     • VPN/Direct Connect: https://www.youtube.com/watch?v=Qep11X1r1QA
     • VPN/Direct Connect: https://www.youtube.com/watch?v=SMvom9QjkPk
     • Connecting Datacenters: https://www.youtube.com/watch?v=F2AWkGem7Sw
