Five Steps to Creating a Secure Hybrid Cloud Architecture

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
David Guretz, System Engineer, Palo Alto Networks
April 19, 2016
Five Steps to a Secure Hybrid
Architecture in AWS

2015 Data Loss Incidents
Source: http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
781Data breaches reported in 2015
169MRecords compromised

The Common Thread in Data Loss Incidents
SPEAR
PHISHING
EMAIL
EXPLOIT KIT
or
INFECT
USER
MOVE ACROSS
THE NETWORK
INFECT THE
DATA CENTER
ADVERSARY
COMMANDS
STEAL
DATA
Same lifecycle is followed across both physical or virtualized network

Additional Cloud Security Challenges
Limited visibility Outdated, inconsistent threat
prevention technology
Cumbersome
processes

Security: A Shared Responsibility
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Encryption Key
Management
Client & Server
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers are
responsible for their
security IN the Cloud
AWS looks after the
security OF the
platform

Security Groups, WAF or Next-gen Firewall?
• Native AWS security includes Security Groups and Web Application Firewall
• Security Groups and ACLs
• Port-based filtering only
• No visibility traffic at the application level
• Unable to prevent threats
• Cannot control file movement
• Web Application Firewalls
• Customized for each application/environment
• Focused narrowly on public facing web applications on HTTP/HTTPs
• No visibility, control, or protection for non-HTTP/HTTPs applications

CVE-2014-4061
vulnerability
root
user
Application
Server
SQL Server
172.16.1.10
source IP
172.16.2.10
destination IP
TCP/1433
destination port
MSSQL-DB
protocol
Context – Moving Beyond Layer 4
11344 KB
DoS Vuln
CVE-2014-4061
vulnerability
Remote Exec

web-browsing
application
.exe
file type
root
user
shipment.exe
file name
unknown
URL category
North Korea
destination country
172.16.1.10
source IP
64.81.2.23
destination IP
TCP/443
destination port
SSL
protocol
HTTP
protocol
Context – Outbound from AWS
344 KB
Application
Server

Protecting Your AWS
Deployment

Palo Alto Networks VM-Series for AWS
 Gathers potential threats from network
and endpoints
 Analyses and correlates threat
intelligence
 Disseminates threat intelligence to
network and endpoints
Threat Intelligence Cloud
 Identify and Inspect all traffic
 Blocks known threats
 Sends unknown to cloud
 Extensible to mobile & virtual networks
Next-Generation Firewall
 Inspects all processes and files
 Prevents both known & unknown exploits
 Integrates with cloud to prevent known &
unknown malware
Advanced Endpoint Protection

VM-Series for AWS
• Visibility into, and control over applications, not ports
• Segment applications to prevent malware propagation
• Prevent known and unknown threats
• Centrally manage system configuration, streamline policy updates
AZ1b

Segmentation for Data Center Applications
• Applications and data isolated by policy (whitelisting)
• Users granted access based on need
• Traffic is protected from malware
Credit Card
Zone
Customer Support
Zone
Customer
service
Finance
Subnet1 Subnet2
Subnet3

Segmentation in AWS
• VMs and data (VPCs) protected by
whitelist policy
• VPC-to-VPC traffic is protected from
malware
• Subnet to subnet traffic is also
controlled and protected
• Users granted access based on
need/credentials
AZ2c
DB VPC
DB1
DB2
AZ1b
Web VPC
Web
1
Web2
Subnet1
Subnet2
Subnet1
Subnet2

Attack Lifecycle Prevention
AZ1b
Web
1
DB1
Subnet1
Subnet2
Leverage Exploit
Next-Generation
Firewall
Threat Prevention
(Block Known Threats)
Execute Malware
WildFire
(Block Unknown Threats)
Threat Prevention
(Anti-Malware)
Threat Prevention
(Prevent C&C)
Control Channel
Threat Prevention
(Block Lateral Movement)
Threat Prevention
(Prevent C&C)
Steal Data
File Blocking & Data
Filtering

• Centrally manage configuration and policy
across enterprise and cloud
• Aggregate traffic logs for visibility, forensics and
reporting
• Streamline policy updates with APIs and
dynamic monitoring of Amazon VPC
Streamline Management and Policy Updates
APIs
Application
Network
Security
AZ1b
Web
1
DB1
Subnet1
Subnet2

AWS Hybrid Cloud Security
with the VM-Series

Combines best of both worlds
• Private data center for static, older workloads
• Public cloud for newer apps, agility, scalability
Hybrid Cloud Topology
IPSec VPNDC-FW1
DC-FW2
AZ1cAZ1b
Web1-01
Web1-02
Web2-01
Web2-02

• Subnet and route tables should be
established in AWS first
• Each subnet gets a unique route
table
• External subnet routes to the IGW
• Internal subnet and route table
should exclude IGW
• Eliminates internal subnet to
Internet routing – even if firewall
is misconfigured
Step 1: Getting the Subnets Right

Step 2: Deploy the VM-Series for AWS
• Two licensing options enabled via AWS Marketplace
• Consumption-based licensing in AWS marketplace: Fixed
bundles purchased for annual or hourly time periods
• Bring Your Own License (BYOL): Pick and choose licenses,
subscriptions and support to best suite our needs
• Instances: Small c3 to c4.4xlarge. Confirm latest list in
AWS Marketplace
• Elastic Network Interfaces (ENI): Up to 8 ENIs with
the first ENI always dedicated to management
• Interface Modes: L3 only due to the AWS infrastructure requirements. TAP, L2, and
virtual wire interface modes are not supported
• CPU, Memory and Storage: All Instance types support 2, 4, or 8 vCPUs, and they all
require at least 4 GB of dedicated memory and 40 GB of EBS-optimized volume
storage

• VM-Series for AWS acts as a VPN
termination point
• Fully supports IPSec VPN standards
Step 3: Establishing the IPSec VPN Connection

Challenge
With two or more subnets, firewall
can intentionally or accidentally
be bypassed
Step 4: Ensuring Traffic Flows Through the Firewall
AZ1b
DB1
Web1

Challenge
With two or more subnets, firewall
can intentionally or accidentally
be bypassed
Step 4: Ensuring Traffic Flows Through the Firewall
Solution
Force all traffic to the firewall by
adding a self referencing security
group
AZ1b
DB1
Web1
AZ1b
DB1
Web1

AWS Configuration to Force Traffic Through Firewall
Self referencing security groups

Validating the Configuration
Web to DB connection via the
VR and firewall succeeds
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms

Validating the Configuration
Attempted bypass by altering
default route is dropped
ubuntu@web1:~$ sudo route add default gw 10.4.3.1
ubuntu@web1:~$ sudo route del default gw 10.4.3.101
0.0.0.0 10.4.3.1 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Web to DB connection via the
VR and firewall succeeds
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms

Step 4: Scaling with ECMP
• ECMP weighted round robin in private data center
• Distributes the load across multiple VM-Series instances
AZ1cAZ1b
Web1-01
Web1-02
Web2-01
Web2-02
DC-FW1
DC-FW2
Web0-01
Web0-01

Scaling with On-Premises Load Balancer
• Traffic load is shared across both private and
public cloud
• Static routes on firewall across multiple VPN
tunnels adds redundancy
• Single load balancer configuration minimizes
management effort
AZ1c
DC-FW1
AZ1b
Web1-01
Web1-02
Web2-01
Web2-02
DC-FW2
Web0-01

Scaling with Elastic Load Balancing
• Elastic Load Balancing supported natively
for security scaling
• Citrix NetScaler – documented in tech
pubs
• NGINX also proven to work
AZ1cAZ1b
Web2-01
Web2-02
Web1-01
Web1-02
Web1-03
Web2-03
DC-FW1
DC-FW2
Web0-01
Web0-01

Step 5: Security Automation
AWS CloudFormation Templates (CFT)
• Scripted to deploy AWS resources
• Ranges from basic install of the VM-Series to a fully configured
environment
• Check out the Hybrid Deployment Guidelines Whitepaper for a
two tiered CFT example
z
AZ1b
Web1
DB1

Automating Firewall Deployments
PAN-OS configuration
Security policies
BYOL licenses
Software updates
Dynamic content
Attach to Panorama
Device Group
vm-series-bootstrap-aws-s3-
bucket=<bucketname>
Amazon
S3 bucket

Automate Security Policy Updates

Hybrid: extend your data
center into AWS
Segmentation: Separate
applications and data for security
and compliance
Additional Deployments Scenarios
Gateway: Protection from
Internet borne threats
GlobalProtect: Policy
consistency for the
cloud, the network, and
your devices

Five Steps to Creating a Secure Hybrid Cloud Architecture

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Five Steps to Creating a Secure Hybrid Cloud Architecture

Similar to Five Steps to Creating a Secure Hybrid Cloud Architecture (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Five Steps to Creating a Secure Hybrid Cloud Architecture