A hybrid architecture is one of the easiest ways to securely address new application requirements and cloud-first development initiatives. This approach lets you start small and expand as your requirements change while maintaining a strong security posture. In this session, you will learn the 5 key steps to building a hybrid architecture on AWS using the VM-Series next-generation firewall.
2. 2015 Data Loss Incidents
Source: http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
• 781 data breaches reported in 2015
• 169M records compromised
3. The Common Thread in Data Loss Incidents
Spear phishing email or exploit kit → Infect user → Move across the network → Infect the data center → Adversary commands → Steal data
The same lifecycle is followed across both physical and virtualized networks.
5. Security: A Shared Responsibility
AWS looks after the security OF the platform:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Encryption Key Management; Client & Server Encryption; Network Traffic Protection
6. Security Groups, WAF or Next-gen Firewall?
• Native AWS security includes Security Groups and Web Application Firewall
• Security Groups and ACLs
  • Port-based filtering only
  • No visibility into traffic at the application level
  • Unable to prevent threats
  • Cannot control file movement
• Web Application Firewalls
  • Customized for each application/environment
  • Focused narrowly on public-facing web applications on HTTP/HTTPS
  • No visibility, control, or protection for non-HTTP/HTTPS applications
10. Palo Alto Networks VM-Series for AWS
Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Next-Generation Firewall
• Identifies and inspects all traffic
• Blocks known threats
• Sends unknowns to the cloud
• Extensible to mobile & virtual networks
Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with the cloud to prevent known & unknown malware
11. VM-Series for AWS
• Visibility into, and control over applications, not ports
• Segment applications to prevent malware propagation
• Prevent known and unknown threats
• Centrally manage system configuration, streamline policy updates
14. Segmentation for Data Center Applications
• Applications and data isolated by policy (whitelisting)
• Users granted access based on need
• Traffic is protected from malware
(Diagram: Credit Card Zone, Customer Support Zone, Customer Service and Finance across Subnet1, Subnet2 and Subnet3)
15. Segmentation in AWS
• VMs and data (VPCs) protected by whitelist policy
• VPC-to-VPC traffic is protected from malware
• Subnet-to-subnet traffic is also controlled and protected
• Users granted access based on need/credentials
(Diagram: Web VPC in AZ1b with Web1 and Web2 across Subnet1 and Subnet2; DB VPC in AZ2c with DB1 and DB2 across Subnet1 and Subnet2)
16. Attack Lifecycle Prevention
• Leverage exploit: Next-Generation Firewall; Threat Prevention (Block Known Threats)
• Execute malware: WildFire (Block Unknown Threats); Threat Prevention (Anti-Malware)
• Control channel: Threat Prevention (Prevent C&C); Threat Prevention (Block Lateral Movement)
• Steal data: File Blocking & Data Filtering
(Diagram: Web1 and DB1 in AZ1b across Subnet1 and Subnet2)
17. Streamline Management and Policy Updates
• Centrally manage configuration and policy across enterprise and cloud
• Aggregate traffic logs for visibility, forensics and reporting
• Streamline policy updates with APIs and dynamic monitoring of Amazon VPC
(Diagram: application, network and security APIs; Web1 and DB1 in AZ1b across Subnet1 and Subnet2)
19. Hybrid Cloud Topology: Combines the best of both worlds
• Private data center for static, older workloads
• Public cloud for newer apps, agility, scalability
(Diagram: DC-FW1 and DC-FW2 in the data center connected by IPSec VPN to Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c)
20. Step 1: Getting the Subnets Right
• Subnets and route tables should be established in AWS first
• Each subnet gets a unique route table
• The external subnet routes to the IGW
• The internal subnet and its route table should exclude the IGW
• This eliminates internal-subnet-to-Internet routing, even if the firewall is misconfigured
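The guardrail in Step 1 is easy to state and easy to drift from: a later change can add an IGW route to an internal subnet's table, or a subnet can end up sharing a table it should not. The following check, added here as an example and not taken from the deck or from Palo Alto Networks, walks the structure that boto3's `ec2.describe_route_tables()` returns and reports any non-external subnet whose table can reach an Internet Gateway, plus any table shared by more than one subnet. The sample route tables, subnet and gateway IDs, and the `EXTERNAL_SUBNETS` set are constructed for illustration; in practice you would pass the live `RouteTables` list.

```python
"""Step 1 guardrail: internal subnets must have no route to an Internet Gateway.

Added example, not code from the original deck. Operates on the list shape returned by
boto3's ec2.describe_route_tables()["RouteTables"]; the sample below is constructed so
the check runs offline. All IDs are illustrative placeholders.
"""

# Constructed sample in the shape of ec2.describe_route_tables()["RouteTables"].
SAMPLE_ROUTE_TABLES = [
    {   # external (public) subnet: a default route to the IGW is expected here
        "RouteTableId": "rtb-external",
        "Associations": [{"SubnetId": "subnet-external", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789", "State": "active"},
        ],
    },
    {   # internal web subnet: default route points at the firewall's ENI, not the IGW
        "RouteTableId": "rtb-web",
        "Associations": [{"SubnetId": "subnet-web", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-trust", "State": "active"},
        ],
    },
    {   # misconfigured internal DB subnet: someone added an IGW default route
        "RouteTableId": "rtb-db",
        "Associations": [{"SubnetId": "subnet-db", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789", "State": "active"},
        ],
    },
]

EXTERNAL_SUBNETS = {"subnet-external"}  # assumption: the only subnet allowed to reach the IGW


def igw_routes(route_table):
    """Destination CIDRs of every route in this table whose target is an Internet Gateway."""
    return [
        r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        for r in route_table.get("Routes", [])
        if str(r.get("GatewayId", "")).startswith("igw-")
    ]


def subnets_for(route_table):
    """Subnets explicitly associated with a route table (main-table fallback is ignored)."""
    return {a["SubnetId"] for a in route_table.get("Associations", []) if a.get("SubnetId")}


def find_igw_violations(route_tables, external_subnets=EXTERNAL_SUBNETS):
    """Map each non-external subnet that can reach an IGW to the offending destination CIDRs."""
    violations = {}
    for rt in route_tables:
        cidrs = igw_routes(rt)
        if not cidrs:
            continue
        for subnet in subnets_for(rt) - external_subnets:
            violations[subnet] = cidrs
    return violations


def shared_tables(route_tables):
    """Route tables associated with more than one subnet (the deck wants one table per subnet)."""
    return [rt["RouteTableId"] for rt in route_tables if len(subnets_for(rt)) > 1]


if __name__ == "__main__":
    print("IGW violations:", find_igw_violations(SAMPLE_ROUTE_TABLES))
    print("Shared route tables:", shared_tables(SAMPLE_ROUTE_TABLES))
```

Run it against live data by replacing `SAMPLE_ROUTE_TABLES` with `boto3.client("ec2").describe_route_tables()["RouteTables"]` and the set of subnet IDs you intend to be public; anything reported under violations is a path to the Internet that does not depend on the firewall being configured correctly.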
21. Step 2: Deploy the VM-Series for AWS
• Two licensing options enabled via AWS Marketplace
  • Consumption-based licensing in AWS Marketplace: fixed bundles purchased for annual or hourly time periods
  • Bring Your Own License (BYOL): pick and choose licenses, subscriptions and support to best suit your needs
• Instances: small c3 to c4.4xlarge. Confirm the latest list in AWS Marketplace
• Elastic Network Interfaces (ENI): up to 8 ENIs, with the first ENI always dedicated to management
• Interface modes: L3 only, due to AWS infrastructure requirements. TAP, L2 and virtual wire interface modes are not supported
• CPU, memory and storage: all instance types support 2, 4 or 8 vCPUs, and they all require at least 4 GB of dedicated memory and 40 GB of EBS-optimized volume storage
22. Step 3: Establishing the IPSec VPN Connection
• VM-Series for AWS acts as a VPN termination point
• Fully supports IPSec VPN standards
23. Step 4: Ensuring Traffic Flows Through the Firewall
Challenge: With two or more subnets, the firewall can intentionally or accidentally be bypassed.
24. Solution: Force all traffic to the firewall by adding a self-referencing security group.
(Diagram: Web1 and DB1 in AZ1b, before and after the security group is applied)
25. AWS Configuration to Force Traffic Through the Firewall
Self-referencing security groups
26. Validating the Configuration
Web to DB connection via the VR and firewall succeeds:
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
64 bytes from db1 (10.4.5.201): icmp_seq=2 ttl=63 time=0.916 ms
64 bytes from db1 (10.4.5.201): icmp_seq=3 ttl=63 time=1.04 ms
--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms
27. Validating the Configuration
Attempted bypass by altering the default route is dropped:
ubuntu@web1:~$ sudo route add default gw 10.4.3.1
ubuntu@web1:~$ sudo route del default gw 10.4.3.101
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.1 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
--- db1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
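Slides 26 and 27 validate Step 4 by hand: read the host's routing table, confirm the default gateway is the firewall's interface, and ping the DB tier. The script below is an added example (not from the deck or from Palo Alto Networks) that automates that validation so it can run from a host check or a CI job. It embeds the `netstat -rn` and `ping` output exactly as shown on the slides as its constructed input; the firewall interface 10.4.3.101 and the VPC router 10.4.3.1 come from the slides, and the `validate_path` function name and verdict format are the example's own.

```python
"""Automated version of the slide 26/27 validation: is the workload's default route still the
VM-Series trust interface, and does the Web-to-DB path work?

Added example, not code from the original deck. The routing-table and ping text below is the
output shown on the slides, embedded so the check runs offline; in practice, feed it the live
output of `netstat -rn` and `ping` collected from the host.
"""
import re

FIREWALL_GW = "10.4.3.101"   # VM-Series interface in the web subnet (from the slides)
VPC_ROUTER = "10.4.3.1"      # AWS VPC router; a default route here bypasses the firewall

# Constructed from slide 26: default route via the firewall.
ROUTES_OK = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.4.3.101      0.0.0.0         UG        0 0          0 eth0
10.4.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# Constructed from slide 27: default route changed to the VPC router.
ROUTES_BYPASS = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.4.3.1        0.0.0.0         UG        0 0          0 eth0
10.4.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

PING_OK = "3 packets transmitted, 3 received, 0% packet loss, time 2002ms"
PING_BYPASS = "3 packets transmitted, 0 received, 100% packet loss, time 1999ms"


def parse_routes(netstat_text):
    """Parse `netstat -rn` output into dicts with destination, gateway, genmask, flags, iface."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows start with a dotted-quad destination; the two header lines do not.
        if len(fields) >= 8 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[0]):
            routes.append({"destination": fields[0], "gateway": fields[1],
                           "genmask": fields[2], "flags": fields[3], "iface": fields[7]})
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0.0.0.0 route, or None if the host has no default route."""
    for r in routes:
        if r["destination"] == "0.0.0.0" and r["genmask"] == "0.0.0.0":
            return r["gateway"]
    return None


def packet_loss(ping_summary):
    """Packet-loss percentage from a ping statistics line, or None if absent."""
    m = re.search(r"(\d+)% packet loss", ping_summary)
    return int(m.group(1)) if m else None


def validate_path(netstat_text, ping_summary, firewall_gw=FIREWALL_GW):
    """Verdict: does the default route go via the firewall, does the path work, what to flag."""
    gw = default_gateway(parse_routes(netstat_text))
    loss = packet_loss(ping_summary)
    via_firewall = gw == firewall_gw
    findings = []
    if not via_firewall:
        findings.append(f"default route changed: gateway {gw} is not the firewall {firewall_gw}")
    if loss is None or loss > 0:
        findings.append(f"Web to DB path failing: {loss}% packet loss")
    return {"gateway": gw, "via_firewall": via_firewall, "packet_loss": loss, "findings": findings}


if __name__ == "__main__":
    print(validate_path(ROUTES_OK, PING_OK))         # slide 26: via firewall, no findings
    print(validate_path(ROUTES_BYPASS, PING_BYPASS)) # slide 27: bypass detected, 100% loss
```

The two findings together are the signal the deck is after: a changed default gateway tells you someone altered the host's routing, and the accompanying 100% loss confirms the security group dropped the traffic that tried to skip the firewall. A changed gateway with 0% loss would be the case to escalate, since it means a direct path exists that the security group did not close.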
28. Step 4: Scaling with ECMP
• ECMP weighted round robin in the private data center
• Distributes the load across multiple VM-Series instances
(Diagram: DC-FW1 and DC-FW2 load-sharing to Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c, plus Web0-01 on premises)
29. Scaling with On-Premises Load Balancer
• Traffic load is shared across both private and public cloud
• Static routes on the firewall across multiple VPN tunnels add redundancy
• Single load balancer configuration minimizes management effort
(Diagram: DC-FW1 and DC-FW2 with Web0-01 on premises; Web1-01, Web1-02, Web2-01 and Web2-02 across AZ1b and AZ1c)
30. Scaling with Elastic Load Balancing
• Elastic Load Balancing supported natively for security scaling
• Citrix NetScaler – documented in tech pubs
• NGINX also proven to work
(Diagram: DC-FW1 and DC-FW2 with Web0-01 on premises; Web1-01 to Web1-03 and Web2-01 to Web2-03 across AZ1b and AZ1c)
31. Step 5: Security Automation
AWS CloudFormation Templates (CFT)
• Scripted to deploy AWS resources
• Ranges from a basic install of the VM-Series to a fully configured environment
• Check out the Hybrid Deployment Guidelines Whitepaper for a two-tiered CFT example
(Diagram: Web1 and DB1 in AZ1b)
35. Additional Deployment Scenarios
• Hybrid: extend your data center into AWS
• Segmentation: separate applications and data for security and compliance
• Gateway: protection from Internet-borne threats
• GlobalProtect: policy consistency for the cloud, the network, and your devices