Enterprise-sanctioned application deployments on Infrastructure as a Service (IaaS) cloud platforms are fast becoming a reality. But while IaaS’s flexibility and cost-savings benefits are important, its success as a business solution hinges on its security.
Presented by the renowned industry expert Dr. Avishai Wool, this technical webinar covers security best practices for the Amazon Web Services (AWS) IaaS, including:
* The AWS firewall: what is it, how it differs from traditional firewalls, how it works, and tips for how to use it based on your business and technical needs
* AWS Security Groups: understanding them, and recommendations for how to structure Security Groups so that security policies can be seen and controlled effectively
* Integrating AWS into your enterprise data center: recommendations for setup and organization, and configuration considerations on AWS
* Auditing and compliance: tools and techniques for tracking security policies across the hybrid data center
Slide 6: What Amazon Provides
• Rent servers
  • Compute boxes (EC2)
  • Storage (S3)
  • Networking
• Low cost
• Outsourced – No IT department
• Elastic (power-up/shut-down lots of servers fast)
• Web UI, and programmable web-service API
Slide 8: What About Security?
• Amazon guarantees customer/customer separation
• But what about filtering policy (firewalls) for:
  • Internet <-> Amazon-server
  • Amazon-server <-> Datacenter
  • Amazon-server <-> Amazon-server
• Amazon’s solution: “AWS firewall”
  • Free (price included in the server cost)
  • Embedded in infrastructure
Slide 12: Security Groups – Basics
• A key concept in AWS is “Security Group”
• A Security Group is a list of rules
  • Comparable to a Check Point “Policy” or Cisco “Access List”
  • Has a name
• A Security Group is associated with an instance:
  • Like a “host-based firewall”
Slide 16: Security Groups – Details
• Consists of 2 lists of rules: Inbound and Outbound
• One side of the rule is implicitly “me”
  • Inbound rules: from <Somewhere> to “me” with service S
  • Outbound rules: from “me” to <Somewhere> with service S
• “my” IP address is not listed in the rule
• Result: the security group can be associated with any instance without any modification
Slide 19: Security Groups – More Details
• All rules are “PASS” rules
  • Not an oversight but a deliberate feature
• Rules do not perform NAT
  • The instance can have public and private IP addresses
  • AWS infrastructure takes care of this
• The order of rules inside a Security Group does not matter
Slide 20: Security Groups and Instances: Many to Many
• A Security Group can be associated with many instances
• An instance can be associated with many Security Groups!
  • This is a unique AWS innovation
• Why this works:
  • All rules are PASS rules
  • The order of security groups on an instance does not matter
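As an added illustration (not code from the webinar or from AWS), the following Python models the rule semantics described on slides 16 through 20: PASS-only rules with an implicit “me”, an instance’s effective policy as the union of every attached group, and a check that the decision never depends on group order. The Rule class, the group names and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import permutations

# Simplified model of the Security Group semantics in the slides, constructed
# for illustration (not AWS code): every rule is a PASS rule with one subnet and
# one service, "me" is implicit, an instance may carry several groups, and the
# effective policy is the union of every rule in every attached group.
# Connection tracking (return traffic) is deliberately left out of the model.

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" (Somewhere -> me) or "outbound" (me -> Somewhere)
    cidr: str        # the <Somewhere> side; "me" is never written in the rule
    protocol: str    # "tcp", "udp" or "icmp"
    port_from: int   # port range (for icmp: ICMP type range)
    port_to: int

    def matches(self, direction, peer_ip, protocol, port):
        return (self.direction == direction
                and self.protocol == protocol
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr))

def is_allowed(groups, direction, peer_ip, protocol, port):
    """Implicit deny: traffic passes only if some rule in some attached group
    matches. With PASS-only rules, neither rule order nor group order can change
    the result, which is what makes the many-to-many association safe."""
    return any(rule.matches(direction, peer_ip, protocol, port)
               for group in groups for rule in group)

def same_decision_regardless_of_order(groups, *packet):
    """Check order independence for one packet across every ordering of the groups."""
    decisions = {is_allowed(list(order), *packet) for order in permutations(groups)}
    return len(decisions) == 1

# Constructed modular groups in the spirit of slide 25 (function + infrastructure)
WEB = [Rule("inbound", "0.0.0.0/0", "tcp", 443, 443)]            # public HTTPS
LINUX_INFRA = [Rule("inbound", "10.0.0.0/8", "tcp", 22, 22),      # SSH from the datacenter
               Rule("inbound", "10.0.0.0/8", "icmp", 8, 8),       # ping (echo request)
               Rule("outbound", "10.0.0.0/8", "udp", 123, 123)]   # NTP
DB = [Rule("inbound", "10.1.2.0/24", "tcp", 3306, 3306)]          # MySQL from the web subnet

if __name__ == "__main__":
    web_server = [WEB, LINUX_INFRA]
    print(is_allowed(web_server, "inbound", "203.0.113.5", "tcp", 443))  # True
    print(is_allowed(web_server, "inbound", "203.0.113.5", "tcp", 22))   # False
    print(same_decision_regardless_of_order(web_server, "inbound", "10.5.6.7", "tcp", 22))  # True
```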
Slide 23: Current Policy Management Limitations
• Only a single subnet per rule
  • No named network objects
  • No network object groups
• Only a single service (protocol+port range) per rule
  • No named service objects
  • No service object groups
• No comments per rule
• No per-rule hit counting or logging
• No “next-generation firewall” capabilities
Slide 24: How to Organize the Policy?
Things to think about:
• Modularity
• Make it understandable
• Directionality
Slide 25: Modular Policy Design
• Create separate Security Groups for instances that have the same function:
  • Web servers
  • Database servers
  • Etc…
• Create Security Groups for “default” or “infrastructure” services
  • Separate per operating system (Linux/Windows/…)
Slide 27:
• SSH access to command line (Linux)
• NTP to synchronize clocks
• ICMP to allow network troubleshooting (ping)
• Etc…
Slide 29: Pitfall: Too many Security Groups per Instance
Keep it understandable:
• Which policy protects a particular instance?
KISS principle: Keep It Simple…

Security Groups per Instance:
  1-2         Simple
  3           Borderline
  4 or more   Complicated
Slide 32:
• Understandable – as long as policy is simple
  • Not too many rules (without scrolling)
  • Not too many Security Groups (without many columns)
Slide 33: Pitfall: Insecure Outbound Rules
• By default a Security Group allows anything in the outbound direction:
  • any service
  • to any IP address
• Instance creation wizard does not suggest changing the default
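An added audit example, not AlgoSec or AWS code, that runs the two checks from slides 29 and 33 over constructed records shaped like `aws ec2 describe-security-groups` and `describe-instances` output: it flags groups that still carry the default any-service/any-destination outbound rule, and counts groups per instance against the 1-2 / 3 / 4-or-more thresholds. The group and instance IDs are made up for the example.

```python
# Added audit example over constructed data, not AlgoSec or AWS code. The dicts
# below mirror the shape of `aws ec2 describe-security-groups` and
# `describe-instances` output; in practice load the real JSON via the CLI/boto3.

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     # Default egress left by the instance creation wizard: any protocol ("-1")
     # to any destination.
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.1.2.0/24"}]}],
     # Egress narrowed to NTP towards the datacenter only.
     "IpPermissionsEgress": [{"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
                              "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

def sg(*ids):  # helper building the SecurityGroups list an instance record carries
    return [{"GroupId": i} for i in ids]

SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "SecurityGroups": sg("sg-0aaa")},
    {"InstanceId": "i-0002", "SecurityGroups": sg("sg-0aaa", "sg-0bbb", "sg-0ccc")},
    {"InstanceId": "i-0003", "SecurityGroups": sg("sg-0aaa", "sg-0bbb", "sg-0ccc", "sg-0ddd")},
]

def open_egress_groups(groups):
    """GroupIds whose outbound rules allow any service to any IPv4 or IPv6 address."""
    flagged = []
    for g in groups:
        for perm in g.get("IpPermissionsEgress", []):
            any_service = perm.get("IpProtocol") == "-1"
            any_dest = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                        or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if any_service and any_dest:
                flagged.append(g["GroupId"])
                break
    return flagged

def complexity_by_instance(instances):
    """Apply the slide's thresholds: 1-2 Simple, 3 Borderline, 4 or more Complicated."""
    report = {}
    for inst in instances:
        n = len(inst.get("SecurityGroups", []))
        label = "Simple" if n <= 2 else ("Borderline" if n == 3 else "Complicated")
        report[inst["InstanceId"]] = (n, label)
    return report
```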
Slide 37: Authentication
• Keys to the kingdom: the AWS web interface
  • Power instances on/off
  • Change filtering policy and access controls
Tip: Protect the access with more than just a password!
Slide 40: MFA: Multi-Factor Authentication
• Instead of a simple password
• Use a smartphone app (“Google Authenticator”)
  • Provides a time-varying password
Slide 41: System Logs and Audit Trail
• CloudWatch: Health monitoring and log server
• CloudTrail: Audit log for API calls
• 3rd party change tracking: AlgoSec
Slide 44:
• Send API call activity to CloudTrail
• View log via S3
Slide 45: AlgoSec: Unified Policy Management
• Extends on-premise visibility to the cloud
• Centrally manage on-premise firewall policies alongside Amazon security groups
• Monitor changes to Amazon Security Groups for unified auditing and troubleshooting
Slide 47: Attachments
• Infographic: Managing Security Policies Across Hybrid Cloud Environments: Visibility is Obscured by Clouds
• Research: Examining Security Policy Management in Hybrid Cloud Environments
• eBook: Security Policy Management in the Data Center for Dummies
Slide 48: Q&A
Learn more: algosec.com
Learn even more: blog.algosec.com
Seeing is believing: algosec.com/demo
Contact us/slides: marketing@algosec.com