Securing DoD workloads in the cloud is no task to be taken lightly. Today's ever-changing threat landscape requires the advanced capabilities of Palo Alto Networks VM-Series Next Generation Firewall to secure your AWS deployment. Granular security controls based upon users, their applications and the content within those applications give you complete visibility into, and control over, the "who" (via User-ID), and "what" (via App-ID) of your cloud traffic while preventing both known and unknown threats. Coupled with Palo Alto Networks and Amazon's Secure Cloud Computing Architecture (SCCA) Quick Start deployment template, the process of attaining your accreditation is greatly streamlined. Automate your deployment on AWS with many required SCCA security controls both pre-configured and documented at the time of deployment. This session will relate the capabilities that Palo Alto Networks Next Generation Firewall brings to the cloud- including a product demonstration conducted on a VM-Series firewall running on AWS. The target audience is technical security practitioners and information assurance professionals who want to understand the capabilities of Palo Alto Networks on AWS, prevent data breaches, and efficiently attain their accreditation. Learn More: https://aws.amazon.com/government-education/

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George Balulis, Systems Engineer, Palo Alto Networks
Jim Caggy, Manager, DoD Solutions, Amazon Web Services
June 16, 2017
Palo Alto Networks and AWS:
Streamline Your Accreditation with Superior Security

2. • AWS has achieved FedRAMP HIGH
• DoD Provisional Authorizations (PA) for IL4 under the DoD Cloud
Security Requirements Guidance.
• DoD PA for IL5 – Soon!
• Connectivity to DODIN on both the East Coast and West Coast
• NIPRNET/DREN–connected AWS VPCs since 2014
AWS Accreditations and Authorizations

3. DoD Secure Cloud Computing Architecture
• DoD Secure Cloud Computing
Architecture (SCCA) Functional
Requirements Document (FRD)
• Released March 9, 2017
• Replaces the Draft CAP FRD
• Provides implementation flexibility
• Freedom to architect and manage
as a shared services enclave

4. DoD SCCA Component Functional Requirements
Virtual Datacenter Security Stack (VDSS)
Provides network and application security capabilities, such as an
application-aware firewall or intrusion prevention system.
Virtual Datacenter Management Stack (VDMS)
Provides system support services for mission owner environments
(AD/LDAP, DNS, patch repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish
policies for controlling privileged user access to connect VPCs to DISN and
for administrating cloud services
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from
the cloud.

5. DoD SCCA FRD Recommended Leveraged Services Model
Virtual Datacenter Security Stack (VDSS)
Leveraged network and application security services:
• WAF - application-aware firewall
• Network intrusion prevention/detection system
• Network firewall w/ full packet capture
• Network flow logs
Virtual Datacenter Management Stack (VDMS)
Leveraged infrastructure management support services:
• ACAS / vulnerability scanning
• HBSS / endpoint protection
• AD / LDAP / SSO / OCSP
• DHCP / DNS / NTP
• Patching services
• Log management

6. SCCA Architecture Approach in AWS
GovCloud Region
App Subnet
Availability Zone A
Database Subnet
DMZ Subnet
Web
Server
App
Server
DB
Server
primary
Availability Zone B
Database Subnet
DB
Server
secondary
Web
Server
App
Server
App Subnet
DMZ Subnet
Web
Server
auto scaling group
security groupsecurity group
synchronous
replication
CND
Direct
Connect
Co-
Location
CAP
CND
DoDIN
IAP
VGW
Mission Owner Virtual Private Cloud (VPC)
Virtual Datacenter Security Stack (VDSS)
Availability Zone BAvailability Zone A
Network Firewall Services
Network Intrusion Detection/Prevention Services
Full Packet Capture Services
Web Application Firewall Services
Availability Zone B
ACAS / Vulnerability Scanning Services
HBSS / Endpoint Protection Services
AD / DNS / SSO / OCSP / DCHP Services
Other Shared Services
Availability Zone A
VGW
VGW
Virtual Datacenter Management Stack (VDMS)Inernet

7. The Power of Context
Seeing the entire picture makes all the difference

8. 344 KBfile-sharing
URL category
PowerPoint
file type
“Confidential and
Proprietary”
content
mjacobsen
user
prodmgmt
group
canada
destination country
172.16.1.10
source IP
64.81.2.23
destination IP
TCP/443
destination port
SSL
protocol
HTTP
protocol
slideshare
application
slideshare-uploading
application function

9. 344 KBunknown
URL category
EXE
file type
shipment.exe
file name
stomlinson
user
finance
group
china
destination country
172.16.1.10
source IP
64.81.2.23
destination IP
TCP/443
destination port
SSL
protocol
HTTP
protocol
web-browsing
application

10. Failure of Legacy Security Architectures
Anti-APT for
port 80 APTs
Anti-APT for
port 25 APTs
Endpoint AV
DNS protection cloud
Network AV
DNS protection for
outbound DNS
Anti-APT cloud
Internet
Enterprise Network
UTM/Blades
Limited visibility Manual responseLacks correlation
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Internet Connection
Malware Intelligence
DNS Alert
Endpoint Alert
AV Alert
SMTP Alert
AV Alert
Web Alert
Web Alert
SMTP Alert
DNS Alert
AV Alert
DNS Alert
Web Alert
Endpoint Alert

11. Security Framework

12. • Exploits
• Malware
• Command &
control
• Malicious
websites
• Bad domains
• Stolen
credentials
• All applications
• All users
• All content
• Encrypted traffic
• SaaS
• Cloud
• Mobile
• Enable business
apps
• Block “bad”
apps
• Limit app
functions
• Limit file types
• Block websites
• Dynamic
analysis
• Static analysis
• Attack
techniques
• Anomaly
detection
• Analytics
Natively Integrated

13. Application whitelisting in AWS
• VMs and data (VPCs) protected by
whitelist policy
• VPC-to-VPC traffic is protected from
malware
• Subnet-to-subnet traffic is also
controlled and protected
• Users granted access based on
need/credentials
Enable and Protect Applications in AWS
AZ2c
DB VPC
DB1
DB2
AZ1b
Web VPC
Web
1
Web2
Subnet1
Subnet2
Subnet1
Subnet2

14. Automate Firewall Deployments
• PAN-OS
configuration
• Security policies
• BYOL licenses
Software updates
dynamic content
Attach to Panorama
device group
vm-series-bootstrap-aws-s3-
bucket=<bucketname>
S3
bucket

15. External and internal load balancers
employed to facilitate independent scaling
VM-Series deployed using a
CloudFormation Template and a
bootstrapped VM-Series
Automatically Scaling the VM-Series for AWS
Region 1
Availability Zone 1
External ELB
Availability Zone 2
Internal load balancer
Auto Scaling group 1
Web Auto Scaling group
Auto Scaling group 2

16. Region 1
Availability Zone 1
External ELB
Availability Zone 2
Internal load balancer
Automatically Scaling the VM-Series for AWS
As workload traffic
increases, security scales
independently of workloads
Services used for Auto Scaling
• CloudFormation template: Automates deployment
• Worker node: Traffic monitoring and signaling
• CloudWatch: Monitor workload metrics
• S3: Storage of bootstrapping files
• PAN-OS APIs: Enables Auto Scaling integration
• Bootstrapping: Automates firewall deployment
• Panorama: Centralized management and logging
Auto Scaling group 1
Web Auto Scaling group
Auto Scaling group 2

17. PAN-OS 7.1 &
prior
Unmatched threat prevention
performance
NFV component; protect workloads in
100% virtualized data center
Branch office, small
resource footprint for
high-density, multi-
tenancy
environments
Up to 2x and 4x
previous model
performance
Hybrid cloud,
segmentation, and
Internet gateway
200M
2
4
8
100M
1
2
4
0
4
8
12
16
VM-50 Legacy vm-series VM-100/VM-200 VM-300 VM-500
Gbps
VM-Series Industry Leading Performance and Breadth

18. AWS SCCA Quick Start
Accelerate your ATO attainment
• CloudFormation template-based deployment preconfigured Palo
Alto Networks next generation firewalls
• Many DoD RMF security controls are in place
• Some controls require you to configure settings based upon your
environment:
• Examples: zone protection, RADIUS server, syslog server
Complete your config and save as a CloudFormation
template
• Rinse, repeat, re-deploy

19. PRODUCT DEMONSTRATION

20. Thank you!