AWS User Group Sydney - Meetup #60

Tonight
•  Introductions
•  Lightning Talk - David Williams – PolarSeven
“AWS Updates & News”
•  Speaker 1 – Rhys Shannon – Director, CIoud & Service Solutions ANZ - Westcon
“Reserved Instances. Optimisation, Selection & Utilisation”
•  Break – Networking, Beers, Pizza
•  Session 2 – Spike Lee – System Engineer - Brocade
“Enabling Advanced Security for your cloud”
•  Networking

AWS Updates & News:
David Williams – Service Technician
AWS Knowledge Updates
What’s New - EFS and step functions.
AWS Filesystems - understanding how EBS and Instance store are
implemented

EFS & Lambda
EFS
•  Elastic File System
Lambda
•  Step Functions

Scheduling
Scheduling SSH jobs using AWS Lambda
•  Trigger function
•  Worker function

Session 1:
Rhys Shannon - Director, CIoud & Service Solutions ANZ
Reserved Instances
Learn about the new types of Reserved Instances that are now
available, the importance of optimising your environment before
purchasing RI's and making sure that once purchased they are correctly
utilised.

Reserved Instances
Cloud and Services
  Rhys Shannon

Reserved Instances or Capacity
•  A brief History of Reserved Instances.
–  Launched 2009 > RI Marketplace 2012 > Payment Options 2014 > Scheduled RI 1/2016 >
convertible 9/2016
•  AWS Services that offer reserving:
–  EC2
–  RDS
–  DynamoDB
–  Redshift
–  ElastiCache

Ways to save.
 RI’s and Spot Purchasing Available today.
•  Standard Reserved Instance ~40% (1y) and ~60% (3y)
•  Convertible Reserved Instance ~45% (3y)
•  Dedicated Hosts ~40-60% (1-3y)
•  Scheduled Instances (limited regions) ~5-10% (1y)
•  Spot Instances – up to 90% (on demand)
•  Spot Fleets – up to 90% (on demand)
•  Spot Blocks ~30-45% (1-6 hours)

Reserved Instances.
 The Steps to success.
•  Someone needs to own it.
•  Get Visibility
•  Allocate costs – Tag like you mean it.
•  Use what you need (Optimise)
•  Lower Costs Per Hour (RI’s) and right size.
•  Optimise your cash.

Somebody needs own this
•  Single accountable source for monitoring and managing of spend.
•  AWS Partners are a big help.

Get Visibility
•  No Visibility = monthly surprises = lets buy a server = we probably wont buy a server
•  Analytics and Optimisation tools are not hard to find – Cheap, easy ROI and simple to
integrate
–  AWS Trusted Advisor
–  Cloudyn (Whitelablled via Westcon-Comstor)
–  Cloud Health

Allocate Costs – Tag
 
•  Tags should reference (relating to spend)
–  Business Unit or Cost Center
–  Application Name
–  Application Role
–  Application ID
–  Environment
–  Optional but useful:
•  Business Owner
•  Technical Owner
•  Terminate all resources without tags.
•  Tagging strategies should also consider
–  Automation
–  Other Technical requirements (versioning, clusters etc..)
–  Security Tags (Confidentiality, Compliance)

Use what you need
•  Correct Sizing
–  Under utilised = wasted cash
–  Over utilised = performance.
–  Just right = pat on the back
–  Usage over time = pathway to RI Vs Spot Vs Stay where you are.

Buy an RI (or more)
 Lower costs.
•  Standard Reserved Instance ~40% (1y) and ~60% (3y)
–  Change AV, Region, network, Instance size (linux only).
•  Convertible Reserved Instance ~45% (3y)
–  Change AV, Region, network, Instance size (linux only).
–  Change Instance Family, OS, tenancy, payment option
–  Can change the instance exchange for equal or greater value for the duration of the contract
–  Can exchange as many times as you want.
•  Scheduled Instances (limited regions) ~5-10% (1 yr)
–  Time based RI.

Optimise your Cash
•  Paying for RI’s has three options that impact the discount
–  Upfront
–  Partial
–  Not upfront
•  The other option is financing.
•  You should also consider Spot Instances for some workloads.

Spot Instance
•  Why?
–  It can be seriously cheap + great scale
–  You must bring a fault tolerant & interrupt tolerant
workload.
–  Use cases
•  Testing
•  Document Transformation
•  Map Reduce (Big Data)
•  Analysis Services (Finance, Science, Engineering),
•  Batch Workloads
•  Web Crawling
•  Encoding (Audio/Video)
–  Like the Stock market you need to understand it and
manage it.

To recap
 The steps to success.
•  Someone needs to own it.
•  Get Visibility
•  Allocate costs – Tag like you mean it.
•  Use what you need (Optimise)
•  Lower Costs Per Hour (RI’s) and right size.
•  Optimise your cash.

How can we help?
 Westcon-Comstor
•  We make things easier.
–  Allow Resellers and MSP’s to take RI Strategies across their customer base
–  Help Customers to maximise RI utilisation
–  Access to Analytics and Optimisation tools.
•  Multi Cloud
•  Whitelablled
•  Reseller and Customer access.
•  Optimisation analyst on staff.
–  Financing of RI’s.
–  Managed Spot Instance Services.
–  Access to Pre and Post sales resources.
–  True partnering with AWS.

Session 2:
Spike Lee - System Engineer
Enabling Advanced Security for your cloud
When using your AWS resources, network optimisation and traffic
inspection remains a challenge, in this session we'll look at how to get
visibility for your internet traffic and secure your website.

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY
Brocade vADC
Enabling Advanced Security for your cloud
Spike Li
Senior Systems Engineer
shli@brocade.com

Why using ADC in cloud/AWS
•  Global traffic steering (Route53)
•  TLS session management (SSL offload)
•  SLB/Health Checks for service availability
•  Session Persistence
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY 2
•  GSLB across hybrid cloud? L7 & Content-based routing?
•  Support HTTP2 connection?
•  Bandwidth & QoS management for SLA
•  Security?

AWS ELB Architecture Overview
Basic Deployment Model – Classic Load balancer
•  Note ELB VPC is not visible to customer
•  ELB fronting Customer Virtual Private
Cloud (VPC)
‒  Allowing further fine control of web traffic
•  Route53 is AWS Global Load Balancing
service (DNS based load balancing)
•  EC2 Instance i.e. Customer Application

Brocade AWS Cloud Formation Template
4© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC.
VADC-3

vADC in
Private
DataCentre
Hybrid Cloud Cluster
Go to AWS IP
Or other

More LB algorithm and Protocol support
Brocade
vTM
• vTM supports all 4 ELB web traffic
types plus 20 more advanced types
Brocade vTM Benefits
• vTM multiple advanced LB
Algorithm options

Brocade vTM Benefits
Persistence & Health Monitor Feature Assessment…
6
• Brocade vTM Health Monitor
‒ Truly know the health of backend
servers and what’s really going on
Change from using
Simple “Ping” to
Advanced & Custom
Monitors
• Brocade vTM Advanced
Session Persistence Options

•  Do what ELB can plus tons more;
•  Supports more protocols, more checks, customized rules;
•  Scale out your ELB without blowing your budget;
•  Hybrid cloud friendly;
•  Solve unexpected application problems with TrafficScript;
•  CloudFormation Template makes this easy to try!
Swiss army knife for your application with vWAF, Caching, SLB/GSLB
Brocade vADC LB functions can help to:
7

Question:
Is this firewall rule or ACL protecting me?
8
Answer: NO
•  Because attacks are
moving up the stack
OSI Model DoS Attack
7 Application HTTP, SSL, DNS, NTP
6 Presentation
5 Session
4 Transport SYN Flood, ICMP Flood, TCP
Fragmentation
3 Network ARP Poisoning
2 Data Link MAC Flood
1 Physical Cutting a cable

Most common application layer attacks
OWASP Top 10
OWASP Top 10 – 2010 (Previous) OWASP Top 10 – 2013 (latest)
A1 - Injection A1 - Injection
A3-Broken Authentication and Session Management A2-Broken Authentication and Session Management
A2-Cross Site Scripting (XSS) A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References A4-Insecure Direct Object References
A6-Security Misconfiguration A5-Security Misconfiguration
A7-Insecure Cryptographic Storage – Merged with A9 à A6-Sensitive Data Exposure
A8-Failure to Restrict URL Access – Broadened into à A7-Missing Function Level Access Control
A5-Cross Site Request Forgery (CSRF) A8-Cross-Site Request Forgery (CSRF)
<buried in A6: Security Misconfiguration> A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards A10-Unvalidated Redirects and Forwards
A9 – Insufficient Transport Layer Protection Merged with 2010 A7 into 2013 – A6

Brand Damage/Reputation
• Australian government (Census)
• Lush (SQL injection)
• Many Australian universities (Parameter tampering)
• Sony PlayStation Network (SQL injection)
• X-Box Live
• Nintendo
• Distribute IT (Hosting business destroyed)
• The list goes on & on & on....
Plenty of examples – new attacks every week

Web Site Hacking, how does hacker a,ack?
1)  Find some sites ( .php?id= ) h,p://www.id.ee/index.php?id=30470
2)  Looking for error message (with apostrophe)
3)  Start sqlmap for SQL-injecJon & DB scan
4)  Try to get from database for user info/Psw/email/account numbers…
172.24.86.1 && ls -arl /var/www/html
'or 1=1#
Command/SQL InjecJon
HTTP a,ack/L7 DDoS
slow header attack
sudo slowhttptest -c 4080 -H -i 10 -r 4000 -t GET -u http://abc/login.php -x 10 -p 1
slow read attack
sudo slowhttptest -c 4080 -X -w 10 -r 4000 -n 5 -z 32 -u http://abc.com -p 1 -l 3000
PenetraJon
Using free tools: switchblade, hydra, Sqlmap…

sqlmap -u http://www.sallatykka.com/web/index.php?id=31 –dbs
sqlmap -u http://www.sallatykka.com/web/index.php?id=31 -D sallatykkaco –tables
sqlmap -u http://www.sallatykka.com/web/index.php?id=31 -D sallatykkaco -T salla_pages --column --threads 10
sqlmap -u http://www.sallatykka.com/web/index.php?id=31 -D sallatykkaco -T salla_pages -C title,priority,id,parent --dump
--threads 10

Brocade Web Application Firewall
•  A scalable, application-aware Layer 7 security solution
•  Offers highest protection and performance in web and cloud application security
•  Allows customers to mitigate web application security threats in a scalable manner
•  Distributed WAF
13© 2015 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only
1.  Enforcer: lightweight,
agent for data inspection
2.  Decider: decides action
based on current security
for each app
3.  Admin Console: central
web-based admin console
to create and maintain
rule sets
Server Farm
Hacker
User
vWAF

© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY
•  Regular updates to baseline protection rulesets for common vulnerabilities
•  Configurable alarms (e-mail, HTTP POST, and log file) when defined events occur
•  Easy-to-use configuration wizards
•  PDF reports of service activity and security alerts
•  Configuration version tracking
•  Detailed analysis of log files
•  Attack analysis
•  Full auditing of all configuration and ruleset changes
•  Comprehensive Real-time statistics and detailed log files
Administrative Overview

Security Overview
•  Proactive protection including secure session management, cookie protection, URL
encryption, and form field protection
•  Automated ruleset suggestions based on intelligent learning algorithms
•  Simultaneous enforcement (active) and monitoring (shadow) rulesets
•  Automatic basic protection, enhanced by fine-grained custom settings
•  Bidirectional HTTP inspection, including full analysis of requests and responses
•  Automatic configuration for protection of Microsoft Outlook Web Access
•  Dashboard of a centralized, real-time overview of security status of all applications
•  Comprehensive statistics and detailed log files

•  https://youtu.be/_R2VSctdEag (diagram & preparing)
•  https://youtu.be/huIk-yZLcbE (quick install)
•  https://youtu.be/akrDAWL3G5o (content Caching)
•  https://youtu.be/5_8-pTRKKJU (vWAF intro)
•  https://www.youtube.com/watch?v=XJiKd4b9OSk (vWAF demo)
Feel free to contact:
shli@brocade.com
+61 434 036 958
Want to see the results?
Standalone vADC install and configuration demos

Thanks For Coming
Join Us Next Month – June 7th
Presenters
&
Brought to you by
>> Register @ http://www.meetup.com/AWS-Sydney/ <<

AWS User Group Sydney - Meetup #60

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie AWS User Group Sydney - Meetup #60

Ähnlich wie AWS User Group Sydney - Meetup #60 (20)

Mehr von PolarSeven Pty Ltd

Mehr von PolarSeven Pty Ltd (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

AWS User Group Sydney - Meetup #60