Migrating Application Connectivity and Network Security to AWS
TRANSCRIPT
![Page 1: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/1.jpg)
MIGRATING APPLICATION CONNECTIVITY AND NETWORK SECURITY TO AWS: WHAT YOU NEED TO KNOW
Prof. Avishai Wool, CTO and Co-Founder, AlgoSec
![Page 2: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/2.jpg)
AGENDA
• Introduction to Amazon AWS Firewall and Security Groups
• AWS Network ACLs
• Challenges, pitfalls, and tips for a manageable AWS firewall policy
• Visibility in the AWS firewall
• Hybrid environments: AWS firewall alongside traditional firewalls
2
![Page 3: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/3.jpg)
POLL
![Page 4: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/4.jpg)
INTRODUCTION TO AMAZON AWS
![Page 5: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/5.jpg)
WHAT AMAZON PROVIDES
• Rent servers
• Compute boxes (EC2)
• Storage (S3)
• Networking
• Low cost
• Outsourced – no IT department
• Elastic (power-up/shut-down lots of servers fast)
• Web UI, and programmable web-service API
5
![Page 6: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/6.jpg)
WHAT ABOUT SECURITY?
• Amazon guarantees tenant/tenant separation
• But what about filtering policy (firewalls) for:
  • Internet <-> Amazon-server
  • Amazon-server <-> Datacenter
  • Amazon-server <-> Amazon-server
• Amazon’s solution: “AWS firewall”
  • Free (price included in the server cost)
  • Embedded in infrastructure
6
![Page 7: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/7.jpg)
AWS FIREWALL: SECURITY GROUPS
7
![Page 8: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/8.jpg)
SECURITY GROUPS – BASICS
• A key concept in AWS is the “Security Group”
• A Security Group is a list of rules
  • Comparable to a Check Point “Policy” or Cisco “Access List”
  • Has a name
• A Security Group is associated with an instance:
  • Like a “host-based firewall”
8
![Page 9: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/9.jpg)
9
![Page 10: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/10.jpg)
10
![Page 11: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/11.jpg)
ZOOM INTO RULES: WHERE IS THE DESTINATION?
11
![Page 12: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/12.jpg)
SECURITY GROUPS – DETAILS
• Consists of 2 lists of rules: Inbound and Outbound
• One side of the rule is implicitly “me”
  • Inbound rules: from <Somewhere> to “me” with service S
  • Outbound rules: from “me” to <Somewhere> with service S
• “My” IP address is not listed in the rule
Result: the security group can be associated with any instance without any modification
12
![Page 13: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/13.jpg)
INBOUND RULES
13
![Page 14: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/14.jpg)
OUTBOUND RULES
14
![Page 15: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/15.jpg)
SECURITY GROUPS – MORE DETAILS
• All rules are “PASS” rules
  • Not an oversight but a deliberate feature
  • There is no Deny rule: anything no rule allows is dropped (implicit default deny)
• Rules do not perform NAT
  • The instance can have public and private IP addresses
  • AWS infrastructure takes care of this
• The order of rules inside a Security Group does not matter
15
![Page 16: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/16.jpg)
SECURITY GROUPS AND INSTANCES: MANY TO MANY
• A Security Group can be associated with many instances
• An instance can be associated with many Security Groups!
  • This is a unique AWS innovation
Why this works:
• All rules are PASS rules
• The order of security groups on an instance does not matter
• The effective policy of an instance is simply the union of the rules in all its Security Groups
16
![Page 17: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/17.jpg)
17
![Page 18: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/18.jpg)
AWS FIREWALL: NETWORK ACCESS LISTS (NACL)
18
![Page 19: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/19.jpg)
NACL– BASICS
19
• A Network Access List (NACL) is also a list of rules, with a name
  • Has separate Inbound and Outbound rules
  • One side of the rule is implicitly “me”
  • Similar to Security Groups
• A NACL is associated with the Subnet:
  • Applies to traffic into and out of all instances in the Subnet
  • “me” in NACL rules is really “all instances in the Subnet”
  • Traffic between two instances inside the same Subnet never crosses the NACL; only Security Groups filter it
• A Subnet can have a single NACL
• An instance belongs to a single Subnet
• … so at most one NACL applies to each instance
  • Strictly, it is each network interface that belongs to one Subnet and carries its own Security Groups; an instance with several interfaces can span Subnets, and each interface is then subject to its own Subnet’s NACL
![Page 20: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/20.jpg)
NACL – EVALUATION ORDER
• A NACL can have both Allow and Deny rules
• So rule order matters inside a NACL: rules are evaluated from the lowest rule number up, and the first match wins
• Traffic incoming into an instance is evaluated against:
  1. The one NACL associated with the Subnet
  2. Then all the security groups associated with the instance (in some order)
• Traffic outgoing from an instance is evaluated against:
  1. All the security groups associated with the instance (in some order)
  2. Then the one NACL associated with the Subnet
• Traffic must be allowed by both the NACL and some Security Group
• Caveat: NACLs are stateless and Security Groups are stateful. A Security Group passes the reply half of a connection it allowed without any extra rule; a NACL does not, so the reply direction (typically the ephemeral port range) needs its own Allow rule in the opposite list, or the connection hangs
20
![Page 21: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/21.jpg)
Control rule order inside a NACL
Deny rules
21
![Page 22: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/22.jpg)
CHALLENGES AND TIPS
![Page 23: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/23.jpg)
HOW TO ORGANIZE THE POLICY?
Things to think about:
• Modularity
• Making it understandable
Suggestions:
• General manageability Security Group (e.g., per OS)
• Specific functionality Security Group (e.g., by application)
23
![Page 24: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/24.jpg)
24
![Page 25: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/25.jpg)
25
• SSH access to command line (Linux)
• NTP to synchronize clocks
• ICMP to allow network troubleshooting (ping)
• Etc…
![Page 26: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/26.jpg)
26
• Web Access etc…
![Page 27: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/27.jpg)
NACL OR SECURITY GROUP?
• NACLs are broader: applied to a whole Subnet
• NACLs can have Deny rules
Possibilities:
• Put black-list IP ranges in the NACL
• If all instances in the Subnet should use a small list of services:
  • Allow (only) those services in the NACL, drop the rest
  • In Security Groups only do IP-address-based filtering (Service=Any)
• Or the other way around:
  • IP-based filtering in the NACL
  • Only service-based filtering in Security Groups (Source=Any)
27
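As an added example (not code from the talk, nor AlgoSec's), the Python model below encodes the semantics described on the Security Group and NACL slides above: allow-only, unordered groups whose rules are unioned per instance; numbered NACL rules with first match wins and a catch-all deny; NACL before groups inbound, groups before NACL outbound. It then exercises a constructed policy laid out as this slide suggests, a blacklist plus broadly allowed services in the subnet NACL and source-based filtering in a per-OS management group and an application group. Every address, name and rule is invented for illustration. The last scenario shows the caveat the slides leave out: NACLs are stateless, so the reply half of a connection needs its own rule.

```python
# Added example: how AWS combines a subnet's NACL with an instance's Security Groups.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "-1" for any protocol
    from_port: int         # -1 = all ports
    to_port: int
    cidr: str              # the <Somewhere> side; "me" is implicit
    action: str = "allow"  # Security Groups only ever allow; NACLs may also deny
    number: int = 0        # NACL rule number (evaluation order); unused in Security Groups

    def matches(self, remote_ip: str, proto: str, port: int) -> bool:
        if self.proto != "-1" and self.proto != proto:
            return False
        if self.from_port != -1 and not self.from_port <= port <= self.to_port:
            return False
        return ip_address(remote_ip) in ip_network(self.cidr)

@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule]
    outbound: List[Rule]

    def allows(self, direction: str, remote_ip: str, proto: str, port: int) -> bool:
        # All rules are PASS rules and order does not matter: any match permits the packet.
        rules = self.inbound if direction == "in" else self.outbound
        return any(r.matches(remote_ip, proto, port) for r in rules)

@dataclass
class NetworkAcl:
    name: str
    inbound: List[Rule]
    outbound: List[Rule]

    def decide(self, direction: str, remote_ip: str, proto: str, port: int) -> Tuple[str, str]:
        # Allow and Deny rules, lowest number first, first match wins; AWS appends a
        # catch-all "*" rule that denies whatever no numbered rule matched.
        rules = self.inbound if direction == "in" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(remote_ip, proto, port):
                return r.action, f"{self.name} rule {r.number}"
        return "deny", f"{self.name} rule *"

def evaluate(nacl: NetworkAcl, groups: List[SecurityGroup], direction: str, remote_ip: str,
             proto: str, port: int, is_response: bool = False) -> Tuple[bool, str]:
    """Decide one packet for the instance and name the rule that decided it.
    "in": remote_ip is the source, port the destination port on "me"; "out": the reverse.
    is_response marks the reply half of a flow the instance already allowed."""
    def nacl_check() -> Tuple[bool, str]:
        action, why = nacl.decide(direction, remote_ip, proto, port)
        return action == "allow", why
    def group_check() -> Tuple[bool, str]:
        if is_response:  # Security Groups are stateful: replies need no rule of their own
            return True, "security groups (stateful reply)"
        for g in groups:
            if g.allows(direction, remote_ip, proto, port):
                return True, f"security group {g.name}"
        return False, "security groups (no matching rule)"
    # Inbound: NACL first, then Security Groups. Outbound: Security Groups first, then NACL.
    checks = [nacl_check, group_check] if direction == "in" else [group_check, nacl_check]
    passed = []
    for check in checks:
        ok, why = check()
        if not ok:
            return False, "denied by " + why
        passed.append(why)
    return True, "allowed by " + " and ".join(passed)

# Constructed sample policy: blacklist plus broadly allowed services in the subnet NACL,
# source-based filtering in the Security Groups (one per-OS group, one per application).
CORP_NET = "203.0.113.0/24"    # on-premises data center (documentation range)
BLACKLIST = "198.51.100.0/24"  # range to block for the whole subnet
SUBNET_ACL = NetworkAcl(
    "web-subnet-acl",
    inbound=[Rule("-1", -1, -1, BLACKLIST, "deny", 10),     # lowest number: blacklist wins
             Rule("tcp", 22, 22, ANY, "allow", 100),
             Rule("tcp", 80, 80, ANY, "allow", 110),
             Rule("tcp", 1024, 65535, ANY, "allow", 120)],  # replies to our outbound flows
    outbound=[Rule("-1", -1, -1, BLACKLIST, "deny", 10),
              Rule("tcp", 1024, 65535, ANY, "allow", 100),  # replies to inbound connections
              Rule("tcp", 443, 443, ANY, "allow", 110)])    # instance fetching updates
LINUX_MGMT = SecurityGroup("linux-mgmt", inbound=[Rule("tcp", 22, 22, CORP_NET)], outbound=[])
WEB_APP = SecurityGroup("web-app", inbound=[Rule("tcp", 80, 80, ANY)],
                        outbound=[Rule("tcp", 443, 443, ANY)])
INSTANCE_GROUPS = [LINUX_MGMT, WEB_APP]  # one instance, two groups: their rules are unioned
# The same NACL without its outbound reply rule: the stateless-NACL mistake.
STRICT_ACL = NetworkAcl("web-subnet-acl-no-replies", SUBNET_ACL.inbound,
                        [r for r in SUBNET_ACL.outbound if r.number != 100])

if __name__ == "__main__":
    for label, acl, *pkt in [
            ("SSH from the data center", SUBNET_ACL, "in", "203.0.113.7", "tcp", 22),
            ("SSH from the Internet", SUBNET_ACL, "in", "192.0.2.9", "tcp", 22),
            ("HTTP from the blacklisted range", SUBNET_ACL, "in", "198.51.100.5", "tcp", 80),
            ("HTTP reply to a client", SUBNET_ACL, "out", "192.0.2.9", "tcp", 51234, True),
            ("same reply, NACL lacks reply rule", STRICT_ACL, "out", "192.0.2.9", "tcp", 51234, True)]:
        print(f"{label}: {evaluate(acl, INSTANCE_GROUPS, *pkt)}")
```

The SSH-from-the-Internet case passes the NACL (port 22 is allowed broadly there) and is stopped by the Security Groups, which hold the source restriction; the blacklisted client is stopped by NACL rule 10 before any group is consulted. Swapping which layer holds which half of the policy, as the slide's second alternative suggests, changes only where the packet is stopped, not whether it is.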
![Page 28: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/28.jpg)
Broadly allowed services (from anywhere)
Black-List
28
![Page 29: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/29.jpg)
PITFALL: TOO MANY SECURITY GROUPS PER INSTANCE
Keep it understandable:
• Which policy protects a particular instance?
• Don’t forget the NACLs too
KISS principle: Keep It Simple…

| Security Groups per Instance | Rating |
|---|---|
| 1-2 | Simple |
| 3 | Borderline |
| 4 or more | Complicated |
![Page 30: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/30.jpg)
How to view the policy on an instance
30
![Page 31: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/31.jpg)
31
![Page 32: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/32.jpg)
32
• May be understandable – as long as the policy is really simple…
• Not too many rules (without scrolling)
• Not too many Security Groups (without many columns)
• What about NACLs?
• No search…
![Page 33: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/33.jpg)
PITFALL: FINE-PRINT LIMITATIONS
AWS limitations (as quoted at the time of this talk):
• At most 20 rules per NACL (in each direction)
• At most 50 rules per Security Group (in each direction)
• At most 5 Security Groups per instance
Grand total of 5 x 50 + 20 = 270 rules per instance, in each direction
• These are not large numbers!
• Plan your policy carefully so you don’t run out
• Note: AWS now publishes these as adjustable service quotas and the default values have changed since this talk; check the current limits for your account, and remember that a rule with several sources counts once per source
33
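The following added Python audit (not from the talk, nor AlgoSec's product) answers the previous pitfall's question, which policy protects a particular instance, and checks the headroom against the limits quoted above. Its input is constructed inline to mirror the JSON shape of `aws ec2 describe-instances`, `describe-security-groups` and `describe-network-acls`; every instance, group, subnet and ACL identifier is invented, and the limit constants are the figures from the slide rather than current quotas. In a real account the three dicts would be loaded from those commands' output.

```python
# Added example: audit which policy protects each instance and how close it sits to the limits.
# Input dicts are constructed to mirror the shape of `aws ec2 describe-instances`,
# `describe-security-groups` and `describe-network-acls` JSON output.
from typing import Dict, List

# Limits quoted in the talk (AWS defaults at the time; adjustable service quotas today).
MAX_RULES_PER_SG = 50        # per direction
MAX_RULES_PER_NACL = 20      # per direction
MAX_SGS_PER_INSTANCE = 5


def permission(port: int, cidrs: List[str], proto: str = "tcp") -> Dict:
    """One IpPermission entry; AWS counts every source/destination in it as a separate rule."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "UserIdGroupPairs": []}


def acl_entry(number: int, egress: bool, action: str, cidr: str, port=None) -> Dict:
    entry = {"RuleNumber": number, "Egress": egress, "RuleAction": action,
             "CidrBlock": cidr, "Protocol": "-1" if port is None else "6"}
    if port is not None:
        entry["PortRange"] = {"From": port, "To": port}
    return entry


SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-mgmt", "GroupName": "linux-mgmt",
     "IpPermissions": [permission(22, ["203.0.113.0/24"])],
     "IpPermissionsEgress": [permission(123, ["0.0.0.0/0"], "udp")]},
    {"GroupId": "sg-web", "GroupName": "web-app",
     "IpPermissions": [permission(80, ["0.0.0.0/0"]), permission(443, ["0.0.0.0/0"])],
     "IpPermissionsEgress": [permission(443, ["0.0.0.0/0"])]},
    {"GroupId": "sg-db", "GroupName": "db-clients",      # 48 sources on one port = 48 rules
     "IpPermissions": [permission(3306, [f"10.0.{i}.0/24" for i in range(48)])],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-legacy", "GroupName": "legacy",
     "IpPermissions": [permission(8080, ["0.0.0.0/0"])], "IpPermissionsEgress": []},
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0web", "SubnetId": "subnet-web",
     "SecurityGroups": [{"GroupId": "sg-mgmt"}, {"GroupId": "sg-web"}]},
    {"InstanceId": "i-0app", "SubnetId": "subnet-web",
     "SecurityGroups": [{"GroupId": g} for g in ("sg-mgmt", "sg-web", "sg-db", "sg-legacy")]},
]}]}
NETWORK_ACLS = {"NetworkAcls": [{
    "NetworkAclId": "acl-web", "Associations": [{"SubnetId": "subnet-web"}],
    "Entries": [acl_entry(10, False, "deny", "198.51.100.0/24"),
                acl_entry(100, False, "allow", "0.0.0.0/0", 80),
                acl_entry(100, True, "allow", "0.0.0.0/0"),
                acl_entry(32767, False, "deny", "0.0.0.0/0"),   # the "*" rule as AWS reports it
                acl_entry(32767, True, "deny", "0.0.0.0/0")]}]}


def sg_rule_counts(group: Dict) -> Dict[str, int]:
    def count(perms: List[Dict]) -> int:
        return sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
                   + len(p.get("UserIdGroupPairs", [])) + len(p.get("PrefixListIds", []))
                   for p in perms)
    return {"in": count(group["IpPermissions"]), "out": count(group["IpPermissionsEgress"])}


def nacl_rule_counts(acl: Dict) -> Dict[str, int]:
    counts = {"in": 0, "out": 0}
    for e in acl["Entries"]:
        if e["RuleNumber"] != 32767:   # the catch-all "*" entry does not count against the quota
            counts["out" if e["Egress"] else "in"] += 1
    return counts


def complexity(n_groups: int) -> str:
    """Rating from the talk: 1-2 groups simple, 3 borderline, 4 or more complicated."""
    return "simple" if n_groups <= 2 else "borderline" if n_groups == 3 else "complicated"


def audit(instances: Dict, groups: Dict, acls: Dict) -> List[Dict]:
    """Per instance: the NACL and groups that apply, rule totals per direction, warnings."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    acl_for_subnet = {a["SubnetId"]: acl for acl in acls["NetworkAcls"] for a in acl["Associations"]}
    report = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            ids = [g["GroupId"] for g in inst["SecurityGroups"]]
            acl = acl_for_subnet[inst["SubnetId"]]
            total, warnings = {"in": 0, "out": 0}, []
            # Everything that filters this instance: the one NACL plus every attached group.
            layers = [(acl["NetworkAclId"], MAX_RULES_PER_NACL, nacl_rule_counts(acl))]
            layers += [(gid, MAX_RULES_PER_SG, sg_rule_counts(by_id[gid])) for gid in ids]
            for label, limit, counts in layers:
                for direction, n in counts.items():
                    total[direction] += n
                    if n >= 0.9 * limit:
                        warnings.append(f"{label} {direction}bound at {n}/{limit} rules")
            if len(ids) >= 4:
                warnings.append(f"{len(ids)} security groups on one instance: hard to reason about")
            if len(ids) >= MAX_SGS_PER_INSTANCE:
                warnings.append(f"at the {MAX_SGS_PER_INSTANCE}-group limit: no room to add a group")
            report.append({"instance": inst["InstanceId"], "nacl": acl["NetworkAclId"], "groups": ids,
                           "complexity": complexity(len(ids)), "rules": total, "warnings": warnings})
    return report


if __name__ == "__main__":
    for row in audit(INSTANCES, SECURITY_GROUPS, NETWORK_ACLS):
        print(row)
```

Run against the constructed data, `i-0web` comes out simple with 5 inbound and 3 outbound rules in force, while `i-0app` is rated complicated and carries a warning that `sg-db` is at 48 of 50 inbound rules, the kind of headroom problem the slide says to plan for.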
![Page 34: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/34.jpg)
AWS FIREWALL: VISIBILITY WITH ALGOSEC
![Page 35: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/35.jpg)
• All rules applied to an instance:
  • NACL
  • Plus all associated Security Groups
35
![Page 36: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/36.jpg)
• Searchable
• Across all vendors in the security estate
36
![Page 37: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/37.jpg)
Risk reporting takes all rules (NACL + security groups) into account
37
![Page 38: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/38.jpg)
Change reporting takes all rules (NACL + security groups) into account
37
![Page 39: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/39.jpg)
38
![Page 40: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/40.jpg)
CHANGE MANAGEMENT IN A HYBRID CLOUD
![Page 41: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/41.jpg)
THE BIGGER PICTURE: AWS IS PART OF THE ESTATE
Business applications have:
• Resources in the AWS cloud
• Resources in the traditional data center
• … and connectivity requirements between them
The network security policy change process should support all devices
41
![Page 42: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/42.jpg)
Requestor does not know or care which security policies need to be updated
42
![Page 43: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/43.jpg)
AWS instance identified – together with traditional firewalls
43
![Page 44: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/44.jpg)
How does the system know?
44
![Page 45: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/45.jpg)
45
![Page 46: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/46.jpg)
Work Orders for AWS security groups + Traditional device policies
46
![Page 47: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/47.jpg)
SUMMARY
• Amazon AWS Firewall: Security Groups and Network ACLs
• Challenges, pitfalls, and tips for a manageable AWS firewall policy
• Achieving visibility in the AWS firewall with AlgoSec
• Managing hybrid cloud+traditional environments with AlgoSec
• Make sure to stop by our booth at AWS re:Invent in Las Vegas, Booth 207
47
![Page 48: Migrating Application Connectivity and Network Security to AWS](https://reader035.vdocuments.us/reader035/viewer/2022070522/58eed7f91a28abdb058b45f1/html5/thumbnails/48.jpg)
MORE RESOURCES
48