AWS Cloud Firewalls
Download
Report
Transcript AWS Cloud Firewalls
AWS Cloud Firewall Review
Architecture Decision Group
October 6, 2015 – HUIT-Holyoke-CR 561
AWS Cloud Firewall Review
• What is current state?
• What are the problems with current state?
• What is Cloud Firewall and how does it solve the problems of current
state?
• Discussion/Questions
2
What is current state?
3
AWS Networking Current State
Internet
1 Summer
AWS Internet Gateways
AWS Virtual
Routers
Direct
Connect
Is a Harvard Network?
300 Bent
NAT Instances
Availability Zone
Availability Zone
virtual private cloud
Availability Zone
Availability Zone
virtual private cloud
Availability Zone
Availability Zone
virtual private cloud
VPC Peering Connections
Availability Zone
Availability Zone
virtual private cloud
What are the problems with current state?
5
What if?
Internet
1 Summer
AWS Internet Gateways
AWS Virtual
Routers
X
Direct
Connect
Is a Harvard Network?
X
X
X
300 Bent
NAT Instances
Availability Zone
Availability Zone
virtual private cloud
Availability Zone
Availability Zone
virtual private cloud
Availability Zone
Availability Zone
virtual private cloud
VPC Peering Connections
Availability Zone
Availability Zone
virtual private cloud
Current State Problems/Limitations
• All access controls operate at only the IP and Port Layers
• No ability to have network taps
– Limits visibility to active issues
– Limits response to incidents
• Limited High Availability due to AWS Network design
– No Multicast or Broadcast network traffic works in AWS
• No ability to enforce compliance requiring a proxy (for Level 3 & 4
Data)
– Currently it is based on the honor system and self-managed by the
teams
7
What is Cloud Firewall?
8
Cloud Firewall Design Goals
• Highly Available Design Extending Beyond the Harvard Campus
• Ability to Inspect both Ingress and Egress traffic via normal means
such as SPAN aggregators like Anue/Gigamon’s
• Web Proxy Filtering without server-level configuration
• Firewall Capabilities for Ingress and Egress from Layer 4 through
Layer 7 to security needs present and future
• Ability to provide faster change management and/or updates to
external firewall rules through the use of API programmatic updates
Architecture Vetting Process
• AWS Subject Matter Experts and Account Teams have reviewed the
proposal and approved the approach as valid and non-unique
• A Red Team review was done with several members of Network
Engineering, Network Operations, and Network Systems Operations
• A review was completed with Scott Bradner
• A review was completed with Enterprise Architecture Leadership
10
11
Cloud Firewall is
• A multiple geographic deployment of Direct Connect, Fortigate Next
Generation Firewalls, and DNS Global Site Load Balancing
• A highly available ingress and egress NAT solution for Cloud
deployments focusing on solving the problems with AWS but
designed to work with multiple Cloud vendors in the future
• A inline implicit web proxy (with SSL Inspection as required) for use
inside AWS
• A Layer 4 and Layer 7 firewall (layer implementation dependent on
Data Level or opt-in) for both ingress and egress into the VPC
– Not a intra-VPC ACL enforcement mechanism
• A compliance, control, and visibility endpoint
– Direct Connect enforces usage and physical nature provides Network
Tap visibility (with supporting hardware from InfoSec)
Cloud Firewall Design Issues
1. AWS requires a single ingress/egress point of access
2. Firewalls will provide NAT translation from Public IP to Private IP in
AWS
3. Global Site Selection via DNS will provide the outside access
active IP
4. Layer 7 Unified Threat Management including Intrusion Protection,
Web Filtering, Data Leak Protection, and Client Reputation requires
SSL inspection for full visibility on Egress
– Inbound traffic will have certificate inspection
– Egress traffic will have certificate inspection with the option for Man in
the Middle SSL Deep Packet Inspection
AWS Routing Design
• Ashburn Deployment will advertise default route into AWS
• Harvard Deployment will advertise default route into AWS artificially
appearing one network hop further
• All traffic will go to the BGP best path selected point which is by
default Ashburn
– Harvard traffic will transit a set of private network links between Ashburn
and Harvard
• AWS prefers the BGP learned route over any static routes entered by
the user
14
Internet
BGP Blend
Internet Provider
Private Links (2x)
300 Bent/60 Ox
1 Summer
Campus Network
39
38
37
1 0G S FP +
36
35
34
33
40
38
10G SFP+
37
31
1
4
3
6
5
8
7
10
9
29
2
36
MGM T 2
M G MT 1
28
26
25
24
23
22
21
20
19
18
17
16
15
14
13
12
4
2
M GMT 1
MGM T 2
1
3
16
C O NS O LE
HA
AL AR M
ST AT U S
PO W E R
U SB MGM T
Fo rtiGa te 15 00D
6
4
8
5
3
2
1
MGMT 2
MGMT 1
USB
CONSOLE
!
HA
ALA R M
PO W E R
39
S TA TU S
40
USB MGMT
37
FortiGate 1500D
38
Per VPC to vDOM
Direct Connect
(via VSS)
10G S FP +
7
!
USB
14
9
10
11
12
13
15
5
18
17
11
39
9
40
10
38
10G SFP+
37
8
35
6880-X
VSS
7
36
24
33
23
34
22
31
21
32
20
29
19
30
35
27
36
28
33
25
34
26
31
23
32
24
29
21
30
22
27
19
28
20
25
17
26
18
23
15
24
16
21
13
22
14
19
11
20
12
17
9
18
10
15
7
16
8
13
5
14
6
11
3
Netscaler
12
4
Netscaler
6
30
32
29
28
1
26
2
25
MGM T 2
MGM T 1
27
31
USB
Netscaler
CONSOLE
Netscaler
27
!
35
USB
C O NSO LE
HA
ALA R M
PO W E R
S TA T US
34
!
USB MGMT
33
HA
AL AR M
PO W E R
S T AT U S
FortiGate 1500D
39
U SB M GMT
Fo rtiG ate 15 00D
40
Campus Network
32
6880-X
VSS
30
Asburn DC4
Per VPC to vDOM
Direct Connect
Netscaler
Netscaler
Direct Connect
Direct Connect
Transit PoP 1
Transit PoP 2
Via 32 AoA (NYC)
Summary
• Cloud Firewall provides outbound traffic filtering
• Cloud Firewall provides network visibility for InfoSec via:
– Traffic Logs in Fortigate and FortiAnalyzer
– Ability to do Network Taps for offline analysis and response
• Failover and Disaster Recovery
16
Questions & Discussion
17