Post on 15-Jul-2015
Confidential
February 24, 2015
Speaker: Avishai Wool, AlgoSec CTO & Co-Founder
Agenda
• Introduction to Amazon AWS
• The AWS Firewall
• Configuring AWS Firewall Security Groups
• Auditing and Best Practices for AWS
Introduction to Amazon AWS
What Amazon Provides
• Rent servers
  • Compute boxes (EC2)
  • Storage (S3)
  • Networking
• Low cost
• Outsourced – No IT department
• Elastic (power-up/shut-down lots of servers fast)
• Web UI, and programmable web-service API
Amazon Technology
What About Security?
• Amazon guarantees customer/customer separation
• But what about filtering policy (firewalls) for:
  • Internet <-> Amazon-server
  • Amazon-server <-> Datacenter
  • Amazon-server <-> Amazon-server
• Amazon’s solution: “AWS firewall”
  • Free (price included in the server cost)
  • Embedded in infrastructure
Connecting Amazon Network to Corporate
vGW:
• Router
• VPN endpoint
The AWS Firewall
Security Groups – Basics
• A key concept in AWS is “Security Group”
• A Security Group is a list of rules
  • Comparable to a Check Point “Policy” or Cisco “Access List”
  • Has a name
• A Security Group is associated with an instance:
  • Like a “host-based firewall”
Zoom into Rules: Where is the Destination?
Security Groups – Details
• Consists of 2 lists of rules: Inbound and Outbound
• One side of the rule is implicitly “me”
  • Inbound rules: from <Somewhere> to “me” with service S
  • Outbound rules: from “me” to <Somewhere> with service S
• “my” IP address is not listed in the rule
• Result: the security group can be associated with any instance without any modification
Inbound Rules
Outbound Rules
Security Groups – More Details
• All rules are “PASS” rules
  • Not an oversight but a deliberate feature
• Rules do not perform NAT
  • The instance can have public and private IP addresses
  • AWS infrastructure takes care of this
• The order of rules inside a Security Group does not matter
Security Groups and Instances: Many to Many
• A Security Group can be associated with many instances
• An instance can be associated with many Security Groups!
  • This is a unique AWS innovation
• Why this works:
  • All rules are PASS rules
  • The order of security groups on an instance does not matter
Challenges and Tips
Current Policy Management Limitations
• Only a single subnet per rule
  • No named network objects
  • No network object groups
• Only a single service (protocol+port range) per rule
  • No named service objects
  • No service object groups
• No comments per rule
• No per-rule hit counting or logging
• No “next-generation firewall” capabilities
How to Organize the Policy?
Things to think about:
• Modularity
• Make it understandable
• Directionality
Modular Policy Design
• Create separate Security Groups for instances that have the same function:
  • Web servers
  • Database servers
  • Etc…
• Create Security Groups for “default” or “infrastructure” services
  • Separate per operating system (Linux/Windows/…)
  • SSH access to command line (Linux)
  • NTP to synchronize clocks
  • ICMP to allow network troubleshooting (ping)
  • Etc…
• Web Access etc…
Pitfall: Too many Security Groups per Instance
Keep it understandable:
• Which policy protects a particular instance?
• KISS principle: Keep It Simple…

Security Groups per Instance
1-2          Simple
3            Borderline
4 or more    Complicated
How to view the policy on an instance
• Understandable – as long as policy is simple
  • Not too many rules (without scrolling)
  • Not too many Security Groups (without many columns)
Pitfall: Insecure Outbound Rules
• By default a Security Group allows anything in the outbound direction:
  • any service
  • to any IP address
• Instance creation wizard does not suggest changing the default
• “View Rules” popup does not show the outbound rules
Tip: Edit the Security Group Outbound tab and add rules:
• NTP only to specific time server
• DNS lookups only via specific name server
• Etc…
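Added example (not from the slides or AlgoSec): a small Python model of the Security Group semantics described above (PASS-only rules, order-free, implicit “me”, many groups per instance) that computes an instance's effective policy and flags the two pitfalls the deck names. All group data is constructed inline; no AWS API is called.

```python
"""Added example: effective policy of an EC2 instance under the deck's Security Group
semantics (all rules PASS, order irrelevant, implicit "me", many groups per instance)."""
import ipaddress
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", "icmp" or "-1" for any protocol
    from_port: int   # -1 means the whole port range
    to_port: int
    peer: str        # CIDR of <Somewhere>; the other side is implicitly "me"

@dataclass
class SecurityGroup:
    name: str
    inbound: set = field(default_factory=set)
    # Deck: by default a group allows any service to any IP outbound
    outbound: set = field(default_factory=lambda: {Rule("-1", -1, -1, ANY)})

def effective_policy(groups):
    """Union of every attached group's rules; PASS-only makes order irrelevant."""
    inbound = set().union(*(g.inbound for g in groups))
    outbound = set().union(*(g.outbound for g in groups))
    return inbound, outbound

def is_allowed(rules, proto, port, peer_ip):
    """True if any PASS rule matches; otherwise the implicit deny applies."""
    addr = ipaddress.ip_address(peer_ip)
    for r in rules:
        proto_ok = r.proto in ("-1", proto)
        port_ok = r.from_port == -1 or r.from_port <= port <= r.to_port
        if proto_ok and port_ok and addr in ipaddress.ip_network(r.peer):
            return True
    return False

def complexity(groups):
    """Slide scale: 1-2 Simple, 3 Borderline, 4 or more Complicated."""
    n = len(groups)
    return "Simple" if n <= 2 else "Borderline" if n == 3 else "Complicated"

def audit_instance(groups):
    """Findings for the two pitfalls the deck names (constructed checks)."""
    findings = []
    if complexity(groups) == "Complicated":
        findings.append(f"{len(groups)} Security Groups on one instance")
    if any(r.peer == ANY and r.proto == "-1" for r in effective_policy(groups)[1]):
        findings.append("outbound allows any service to any IP")
    return findings
```

Because no group references its own instance's address, the same `SecurityGroup` objects can be attached to any instance unchanged, and a single group left at the default outbound rule is enough to make the whole instance's outbound policy any/any.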
Other AWS Best Practices
Authentication
• Keys to the kingdom: the AWS web interface
  • Power instances on/off
  • Change filtering policy and access controls
Tip: Protect the access with more than just a password!
MFA: Multi-Factor Authentication
• Instead of a simple password
• Use a smartphone app (“Google Authenticator”)
  • Provides a time-varying password
System Logs and Audit Trail
• CloudWatch: Health monitoring and log server
• CloudTrail: Audit log for API calls
  • Send API call activity to CloudTrail
  • View log via S3
• 3rd party change tracking: AlgoSec
AlgoSec: Unified Policy Management
• Extends On-Premise Visibility to the Cloud
• Centrally manage on-premise firewall policies alongside Amazon security groups
• Monitor changes to Amazon Security Groups for unified auditing and troubleshooting
Infographic: Managing Security Policies Across Hybrid Cloud Environments: Visibility is Obscured by Clouds
Attachments
• Research: Examining Security Policy Management in Hybrid Cloud Environments
• eBook: Security Policy Management in the Data Center for Dummies

Q&A
Learn more: algosec.com
Learn even more: blog.algosec.com
Seeing is believing: algosec.com/demo
Contact us/slides: marketing@algosec.com
Thank you