AWS Security Fundamentals: Dos and Don’ts

Post on 15-Jul-2015


Transcript of AWS Security Fundamentals: Dos and Don’ts


Confidential

February 24, 2015

Speaker: Avishai Wool, AlgoSec CTO & Co-Founder

Agenda

• Introduction to Amazon AWS

• The AWS Firewall

• Configuring AWS Firewall Security Groups

• Auditing and Best Practices for AWS

Introduction to Amazon AWS

What Amazon Provides

• Rent servers

  • Compute boxes (EC2)

  • Storage (S3)

  • Networking

• Low cost

• Outsourced – no IT department

• Elastic (power up / shut down lots of servers fast)

• Web UI, and programmable web-service API

Amazon Technology

What About Security?

• Amazon guarantees customer/customer separation

• But what about filtering policy (firewalls) for:

  • Internet <-> Amazon-server

  • Amazon-server <-> Datacenter

  • Amazon-server <-> Amazon-server

• Amazon’s solution: the “AWS firewall”

  • Free (price included in the server cost)

  • Embedded in the infrastructure

Connecting Amazon Network to Corporate

• vGW: router + VPN endpoint

The AWS Firewall

Security Groups – Basics

• A key concept in AWS is the “Security Group”

• A Security Group is a list of rules

  • Comparable to a Check Point “Policy” or Cisco “Access List”

  • Has a name

• A Security Group is associated with an instance:

  • Like a “host-based firewall”

Zoom into Rules: Where is the Destination?

Security Groups – Details

• Consists of 2 lists of rules: Inbound and Outbound

• One side of the rule is implicitly “me”

  • Inbound rules: from <Somewhere> to “me” with service S

  • Outbound rules: from “me” to <Somewhere> with service S

• “My” IP address is not listed in the rule

• Result: the security group can be associated with any instance without any modification

Inbound Rules

Outbound Rules

Security Groups – More Details

• All rules are “PASS” rules

  • Not an oversight but a deliberate feature

• Rules do not perform NAT

  • The instance can have public and private IP addresses

  • AWS infrastructure takes care of this

• The order of rules inside a Security Group does not matter

Security Groups and Instances: Many to Many

• A Security Group can be associated with many instances

• An instance can be associated with many Security Groups!

  • This is a unique AWS innovation

• Why this works:

  • All rules are PASS rules

  • The order of security groups on an instance does not matter


Challenges and Tips

Current Policy Management Limitations

• Only a single subnet per rule

  • No named network objects

  • No network object groups

• Only a single service (protocol + port range) per rule

  • No named service objects

  • No service object groups

• No comments per rule

• No per-rule hit counting or logging

• No “next-generation firewall” capabilities

How to Organize the Policy?

Things to think about:

• Modularity

• Make it understandable

• Directionality

Modular Policy Design

• Create separate Security Groups for instances that have the same function:

  • Web servers

  • Database servers

  • Etc…

• Create Security Groups for “default” or “infrastructure” services

  • Separate per operating system (Linux/Windows/…)

  • SSH access to the command line (Linux)

  • NTP to synchronize clocks

  • ICMP to allow network troubleshooting (ping)

  • Etc…

• Web access etc…

Keep it understandable:

• Which policy protects a particular instance?

KISS principle: Keep It Simple…

Pitfall: Too many Security Groups per Instance

Security Groups per Instance:

• 1-2: Simple

• 3: Borderline

• 4 or more: Complicated

How to view the policy on an instance

• Understandable – as long as the policy is simple

  • Not too many rules (no scrolling)

  • Not too many Security Groups (no need for many columns)

Pitfall: Insecure Outbound Rules

• By default a Security Group allows anything in the outbound direction:

  • any service

  • to any IP address

• The instance creation wizard does not suggest changing the default

• The “View Rules” popup does not show the outbound rules

Tip: Edit the Security Group Outbound tab and add rules:

• NTP only to a specific time server

• DNS lookups only via a specific name server

• Etc…
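The two pitfalls above (the default allow-all outbound rule and instances carrying too many Security Groups) can be checked mechanically. The script below is an added example, not part of the slides or of any AlgoSec product; it runs over constructed sample data shaped like the dictionaries boto3's `describe_security_groups` and `describe_instances` return, so it works offline, and the group and instance IDs are made up.

```python
# Constructed sample shaped like boto3 ec2.describe_security_groups()["SecurityGroups"].
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-servers",
     "IpPermissionsEgress": [  # untouched AWS default: any service to any address
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-infra", "GroupName": "linux-infra",
     "IpPermissionsEgress": [  # outbound limited to one NTP server and one resolver
         {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
          "IpRanges": [{"CidrIp": "10.0.0.5/32"}], "Ipv6Ranges": []},
         {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
          "IpRanges": [{"CidrIp": "10.0.0.2/32"}], "Ipv6Ranges": []}]},
]
# Constructed sample shaped like the Instances entries of describe_instances().
INSTANCES = [
    {"InstanceId": "i-web1", "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-infra"}]},
    {"InstanceId": "i-app1", "SecurityGroups": [{"GroupId": f"sg-{n}"} for n in range(5)]},
]

def open_egress_rules(group):
    """Describe egress rules whose destination is any address (0.0.0.0/0 or ::/0)."""
    hits = []
    for perm in group.get("IpPermissionsEgress", []):
        anywhere = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                    or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
        if not anywhere:
            continue
        if perm.get("IpProtocol") == "-1":  # "-1" is how AWS encodes "all protocols"
            hits.append("ANY service to ANY address (AWS default outbound rule)")
        else:
            hits.append(f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')} to ANY address")
    return hits

def complexity(instance):
    """Rate an instance by its number of Security Groups, using the slide's thresholds."""
    n = len(instance.get("SecurityGroups", []))
    return "simple" if n <= 2 else "borderline" if n == 3 else "complicated"

def audit(groups, instances):
    """Return one finding per open egress rule and per instance that is not 'simple'."""
    findings = []
    for g in groups:
        for desc in open_egress_rules(g):
            findings.append(f"{g['GroupId']} ({g['GroupName']}): outbound {desc}")
    for inst in instances:
        rating = complexity(inst)
        if rating != "simple":
            findings.append(f"{inst['InstanceId']}: {len(inst['SecurityGroups'])} security groups ({rating})")
    return findings
```

Feeding real data is a matter of replacing the two constants with the corresponding boto3 responses; a group that merely permits a specific service to any address is reported too, since that is often a legitimate web-access rule that deserves a look rather than a default left in place.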


Other AWS Best Practices

Authentication

• Keys to the kingdom: the AWS web interface

  • Power instances on/off

  • Change filtering policy and access controls

Tip: Protect the access with more than just a password!

MFA: Multi-Factor Authentication

• Instead of a simple password

• Use a smartphone app (“Google Authenticator”)

  • Provides a time-varying password

System Logs and Audit Trail

• CloudWatch: health monitoring and log server

• CloudTrail: audit log for API calls

  • Send API call activity to CloudTrail

  • View the log via S3

• 3rd-party change tracking: AlgoSec

AlgoSec: Unified Policy Management

• Extends on-premise visibility to the cloud

• Centrally manage on-premise firewall policies alongside Amazon Security Groups

• Monitor changes to Amazon Security Groups for unified auditing and troubleshooting

Infographic: Managing Security Policies Across Hybrid Cloud Environments: Visibility is Obscured by Clouds

Attachments:

• Research: Examining Security Policy Management in Hybrid Cloud Environments

• eBook: Security Policy Management in the Data Center for Dummies

Q&A

Learn more: algosec.com

Learn even more: blog.algosec.com

Seeing is believing: algosec.com/demo

Contact us / slides: marketing@algosec.com

Thank you