Page 1
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scaling Next Generation Security on AWS
Tobias Frigger, Systems Engineer, Palo Alto Networks
May 18th, 2017
Page 2
About Palo Alto Networks
2 | May 18th, 2017
Page 3
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• 37,000 customers; 4,800+ employees
• Gartner Enterprise Firewall Magic Quadrant Leader 5 years running
About Palo Alto Networks
AWS Security Competency approved through integration with ELB/ALB and Auto Scaling
Page 4
344 KB
URL category: file-sharing
File type: PowerPoint
Content: “Confidential and Proprietary”
User: mjacobsen
Group: prodmgmt
Destination country: canada
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL
Protocol: HTTP
Application: slideshare
Application function: slideshare-uploading
Page 5
344 KB
URL category: unknown
File type: EXE
File name: shipment.exe
User: stomlinson
Group: finance
Destination country: china
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL
Protocol: HTTP
Application: web-browsing
Page 6
Threat Intelligence in an Enterprise Security Platform
Diagram labels: REMOTE USERS, HQ DC, BRANCH, THREAT INTELLIGENCE CLOUD; Threat Prevention / URL-Filtering (shown three times); WildFire; GlobalProtect; Traps (shown twice)
Page 7
Management in an Enterprise Security Platform
Diagram labels: REMOTE USERS, HQ DC, BRANCH, THREAT INTELLIGENCE CLOUD
Page 8
Security on AWS
Page 9
Public Cloud Security: A Shared Responsibility
Security: YOUR responsibility: Customer content; Platform, Applications, Access Control; Operating System, Networking, Security; Encryption Services
Security: THEIR responsibility: Compute | Storage | Database | Networking; Global Infrastructure
Page 10
Anyone can be an Attacker
Page 11
Scaling Security on AWS
Page 12
Leveraging Native Services to Support ELB & Auto Scaling
• CloudFormation Template automates full use case deployment
• S3 Bucket stores the firewall bootstrap image
• CloudWatch consumes workload metrics to drive scale in/out decisions
• Lambda pushes custom metrics to CloudWatch via our XML API
• Auto Scaling Groups contain the firewalls that scale in/out
• PAN-OS Bootstrapping allows creation of a fully configured firewall for “on-demand” use
• PAN-OS API enables delivery of custom metrics to CloudWatch
• Panorama is optional but highly recommended to centrally manage VM-Series firewalls
Page 13
Diagram labels: Region 1, AZ1, AZ2, External ELB, ASG1, ASG2, Internal ELB, Web ASG
1. CFT deploys base topology
2. Initial firewalls are bootstrapped from S3 Bucket; bootstrapping adds FWs to Panorama
Page 14
Diagram labels: Region 1, AZ1, AZ2, External ELB, ASG1, ASG2, Internal ELB, Web ASG
3. Standard metrics sent to CloudWatch
4. Alarm triggers ASG scale out
Page 15
Diagram labels: Region 1, AZ1, AZ2, External ELB, ASG1, ASG2, Internal ELB, Web ASG
5. Lambda function collects PAN-OS metrics via API
6. Custom metrics sent to CloudWatch
7. Alarm triggers FW ASG scale events. Bootstrapping continues to add FWs to Panorama; a Lambda function removes FWs from Panorama.
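Added example of steps 5 to 7 (written for this page; not code from the slides or from Palo Alto Networks): it parses a constructed PAN-OS XML API `show session info` reply, shapes the result as the MetricData list that boto3's `put_metric_data()` accepts, and applies a hysteresis band so the scale-out and scale-in alarms do not flap. The element names `num-max`/`num-active`, the metric names and the 80/30 thresholds are assumptions to check against your PAN-OS release and alarm design.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample reply. A real Lambda would fetch it with
# GET https://<fw>/api/?type=op&cmd=<show><session><info/></session></show>&key=<api-key>
# (element names below are an assumption to verify against your PAN-OS release)
SAMPLE_REPLY = """<response status="success"><result>
  <num-max>262142</num-max>
  <num-active>196608</num-active>
</result></response>"""


def parse_session_info(xml_text: str) -> Dict[str, int]:
    """Return the session counters, or raise if the API reported an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"PAN-OS API error: {msg}")
    result = root.find("result")
    return {name: int(result.findtext(name))
            for name in ("num-max", "num-active") if result.findtext(name) is not None}


def session_utilization_pct(counters: Dict[str, int]) -> float:
    """Active sessions as a percentage of the session table size."""
    if counters.get("num-max", 0) <= 0:
        raise ValueError("num-max missing or zero; cannot compute utilization")
    return 100.0 * counters["num-active"] / counters["num-max"]


def build_metric_data(asg_name: str, counters: Dict[str, int]) -> List[dict]:
    """Shape counters as the MetricData list for cloudwatch.put_metric_data().
    Dimensioning on the ASG name lets one alarm aggregate every firewall in it."""
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name}]
    return [
        {"MetricName": "SessionUtilization", "Dimensions": dims,
         "Value": session_utilization_pct(counters), "Unit": "Percent"},
        {"MetricName": "ActiveSessions", "Dimensions": dims,
         "Value": counters["num-active"], "Unit": "Count"},
    ]


def scale_decision(util_pct: float, scale_out_at: float = 80.0,
                   scale_in_at: float = 30.0) -> str:
    """Hysteresis band: 'out' above the high mark, 'in' below the low mark, else 'hold'."""
    if scale_out_at <= scale_in_at:
        raise ValueError("scale_out_at must exceed scale_in_at")
    if util_pct >= scale_out_at:
        return "out"
    return "in" if util_pct <= scale_in_at else "hold"
```

The two CloudWatch alarms on SessionUtilization (high and low watermark) are what drive the FW ASG scale events in step 7; the gap between them is what keeps a firewall from being added and removed on consecutive evaluation periods.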
Page 16
Hybrid Use Case
Page 17
Securing one VPC
Diagram labels: IPSec VPN, DC-FW1, DC-FW2, AZ1b (Web1-01, Web1-02)
Page 18
Securing one VPC
Diagram labels: IPSec VPNs, DC-FW1, DC-FW2, AZ1b (Web1-01, Web1-02), AZ1c (Web2-01, Web2-02)
Page 19
Securing lots of VPCs
Diagram labels: DC-FW1, DC-FW2, Marketing App, HR App, QA Environment, Dev Environment
Page 20
Problem 1: Security Fragmentation
Problem 2: Tunnel Management
Problem 3: Cost
Page 21
Presenting: The Services VPC
Diagram labels: DC-FW1, DC-FW2
Page 22
Presenting: A hybrid Services VPC Deployment
Diagram labels: DC-FW1, DC-FW2
Page 23
Potential Problem: IPSec Overlay Subnet Collisions
Page 24
Solution 2: Scale Services VPC (dozens of VPCs)
Diagram labels: DC-FW1, DC-FW2
Page 25
Solution 3: Co-Location (100s of VPCs)
Diagram labels: DC-FW1, DC-FW2, Direct Connect Location, Service Provider Links
Page 26
Page 27
Q&A
Page 28
Thank you!
Come speak to us at the booth!