Extending Security of your AWS
Infrastructure with OpenSource Tools
Applicable to Azure and most other clouds.
Swiss Army Knife
About pfSense Appliance
●pfSense® - World's Most Trusted Open Source Firewall
●Available as Virtual Appliance in AWS & Azure.
●Get it from Marketplace.
Single Entry Point for Administration with
SSH or Control over SSH
Access
pfSense As JumpBox
●Another ready-made solution.
●NAT + Firewall Capabilities
●Support Inbound NAT with Port Forward.
Responsibilities
●NAT Gateway + Port NAT
Monthly Price Advantage: $25
Yearly Price Advantage: $300
●Bastion Host
Typical AWS ELB Infra
Limitations with ELB
●No HTTP ACLs
●No HTTPS redirect from ELB
●No SSL Client Auth
●No SSL SNI Support.
(Introduced in ALB)
Elastic LB or HAProxy
●ELB is a great product, but still has limitations.
ELB replaced with HAProxy
If we use HAProxy
●ACLs with various regular expressions, blacklisting.
●More Frontend and Backend Options.
●Better Monitoring Options.
●Re-Configurability / Customisations.
●HTTPS redirection from HAProxy itself.
●SSL Termination with SNI (Multiple SSLs and Multiple IPs).
●SSL Client Authentication.
Responsibilities
●NAT GW + Port NAT + Network FW + Bastion Host + Load Balancer + Web Application Firewall
Price Advantage Monthly: $50/-
Price Advantage Yearly: $600/-
Remote Access VPN
●In AWS, No Ready Solution.
●Marketplace has many options
●pfSense works out as the most cost-effective.
Wow! It is worth the money
Cisco Cloud Router $2233/year + AWS Instance Charges
Fortinet Firewall with VPN $1992/year + AWS Instance Charges
PaloAlto Firewall with VPN $4500/year + AWS Instance Charges.
Sophos UTM $788/year + AWS Instance Charges.
Netgate pfSense Firewall with VPN $600/year
You can run a t2.nano pfSense for $75/year
Responsibilities
●NAT GW + Network FW
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN
Price Advantage Monthly: $50 + $116 = $166
Price Advantage Yearly: $600 + $1392 = $1992
Site-Site VPN
●Extends your Office network securely.
●No need for endpoint client software.
Options.
●AWS Managed VPN Gateways.
●pfSense VPN Gateway for Site-Site Access.
AWS VPN Gateway
Replace with pfSense
Advantages of pfSense over AWS Managed Solution
●AWS is restricted to the IPsec option only.
●pfSense has more options like IPsec, OpenVPN, Tinc, etc.
●No added price for additional tunnels.
Responsibilities
●NAT GW + Network FW
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN
●Site-Site VPN (OpenVPN / IPsec)
Price Advantage Monthly: $166 + $73 = $239
Price Advantage Yearly: $1992 + $876 = $2868
IPS Solutions
●No Ready Made Solutions.
●Marketplace has options like Alert Logic / McAfee
pfSense Options.
●Snort IDS / IPS
●Suricata IDS / IPS
Can use it as Host/Network IDS
Rule Sets are available for HTTP/SMTP/POP3S/IMAPS/Apache etc.
Responsibilities
●NAT Gateway
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN
●IDS / IPS Functionalities
Price Advantage Monthly: $239 + $198 = $437
Price Advantage Yearly: $2868 + $2376 = $5244
Redundancy and Failover
Possible to set up failover of the pfSense instance with CARP.
Round-robin DNS Records
Now your AWS infra is more secure and fits your pocket better, with a single device.
FCOOS
Questions?
Thank You
Other OpenSource Tools
●Fail2ban:
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, seeking exploits, etc.
●Scout2:
Scout2 is an open source tool that helps assess the security posture of AWS environments. Using the AWS API, the Scout2 Python scripts fetch CloudTrail, EC2, IAM, RDS, and S3 configuration data.
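The ban decision described for Fail2ban above, sketched as an added example (not part of the original slides and not Fail2ban's own code): it counts password failures per client in Apache error-log lines and bans a client once it reaches `maxretry` failures inside a sliding `findtime` window. The parameter names mirror Fail2ban's `maxretry`, `findtime` and `ignoreip` jail options; the function name and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache 2.4 error_log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
[Mon Mar 04 10:00:00.000000 2024] [auth_basic:error] [pid 911] [client 198.51.100.20:40100] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:15:01.000000 2024] [auth_basic:error] [pid 911] [client 203.0.113.7:51001] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:15:02.000000 2024] [mpm_event:notice] [pid 900:tid 1] AH00489: Apache/2.4 configured -- resuming normal operations
[Mon Mar 04 10:15:03.000000 2024] [auth_basic:error] [pid 911] [client 203.0.113.7:51002] AH01618: user root not found: /admin
[Mon Mar 04 10:15:04.000000 2024] [auth_basic:error] [pid 911] [client 203.0.113.7:51003] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:15:05.000000 2024] [auth_basic:error] [pid 911] [client 192.0.2.10:50001] AH01617: user ops: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:15:06.000000 2024] [auth_basic:error] [pid 911] [client 192.0.2.10:50002] AH01617: user ops: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:15:07.000000 2024] [auth_basic:error] [pid 911] [client 192.0.2.10:50003] AH01617: user ops: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:20:00.000000 2024] [auth_basic:error] [pid 911] [client 198.51.100.20:40101] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Mon Mar 04 10:40:00.000000 2024] [auth_basic:error] [pid 911] [client 198.51.100.20:40102] AH01617: user bob: authentication failure for "/admin": Password Mismatch
"""

# Matches basic-auth failures only: AH01617 (password mismatch), AH01618 (unknown user).
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] '
    r'\[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] AH0161[78]: ')

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10), ignore=frozenset()):
    """Return {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not an authentication failure
        ip = m["ip"]
        if ip in ignore or ip in bans:
            continue              # allow-listed, or already banned
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines(), ignore={"192.0.2.10"}).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The client at 198.51.100.20 also fails three times, but twenty minutes apart, so it never reaches the threshold inside one window; that trade-off between `findtime` and slow guessing is the tuning decision to make per service.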