Five Steps to Creating a Secure Hybrid Cloud Architecture

Transcript of a 36-slide deck (upload: amazon-web-services, posted 12-Apr-2017, category: Technology).

Page 1: Five Steps to Creating a Secure Hybrid Cloud Architecture

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

David Guretz, System Engineer, Palo Alto Networks

April 19, 2016

Five Steps to a Secure Hybrid Architecture in AWS

Page 2: Five Steps to Creating a Secure Hybrid Cloud Architecture

2015 Data Loss Incidents

Source: http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

781 data breaches reported in 2015

169M records compromised

Page 3: Five Steps to Creating a Secure Hybrid Cloud Architecture

The Common Thread in Data Loss Incidents

Attack lifecycle: spear-phishing email or exploit kit → infect user → move across the network → infect the data center → adversary commands → steal data

The same lifecycle is followed across both physical and virtualized networks.

Page 4: Five Steps to Creating a Secure Hybrid Cloud Architecture

Additional Cloud Security Challenges

• Limited visibility
• Outdated, inconsistent threat prevention technology
• Cumbersome processes

Page 5: Five Steps to Creating a Secure Hybrid Cloud Architecture

Security: A Shared Responsibility

AWS (security OF the cloud):
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customer (security IN the cloud):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client & Server Encryption, Network Traffic Protection, Encryption Key Management

Customers are responsible for their security IN the Cloud; AWS looks after the security OF the platform.

Page 6: Five Steps to Creating a Secure Hybrid Cloud Architecture

Security Groups, WAF or Next-gen Firewall?

• Native AWS security includes Security Groups and Web Application Firewall
• Security Groups and ACLs
  • Port-based filtering only
  • No visibility into traffic at the application level
  • Unable to prevent threats
  • Cannot control file movement
• Web Application Firewalls
  • Customized for each application/environment
  • Focused narrowly on public-facing web applications on HTTP/HTTPS
  • No visibility, control, or protection for non-HTTP/HTTPS applications

Page 7: Five Steps to Creating a Secure Hybrid Cloud Architecture

Context – Moving Beyond Layer 4

Application Server (172.16.1.10) → SQL Server (172.16.2.10)
• source IP: 172.16.1.10
• destination IP: 172.16.2.10
• destination port: TCP/1433
• protocol: MSSQL-DB
• user: root
• vulnerability: CVE-2014-4061 (DoS vuln, Remote Exec)
• size: 344 KB

Page 8: Five Steps to Creating a Secure Hybrid Cloud Architecture

Context – Outbound from AWS

Application Server (172.16.1.10) → 64.81.2.23
• application: web-browsing
• protocol: SSL, HTTP
• destination port: TCP/443
• source IP: 172.16.1.10
• destination IP: 64.81.2.23
• destination country: North Korea
• URL category: unknown
• user: root
• file name: shipment.exe
• file type: .exe
• size: 344 KB

Page 9: Five Steps to Creating a Secure Hybrid Cloud Architecture

Protecting Your AWS Deployment

Page 10: Five Steps to Creating a Secure Hybrid Cloud Architecture

Palo Alto Networks VM-Series for AWS

Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints

Next-Generation Firewall
• Identify and inspect all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks

Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware

Page 11: Five Steps to Creating a Secure Hybrid Cloud Architecture

VM-Series for AWS

• Visibility into, and control over applications, not ports

• Segment applications to prevent malware propagation

• Prevent known and unknown threats

• Centrally manage system configuration, streamline policy updates


Page 12: Five Steps to Creating a Secure Hybrid Cloud Architecture

Application Visibility

Page 13: Five Steps to Creating a Secure Hybrid Cloud Architecture

Application Visibility

Page 14: Five Steps to Creating a Secure Hybrid Cloud Architecture

Segmentation for Data Center Applications

• Applications and data isolated by policy (whitelisting)
• Users granted access based on need
• Traffic is protected from malware

Diagram: Credit Card Zone and Customer Support Zone (customer service, finance) across Subnet1, Subnet2 and Subnet3

Page 15: Five Steps to Creating a Secure Hybrid Cloud Architecture

Segmentation in AWS

• VMs and data (VPCs) protected by whitelist policy
• VPC-to-VPC traffic is protected from malware
• Subnet-to-subnet traffic is also controlled and protected
• Users granted access based on need/credentials

Diagram: Web VPC in AZ1b (Web1 and Web2 on Subnet1 and Subnet2) and DB VPC in AZ2c (DB1 and DB2 on Subnet1 and Subnet2)

Page 16: Five Steps to Creating a Secure Hybrid Cloud Architecture

Attack Lifecycle Prevention

Diagram: AZ1b, Web1 on Subnet1 and DB1 on Subnet2, with the Next-Generation Firewall between them

Lifecycle stage → prevention control
• Leverage Exploit → Threat Prevention (Block Known Threats)
• Execute Malware → WildFire (Block Unknown Threats); Threat Prevention (Anti-Malware)
• Control Channel → Threat Prevention (Prevent C&C)
• Lateral Movement → Threat Prevention (Block Lateral Movement); Threat Prevention (Prevent C&C)
• Steal Data → File Blocking & Data Filtering

Page 17: Five Steps to Creating a Secure Hybrid Cloud Architecture

Streamline Management and Policy Updates

• Centrally manage configuration and policy across enterprise and cloud
• Aggregate traffic logs for visibility, forensics and reporting
• Streamline policy updates with APIs and dynamic monitoring of Amazon VPC

Diagram: Application, Network and Security APIs feeding the VM-Series in AZ1b (Web1 on Subnet1, DB1 on Subnet2)

Page 18: Five Steps to Creating a Secure Hybrid Cloud Architecture

AWS Hybrid Cloud Security with the VM-Series

Page 19: Five Steps to Creating a Secure Hybrid Cloud Architecture

Hybrid Cloud Topology

Combines best of both worlds
• Private data center for static, older workloads
• Public cloud for newer apps, agility, scalability

Diagram: IPSec VPN from DC-FW1 and DC-FW2 to VM-Series firewalls in AZ1c and AZ1b, fronting Web1-01, Web1-02, Web2-01 and Web2-02

Page 20: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 1: Getting the Subnets Right

• Subnet and route tables should be established in AWS first
• Each subnet gets a unique route table
• External subnet routes to the IGW
• Internal subnet and route table should exclude IGW
• Eliminates internal subnet to Internet routing – even if the firewall is misconfigured
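The rules in Step 1 can be checked mechanically against the live VPC. The script below is an added example, not code from the deck or from Palo Alto Networks: it audits `aws ec2 describe-route-tables` output for one route table per subnet and no IGW route in any internal table, and adds two checks of its own that a reviewer would want: an internal default route, if present, must target a firewall interface, and a subnet with no explicit association is reported because AWS then applies the VPC main route table, which often carries the IGW route. All IDs, CIDRs and the firewall ENI are hypothetical, and the sample data is constructed so that the violations surface.

```python
"""Offline audit of VPC route tables against the Step 1 rules: one route
table per subnet, only the external subnet routes to the IGW, any internal
default route targets the firewall. Input is the shape returned by
`aws ec2 describe-route-tables`; the JSON below is constructed for this
example and every ID is hypothetical."""

EXTERNAL_SUBNETS = {"subnet-0ext"}
FIREWALL_ENIS = {"eni-0fwtrust"}          # firewall's internal-side ENI (hypothetical)
ALL_SUBNETS = {"subnet-0ext", "subnet-0web", "subnet-0db", "subnet-0mgmt"}

ROUTE_TABLES = [
    {   # external route table: default route to the Internet gateway
        "RouteTableId": "rtb-0ext",
        "Associations": [{"SubnetId": "subnet-0ext"}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # internal route table, deliberately wrong in two ways:
        # shared by two subnets, and carrying a route to the IGW
        "RouteTableId": "rtb-0int",
        "Associations": [{"SubnetId": "subnet-0web"}, {"SubnetId": "subnet-0db"}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0fwtrust"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "igw-0abc"},
        ],
    },
    {   # VPC main route table (no subnet association): default to IGW
        "RouteTableId": "rtb-0main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]

TARGET_KEYS = ("GatewayId", "NetworkInterfaceId", "InstanceId", "NatGatewayId",
               "TransitGatewayId", "VpcPeeringConnectionId")


def route_target(route):
    """The next hop of a route, whichever target attribute the API set."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def audit_route_tables(route_tables, external_subnets, firewall_enis, all_subnets):
    findings = []
    associated = set()
    for rt in route_tables:
        rt_id = rt["RouteTableId"]
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a]
        associated.update(subnets)
        if not subnets:
            continue                   # main table; its users show up as unassociated subnets
        if len(subnets) > 1:
            findings.append(f"{rt_id}: shared by subnets {sorted(subnets)}")
        if any(s in external_subnets for s in subnets):
            default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
            if not default or not str(route_target(default[0])).startswith("igw-"):
                findings.append(f"{rt_id}: external subnet has no default route to an IGW")
            continue
        for r in rt["Routes"]:
            target = str(route_target(r))
            if target.startswith("igw-"):
                findings.append(f"{rt_id}: internal table routes "
                                f"{r['DestinationCidrBlock']} to {target}")
            elif r.get("DestinationCidrBlock") == "0.0.0.0/0" and target not in firewall_enis:
                findings.append(f"{rt_id}: internal default route targets {target}, "
                                "not a firewall ENI")
    # A subnet with no explicit association silently uses the VPC main table.
    for subnet in sorted(all_subnets - associated):
        findings.append(f"{subnet}: no explicit route table, falls back to the main table")
    return findings


def audit_sample():
    return audit_route_tables(ROUTE_TABLES, EXTERNAL_SUBNETS, FIREWALL_ENIS, ALL_SUBNETS)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Feed it the real output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` (the `RouteTables` list) plus the subnet IDs from `describe-subnets`; an internal table with no default route at all, as on this slide, passes, since the point of Step 1 is that nothing internal can reach the IGW even when the firewall is wrong.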

Page 21: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 2: Deploy the VM-Series for AWS

• Two licensing options enabled via AWS Marketplace
  • Consumption-based licensing in AWS Marketplace: fixed bundles purchased for annual or hourly time periods
  • Bring Your Own License (BYOL): pick and choose licenses, subscriptions and support to best suit your needs
• Instances: small c3 to c4.4xlarge. Confirm the latest list in AWS Marketplace
• Elastic Network Interfaces (ENI): up to 8 ENIs, with the first ENI always dedicated to management
• Interface modes: L3 only, due to AWS infrastructure requirements. TAP, L2 and virtual wire interface modes are not supported
• CPU, memory and storage: all instance types support 2, 4, or 8 vCPUs, and they all require at least 4 GB of dedicated memory and 40 GB of EBS-optimized volume storage

Page 22: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 3: Establishing the IPSec VPN Connection

• VM-Series for AWS acts as a VPN termination point
• Fully supports IPSec VPN standards

Page 23: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 4: Ensuring Traffic Flows Through the Firewall

Challenge: with two or more subnets, the firewall can intentionally or accidentally be bypassed

Diagram: AZ1b with Web1 and DB1

Page 24: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 4: Ensuring Traffic Flows Through the Firewall

Solution: force all traffic to the firewall by adding a self-referencing security group

Diagram: AZ1b with Web1 and DB1, before and after the security group is applied

Page 25: Five Steps to Creating a Secure Hybrid Cloud Architecture

AWS Configuration to Force Traffic Through Firewall

Self referencing security groups
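The group property this slide relies on can be verified from the API rather than by eye. The check below is an added example, not code from the deck or from Palo Alto Networks: it reads `aws ec2 describe-security-groups` output and confirms that the group guarding the protected tier references itself (admits traffic only from its own members) and, as this example's own hardening test that the slide does not state, that no CIDR-based ingress rule would let a host in another subnet reach the instance through the VPC router without passing the firewall. Which interfaces belong to the group and whether the firewall translates source addresses are deployment details the deck does not spell out and the check does not model. Group IDs, ports and CIDRs are constructed.

```python
"""Check that a security group enforces the "all traffic via the firewall"
design from Step 4. Input is the shape returned by
`aws ec2 describe-security-groups`; the groups below are constructed for the
example and every ID, port and CIDR is hypothetical."""

import ipaddress

VPC_CIDR = ipaddress.ip_network("10.4.0.0/16")

SECURITY_GROUPS = [
    {   # the group the slide's solution relies on: members may talk to
        # members, and nothing is admitted by CIDR
        "GroupId": "sg-0app", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        ],
    },
    {   # a legacy group that opens the DB port to the web subnet by CIDR
        # and SSH to the world: both reach the instance without the firewall
        "GroupId": "sg-0leaky", "GroupName": "db-legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
             "IpRanges": [{"CidrIp": "10.4.3.0/24"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def is_self_referencing(sg):
    """True when some ingress rule names the group itself as the source."""
    return any(pair.get("GroupId") == sg["GroupId"]
               for perm in sg["IpPermissions"]
               for pair in perm.get("UserIdGroupPairs", []))


def describe_ports(perm):
    if perm["IpProtocol"] == "-1":
        return "all"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def bypass_paths(sg, vpc_cidr=VPC_CIDR):
    """Ingress rules whose source is a CIDR overlapping the VPC. Traffic from
    such a source is delivered by the VPC router straight to the instance,
    so a host that re-points its default gateway gets in without the
    firewall. 0.0.0.0/0 overlaps everything and is always reported."""
    paths = []
    for perm in sg["IpPermissions"]:
        for ip_range in perm.get("IpRanges", []):
            if ipaddress.ip_network(ip_range["CidrIp"]).overlaps(vpc_cidr):
                paths.append(f"{describe_ports(perm)} from {ip_range['CidrIp']}")
    return paths


def enforces_firewall_path(sg, vpc_cidr=VPC_CIDR):
    return is_self_referencing(sg) and not bypass_paths(sg, vpc_cidr)


def audit_security_groups(groups, vpc_cidr=VPC_CIDR):
    return {
        sg["GroupId"]: {
            "self_referencing": is_self_referencing(sg),
            "bypass_paths": bypass_paths(sg, vpc_cidr),
            "ok": enforces_firewall_path(sg, vpc_cidr),
        }
        for sg in groups
    }


if __name__ == "__main__":
    for group_id, result in audit_security_groups(SECURITY_GROUPS).items():
        print(group_id, result)
```

Run it over the `SecurityGroups` list from `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc>`. The check only looks at group rules; for the firewall to forward other hosts' packets at all, source/destination checking must also be disabled on its data ENIs, or AWS will not deliver traffic whose addresses are not the interface's own.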

Page 26: Five Steps to Creating a Secure Hybrid Cloud Architecture

Validating the Configuration

Web to DB connection via the VR and firewall succeeds (the reply's ttl=63 shows it crossed exactly one Layer 3 hop, the firewall)

ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.4.3.101      0.0.0.0         UG        0 0          0 eth0
10.4.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
64 bytes from db1 (10.4.5.201): icmp_seq=2 ttl=63 time=0.916 ms
64 bytes from db1 (10.4.5.201): icmp_seq=3 ttl=63 time=1.04 ms

--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms

Page 27: Five Steps to Creating a Secure Hybrid Cloud Architecture

Validating the Configuration

Attempted bypass by altering the default route to the VPC router (10.4.3.1) instead of the firewall (10.4.3.101) is dropped

ubuntu@web1:~$ sudo route add default gw 10.4.3.1
ubuntu@web1:~$ sudo route del default gw 10.4.3.101
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.4.3.1        0.0.0.0         UG        0 0          0 eth0
10.4.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.

--- db1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

Page 28: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 4: Scaling with ECMP

• ECMP weighted round robin in private data center
• Distributes the load across multiple VM-Series instances

Diagram: DC-FW1 and DC-FW2 (Web0-01 in the data center) sharing load across VM-Series firewalls in AZ1c and AZ1b (Web1-01, Web1-02, Web2-01, Web2-02)

Page 29: Five Steps to Creating a Secure Hybrid Cloud Architecture

Scaling with On-Premises Load Balancer

• Traffic load is shared across both private and public cloud
• Static routes on the firewall across multiple VPN tunnels add redundancy
• Single load balancer configuration minimizes management effort

Diagram: on-premises load balancer behind DC-FW1 and DC-FW2 (Web0-01) distributing to AZ1c and AZ1b (Web1-01, Web1-02, Web2-01, Web2-02)

Page 30: Five Steps to Creating a Secure Hybrid Cloud Architecture

Scaling with Elastic Load Balancing

• Elastic Load Balancing supported natively for security scaling
• Citrix NetScaler – documented in tech pubs
• NGINX also proven to work

Diagram: Elastic Load Balancing in front of AZ1c and AZ1b (Web1-01, Web1-02, Web1-03, Web2-01, Web2-02, Web2-03), with DC-FW1, DC-FW2 and Web0-01 in the data center

Page 31: Five Steps to Creating a Secure Hybrid Cloud Architecture

Step 5: Security Automation

AWS CloudFormation Templates (CFT)

• Scripted to deploy AWS resources
• Ranges from a basic install of the VM-Series to a fully configured environment
• Check out the Hybrid Deployment Guidelines whitepaper for a two-tier CFT example

Diagram: AZ1b with Web1 and DB1

Page 32: Five Steps to Creating a Secure Hybrid Cloud Architecture

Automating Firewall Deployments

Bootstrap package delivered from an Amazon S3 bucket, named in the instance user data:

vm-series-bootstrap-aws-s3-bucket=<bucketname>

• PAN-OS configuration
• Security policies
• BYOL licenses
• Software updates
• Dynamic content
• Attach to Panorama Device Group
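The bootstrap flow above is driven by the directory layout PAN-OS expects to find in the bucket: config/, content/, license/ and software/, all present even when empty, with config/init-cfg.txt supplying the first-boot settings (Panorama address, device group, template and the VM auth key). The script below, an added example rather than Palo Alto Networks' tooling, assembles that layout locally, runs a few sanity checks before upload, and produces the user-data line quoted on the slide. Bucket name, hostname, Panorama address, device group, template name and auth key are placeholder assumptions.

```python
"""Assemble a VM-Series bootstrap package in the layout PAN-OS reads from the
S3 bucket (config/, content/, license/, software/), check it, and emit the
user-data line that names the bucket. Added example; bucket name, hostname,
Panorama address, device group, template and auth key are placeholders."""

import os
import tempfile

REQUIRED_DIRS = ("config", "content", "license", "software")


def render_init_cfg(hostname, panorama_server, dgname, tplname, vm_auth_key):
    """config/init-cfg.txt: key=value lines read at first boot. DHCP on the
    management interface so the AWS-assigned address of eth0 is used."""
    lines = [
        "type=dhcp-client",
        f"hostname={hostname}",
        f"panorama-server={panorama_server}",
        f"dgname={dgname}",
        f"tplname={tplname}",
        f"vm-auth-key={vm_auth_key}",
        "dhcp-send-hostname=yes",
        "dhcp-accept-server-hostname=no",
    ]
    return "\n".join(lines) + "\n"


def build_package(root, init_cfg, authcodes=(), bootstrap_xml=None):
    """Create the four folders (all must exist, even empty) and the files."""
    for d in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "config", "init-cfg.txt"), "w") as fh:
        fh.write(init_cfg)
    if bootstrap_xml is not None:            # full PAN-OS config applied after init-cfg
        with open(os.path.join(root, "config", "bootstrap.xml"), "w") as fh:
            fh.write(bootstrap_xml)
    if authcodes:                            # BYOL auth codes, one per line
        with open(os.path.join(root, "license", "authcodes"), "w") as fh:
            fh.write("\n".join(authcodes) + "\n")
    return root


def validate_package(root):
    """Return a list of problems; an empty list means the layout is usable."""
    problems = [f"missing directory {d}/" for d in REQUIRED_DIRS
                if not os.path.isdir(os.path.join(root, d))]
    cfg_path = os.path.join(root, "config", "init-cfg.txt")
    if not os.path.isfile(cfg_path):
        problems.append("missing config/init-cfg.txt")
        return problems
    with open(cfg_path) as fh:
        keys = {line.split("=", 1)[0].strip() for line in fh if "=" in line}
    if "type" not in keys:
        problems.append("init-cfg.txt lacks type= (dhcp-client or static)")
    if "panorama-server" in keys:
        for needed in ("vm-auth-key", "dgname"):
            if needed not in keys:
                problems.append(f"panorama-server set but {needed}= missing; "
                                "the firewall cannot join the device group")
    return problems


def user_data(bucket):
    """The single user-data line the VM-Series reads at launch."""
    return f"vm-series-bootstrap-aws-s3-bucket={bucket}"


def demo():
    """Build and validate a package in a temporary directory (placeholder values)."""
    root = tempfile.mkdtemp(prefix="vmseries-bootstrap-")
    cfg = render_init_cfg("aws-fw-01", "panorama.example.internal",
                          "aws-hybrid-dg", "aws-hybrid-stack", "VM-AUTH-KEY-PLACEHOLDER")
    build_package(root, cfg, authcodes=["AUTHCODE-PLACEHOLDER"])
    return validate_package(root), user_data("example-vmseries-bootstrap")


if __name__ == "__main__":
    problems, line = demo()
    print("problems:", problems or "none")
    print("user-data:", line)
```

Sync the validated directory to the bucket, keep the bucket private, and grant the instance's IAM role only s3:GetObject and s3:ListBucket on that bucket: the package carries the Panorama vm-auth-key and any BYOL auth codes, so a world-readable bucket hands both to anyone who finds its name.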

Page 33: Five Steps to Creating a Secure Hybrid Cloud Architecture

Automate Security Policy Updates

Page 34: Five Steps to Creating a Secure Hybrid Cloud Architecture

Automate Security Policy Updates

Page 35: Five Steps to Creating a Secure Hybrid Cloud Architecture

Additional Deployment Scenarios

• Hybrid: extend your data center into AWS
• Segmentation: separate applications and data for security and compliance
• Gateway: protection from Internet-borne threats
• GlobalProtect: policy consistency for the cloud, the network, and your devices

Page 36: Five Steps to Creating a Secure Hybrid Cloud Architecture


Thank you