TRANSCRIPT
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scaling Next Generation Security on AWS
Tobias Frigger, Systems Engineer, Palo Alto Networks
May 18th, 2017
About Palo Alto Networks
2 | May 18th, 2017
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• 37,000 customers; 4,800+ employees
• Gartner Enterprise Firewall Magic Quadrant Leader 5 years running
About Palo Alto Networks
AWS Security Competency approved through integration with ELB/ALB and Auto Scaling
Example session records (two sessions that look identical by IP address and port):

Field                 Session 1                         Session 2
-------------------   -------------------------------   --------------------
(size)                344 KB                            344 KB
URL category          file-sharing                      unknown
file type             PowerPoint                        EXE
file name             -                                 shipment.exe
content               “Confidential and Proprietary”    -
user                  mjacobsen                         stomlinson
group                 prodmgmt                          finance
destination country   canada                            china
source IP             172.16.1.10                       172.16.1.10
destination IP        64.81.2.23                        64.81.2.23
destination port      TCP/443                           TCP/443
protocol              SSL, HTTP                         SSL, HTTP
application           slideshare                        web-browsing
application function  slideshare-uploading              -
Threat Intelligence in an Enterprise Security Platform
[diagram: Remote Users, HQ DC and Branch sites, each with Threat Prevention and URL-Filtering; Threat Intelligence Cloud; WildFire; GlobalProtect; Traps]
Management in an Enterprise Security Platform
[diagram: Remote Users, HQ DC, Branch, Threat Intelligence Cloud]
Security on AWS
Public Cloud Security: A Shared Responsibility
Security: YOUR responsibility
• Platform, Applications, Access Control
• Operating System, Networking, Security
• Customer content
• Encryption Services
Security: THEIR responsibility
• Global Infrastructure
• Compute | Storage | Database | Networking
Anyone can be an Attacker
Scaling Security on AWS
Leveraging Native Services to Support ELB & Auto Scaling
• CloudFormation template automates deployment of the full use case
• S3 bucket stores the firewall bootstrap image
• CloudWatch consumes workload metrics to drive scale-in/scale-out decisions
• Lambda pushes custom metrics to CloudWatch via our XML API
• Auto Scaling groups contain the firewalls that scale in/out
• PAN-OS bootstrapping creates a fully configured firewall for “on-demand” use
• PAN-OS API enables delivery of custom metrics to CloudWatch
• Panorama is optional but highly recommended to centrally manage VM-Series firewalls
Deployment flow (diagram: Region 1 with AZ1 and AZ2, an External ELB, an Internal ELB, a Web ASG, and firewall Auto Scaling groups ASG1 and ASG2)
1. CFT deploys base topology
2. Initial firewalls are bootstrapped from S3 bucket; bootstrapping adds FWs to Panorama
3. Standard metrics sent to CloudWatch
4. Alarm triggers ASG scale out
5. Lambda function collects PAN-OS metrics via API
6. Custom metrics sent to CloudWatch
7. Alarm triggers FW ASG scale events; bootstrapping continues to add FWs to Panorama, and a Lambda function removes FWs from Panorama
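Steps 5 and 6 of the flow are where a Lambda function turns PAN-OS operational data into CloudWatch custom metrics. The following is an added example, not code from the slides or from Palo Alto Networks. It assumes the XML field names of a `show session info` response (`num-active`, `num-max`, `cps`, `kbps`, `pps`), a constructed sample response, the metric namespace `VMSeries`, and an injected CloudWatch client object exposing `put_metric_data` (boto3's CloudWatch client has that method; a recording stand-in is used here so the code runs offline).

```python
"""Added example (not from the slides): Lambda-style collector that converts
PAN-OS 'show session info' output into CloudWatch custom metrics."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample response (assumed field names) for the operational command
# <show><session><info></info></session></show> on the PAN-OS XML API.
SAMPLE_SESSION_INFO = """<response status="success"><result>
  <num-max>262144</num-max>
  <num-active>131072</num-active>
  <cps>350</cps>
  <kbps>480000</kbps>
  <pps>90000</pps>
</result></response>"""

SESSION_INFO_CMD = "<show><session><info></info></session></show>"


def build_op_url(host: str, api_key: str, cmd_xml: str) -> str:
    """Build a PAN-OS XML API operational-command request (type=op).

    The key belongs in a secret store (e.g. AWS Secrets Manager), never in code.
    """
    query = urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return f"https://{host}/api/?{query}"


def parse_session_info(xml_text: str) -> dict:
    """Extract session counters and derive a utilization percentage.

    Raises ValueError on an error response or a missing counter so the caller
    never publishes a bogus zero that would trigger a scale-in.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError(f"PAN-OS API returned status={root.get('status')!r}")
    result = root.find("result")
    if result is None:
        raise ValueError("response has no <result> element")

    def counter(tag: str) -> int:
        el = result.find(tag)
        if el is None or el.text is None:
            raise ValueError(f"missing counter <{tag}>")
        return int(el.text.strip())

    active, maximum = counter("num-active"), counter("num-max")
    utilization = round(100.0 * active / maximum, 2) if maximum else 0.0
    # Metric name -> (value, CloudWatch unit); names and namespace are assumed.
    return {
        "ActiveSessions": (active, "Count"),
        "MaxSessions": (maximum, "Count"),
        "SessionUtilizationPct": (utilization, "Percent"),
        "ConnectionsPerSecond": (counter("cps"), "Count/Second"),
        "Kbps": (counter("kbps"), "Kilobits/Second"),
        "PacketsPerSecond": (counter("pps"), "Count/Second"),
    }


def build_metric_data(stats: dict, namespace: str, asg_name: str) -> dict:
    """Shape the counters as a put_metric_data payload.

    Metrics are dimensioned by Auto Scaling group only, so one alarm on the
    Average across the group can drive the FW ASG scale events.
    """
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name}]
    return {
        "Namespace": namespace,
        "MetricData": [
            {"MetricName": name, "Dimensions": dims, "Value": value, "Unit": unit}
            for name, (value, unit) in stats.items()
        ],
    }


def publish(cloudwatch, payload: dict, batch: int = 20) -> int:
    """Send the payload in batches (put_metric_data accepts at most 20 datums
    per call). Returns the number of API calls made."""
    data = payload["MetricData"]
    calls = 0
    for i in range(0, len(data), batch):
        cloudwatch.put_metric_data(
            Namespace=payload["Namespace"], MetricData=data[i:i + batch]
        )
        calls += 1
    return calls


class RecordingClient:
    """Offline stand-in for boto3's CloudWatch client; records each call."""

    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    # In Lambda: fetch build_op_url(...) with an HTTP client, then parse the body.
    stats = parse_session_info(SAMPLE_SESSION_INFO)
    payload = build_metric_data(stats, "VMSeries", "fw-asg-example")
    client = RecordingClient()  # replace with boto3.client("cloudwatch")
    print(publish(client, payload), "call(s); utilization", stats["SessionUtilizationPct"])
```

Dimensioning by Auto Scaling group name rather than per instance is what lets a single alarm on the group-wide Average of SessionUtilizationPct drive the scale events in step 7; a per-instance dimension would need one alarm per firewall. Treat a parse failure as "no data" rather than publishing zero, otherwise an unreachable firewall looks idle and can trigger a scale-in.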
Hybrid Use Case
Securing one VPC
[diagram: DC-FW1 and DC-FW2 in the data center, IPSec VPN into the VPC, web servers Web1-01 and Web1-02 in AZ1b]
Securing one VPC (second AZ added)
[diagram: DC-FW1 and DC-FW2, IPSec VPNs into AZ1b (Web1-01, Web1-02) and AZ1c (Web2-01, Web2-02)]
Securing lots of VPCs
[diagram: DC-FW1 and DC-FW2 with tunnels to separate VPCs: Marketing App, HR App, QA Environment, Dev Environment]
Problem 1: Security Fragmentation
Problem 2: Tunnel Management
Problem 3: Cost
[diagram: DC-FW1, DC-FW2]
Presenting: The Services VPC
[diagram: DC-FW1, DC-FW2]
Presenting: A hybrid Services VPC Deployment
Potential Problem: IPSec Overlay Subnet Collisions
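The subnet-collision problem named above can be caught before any tunnel is built, by checking the address plan of every network that will share the overlay. This is an added example, not from the slides; it checks a constructed inventory of data-center and VPC CIDRs for overlaps and picks the next free block from an address pool. The network names, CIDRs and pool are all assumptions.

```python
"""Added example (not from the slides): overlap check for CIDRs that will share
one IPSec overlay, plus allocation of the next non-colliding block."""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory: data-center networks plus VPC CIDRs that would all be
# reachable through the services VPC. Two collisions are planted on purpose.
SAMPLE_NETWORKS = {
    "dc-core": "10.0.0.0/16",
    "services-vpc": "10.1.0.0/16",
    "marketing-app": "10.2.0.0/16",
    "hr-app": "10.2.128.0/17",    # sits inside marketing-app
    "qa-env": "172.16.0.0/12",
    "dev-env": "172.31.0.0/16",   # sits inside qa-env
}


def find_collisions(networks: dict) -> list:
    """Return every pair of names whose CIDRs overlap, ordered by name.

    strict=True rejects CIDRs with host bits set (e.g. 10.2.1.0/16), which
    would otherwise hide the real block being claimed.
    """
    parsed = {name: ip_network(cidr, strict=True) for name, cidr in networks.items()}
    return [
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(parsed.items()), 2)
        if na.overlaps(nb)
    ]


def next_free_block(networks: dict, pool: str, prefixlen: int) -> str:
    """First subnet of the given prefix length inside `pool` that overlaps
    nothing already allocated; raises LookupError if the pool is exhausted."""
    taken = [ip_network(c, strict=True) for c in networks.values()]
    for candidate in ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    raise LookupError(f"no free /{prefixlen} left in {pool}")


if __name__ == "__main__":
    for a, b in find_collisions(SAMPLE_NETWORKS):
        print(f"collision: {a} ({SAMPLE_NETWORKS[a]}) overlaps {b} ({SAMPLE_NETWORKS[b]})")
    print("next free /16 in 10.0.0.0/8:", next_free_block(SAMPLE_NETWORKS, "10.0.0.0/8", 16))
```

Run the check against the full inventory, data-center ranges included, every time a VPC is added to the services VPC; a collision found here is a routing ambiguity across the overlay, and the fix is to allocate the new VPC from a free block rather than to NAT around it.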
[diagram: DC-FW1, DC-FW2]
Solution 2: Scale Services VPC (dozens of VPCs)
[diagram: DC-FW1, DC-FW2]
Solution 3: Co-Location (100s of VPCs)
[diagram: Direct Connect Location, Service Provider Links]
Q&A
Thank you!
Come speak to us at the booth!