Scaling Next Generation Security on AWS (aws-de-media.s3-eu-west-1.amazonaws.com/images/aws...)

28 pages

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling Next Generation Security on AWS. Tobias Frigger, Systems Engineer, Palo Alto Networks. May 18th, 2017


Page 1: Scaling Next Generation Security on AWS

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Scaling Next Generation Security on AWS

Tobias Frigger, Systems Engineer, Palo Alto Networks

May 18th, 2017

Page 2

About Palo Alto Networks

2 | May 18th, 2017

Page 3

About Palo Alto Networks

• Safely enabling applications and preventing cyber threats

• Able to address all enterprise cybersecurity needs

• 37,000 customers; 4,800+ employees

• Gartner Enterprise Firewall Magic Quadrant Leader 5 years running

• AWS Security Competency approved through integration with ELB/ALB and Auto Scaling

Page 4

Diagram: one session and the fields the firewall identifies for it (reconstructed as label: value):

File size: 344 KB
URL category: file-sharing
File type: PowerPoint
Content: “Confidential and Proprietary”
User: mjacobsen
Group: prodmgmt
Destination country: canada
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL
Protocol: HTTP
Application: slideshare
Application function: slideshare-uploading

Page 5

Diagram: a second session with the same addresses and port but different user, application and content (reconstructed as label: value):

File size: 344 KB
URL category: unknown
File type: EXE
File name: shipment.exe
User: stomlinson
Group: finance
Destination country: china
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL
Protocol: HTTP
Application: web-browsing
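The two sessions on pages 4 and 5 share the same source IP, destination IP and port, so a port-based rule sees them as identical; the user, application, URL category and content fields are what separate a sanctioned upload from a suspicious download. The following is an added example, not code from the deck or from Palo Alto Networks: the two sessions as constructed log records, a check that their L4 tuples are indistinguishable, and three content-aware rules written for this example (field names and rule labels are this example's own, not any product's).

```python
"""Added example, not from the deck: the two sessions from pages 4 and 5 as
constructed log records, plus a check showing why a port/IP rule cannot tell
them apart while application, user and content fields can. Field names and
rule text are this example's own."""

# Constructed records; the values are the ones shown on the two slides.
RECORDS = [
    {"user": "mjacobsen", "group": "prodmgmt",
     "source_ip": "172.16.1.10", "destination_ip": "64.81.2.23",
     "destination_port": "TCP/443", "protocols": ("SSL", "HTTP"),
     "application": "slideshare", "application_function": "slideshare-uploading",
     "url_category": "file-sharing", "destination_country": "canada",
     "file_type": "PowerPoint", "file_name": None, "file_size_kb": 344,
     "content_tags": ("Confidential and Proprietary",)},
    {"user": "stomlinson", "group": "finance",
     "source_ip": "172.16.1.10", "destination_ip": "64.81.2.23",
     "destination_port": "TCP/443", "protocols": ("SSL", "HTTP"),
     "application": "web-browsing", "application_function": None,
     "url_category": "unknown", "destination_country": "china",
     "file_type": "EXE", "file_name": "shipment.exe", "file_size_kb": 344,
     "content_tags": ()},
]


def l4_tuple(record):
    """What a port-based firewall rule gets to see of a session."""
    return (record["source_ip"], record["destination_ip"], record["destination_port"])


def evaluate(record):
    """Content-aware checks. Each appends a short finding label; an empty
    list means the session matched no rule."""
    findings = []
    function = record.get("application_function") or ""
    tags = [t.lower() for t in record.get("content_tags", ())]
    # Sanctioned application, but a document tagged confidential leaves via an upload.
    if (record["url_category"] == "file-sharing" and function.endswith("uploading")
            and any("confidential" in t for t in tags)):
        findings.append("dlp: confidential document uploaded to a file-sharing application")
    # An executable arriving from a site with no URL category.
    if record["file_type"].upper() == "EXE" and record["url_category"] == "unknown":
        findings.append("threat: executable delivered from an uncategorised site")
    # Generic browsing to an uncategorised site is worth a policy decision on its own.
    if record["application"] == "web-browsing" and record["url_category"] == "unknown":
        findings.append("policy: generic web-browsing to an uncategorised site")
    return findings


def triage(records):
    """Map each user to the findings for their session."""
    return {r["user"]: evaluate(r) for r in records}


def indistinguishable_at_l4(records):
    """True when every record shares one (src, dst, port) tuple."""
    return len({l4_tuple(r) for r in records}) == 1


if __name__ == "__main__":
    print("same L4 tuple for all sessions:", indistinguishable_at_l4(RECORDS))
    for user, findings in triage(RECORDS).items():
        print(user, "->", findings or ["no finding"])
```

Running it prints that both sessions share one L4 tuple, that mjacobsen's upload trips only the DLP rule, and that stomlinson's download trips the executable and uncategorised-site rules; the point is that the last two fields in each record, not the addresses, carry the decision.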

Page 6

Threat Intelligence in an Enterprise Security Platform

Diagram: a Threat Intelligence Cloud feeding Threat Prevention and URL-Filtering on the firewalls at the HQ DC, the branch and in front of remote users; WildFire, GlobalProtect and Traps complete the platform.

Page 7

Management in an Enterprise Security Platform

Diagram labels: REMOTE USERS, HQ DC, BRANCH, THREAT INTELLIGENCE CLOUD.

Page 8

Security on AWS

Page 9

Public Cloud Security: A Shared Responsibility

Security: YOUR responsibility

• Customer content

• Platform, Applications, Access Control

• Operating System, Networking, Security

• Encryption Services

Security: THEIR responsibility

• Compute | Storage | Database | Networking

• Global Infrastructure

Page 10

Anyone can be an Attacker

Page 11

Scaling Security on AWS

Page 12

Leveraging Native Services to Support ELB & Auto Scaling

• CloudFormation Template automates full use case deployment

• S3 Bucket stores the firewall bootstrap image

• CloudWatch consumes workload metrics to drive scale in/out decisions

• Lambda pushes custom metrics to CloudWatch via our XML API

• Auto Scaling Groups contain the firewalls that scale in/out

• PAN-OS Bootstrapping allows creation of a fully configured firewall for “on-demand” use

• PAN-OS API enables delivery of custom metrics to CloudWatch

• Panorama is optional but highly recommended to centrally manage VM-Series firewalls

Page 13

Diagram: Region 1 with AZ1 and AZ2; an External ELB in front of firewall ASG1 and ASG2, an Internal ELB in front of the Web ASG.

1. CFT deploys base topology

2. Initial firewalls are bootstrapped from S3 Bucket; bootstrapping adds FWs to Panorama

Page 14

Diagram: same topology as page 13 (Region 1, AZ1/AZ2, External ELB, firewall ASG1/ASG2, Internal ELB, Web ASG).

3. Standard metrics sent to CloudWatch

4. Alarm triggers ASG scale out

Page 15

Diagram: same topology as page 13 (Region 1, AZ1/AZ2, External ELB, firewall ASG1/ASG2, Internal ELB, Web ASG).

5. Lambda function collects PAN-OS metrics via API

6. Custom metrics sent to CloudWatch

7. Alarm triggers FW ASG scale events; bootstrapping continues to add FWs to Panorama; Lambda function removes FWs from Panorama
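Steps 5 through 7 above, together with the "Lambda pushes custom metrics to CloudWatch via our XML API" bullet on page 12, describe one collection loop per firewall: query the PAN-OS XML API, publish a custom metric, let a CloudWatch alarm drive the firewall ASG. The following is an added example that is not code from the deck, from Palo Alto Networks or from AWS. It assumes an XML API reply to the operational command `show session info` carrying `<num-active>`, `<num-max>` and `<cps>` elements (assumed element names; the sample reply is constructed inline), a custom namespace `VMSeries` and alarm thresholds of 80% and 20% (both assumptions), and it takes the boto3 CloudWatch client as a parameter so the loop runs offline against the small recorder class included.

```python
"""Added example, not code from the deck or from Palo Alto Networks: collect a
PAN-OS session metric from an XML API reply, shape it as a CloudWatch custom
metric, and mirror the alarm thresholds that would drive firewall ASG scaling."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of an XML API reply to `show session info`.
# The element names are assumptions made for this example.
SAMPLE_SESSION_INFO = """<response status="success">
  <result>
    <num-active>240000</num-active>
    <num-max>400000</num-max>
    <cps>1200</cps>
  </result>
</response>"""


@dataclass(frozen=True)
class SessionStats:
    active: int
    maximum: int
    cps: int

    @property
    def utilization_pct(self) -> float:
        return 100.0 * self.active / self.maximum


def parse_session_info(xml_text: str) -> SessionStats:
    """Parse the reply; refuse anything that is not a successful response so a
    failed API call never turns into a zero-utilization sample (which would
    otherwise look like a reason to scale in)."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("PAN-OS API call did not succeed")
    result = root.find("result")
    if result is None:
        raise ValueError("reply has no <result> element")

    def field(name: str) -> int:
        node = result.find(name)
        if node is None or node.text is None:
            raise ValueError(f"missing <{name}> in session info")
        return int(node.text)

    stats = SessionStats(field("num-active"), field("num-max"), field("cps"))
    if stats.maximum <= 0:
        raise ValueError("num-max must be positive")
    return stats


def build_metric_data(stats: SessionStats, instance_id: str, asg_name: str) -> list:
    """Shape one sample as the MetricData list put_metric_data expects.
    Dimensions let one alarm aggregate per ASG while keeping per-instance detail."""
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name},
            {"Name": "InstanceId", "Value": instance_id}]
    return [
        {"MetricName": "SessionUtilization", "Dimensions": dims,
         "Value": stats.utilization_pct, "Unit": "Percent"},
        {"MetricName": "ActiveSessions", "Dimensions": dims,
         "Value": float(stats.active), "Unit": "Count"},
        {"MetricName": "ConnectionsPerSecond", "Dimensions": dims,
         "Value": float(stats.cps), "Unit": "Count/Second"},
    ]


def push_metrics(cloudwatch, metric_data: list, namespace: str = "VMSeries"):
    """cloudwatch is a boto3 CloudWatch client (boto3.client("cloudwatch"));
    it is injected so the example can run offline with the recorder below."""
    return cloudwatch.put_metric_data(Namespace=namespace, MetricData=metric_data)


def scaling_decision(utilization_pct: float, scale_out_above: float = 80.0,
                     scale_in_below: float = 20.0) -> str:
    """Mirror of the CloudWatch alarm thresholds (assumed values). In the real
    deployment the alarm evaluates this in AWS, not in the Lambda function."""
    if utilization_pct >= scale_out_above:
        return "scale_out"
    if utilization_pct <= scale_in_below:
        return "scale_in"
    return "hold"


class RecordingCloudWatch:
    """Offline stand-in for the boto3 client; records each put_metric_data call."""

    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def collect_and_publish(xml_text: str, instance_id: str, asg_name: str, cloudwatch) -> str:
    """One Lambda-style iteration for one firewall: parse, publish, decide."""
    stats = parse_session_info(xml_text)
    push_metrics(cloudwatch, build_metric_data(stats, instance_id, asg_name))
    return scaling_decision(stats.utilization_pct)


if __name__ == "__main__":
    cw = RecordingCloudWatch()
    print(collect_and_publish(SAMPLE_SESSION_INFO, "i-0123456789abcdef0", "fw-asg-az1", cw))
    print(cw.calls[0]["MetricData"][0])
```

The sample reply gives 60% session utilization, so the decision is "hold"; the error path matters as much as the happy path, because a firewall that is unreachable must not report as idle and get scaled in.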

Page 16

Hybrid Use Case

Page 17

Securing one VPC

Diagram: DC-FW1 and DC-FW2 in the data centre connect over IPSec VPN to the VPC; web servers Web1-01 and Web1-02 in AZ1b.

Page 18

Securing one VPC

Diagram: DC-FW1 and DC-FW2 connect over IPSec VPNs to the VPC; Web1-01 and Web1-02 in AZ1b, Web2-01 and Web2-02 in AZ1c.

Page 19

Securing lots of VPCs

Diagram: DC-FW1 and DC-FW2 connect to separate VPCs for the Marketing App, the HR App, the QA Environment and the Dev Environment.

Page 20

Problem 1: Security Fragmentation

Problem 2: Tunnel Management

Problem 3: Cost

Page 21

Presenting: The Services VPC

Diagram: DC-FW1 and DC-FW2 connected to a Services VPC.

Page 22

Presenting: A hybrid Services VPC Deployment

Diagram: DC-FW1 and DC-FW2 connected to a Services VPC.

Page 23

Potential Problem: IPSec Overlay Subnet Collisions
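Once a Services VPC terminates tunnels from many application VPCs and the data centre, every address range it routes has to be disjoint; two VPCs that were carved out independently with the same or nested CIDRs collide in the hub's route table. The following is an added example, not from the deck: a check over a constructed inventory (names and CIDRs made up for this example) that lists every overlapping pair, and a helper that picks the next free block from a planning supernet before a new VPC is created.

```python
"""Added example, not from the deck: detect IPSec overlay subnet collisions
among the networks a Services VPC would have to route, and pick a free block
for a new VPC. Names and CIDRs are constructed for this example."""
import ipaddress
from itertools import combinations

# Constructed inventory: the data-centre network behind DC-FW1/DC-FW2 plus the
# VPC CIDRs whose tunnels terminate on the Services VPC. Two collisions are
# planted on purpose (hr-app-vpc inside marketing-app-vpc, dev inside qa).
NETWORKS = {
    "dc-corp": "10.0.0.0/16",
    "services-vpc": "10.1.0.0/16",
    "marketing-app-vpc": "10.2.0.0/16",
    "hr-app-vpc": "10.2.128.0/17",
    "qa-env-vpc": "172.16.0.0/16",
    "dev-env-vpc": "172.16.1.0/24",
}


def parse_inventory(networks):
    """Turn CIDR strings into network objects. strict=True rejects a prefix with
    host bits set (e.g. 10.2.1.0/16), which otherwise hides the real range."""
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in networks.items()}


def find_collisions(networks):
    """Return every pair of names whose address ranges overlap, in name order.
    A hub that must route all of them cannot hold two overlapping routes."""
    nets = parse_inventory(networks)
    return [(a, b) for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
            if na.overlaps(nb)]


def next_free_block(networks, supernet, prefixlen):
    """First /prefixlen inside supernet that overlaps nothing already allocated,
    or None when the supernet is exhausted."""
    allocated = list(parse_inventory(networks).values())
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(existing) for existing in allocated):
            return candidate
    return None


if __name__ == "__main__":
    for a, b in find_collisions(NETWORKS):
        print(f"collision: {a} ({NETWORKS[a]}) overlaps {b} ({NETWORKS[b]})")
    print("next free /16 in 10.0.0.0/8:", next_free_block(NETWORKS, "10.0.0.0/8", 16))
```

Run against the inventory it reports the two planted collisions and proposes 10.3.0.0/16 as the next /16; wiring the same check into the CloudFormation pipeline that creates a VPC catches the collision before the tunnel is ever built.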

Page 24

Solution 2: Scale Services VPC (dozens of VPCs)

Diagram: DC-FW1 and DC-FW2.

Page 25

Solution 3: Co-Location (100s of VPCs)

Diagram: DC-FW1 and DC-FW2 at a Direct Connect Location, reached over Service Provider Links.

Page 26

Page 27

Q&A

Page 28

Thank you!

Come speak to us at the booth!