Network Security Design Bla Bla Bla Bla B

StasKanitskiy 36 views 47 slides Jun 30, 2024

About This Presentation

Network Security Design


Slide Content

AWS Network Security Design
v4.0

Agenda
•Denial of Service
•Defense in Depth
•Features of VPC network security
•Options for securing workloads
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Design Network Security on AWS Workshop v4.0

Goals
•Understand how AWS protects the network
•Consider the threat and risk profile of potential cloud
workloads
•Choose network and workload security controls
•Gain awareness of the network security ecosystem

VPC defense in depth (review)
[Diagram: VPC CIDR 10.0.0.0/16 with subnets 10.0.0.0/19 and 10.0.32.0/20, each with its own routing table, NACL and security groups. Annotations: lockdown at instance level (security group), lockdown at network level (NACL), route restrictively (routing table), isolate network functions (separate subnets).]

DENIAL OF SERVICE
Volumetric

DDoS protections built into AWS
✓ Protection against most common infrastructure attacks
✓ SYN/ACK Floods, UDP Floods, Reflection attacks, etc.
✓ No additional cost
[Diagram: DDoS attack traffic and user traffic both arriving at AWS DDoS mitigation systems]

AWS Shield
Standard Protection: available to ALL AWS customers at no additional cost.
Advanced Protection: paid service that provides additional protections, features and benefits.

AWS Shield Standard
Layer 3/4 protection
✓ Automatic detection & mitigation
✓ Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
✓ Built into AWS services
Layer 7 protection
✓ Use AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go

Denial of Service → AWS Shield
[Diagram: VPC CIDR 10.0.0.0/16 spanning Availability Zones A, B and C, with Web, App and Bastion instances across a public subnet 10.0.0.0/19, a private subnet 10.0.32.0/20 and a sensitive subnet 10.0.48.0/21]
AWS Shield in the VPC
•Allow only valid network traffic
•Deprioritize abnormal traffic (e.g. elevated SYN==1)
•Shape traffic based on instance size, port, and protocol

Denial of Service → AWS Shield
[Diagram: the same three-AZ VPC (10.0.0.0/16; public 10.0.0.0/19, private 10.0.32.0/20, sensitive 10.0.48.0/21) with Route 53 and CloudFront at edge locations in front of it]
AWS Shield at the edge
•Allow only traffic valid for the service
•SYN proxy/cookies when high levels of SYN==1 detected
•Suspicion-based traffic shaping

Denial of Service → AWS WAF
[Diagram: the same three-AZ VPC (10.0.0.0/16; public 10.0.0.0/19, private 10.0.32.0/20, sensitive 10.0.48.0/21) with AWS WAF in front of the Web tier]
•Web traffic filtering with custom rules
•Malicious request blocking
•Active monitoring and tuning

Stopping bad actors
CLOUDFRONT GEO-RESTRICTION
•Whitelist approved countries
•Blacklist banned countries
ROUTE 53 GEO-ROUTING
•Route based on origin location of DNS query
•Route to static or dynamic resources

Stopping bad actors
WAF RULES
•IP blacklisting
•SQL injection prevention
•Cross site scripting prevention
•User-agent blocking
•Bad bot blocking
•Content scraper blocking

Stopping bad actors
SECURITY GROUPS
•Only listen on required ports
•Only listen on required protocols
NACL
•Port blocking
•IP blacklisting
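An added example, not from the workshop deck, that ties the "lockdown at instance level" review slide to the Security Groups bullets above: it audits a group's inbound rules against the ports a tier actually listens on and the sources those ports should accept. The sample group, the required-ports table and the choice of 10.0.48.0/21 as the bastion source for SSH are constructed assumptions.

```python
"""Audit a security group's inbound rules against the ports a tier must listen
on.  Groups use the IpPermissions shape returned by boto3's
describe_security_groups; the group below is a constructed sample, so no AWS
call is made."""
import ipaddress


def within(src, allowed_cidrs):
    """True if the source CIDR lies inside one of the allowed source CIDRs."""
    s = ipaddress.ip_network(src)
    for a in allowed_cidrs:
        n = ipaddress.ip_network(a)
        if n.version == s.version and s.subnet_of(n):
            return True
    return False


def audit_group(group, required):
    """Return (group, protocol, ports, source, reason) findings.
    `required` maps (protocol, port) -> source CIDRs that must be allowed."""
    findings = []
    name = group["GroupName"]
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        sources = [r.get("CidrIp") or r.get("CidrIpv6")
                   for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])]
        if proto == "-1":  # every protocol and port: never what a listener needs
            for src in sources:
                findings.append((name, proto, "all", src, "allows all protocols and ports"))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        ports = range(lo, hi + 1)
        extra = [p for p in ports if (proto, p) not in required]
        if extra:
            findings.append((name, proto, f"{lo}-{hi}", ",".join(sources),
                             f"opens {len(extra)} port(s) the tier does not listen on"))
        for p in ports:
            for src in sources:
                if (proto, p) in required and not within(src, required[(proto, p)]):
                    findings.append((name, proto, str(p), src,
                                     "source broader than " + ",".join(required[(proto, p)])))
    return findings


# Constructed sample: a web tier in the deck's 10.0.0.0/16 VPC.  Treating
# 10.0.48.0/21 as the bastion's subnet for SSH is an assumption of this example.
WEB_REQUIRED = {("tcp", 443): ["0.0.0.0/0"], ("tcp", 22): ["10.0.48.0/21"]}
WEB_SG = {"GroupName": "web-tier", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

if __name__ == "__main__":
    for finding in audit_group(WEB_SG, WEB_REQUIRED):
        print(finding)
```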

ADDITIONAL FEATURES

Native AWS Network Security Features
•IP Spoofing: Traditional Layer 2 security attacks,
including MAC spoofing and ARP spoofing, are blocked.
•Packet sniffing by other tenants: It is not possible for a
virtual instance running in promiscuous mode to receive
or “sniff” traffic that is intended for a different virtual
instance.
•Man in the Middle (MITM) Attacks: All AWS APIs are
available via TLS-protected endpoints, which provides
server authentication.
Examples from “Overview of Security Processes” whitepaper

VPC Flow Logs
•Visibility into effects of Security
Group rules
•Troubleshooting network
connectivity
•Ability to analyze traffic
•Logged per ENI
•Agentless
•Create CloudWatch metrics from log data
•Alarm on CloudWatch metrics

Anatomy of a VPC Flow Log entry
[Diagram: a flow log record annotated with its fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start time, end time, accept or reject]
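An added example, not from the deck, that parses default-format flow log records carrying the fields shown in the diagram and aggregates REJECT records per source address into the kind of count the earlier slide suggests turning into a CloudWatch metric with an alarm. The account ID, ENI ID, addresses and the three-port alarm threshold are constructed assumptions.

```python
"""Parse VPC Flow Log records (default format) and summarize REJECTed flows per
source address, the kind of count the deck suggests turning into a CloudWatch
metric with an alarm.  The log lines are constructed samples: the account ID,
ENI ID and addresses are made up, not captured from a real account."""
from collections import defaultdict

# Default record layout; the deck's diagram omits version and log-status.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Return the record as a dict, or None for NODATA/SKIPDATA rows whose
    traffic fields are '-' and carry nothing to count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def reject_summary(lines, port_threshold=3):
    """Per source: REJECT count, distinct rejected destination ports, and an
    alarm flag once a source has been refused on port_threshold or more ports."""
    rejects, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        rejects[rec["srcaddr"]] += 1
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: {"rejects": rejects[src], "ports": sorted(ports[src]),
                  "alarm": len(ports[src]) >= port_threshold} for src in rejects}


SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.0.10 51823 22 6 4 240 1719748800 1719748860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.0.10 51824 3389 6 3 180 1719748800 1719748860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.0.10 51825 8080 6 3 180 1719748800 1719748860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.0.10 40001 443 6 20 8100 1719748800 1719748860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.0.10 40002 22 6 1 60 1719748800 1719748860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1719748800 1719748860 - NODATA
"""

if __name__ == "__main__":
    for src, info in reject_summary(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```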

NON-NATIVE NETWORK SECURITY

Successful enterprise solutions
All available on AWS Marketplace
•Network firewalls
•Protection solutions from SaaS/CDN providers
•Web application firewalls (WAF)
•Network IDS solutions
•Host-based IPS

Firewall: Sophos Unified Threat Management (UTM)
•Virtual appliance(s) on EC2
•Features:
–Firewall
–VPN: network and client
–NAT/PAT
–Network IDS/IPS
–Web/URL filtering
–Application aware
•Can connect VPCs
•BYOL or hourly billing
From the AWS article "Connecting Multiple VPCs with Astaro Security Gateway"

WAF: SaaS/CDN Providers
•Various offerings
–Intrusion prevention
–Vulnerability assessment
–Botnet detection/protection
–Content proxy/caching
–OWASP Top 10 protection
•Optional Managed Services
–Analysis & incident response
–Reporting
•Challenges
–May be limited to inbound traffic
–Scalability depends on vendor
–Visibility into your traffic varies by provider
–Adds latency, sometimes significant
[Diagram: users directed by DNS through a SaaS WAF before reaching the application]

WAF: Alert Logic Web Security Manager
•Web Application Firewall
–Layer in front of your ELBs
•Supports Auto Scaling
•Highly available
•Can help meet PCI DSS and HIPAA compliance
•AWS API Integration
–VPC environment
–Elastic Load Balancing
–CloudWatch
–S3 (configs/state), EBS (log data)
–CloudFormation
•SaaS model

NIDS: Alert Logic Threat Manager
•Network IDS installed on hosts (EC2 instances)
–Uses virtual soft tap to collect traffic for analysis
•Events analyzed by expert system
•Incidents investigated by SOC analysts
•Can help meet PCI DSS, HIPAA/HITECH, GLBA, SOX
•Hourly billing
•Payload capture
•SaaS model

Host IDPS: Trend Micro Deep Security
•Long features list
–IDS, IPS
–Firewall
–Anti-malware
–Integrity monitoring
–Log inspection
–Web reputation
•Can help meet PCI DSS, HIPAA, NIST,
SAS 70
•Compatible with cloud deployment
tools OpsWorks, Chef, Puppet,
Rightscale
•Available as SaaS or software solution
Designed for AWS

Option: Use your current perimeter security stack
•“Lollipop”, “tromboning”, “router-on-a-stick”
•Benefits
–Leverage your existing investments
–Quick to implement
•Challenges
–Extra latency
–Bandwidth intensive
–Low/no elasticity support
–Amazon Linux Repos
–Same old approval process
[Diagram: VPC traffic hairpinned through the perimeter stack in the customer network]

WORKLOAD SECURITY OPTIONS

What is the Amazon Partner Network (APN)?
•APN Partner products complement the existing AWS services to
enable you to deploy a comprehensive security architecture and
a more seamless experience across your cloud and on-premises
environments.
•Collection of SaaS, AMI, Open-Source, and Marketplace product
offerings

What is the APN Security Competency Program?
•APN Security Competency Partners have demonstrated success in
building products and solutions on AWS to support customers.
•They provide deep technical and consulting expertise helping
enterprises adopt, develop, and deploy complex Security projects.
•Infrastructure must support:
–ELB above and below
–Multi-AZ support
–Bootstrapping
–Auto-scaling support

What are the Intrusion Detection solutions?
•Host-based Solutions
Trend Micro Deep Security
Alert Logic Threat Manager
McAfee Public Cloud Server Security Suite
•Chokepoint/Inline solutions
Check Point
Sophos
Palo Alto
Cisco vFTD (formerly Sourcefire)
See the Appendix for more solutions

What are the Firewall & VPN solutions?
•Amazon VPC Security Groups
•APN Security Competency Partners
–(Multi-AZ, Auto Scaling, Elastic Load Balancing)
Sophos
Check Point
Palo Alto
Fortinet FortiGate-VM (Host)
Imperva
Netgate

AWS Marketplace Security Partners
[Diagram: AWS Marketplace security partner categories: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection]

More security options in Appendix A:
Web Application Firewalls
Security Incident Event Management (SIEM)
Security Group Management
Security Configuration Management
Anti-virus
Web Proxies
Scanning & Vulnerability Assessment
Data Loss Prevention

Factors for Choosing Security Solutions
•Consider threat & risks to individual workloads
•APN Security Competency will shorten your list
•Any existing relationship or operational experience may affect
preference
•Remember that a bake-off can be very rapid using AWS
Marketplace

Criteria for Choosing Security Solutions
•Use cloud-aware or host-based solutions when possible
–Security infrastructure should be cloud-aware
–Host-based solutions are preferred for scalable applications
–Test the solution for application stack issues, consider any
performance impact, and determine operations & support
•If using in-line vendor solutions, determine where & why
–Work with vendor to determine performance and high availability
impact
–May need to use solution in an isolated part of the network (e.g.
separate VPC)

APPENDIX A
Additional Security Solutions

Additional Firewall & VPN solutions
APN Partners
Riverbed SteelConnect
(formerly Ocedo)
Cisco ASA
Cisco CSR
Juniper vMX
Juniper vSRX
Open Source
•Iptables
•OpenVPN
•StrongSwan
•LibreSwan
•VyOS

Additional Intrusion Detection solutions
File and Instance Integrity
•File Integrity Monitoring
–CloudPassage Halo
–OSSEC
–Tripwire
•AWS Instances
–Symantec Cloud Workload
Protection
Network Monitoring
•Network traffic monitoring
(similar to SPAN)
–Gigamon agent (ERSPAN)
•Open Source
–pfSense

Additional Web Application Firewall solutions
AWS Native & APN Security Competency
•AWS Web Application Firewall
•APN Security Competency
Partners
Alert Logic Threat Manager
Imperva SecureSphere
Sophos
Barracuda
Open Source
•ModSecurity
•NAXSI

Security Group Management solutions
•APN Security Competency Partners
Dome9 SecOps
AlgoSec
Tufin
Flowmon

Security Incident Event Management (SIEM) solutions
•APN Security Competency Partners
Splunk
Sumo Logic
•LogRhythm
•AlienVault
•ArcSight

Configuration Management Solutions
Evident.io
CloudCheckr
Alert Logic Cloud Insight
Tenable Network Security - Nessus
•ThreatStack

Additional Web Proxy solutions
APN Partners
Barracuda
Sophos
Fortinet
Palo Alto
Check Point
Open Source
•Squid
•HA Proxy
•nginx

Anti-Virus Solutions
APN Partner Solutions
McAfee Public Cloud Server Security Suite (PCS)
Trend Micro Deep Security
Existing Solutions
•Your current anti-virus
solutions should continue to
work with EC2 instances

Alternative Scanning & Vulnerability Assessment Solutions
•Amazon Inspector
•APN Security Competency Partners
–Qualys
–Nessus for Enterprise Cloud (pre-authorized)
•Rapid7
•Alien Vault

Data Loss Prevention (DLP) solutions
•Symantec DLP

Data Protection Solutions
Vormetric Transparent Encryption
Gemalto's SafeNet ProtectV and SafeNet Virtual KeySecure
HyTrust DataControl for AWS 25VM
Alliance Key Manager for Amazon Web Services