AWS Cloud Firewall Review Architecture Decision Group October 6, 2015 – HUIT-Holyoke-CR 561.

Page 1

AWS Cloud Firewall Review

Architecture Decision Group

October 6, 2015 – HUIT-Holyoke-CR 561

Page 2

AWS Cloud Firewall Review

• What is current state?

• What are the problems with current state?

• What is Cloud Firewall and how does it solve the problems of current state?

• Discussion/Questions

Page 3

What is current state?

Page 4

AWS Networking Current State

Page 5

What are the problems with current state?

Page 6

What if?

Page 7

Current State Problems/Limitations

• All access controls operate only at the IP and port layers

• No ability to have network taps

– Limits visibility to active issues

– Limits response to incidents

• Limited High Availability due to AWS Network design

– Multicast and broadcast network traffic do not work in AWS

• No ability to enforce compliance requiring a proxy (for Level 3 & 4 Data)

– Currently this is based on the honor system and self-managed by the teams

Page 8

What is Cloud Firewall?

Page 9

Cloud Firewall Design Goals

• Highly Available Design Extending Beyond the Harvard Campus

• Ability to inspect both ingress and egress traffic via normal means such as SPAN aggregators like Anue/Gigamon

• Web Proxy Filtering without server-level configuration

• Firewall capabilities for ingress and egress from Layer 4 through Layer 7 to meet security needs present and future

• Ability to provide faster change management and/or updates to external firewall rules through programmatic API updates

Page 10

Architecture Vetting Process

• AWS Subject Matter Experts and Account Teams have reviewed the proposal and approved the approach as valid and non-unique

• A Red Team review was done with several members of Network Engineering, Network Operations, and Network Systems Operations

• A review was completed with Scott Bradner

• A review was completed with Enterprise Architecture Leadership

Page 11

Page 12

Cloud Firewall is

• A multiple geographic deployment of Direct Connect, Fortigate Next Generation Firewalls, and DNS Global Site Load Balancing

• A highly available ingress and egress NAT solution for Cloud deployments focusing on solving the problems with AWS but designed to work with multiple Cloud vendors in the future

• An inline implicit web proxy (with SSL inspection as required) for use inside AWS

• A Layer 4 and Layer 7 firewall (layer implementation dependent on Data Level or opt-in) for both ingress and egress into the VPC

– Not an intra-VPC ACL enforcement mechanism

• A compliance, control, and visibility endpoint

– Direct Connect enforces usage, and its physical nature provides network tap visibility (with supporting hardware from InfoSec)

Page 13

Cloud Firewall Design Issues

1. AWS requires a single ingress/egress point of access

2. Firewalls will provide NAT from public IP to private IP in AWS

3. Global Site Selection via DNS will provide the outside access active IP

4. Layer 7 Unified Threat Management including Intrusion Protection, Web Filtering, Data Leak Protection, and Client Reputation requires SSL inspection for full visibility on Egress

– Inbound traffic will have certificate inspection

– Egress traffic will have certificate inspection with the option for man-in-the-middle SSL deep packet inspection

Page 14

AWS Routing Design

• Ashburn Deployment will advertise default route into AWS

• Harvard Deployment will advertise a default route into AWS, artificially appearing one network hop further away

• All traffic will go to the BGP best-path-selected point, which is by default Ashburn

– Harvard traffic will transit a set of private network links between Ashburn and Harvard

• AWS prefers the BGP learned route over any static routes entered by the user
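The active/standby behaviour of the routing design above, as an added illustration that is not part of the deck: a small Python model of a VPC route table receiving two default routes over Direct Connect, where the Harvard site prepends its AS path so Ashburn wins BGP best-path selection until its route is withdrawn. The AS numbers, the site names used as next-hop labels, and the reduced best-path rule (AS_PATH length only, then a name tie-break) are assumptions.

```python
"""Toy model of the two-site default-route design (added example, not
Harvard's or AWS's code). Both Direct Connect sites advertise 0.0.0.0/0;
Harvard prepends its AS so it looks one hop further, making Ashburn the
best path. Withdrawing Ashburn's route fails traffic over to Harvard."""
from dataclasses import dataclass

# Constructed placeholder AS number; not the real campus ASN.
HARVARD_ASN = 65001


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str      # Direct Connect site the route was learned from
    as_path: tuple     # AS_PATH as seen by the VPC side


class Rib:
    """Minimal routing table: keeps every learned path, selects the best."""

    def __init__(self):
        self.paths = {}  # prefix -> list[Route]

    def advertise(self, route):
        self.paths.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix, next_hop):
        self.paths[prefix] = [r for r in self.paths.get(prefix, [])
                              if r.next_hop != next_hop]

    def best(self, prefix):
        cands = self.paths.get(prefix, [])
        if not cands:
            return None
        # Reduced BGP decision: shortest AS_PATH wins; name breaks ties.
        return min(cands, key=lambda r: (len(r.as_path), r.next_hop))


def build_design(prepend=1):
    """Ashburn advertises a plain path; Harvard prepends `prepend` hops."""
    rib = Rib()
    rib.advertise(Route("0.0.0.0/0", "ashburn", (HARVARD_ASN,)))
    rib.advertise(Route("0.0.0.0/0", "harvard", (HARVARD_ASN,) * (1 + prepend)))
    return rib


def active_site(rib):
    r = rib.best("0.0.0.0/0")
    return r.next_hop if r else None


def failover_sequence():
    """Normal operation, Ashburn link down, Ashburn link restored."""
    rib = build_design()
    seq = [active_site(rib)]
    rib.withdraw("0.0.0.0/0", "ashburn")
    seq.append(active_site(rib))
    rib.advertise(Route("0.0.0.0/0", "ashburn", (HARVARD_ASN,)))
    seq.append(active_site(rib))
    return seq  # ['ashburn', 'harvard', 'ashburn']
```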

Page 15

Page 16

Summary

• Cloud Firewall provides outbound traffic filtering

• Cloud Firewall provides network visibility for InfoSec via:

– Traffic Logs in Fortigate and FortiAnalyzer

– Ability to use network taps for offline analysis and response

• Failover and Disaster Recovery

Page 17

Questions & Discussion