MIGRATING APPLICATION CONNECTIVITY AND NETWORK SECURITY TO AWS: WHAT YOU NEED TO KNOW
Prof. Avishai Wool, CTO and Co-Founder

AGENDA
• Introduction to Amazon AWS Firewall and Security Groups
• AWS Network ACLs
• Challenges, pitfalls, and tips for a manageable AWS firewall policy
• Visibility in the AWS firewall
• Hybrid environments: AWS firewall alongside traditional firewalls
INTRODUCTION TO AMAZON AWS
WHAT AMAZON PROVIDES
• Rent servers
• Compute boxes (EC2)
• Storage (S3)
• Networking
• Low cost
• Outsourced – no IT department
• Elastic (power up / shut down lots of servers fast)
• Web UI, and programmable web-service API

WHAT ABOUT SECURITY?
• Amazon guarantees tenant/tenant separation
• But what about filtering policy (firewalls) for:
  • Internet <-> Amazon-server
  • Amazon-server <-> Datacenter
  • Amazon-server <-> Amazon-server
• Amazon’s solution: “AWS firewall”
• Free (price included in the server cost)
• Embedded in infrastructure
AWS FIREWALL: SECURITY GROUPS
SECURITY GROUPS – BASICS
• A key concept in AWS is “Security Group”
• A Security Group is a list of rules
• Comparable to a Check Point “Policy” or Cisco “Access List”
• Has a name
• A Security Group is associated with an instance:
  • Like a “host-based firewall”
ZOOM INTO RULES: WHERE IS THE DESTINATION?
SECURITY GROUPS – DETAILS
• Consists of 2 lists of rules: Inbound and Outbound
• One side of the rule is implicitly “me”
  • Inbound rules: from <Somewhere> to “me” with service S
  • Outbound rules: from “me” to <Somewhere> with service S
• “My” IP address is not listed in the rule
Result: the security group can be associated with any instance without any modification
INBOUND RULES
OUTBOUND RULES
SECURITY GROUPS – MORE DETAILS
• All rules are “PASS” rules
  • Not an oversight but a deliberate feature
• Rules do not perform NAT
  • The instance can have public and private IP addresses
  • AWS infrastructure takes care of this
• The order of rules inside a Security Group does not matter

SECURITY GROUPS AND INSTANCES: MANY TO MANY
A Security Group can be associated with many instances
An instance can be associated with many Security Groups!
• This is a unique AWS innovation
Why this works:
• All rules are PASS rules
• The order of security groups on an instance does not matter
AWS FIREWALL: NETWORK ACCESS LISTS (NACL)
NACL – BASICS
• A Network Access List (NACL) is also a list of rules, with a name
• Has separate Inbound and Outbound rules
• One side of the rule is implicitly “me”
• Similar to Security Groups
• A NACL is associated with the Subnet:
  • Applies to traffic into and out of all instances in the Subnet
  • “me” in NACL rules is really “all instances in the Subnet”
• A Subnet can have a single NACL
• An instance belongs to a single Subnet
• … so at most one NACL applies to each instance

NACL – EVALUATION ORDER
• A NACL can have both Allow and Deny rules
• So rule order matters inside a NACL
• Traffic incoming into an instance is evaluated against:
  1. The one NACL associated with the Subnet
  2. Then all the security groups associated with the instance (in some order)
• Traffic outgoing from an instance is evaluated against:
  1. All the security groups associated with the instance (in some order)
  2. Then the one NACL associated with the Subnet
• Traffic must be allowed by both the NACL and some Security Group
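The evaluation order above, worked through in code. This is an added example, not part of the deck: it models a NACL as an ordered list of allow/deny rules (lowest rule number wins, no match means deny) and an instance's security groups as an unordered union of PASS rules, and requires both to allow. The rule representation, the function names and the sample policy are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Rule:
    proto: str                 # "tcp", "udp", "icmp" or "any"
    ports: tuple = (0, 65535)  # (low, high) port range; ignored for icmp/any
    cidr: str = "0.0.0.0/0"    # the <Somewhere> side of the rule; "me" is implicit
    action: str = "allow"      # security groups only carry "allow"; NACLs may also "deny"
    number: int = 0            # NACL rule number; meaningless for security groups

def matches(rule, proto, port, addr):
    if rule.proto not in ("any", proto):
        return False
    if rule.proto in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)

def nacl_allows(nacl, proto, port, addr):
    # Ordered list: the first match by ascending rule number wins; no match means deny.
    for rule in sorted(nacl, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action == "allow"
    return False

def groups_allow(groups, proto, port, addr):
    # Unordered: every attached group holds only PASS rules, so any match allows.
    return any(matches(r, proto, port, addr) for g in groups for r in g)

def evaluate(direction, nacl, groups, proto, port, addr):
    # Inbound: NACL first, then security groups; outbound: the reverse. Returns
    # "allowed" or the stage that dropped the packet (stateful return traffic not modelled).
    checks = [("NACL", lambda: nacl_allows(nacl, proto, port, addr)),
              ("security groups", lambda: groups_allow(groups, proto, port, addr))]
    if direction == "outbound":
        checks.reverse()
    for stage, allowed in checks:
        if not allowed():
            return "denied by " + stage
    return "allowed"

# Constructed sample: a black-list range and broadly allowed services in the subnet
# NACL, plus a management group and an application group attached to the instance.
INBOUND_NACL = [Rule("any", cidr="203.0.113.0/24", action="deny", number=100),
                Rule("tcp", (443, 443), number=200),
                Rule("tcp", (22, 22), number=300),
                Rule("icmp", number=400)]
MGMT_SG = [Rule("tcp", (22, 22), "10.0.0.0/8"), Rule("icmp", cidr="10.0.0.0/8")]
WEB_SG = [Rule("tcp", (443, 443))]
INSTANCE_SGS = [MGMT_SG, WEB_SG]
```

Swapping the numbers of the deny rule and the HTTPS allow rule in INBOUND_NACL changes the outcome for the black-listed range, which is the "order matters" point; reordering the security group lists changes nothing.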
Control rule order inside a NACL
Deny rules
CHALLENGES AND TIPS

HOW TO ORGANIZE THE POLICY?
Things to think about:
• Modularity
• Making it understandable
Suggestions:
• General manageability Security Group (e.g., per OS)
• Specific functionality Security Group (e.g., by application)

General manageability Security Group:
• SSH access to command line (Linux)
• NTP to synchronize clocks
• ICMP to allow network troubleshooting (ping)
• Etc…

Specific functionality Security Group:
• Web access, etc…
NACL OR SECURITY GROUP?
• NACLs are broader: applied to a whole Subnet
• NACLs can have Deny rules
Possibilities:
• Put black-list IP ranges in the NACL
• If all instances in the Subnet should use a small list of services:
  • Allow (only) those services in the NACL, drop the rest
  • In Security Groups only do IP-address-based filtering (Service = Any)
• Or the other way around:
  • IP-based filtering in the NACL
  • Only service-based filtering in Security Groups (Source = Any)
Broadly allowed services (from anywhere)
Black-List
PITFALL: TOO MANY SECURITY GROUPS PER INSTANCE
Keep it understandable:
• Which policy protects a particular instance?
• Don’t forget the NACLs too
KISS principle: Keep It Simple…

Security Groups per Instance:
  1-2        Simple
  3          Borderline
  4 or more  Complicated

How to view the policy on an instance
• May be understandable – as long as the policy is really simple…
  • Not too many rules (without scrolling)
  • Not too many Security Groups (without many columns)
• What about NACLs?
• No search…

PITFALL: FINE-PRINT LIMITATIONS
AWS limitations:
• At most 20 rules per NACL (in each direction)
• At most 50 rules per Security Group (in each direction)
• At most 5 Security Groups per instance
Grand total of 5 x 50 + 20 = 270 rules per instance
• These are not large numbers!
• Plan your policy carefully so you don’t run out
AWS FIREWALL: VISIBILITY WITH ALGOSEC
• All rules applied to an instance:
  • NACL
  • Plus all associated Security Groups
• Searchable
• Across all vendors in the security estate

Risk reporting takes all rules (NACL + security groups) into account

Change reporting takes all rules (NACL + security groups) into account
CHANGE MANAGEMENT IN A HYBRID CLOUD
THE BIGGER PICTURE: AWS IS PART OF THE ESTATE
Business applications have:
• Resources in the AWS cloud
• Resources in the traditional data center
• … and connectivity requirements between them
Network security policy change process should support all devices
Requestor does not know or care which security policies need to be updated
AWS instance identified – together with traditional firewalls
How does the system know?
Work Orders for AWS security groups + Traditional device policies
SUMMARY
• Amazon AWS Firewall: Security Groups and Network ACLs
• Challenges, pitfalls, and tips for a manageable AWS firewall policy
• Achieving visibility in the AWS firewall with AlgoSec
• Managing hybrid cloud + traditional environments with AlgoSec
• Make sure to stop by our booth at AWS re:Invent in Las Vegas, Booth 207
MORE RESOURCES