AWS Cloud Firewalls

AWS Cloud Firewall Review
Architecture Decision Group
October 6, 2015 – HUIT-Holyoke-CR 561
• What is current state?
• What are the problems with current state?
• What is Cloud Firewall and how does it solve the problems of current state?
• Discussion/Questions
What is current state?
AWS Networking Current State
[Diagram: the Internet reaches AWS through AWS Internet Gateways and AWS Virtual Routers; the Harvard sites 1 Summer and 300 Bent reach AWS over Direct Connect, with a routing decision ("Is a Harvard Network?") selecting the Direct Connect path; each virtual private cloud spans two Availability Zones and runs its own NAT Instances; the VPCs are joined by VPC Peering Connections.]
What are the problems with current state?
What if?
[Diagram: the same topology as the current-state slide, with failure points marked (X) at the AWS Virtual Routers and along the Direct Connect path toward the campus sites and NAT Instances, illustrating the single points of failure in the current state.]
Current State Problems/Limitations
• All access controls (security groups and network ACLs) operate only at the IP and port layers
• No ability to place network taps
– Limits visibility into active issues
– Limits incident response
• Limited high availability due to the AWS network design
– Multicast and broadcast traffic do not work in AWS, so failover mechanisms that rely on them are unavailable
• No ability to enforce compliance requirements that mandate a proxy (for Level 3 & 4 Data)
– Currently this is on the honor system and self-managed by the individual teams
What is Cloud Firewall?
Cloud Firewall Design Goals
• Highly Available Design Extending Beyond the Harvard Campus
• Ability to Inspect both Ingress and Egress traffic by normal means, such as SPAN aggregators (Anue/Gigamon)
• Web Proxy Filtering without server-level configuration
• Firewall Capabilities for Ingress and Egress from Layer 4 through Layer 7, to meet present and future security needs
• Faster change management and updates to external firewall rules through programmatic (API) updates instead of GUI changes
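The last design goal above (rule changes pushed through the firewall's API rather than the GUI), as an added example that is not part of the original deck and is not Harvard's or Fortinet's code. It assumes a FortiOS release that exposes the `/api/v2/cmdb/firewall/address` and `/api/v2/cmdb/firewall/policy` endpoints and accepts a REST API token in an `Authorization: Bearer` header; the host, token, VDOM name (one VDOM per VPC, as on the architecture slide), interface names, address names and UTM profile names are placeholders.

```python
"""
Added example: build, validate and push a FortiGate rule change over the REST API.
Endpoints, auth header and field names are assumptions about the FortiOS release in use;
host/token/VDOM/interface/profile names are placeholders.
"""
import json
import urllib.request

API_BASE = "/api/v2/cmdb"


def address_object(name, cidr):
    """Body for a firewall address object (firewall/address)."""
    ip, prefix = cidr.split("/")
    return {"name": name, "type": "ipmask", "subnet": f"{ip}/{prefix}",
            "comment": "managed by API"}


def egress_policy(policy_id, name, srcintf, dstintf, srcaddr, dstaddr, services,
                  ssl_ssh_profile="deep-inspection", webfilter_profile="default"):
    """Body for an IPv4 policy (firewall/policy) with UTM and full traffic logging on,
    matching the visibility goals of the design."""
    return {
        "policyid": policy_id,
        "name": name,
        "srcintf": [{"name": srcintf}],
        "dstintf": [{"name": dstintf}],
        "srcaddr": [{"name": a} for a in srcaddr],
        "dstaddr": [{"name": a} for a in dstaddr],
        "service": [{"name": s} for s in services],
        "action": "accept",
        "schedule": "always",
        "logtraffic": "all",
        "utm-status": "enable",
        "ssl-ssh-profile": ssl_ssh_profile,
        "webfilter-profile": webfilter_profile,
    }


def validate_policy(policy):
    """Guardrails applied before anything is pushed; returns a list of problems."""
    problems = []
    if policy.get("action") == "accept":
        if policy.get("logtraffic") != "all":
            problems.append(f"{policy['name']}: accept policy without full traffic logging")
        if policy.get("utm-status") != "enable":
            problems.append(f"{policy['name']}: accept policy without UTM")
    if any(a["name"] == "all" for a in policy.get("srcaddr", [])) and \
       any(a["name"] == "all" for a in policy.get("dstaddr", [])):
        problems.append(f"{policy['name']}: any-to-any policy")
    return problems


def plan(vdom, addresses, policies):
    """Ordered (method, path, body) requests for one VDOM: addresses first, then policies."""
    reqs = [("POST", f"{API_BASE}/firewall/address?vdom={vdom}", a) for a in addresses]
    reqs += [("POST", f"{API_BASE}/firewall/policy?vdom={vdom}", p) for p in policies]
    return reqs


class _DryRunResponse:
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def dry_run_sender(req):
    """Stand-in for urllib.request.urlopen that sends nothing and reports 200."""
    return _DryRunResponse()


def push(host, token, requests_, send=urllib.request.urlopen):
    """Send each planned request; returns [(method, path, http_status)]."""
    results = []
    for method, path, body in requests_:
        req = urllib.request.Request(
            f"https://{host}{path}", data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with send(req) as resp:
            results.append((method, path, resp.status))
    return results


if __name__ == "__main__":
    # Constructed change: allow one VPC subnet to reach the web through the proxy/UTM path.
    addrs = [address_object("vpc-app-subnet", "10.0.1.0/24")]
    pols = [egress_policy(100, "app-egress-web", "dx-vpc-app", "outside",
                          ["vpc-app-subnet"], ["all"], ["HTTP", "HTTPS"])]
    assert not any(validate_policy(p) for p in pols)
    for r in push("fw.example.invalid", "TOKEN", plan("vpc-app", addrs, pols), send=dry_run_sender):
        print(r)
```

Run `validate_policy` on every rule before `push`; calling `push` with `send=dry_run_sender` prints the request plan without touching the firewall, which is the review step a change-management process wants before the real API call.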
Architecture Vetting Process
• AWS Subject Matter Experts and Account Teams have reviewed the proposal and approved the approach as valid and not unique to Harvard
• A Red Team review was done with several members of Network Engineering, Network Operations, and Network Systems Operations
• A review was completed with Scott Bradner
• A review was completed with Enterprise Architecture Leadership
Cloud Firewall is
• A multi-site geographic deployment of Direct Connect, FortiGate Next Generation Firewalls, and DNS Global Site Load Balancing
• A highly available ingress and egress NAT solution for Cloud deployments, focused on solving the problems with AWS but designed to work with multiple Cloud vendors in the future
• An inline implicit (transparent) web proxy, with SSL Inspection as required, for use inside AWS
• A Layer 4 and Layer 7 firewall (the layer of enforcement depends on the Data Level or opt-in) for both ingress to and egress from the VPC
– Not an intra-VPC ACL enforcement mechanism; security groups and network ACLs still govern traffic between instances inside a VPC
• A compliance, control, and visibility endpoint
– Direct Connect enforces its use as the only path in and out, and its physical nature provides Network Tap visibility (with supporting hardware from InfoSec)
Cloud Firewall Design Issues
1. AWS requires a single ingress/egress point of access
2. Firewalls will provide NAT translation from Public IP to Private IP in AWS
3. Global Site Selection via DNS will provide the active outside-access IP
4. Layer 7 Unified Threat Management, including Intrusion Prevention, Web Filtering, Data Leak Prevention, and Client Reputation, requires SSL inspection for full visibility on Egress
– Inbound traffic will have certificate inspection
– Egress traffic will have certificate inspection, with the option of Man-in-the-Middle SSL Deep Packet Inspection (which requires the inspection CA to be trusted by the clients behind the firewall)
AWS Routing Design
• The Ashburn deployment will advertise a default route into AWS
• The Harvard deployment will advertise a default route into AWS that is made to appear one network hop further away (AS path prepending), so it is used only if the Ashburn advertisement is withdrawn
• All traffic will go to the BGP best-path selected point, which by default is Ashburn
– Harvard-bound traffic will transit a set of private network links between Ashburn and Harvard
• AWS uses the BGP-learned (propagated) default route only when no overlapping static route exists in the VPC route table; a static route for the same prefix takes priority over a propagated one, so VPC route tables must not carry a static 0.0.0.0/0 (for example to an Internet Gateway) or the Cloud Firewall path is bypassed
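The two route decisions this design rests on, as an added example that is not part of the original deck and is not Harvard's or AWS's code: which Direct Connect site attracts AWS's outbound traffic under BGP best-path selection (shortest AS path, Harvard prepended once), and which entry a VPC route table actually uses when a static route overlaps the propagated default. The ASNs, prefixes and resource IDs are constructed placeholders, and the model only considers AS path length on the BGP side.

```python
"""
Added example: model of the BGP site preference and the VPC route-table
selection (longest prefix first, then static over propagated) that decide
whether traffic really flows through the Cloud Firewall.
ASNs, prefixes and resource IDs are placeholders.
"""
import ipaddress
from dataclasses import dataclass

# --- 1. BGP side: which site attracts AWS's default-route traffic ------------

HARVARD_ASN = 65001  # placeholder ASN used by both sites

ASHBURN_ADV = {"site": "Ashburn", "prefix": "0.0.0.0/0", "as_path": [HARVARD_ASN]}
# Harvard prepends its own ASN once so the path looks one hop longer.
HARVARD_ADV = {"site": "Harvard", "prefix": "0.0.0.0/0", "as_path": [HARVARD_ASN, HARVARD_ASN]}


def bgp_best_path(advertisements):
    """Shortest AS path wins (the only attribute this model uses); None if nothing is advertised."""
    if not advertisements:
        return None
    return min(advertisements, key=lambda a: len(a["as_path"]))


# --- 2. VPC side: does the propagated default route actually get used? --------

@dataclass(frozen=True)
class Route:
    prefix: str       # destination CIDR
    target: str       # next hop: vgw-* (Direct Connect / virtual private gateway), igw-* (Internet Gateway), local
    propagated: bool  # True when learned by route propagation from the VGW (BGP), False for a static entry


def select_route(table, destination):
    """Return the Route the VPC would use for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # longest prefix first; on a tie the static route (propagated=False) beats the propagated one
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.propagated))


def firewall_bypass_routes(table):
    """Static routes that shadow a propagated route for the same prefix: traffic skips the firewall."""
    propagated = {r.prefix for r in table if r.propagated}
    return [r for r in table if not r.propagated and r.prefix in propagated]


# Constructed sample route tables.
GOOD_TABLE = [
    Route("10.0.0.0/16", "local", propagated=False),
    Route("0.0.0.0/0", "vgw-cloudfw", propagated=True),   # default learned from the Cloud Firewall sites
]
BAD_TABLE = GOOD_TABLE + [
    Route("0.0.0.0/0", "igw-direct", propagated=False),   # static default to an IGW added by a team
]

if __name__ == "__main__":
    print("active site:", bgp_best_path([ASHBURN_ADV, HARVARD_ADV])["site"])
    print("Ashburn withdrawn:", bgp_best_path([HARVARD_ADV])["site"])
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        r = select_route(table, "93.184.216.34")
        bypass = [b.target for b in firewall_bypass_routes(table)]
        print(f"{name} table: internet-bound traffic -> {r.target}; bypass routes: {bypass}")
```

`firewall_bypass_routes` is the check worth running against every VPC route table (for example from a periodic audit job): any static entry it returns means that VPC's traffic is leaving through a path the Cloud Firewall never sees.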
[Diagram: physical deployment. Harvard side (300 Bent/60 Ox, 1 Summer, Campus Network): Internet via BGP Blend / Internet Provider, a pair of FortiGate 1500D firewalls (Per VPC to vDOM), a Cisco 6880-X VSS pair, Netscalers, and Direct Connect (via VSS). Ashburn DC4 side: a second FortiGate 1500D pair, 6880-X VSS, Netscalers, and Direct Connect to Transit PoP 1 and Transit PoP 2 via 32 AoA (NYC). The two sites are joined by Private Links (2x), all interconnects 10G SFP+.]
Summary
• Cloud Firewall provides outbound traffic filtering
• Cloud Firewall provides network visibility for InfoSec via:
– Traffic logs in FortiGate and FortiAnalyzer
– The ability to place network taps for offline analysis and response
• Failover and Disaster Recovery across the Ashburn and Harvard sites
Questions & Discussion