5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks

1 | © 2015,Palo Alto Networks. Confidential and Proprietary.
PALO ALTO NETWORKS
NEXT-GENERATIONSECURITY PLATFORM
5 Steps
To a Secure HybridArchitecture
- Bisham Kishnani

Bisham
Kishnani
Consulting Engineer – Data Center & Virtualization (APJC)
- Industry experience – 16+ years
- With Palo Alto Networks – 1+ year
- Previous Employer
- Juniper Networks – 9+ years
- US Telecoms – 2 years
- Apara Enterprises – 2years
- Wipro – 2 years

June
29,
2007
One
of
the
main
features
of
the
iPhone was
its

full-‐featured
browser.
The
thing
could
actually

visit
normal
webpages like
those
displayed
on

computers.

iPhone 1

Applications Have Changed, Security Hasn't
Network security policy is enforced at the
firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more

How Can You Build Security Using…..
• Two applications: browsing and email
• With predictable application behavior
• In a basic threat environment
Stateful inspection addresses:

Some Examples of How Applications Work
• Antivirus applications began using port 80 as their avenue for updates back in 1997. AV
is not a web application. The vendors did this to simplify access and better support their
customers
• AOL instant messenger (AIM) used to prompt you with “Find an open port?” if it could
not establish a connection
• BitTorrent, Skype both port hop and MS sharepoint uses a range of ports.
• Finally, MS-Lync – the messaging component for MS live 365 requires port 443, 3478
(stun), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999

Where
Are
These
Applications
Residing
?

Private
Cloud

(NSX,
ACI,
Openstack)
DATA CENTEREVOLUTION
Public
Cloud
(IaaS,

PaaS)
Software
as
a
Service
(SaaS)
INTERNET
• Shift
to
dynamic,
scalable,
self-‐provisioned
DC

infrastructure
• Transition
to
Network
Virtualization
in
addition
to

compute
and
storage
virtualization
Virtualized Compute, Network &
Storage

This PutsMore Security Pressuresin the DataCenter…
Wired Wireless VPN VDI

Employees, Guests, Partners, Contractors, and Temporary Workers
•Modern threats –
targeted, multi-vector,
persistent
SAAS
Private
/
Public

Cloud

Cyber Crime Today
THE
EVOLUTION
OF
THE
ATTACKER
$1+
CYBERCRIME NOW
trillion industry
100+nations
CYBER WARFARE

What this looks like in the real world…

What this looks like in the real world….

Additional Cloud Security Challenges
Limited visibility Outdated, inconsistent
technology
Cumbersome
processes

Security: A Shared Responsibility
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Encryption Key
Management
Client & Server
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
are

responsible
for
their

security
IN the
Cloud
AWS
looks
after
the

security
OF
the

platform

• Native AWS security includes Security Groups and Web Application Firewall
• Security Groups and ACLs
• Port-based filtering only
• No visibility traffic at the application level
• Cannot control file movement
• Web Application Firewalls
• Customized for each application/environment
• Focused narrowly on public facing web applications on HTTP/HTTPs
• No visibility, control, or protection on other applications
What Extra Can You ADD to Native Security ?

The VM-Series Next-generation Security Platform for AWS
§ Gathers potential threats from network
and endpoints
§ Analyses and correlates threat
intelligence
§ Disseminates threat intelligence to
network and endpoints
Threat Intelligence Cloud
§ Identify and Inspect all traffic
§ Blocks known threats
§ Sends unknown to cloud
§ Extensible to mobile & virtual networks
Next-Generation Firewall
§ Inspects all processes and files
§ Prevents both known & unknown exploits
§ Integrates with cloud to prevent known &
unknown malware
Advanced Endpoint Protection

1. Visibility into, and control over
applications, Not Ports
2. Segment applications to prevent
malware propagation
3. Prevent known and unknown threats
4. Centrally manage system
configuration, streamline policy
updates
VM-Series for AWS
AZ1b

• Applications and data isolated by
policy (whitelisting)
• Users granted access based on
need
• Traffic is protected from malware
2. Segmentation For Data Center Applications
Credit Card
Zone
Customer Support
Zone
Customer
service
Finance
Subnet1 Subnet2
Subnet3

NGFW as an AWS Gateway
§ VMs and data (VPCs) protected by
whitelist policy
§ VPC-to-VPC traffic is protected from
malware
§ Subnet to subnet traffic is also
controlled and protected
§ Users granted access based on
need/credentials
2. Segmentation In AWS Environment
AZ2c
DB VPC
DB1
DB2
AZ1b
Web VPC
Web1
Web2
Subnet1
Subnet2
Subnet1
Subnet2

3. Prevention at all Phases of the Attack Life Cycle
AZ1b
Web1
DB1
Subnet1
Subnet2
Leverage Exploit
Next-Generation
Firewall
Threat Prevention
(Block Known Threats)
Execute Malware
WildFire
(Block Unknown Threats)
Threat Prevention
(Anti-Malware)
Threat Prevention
(Prevent C&C)
Control Channel
Threat Prevention
(Block Lateral Movement)
Threat Prevention
(Prevent C&C)
Steal Data
File Blocking & Data
Filtering

• Centrally manage configuration and policy across
enterprise and cloud
• Aggregate traffic logs for visibility, forensics and reporting
• Streamline policy updates with API’s and dynamic
monitoring of AWS VPC
4. Streamline Management and Policy Updates
APIs
Application
Network
Security
AZ1b
Web1
DB1
Subnet1
Subnet2

VM-Series For AWS
Hybrid Cloud Security

• Combines best of both worlds
• Private data center for static, older workloads
• Public cloud for newer apps, agility, scalability
30 | ©2014,Palo Alto Networks. Confidential and Proprietary.
Hybrid Cloud Topology
IPSec VPNDC-FW1
DC-FW2
AZ1cAZ1b
Web1-01
Web1-02
Web2-01
Web2-02

• Subnet and route tables should be
established in AWS first
• Each subnet gets a unique route table
• External subnet routes to the IGW
• Internal subnet and route table should
exclude IGW
• Eliminates internal subnet to Internet
routing – even if firewall is
misconfigured
Step 1: Getting the Subnets Right

• Two licensing options enabled via AWS Marketplace
• Bring your own license (BYOL): Pick and choose licenses,
subscriptions and support to best suite our needs
• Consumption-based licensing in AWS marketplace: Fixed
bundles purchased for annual or hourly time periods
• Instances: Small c3 to c4.4xlarge. Confirm latest list in
AWS Marketplace
• Elastic Network Interfaces (ENI): Up to 8 ENIs with the first
ENI always dedicated to management
• Interface Modes: L3 only due to the AWS infrastructure requirements. TAP, L2, and virtual wire
interface modes are not supported
• CPU, Memory and Storage: All Instance types support 2, 4, or 8 vCPUs, and they all require at
least 4 GB of dedicated memory and 40 GB of EBS-optimized volume storage
Step 2: Deploy the VM-Series for AWS

• VM-Series for AWS acts as a VPN
termination point
• Fully supports IPSec VPN standards
Step 3: Establishing the IPSec VPN Connection

Challenge
• With two or more subnets, firewall can
intentionally or accidentally be bypassed
Step 4: Ensuring All Traffic Flows Through the Firewall
AZ1b
DB1
Web1

Solution
• Force all traffic to the firewall by adding a
self referencing security group
Step 4: Ensuring All Traffic Flows Through the Firewall
AZ1b
DB1
Web1
Challenge
• With two or more subnets, firewall can
intentionally or accidentally be bypassed
AZ1b
DB1
Web1

AWS Configuration to Force Traffic Through Firewall
Self referencing security groups

Validating the Configuration
Web to DB connection via the
VR and firewall succeeds
ubuntu@web1:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ubuntu@web1:~$ ping -c 3 db1
PING db1 (10.4.5.201) 56(84) bytes of data.
64 bytes from db1 (10.4.5.201): icmp_seq=1 ttl=63 time=0.891 ms
--- db1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms

Validating the Configuration
Attempted bypass by altering
default route is dropped
ubuntu@web1:~$ sudo route add default gw 10.4.3.1
ubuntu@web1:~$ sudo route del default gw 10.4.3.101
0.0.0.0 10.4.3.1 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Web to DB connection via the
VR and firewall succeeds
0.0.0.0 10.4.3.101 0.0.0.0 UG 0 0 0 eth0
10.4.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
rtt min/avg/max/mdev = 0.891/0.951/1.047/0.072 ms

• ECMP weighted round robin in private data center
• Distributes the load across multiple VM-Series instances
Step 4: Scaling the AWS Deployment Using ECMP
AZ1cAZ1b
Web1-01
Web1-02
Web2-01
Web2-02
DC-FW1
DC-FW2
Web0-01
Web0-01

• Traffic load is shared across both private and
public cloud
• Static routes on firewall across multiple VPN
tunnels adds redundancy
• Single load balancer configuration minimizes
management effort
Scaling the AWS Deployment Using On-Prem Load Balancer
AZ1c
DC-FW1
AZ1b
Web1-01
Web1-02
Web2-01
Web2-02
DC-FW2
Web0-01

• AWS Elastic Load Balancer supported
natively
• Citrix NetScaler – documented in tech pubs
Scaling the AWS Deployment Using AWS Load Balancing
AZ1cAZ1b
Web2-01
Web2-02
Web1-01
Web1-02
Web1-03
Web2-03
DC-FW1
DC-FW2
Web0-01
Web0-01

• Cloud Formation Templates (CFT)
• Scripted to deploy AWS resources
• Ranges from basic install of the VM-Series to a fully configured environment
• Check out the Hybrid Deployment Guidelines Whitepaper for a two tiered CFT
example
Step 5: Security Automation to Keep Pace with the Business
Automating resource deployment
z
AZ1b
Web1
DB1

Automating Firewall Deployments
PAN-‐OS
configuration
Security
policies
BYOL
licenses
Software
updates
Dynamic
content
Attach
to
Panorama

Device
Group
vm-series-bootstrap-aws-s3-
bucket=<bucketname>
S3
bucket

• Using AWS Tags and Dynamic Address Groups to drive policy updates
Security Automation to Keep Pace with the Business
Automating policy updates

• Gateway, Internet facing security
• Visibility: Classify all AWS traffic based on application identity
• Control: Enable those applications you want, deny those you don’t
• Authorize: Grant access based on user identity
• Inter-VPC, Subnet Protection Use Case
• Protect traffic within the VPC and traversing each subnet
• Control which applications can communicate with each other
• Prevent threats from moving laterally
• GlobalProtect Remote Access
• Leverage scale & availability of AWS to reach global employees
• Extend corporate security policies to remote users
Additional VM-Series for AWS Use Cases

White Papers, Documents, Trails etc…

VM-Series For AWS Hybrid Cloud Deployment Guidelines Document
48

AWS Free Trial: Available now
Try one of the bundles for 15 days
• Just like an Eval
• PoC to production
• Free usage cannot be extended
• Automatically converts to hourly
purchase after 15 days if VM-
Series instance is running

5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks

5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (8)

Similaire à 5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks

Similaire à 5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Networks