Cloud security groups are the firewalls of the cloud. They are built in and provide basic access control as part of the shared responsibility model. However, cloud security groups do not provide the protection or functionality that enterprises have come to expect from on-premises deployments. In this talk we discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how cloud security groups, the "cloud firewalls", fit into a world without perimeters. We practically explore cloud security group limitations across different cloud setups, from a single vNet to multi-cloud.
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
1. Best Of The World In Security Conference
Best Of The World In Security
12-13 November 2020
Cloud Security
Limitations of Cloud Security Groups and Flow logs
Avishag Daniely
Guardicore
S. Director of Product Marketing
@avishugz
About Me
• Boulderer, painter, yogi, dog lover
• Fluent in 3 languages + learning Chinese
• Cyber geek for 11+ years, with a passion for products, marketing and growth
Agenda
• The shift away from perimeters
• Top Cloud Security Threats
• Azure Terminology
• NSGs and ASGs
• Cloud Security Groups
• Flow Logs
• Limitations - Scenario Deep Dives
• Single vNet
• Multi vNet
• Multi Cloud
• AWS Security Groups and ACLs
We now live in a world with no defined perimeters
We are in the era of hybrid cloud
• 1993 – You own it: bare metal, routers, access switches
• 2005 – The Internet is more popular than ever, Facebook and Google emerge, SSL is the thing
• 2006–2010 – The cloud is born. You no longer own all the infrastructure
• 2013 – Containers are introduced to the world
• 2021 – Data centers are hybrid: virtual, cloud, bare metal, serverless, VDI, laptops, DaaS. People work from anywhere and everywhere
• 90% of businesses are in the cloud (source: 451 Research)
• 45% of infection vectors are based on cloud applications (source: IBM X-Force)
Top Cloud Security Threats
• Access management
• Network misconfigurations
• Data breaches and data leaks
• Insecure APIs
• Data loss
Some Concepts
vNet vs VPC
• vNet – the virtual network construct in Azure
• VPC – the virtual network construct in AWS
Cloud Security Groups
Source: arcitura
Azure Security Groups
ASGs & NSGs
NSGs (Network Security Groups) and ASGs (Application Security Groups) are used to administer and control network traffic within a virtual network (vNet).
The difference: an NSG is the Azure resource you use to enforce and control network traffic. An ASG is an object referenced inside an NSG's rules: a named group of network interfaces that a rule can use as its source or destination instead of IP addresses.
NSGs
NSGs control access by permitting or denying network traffic:
• between different workloads on a vNet
• from an on-premises environment into Azure
• directly from the Internet
In effect an NSG is an ordered list of ACL rules that allow or deny traffic to a destination on your vNet. Rules are evaluated by priority (lowest number first) and the first match wins; Azure's default rules sit at the lowest priorities and allow all intra-vNet traffic while denying all other inbound traffic.
All traffic entering or leaving your Azure network can be processed by an NSG.
An NSG is associated with a subnet or with a virtual machine's network interface (one NSG can be associated with multiple subnets or interfaces).
ASGs
Used within an NSG to apply a network security rule to a specific workload or group of VMs.
Typically used for scalability: creating a virtual machine and assigning its network interface to an ASG gives it all the NSG rules already in place for that ASG, with no IP addresses to edit.
Limitations in a single vNet
Simulation time – application migration to Azure
Our goal: migrate app SWIFT to Azure
Azure setup:
• Single vNet – subnet 10.0.2.0/24
• vNet region – Brazil
• NSG assigned to our vNet
• ASGs assigned per server role
• The NSG
• The ASGs
What this looks like: Brazil customer vNet with the NSG assigned, and four ASGs: swift-all, swift-apps, swift-DBS, swift-LBS.
The following NSG rules were set:
• Load balancers to web servers, over specific ports: allow
• Web servers to databases, over specific ports: allow
• Deny all else between SWIFT servers
The problem
A critical backup operation fails. What can be the cause?
• A configuration issue within the application, not policy related at all.
• The ASGs are misconfigured while the NSG rules are configured correctly.
• The ASGs are configured correctly but the NSG rules are misconfigured.
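To make the three candidate causes concrete, here is an added example (not from the talk, and not Guardicore code) that models how Azure evaluates NSG rules: ascending priority, first match wins, platform default inbound rules at 65000 (AllowVnetInBound), 65001 (AllowAzureLoadBalancerInBound) and 65500 (DenyAllInBound). The server names, the ASG memberships and the backup-1 server are constructed for the SWIFT scenario; the slides never show them.

```python
"""Added example (not from the talk): a small model of Azure NSG rule
evaluation for the SWIFT scenario.  Rules are evaluated in ascending
priority order and the first match wins; the default inbound rules are
AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and
DenyAllInBound (65500).  Server names, ASG membership and 'backup-1' are
constructed; they are not taken from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules 100..4096; lower number wins
    direction: str      # "Inbound" / "Outbound"
    access: str         # "Allow" / "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # ASG name, service tag or "*"
    destination: str    # ASG name, service tag or "*"
    dest_ports: str     # "443", "1000-2000" or "*"


# ASG membership is per network interface; modelled here as server names (constructed).
ASG = {
    "swift-LBS":  {"lb-1", "lb-2"},
    "swift-apps": {"web-1", "web-2"},
    "swift-DBS":  {"db-1"},
    "swift-all":  {"lb-1", "lb-2", "web-1", "web-2", "db-1", "backup-1"},
}

# The three rules from the slide, plus Azure's default inbound rules.
CUSTOM_RULES = [
    Rule("lb-to-web",  100, "Inbound", "Allow", "Tcp", "swift-LBS",  "swift-apps", "443"),
    Rule("web-to-db",  110, "Inbound", "Allow", "Tcp", "swift-apps", "swift-DBS",  "1433"),
    Rule("deny-swift", 200, "Inbound", "Deny",  "*",   "swift-all",  "swift-all",  "*"),
]
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound",              65000, "Inbound", "Allow", "*", "VirtualNetwork",    "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*",              "*"),
    Rule("DenyAllInBound",                65500, "Inbound", "Deny",  "*", "*",                 "*",              "*"),
]


def _endpoint_matches(selector, server, asg):
    # Every server in this scenario sits inside the vNet, so the
    # VirtualNetwork service tag matches all of them.
    if selector in ("*", "VirtualNetwork"):
        return True
    return server in asg.get(selector, set())


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(src, dst, port, protocol="Tcp", rules=None, asg=None):
    """Return the first inbound rule that matches the flow src -> dst:port."""
    asg = ASG if asg is None else asg
    ordered = sorted((CUSTOM_RULES if rules is None else rules) + DEFAULT_INBOUND,
                     key=lambda r: r.priority)
    for r in ordered:
        if r.direction != "Inbound" or r.protocol not in ("*", protocol):
            continue
        if (_endpoint_matches(r.source, src, asg)
                and _endpoint_matches(r.destination, dst, asg)
                and _port_matches(r.dest_ports, port)):
            return r
    raise RuntimeError("DenyAllInBound matches everything; unreachable")


if __name__ == "__main__":
    for src, dst, port in [("lb-1", "web-1", 443), ("web-1", "db-1", 1433),
                           ("backup-1", "db-1", 1433)]:
        r = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}: {r.access} by {r.name} (priority {r.priority})")
```

Run as-is, the backup server's connection to the database is denied by deny-swift (priority 200): the "deny all else" rule sits far above the default AllowVnetInBound and shadows it, so a role that was never given an allow rule fails. That is the third cause on the slide. Drop backup-1 from swift-all instead and the same flow falls through to AllowVnetInBound, which is the second cause: the rule set is the same, only ASG membership differs. Both outcomes hinge on membership and priority, neither of which a failing backup job reports.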
Flow Logs
Flow log limitations
• Dynamic IPs make it nearly impossible to track changes: the log records addresses, not servers
• Needle in a haystack – one line per flow tuple, with no grouping by server or by the change that caused a denial, so the culprit has to be reconstructed by hand
• No indication of how a security group change affects traffic: the log records only whether each flow was allowed or denied and the name of the rule that matched, not what the policy would do after an edit
• No application or user context – only IPs and ports
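What the log actually contains is best seen by parsing one. The following is an added example (not from the talk, and not Guardicore code) that flattens NSG flow log records in the documented schema version 2 layout, records[].properties.flows[] = {rule, flows: [{mac, flowTuples}]}, with each tuple being unix_time,src_ip,dst_ip,src_port,dst_port,proto(T/U),dir(I/O),decision(A/D),state(B/C/E),pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s. The record itself is constructed for the SWIFT scenario; addresses, MACs, timestamps and the subscription ID are invented.

```python
"""Added example (not from the talk): parse NSG flow log records (schema v2)
and summarise denials.  The record below is constructed for illustration;
addresses, MACs, timestamps and the subscription ID are invented."""
import json
from collections import Counter
from dataclasses import dataclass

SAMPLE_RECORD = json.dumps({"records": [{
    "time": "2020-11-12T09:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                   "SWIFT/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SWIFT-NSG"),
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_web-to-db", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1605171600,10.0.2.21,10.0.2.30,50212,1433,T,I,A,B,,,,",
            "1605171601,10.0.2.21,10.0.2.30,50212,1433,T,I,A,E,12,2048,10,30720"]}]},
        {"rule": "UserRule_deny-swift", "flows": [{"mac": "000D3A000002", "flowTuples": [
            "1605171610,10.0.2.40,10.0.2.30,44100,1433,T,I,D,B,,,,",
            "1605171611,10.0.2.40,10.0.2.30,44101,1433,T,I,D,B,,,,",
            "1605171612,10.0.2.40,10.0.2.30,44102,1433,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1605171620,198.51.100.7,10.0.2.21,55000,23,T,I,D,B,,,,"]}]},
    ]}}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # T = TCP, U = UDP
    direction: str   # I = inbound, O = outbound
    decision: str    # A = allowed, D = denied
    state: str       # B = begin, C = continuing, E = end
    rule: str        # the NSG rule that matched


def parse_flow_logs(text):
    """Flatten one flow log blob into Flow objects, one per tuple."""
    flows = []
    for rec in json.loads(text)["records"]:
        for group in rec["properties"]["flows"]:
            for nic in group["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], f[8], group["rule"]))
    return flows


def denied_summary(flows):
    """Group denied flows by (src, dst, dst_port, rule) so a repeating block
    stands out.  The key is an IP address: mapping 10.0.2.40 back to a VM
    needs a separate lookup, and with dynamic addressing that lookup can
    already be stale by the time the log is read."""
    return Counter((f.src, f.dst, f.dport, f.rule)
                   for f in flows if f.decision == "D").most_common()


if __name__ == "__main__":
    for key, n in denied_summary(parse_flow_logs(SAMPLE_RECORD)):
        print(n, "denied:", key)
```

Everything the log can tell you about the failing backup is the line "3 denied: ('10.0.2.40', '10.0.2.30', 1433, 'UserRule_deny-swift')": a source address, a destination address, a port and a rule name. Which server 10.0.2.40 is, which process on it opened the connection and on whose behalf is not in the data, and if that VM picks up a new address tomorrow the tuple changes while the policy does not.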
Simulation time – let's block threats
Our goal:
• Block Telnet & insecure FTP
• Block a malware propagation
Azure setup (same):
• Single vNet – subnet 10.0.2.0/24
• vNet region – Brazil
• NSG assigned to our vNet
• ASGs assigned per server role
Security group limitations
• Block Telnet – block port 23: straightforward
• Block FTP – how?
  • Port 21 is not enough: only the control channel uses it
  • What about the dynamic high ports the data channel negotiates?
• Block malware propagation – how?
  • Ports? Not good enough
• No application-aware policies!
• No process-level policies!
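Why "block port 21" is not an FTP policy: FTP negotiates its data connection inside the control channel, so the data port is only known at run time. The following added example (not from the talk, and not Guardicore code) parses the three ways the port is announced (the client's PORT command in active mode, the server's 227 reply in passive mode and the 229 reply in extended passive mode) and checks each against a port-based deny rule of the kind an NSG can express. The control-channel lines are constructed for illustration.

```python
"""Added example (not from the talk): FTP data ports versus a port-based
deny rule.  The FTP control-channel lines are constructed."""
import re

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(line):
    """Return (host, port, initiator) for an FTP data-channel announcement,
    or None if the line is not one.  initiator is who opens the TCP
    connection: 'server' for active mode (PORT), 'client' for passive."""
    m = PORT_RE.search(line)
    if m:
        g = list(map(int, m.groups()))
        return (".".join(map(str, g[:4])), g[4] * 256 + g[5], "server")
    m = PASV_RE.search(line)
    if m:
        g = list(map(int, m.groups()))
        return (".".join(map(str, g[:4])), g[4] * 256 + g[5], "client")
    m = EPSV_RE.search(line)
    if m:
        return (None, int(m.group(1)), "client")   # EPSV reuses the control connection's host
    return None


def port_rule_covers(ports_spec, port):
    """NSG-style destination port spec: '21', '20-21', '21,1024-65535' or '*'."""
    for part in ports_spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Constructed control-channel excerpt: one active and two passive negotiations.
CONTROL_CHANNEL = [
    "PORT 10,0,2,21,200,5",                            # server will connect to 10.0.2.21:51205
    "227 Entering Passive Mode (10,0,2,30,195,80).",   # client will connect to 10.0.2.30:50000
    "229 Entering Extended Passive Mode (|||60123|)",  # client will connect to port 60123
]


def uncovered_data_ports(lines, deny_ports="21"):
    """Data ports that a 'deny FTP' rule on deny_ports would NOT block."""
    out = []
    for line in lines:
        ep = data_endpoint(line)
        if ep and not port_rule_covers(deny_ports, ep[1]):
            out.append(ep[1])
    return out


if __name__ == "__main__":
    print("data ports a deny-21 rule misses:", uncovered_data_ports(CONTROL_CHANNEL, "21"))
    print("data ports a deny-21,1024-65535 rule misses:",
          uncovered_data_ports(CONTROL_CHANNEL, "21,1024-65535"))
```

A deny on port 21 kills the control channel for new sessions but says nothing about 51205, 50000 or 60123; the only port-based rule that covers every data connection is one that denies the whole ephemeral range, which also breaks every other service that uses those ports. Note too that in active mode the server opens the connection towards the client, so direction-based rules are inverted. An NSG is stateful per TCP connection but has no notion of the FTP protocol linking the two connections, which is exactly the application awareness the slide is asking for.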
Limitations in multiple vNets
Simulation time – policies between applications, between vNets
Our goal: security policies between CMS and Billing and SWIFT
Azure setup:
• 2 vNets
• vNet1 region – Brazil
• vNet2 region – West Europe
• NSG assigned to each vNet
• ASG assigned per app
• The NSG
• The ASGs
Brazil customer vNet: App_Swift, Billing_all. West Europe customer vNet: CMS_ALL_Servers.
What's our goal?
• Allow CMS over port 80 to SWIFT and Billing
• Block all other port 80 traffic
The problem
Would it be possible to create a rule with an ASG for the CMS app servers to the SWIFT & Billing applications even though they are in separate vNets?
According to the Azure documentation
• A vNet exists in a single region and a single subscription; multiple subscriptions cannot share the same vNet.
• An NSG can only be associated with subnets and network interfaces in its own region and subscription, and the ASGs referenced in its rules must all resolve within one vNet.
From the documentation:
"If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network."
With ASGs it is not possible to create policies for applications spanning vNets or regions! The rule has to fall back to the peer vNet's IP address ranges, which describe a network, not an application.
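The constraint quoted above can be checked before Azure rejects the deployment, and the fallback it forces can be made explicit. This added example (not from the talk, and not Guardicore code) validates an intended rule set for the Brazil NSG against the ASG scoping constraint and rewrites any foreign ASG reference as that vNet's whole address space. The vNet names, address spaces and ASG placements are constructed for the CMS / Billing / SWIFT scenario.

```python
"""Added example (not from the talk): detect NSG rules whose ASGs live in a
different vNet, and widen them to the peer vNet's CIDR.  vNet names,
address spaces and ASG placement are constructed."""
from dataclasses import dataclass, replace

# Which vNet each ASG's network interfaces belong to (constructed).
ASG_VNET = {
    "CMS_ALL_Servers": "vnet-westeurope",
    "App_Swift":       "vnet-brazil",
    "Billing_all":     "vnet-brazil",
}
# Address space of each vNet (constructed).
VNET_CIDR = {
    "vnet-brazil":     "10.0.0.0/16",
    "vnet-westeurope": "10.1.0.0/16",
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str
    source: str        # ASG name, CIDR or "*"
    destination: str   # ASG name, CIDR or "*"
    dest_port: str


def asg_scope_violations(nsg_vnet, rules):
    """Rules that reference an ASG whose NICs are not in nsg_vnet.
    Azure refuses to create these; returns (rule, asg, asg's vnet)."""
    bad = []
    for r in rules:
        for side in (r.source, r.destination):
            if side in ASG_VNET and ASG_VNET[side] != nsg_vnet:
                bad.append((r.name, side, ASG_VNET[side]))
    return bad


def widen_to_cidr(nsg_vnet, rules):
    """Rewrite foreign ASG references as that vNet's whole address space.
    The result deploys, but it is coarse: every host in the peer vNet now
    matches, not just the application the ASG named."""
    fixed = []
    for r in rules:
        src, dst = r.source, r.destination
        if src in ASG_VNET and ASG_VNET[src] != nsg_vnet:
            src = VNET_CIDR[ASG_VNET[src]]
        if dst in ASG_VNET and ASG_VNET[dst] != nsg_vnet:
            dst = VNET_CIDR[ASG_VNET[dst]]
        fixed.append(replace(r, source=src, destination=dst))
    return fixed


# Intended policy on the Brazil NSG: CMS -> SWIFT/Billing on 80, deny other 80.
BRAZIL_RULES = [
    Rule("cms-to-swift",   100, "Allow", "CMS_ALL_Servers", "App_Swift",   "80"),
    Rule("cms-to-billing", 110, "Allow", "CMS_ALL_Servers", "Billing_all", "80"),
    Rule("deny-http",      200, "Deny",  "*",               "*",           "80"),
]


if __name__ == "__main__":
    for name, asg, vnet in asg_scope_violations("vnet-brazil", BRAZIL_RULES):
        print(f"{name}: ASG {asg} lives in {vnet}, not in vnet-brazil")
    for r in widen_to_cidr("vnet-brazil", BRAZIL_RULES):
        print(f"{r.priority} {r.access} {r.source} -> {r.destination}:{r.dest_port}")
```

After widening, the two allow rules read "10.1.0.0/16 -> App_Swift:80" and "10.1.0.0/16 -> Billing_all:80": any machine that lands in the West Europe vNet, CMS or not, can reach SWIFT and Billing on port 80. Narrowing the CIDR to the CMS subnet helps only as long as CMS keeps its addresses, which is the dynamic-IP problem again.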
Limitations in multi-cloud
Simulation time – application migration from Azure to AWS
Our goal: migrate app CMS from Azure to AWS
Azure setup: 2 vNets, Brazil & West Europe
AWS setup: single VPC
• The NSG
• The ASGs
• The rules
Migrating the policy rules from Azure to AWS
Deny rules in Azure security groups must be translated into either:
• the implicit deny of AWS security groups, by allowing only the traffic that should pass and nothing else
• network-layer deny rules in AWS network access control lists (NACLs)
AWS NACLs & security groups
Security groups
Security groups are applied at the instance's network interface and are tied to an asset, not an IP. They only allow-list traffic (there are no deny rules) and are stateful: return traffic for an allowed connection is permitted automatically. Traffic crossing a subnet boundary passes both controls: inbound packets are evaluated by the subnet's NACL first and then by the instance's security group, outbound packets in the reverse order.
NACLs
Network access control lists are applied at the subnet level and match on CIDR blocks, so they are tied to IPs. They support both allow and deny rules, evaluated in rule-number order, but because they only understand addresses they cannot block by application context. They are stateless, so return traffic has to be allowed explicitly, typically across the whole ephemeral port range, which makes a tight NACL policy hard to write and audit.
AWS security groups vs NACLs
Security groups
• do not support deny (blacklisting) rules; they only allow-list
NACLs
• support both deny and allow rules but are tied to IP addresses within a VPC, so they can only block static IPs or a whole subnet
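The migration rule above ("deny rules become either an allow-list or a NACL entry") and the security group / NACL semantics just described can be put into one translation routine. This added example (not from the talk, and not Guardicore code) takes an Azure-style ordered allow/deny list and emits an AWS security group allow-list plus an ordered NACL, in the field names the EC2 API uses for IpPermissions and NetworkAclEntry. Because the NACL is stateless it also appends the ephemeral-range allow that replies need. Rule contents, the security group ID and the CIDRs are constructed for the CMS migration scenario.

```python
"""Added example (not from the talk): translate Azure NSG-style rules into an
AWS security group allow-list and an ordered, stateless NACL.  All rule
contents, the SG ID and the CIDRs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AzureRule:
    priority: int
    access: str       # "Allow" / "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR or ASG name
    dest_port: str    # "80", "1024-2000" or "*"


def _port_range(spec):
    if spec == "*":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def to_security_group(rules, asg_to_sg):
    """AWS SG ingress permissions.  asg_to_sg maps Azure ASG names to the SG
    IDs that replace them (SG-to-SG references are the AWS equivalent of an
    ASG); CIDR sources are kept as IpRanges.  Deny rules cannot be expressed
    in an SG at all, so they are returned separately rather than lost."""
    perms, dropped = [], []
    for r in sorted(rules, key=lambda r: r.priority):
        if r.access != "Allow":
            dropped.append(r)
            continue
        lo, hi = _port_range(r.dest_port)
        perm = {"IpProtocol": "-1" if r.protocol == "*" else r.protocol.lower(),
                "FromPort": lo, "ToPort": hi}
        if r.source in asg_to_sg:
            perm["UserIdGroupPairs"] = [{"GroupId": asg_to_sg[r.source]}]
        else:
            perm["IpRanges"] = [{"CidrIp": r.source}]
        perms.append(perm)
    return perms, dropped


def to_network_acl(rules, asg_to_cidr):
    """Ordered ingress NACL entries (rule numbers 100, 110, ...), lowest
    number evaluated first like NSG priority.  ASG sources must be widened to
    CIDRs because a NACL only understands addresses.  A final allow over the
    ephemeral range lets replies to instance-initiated connections back in,
    which a stateful SG does implicitly and a stateless NACL does not."""
    proto_num = {"Tcp": "6", "Udp": "17"}
    entries, num = [], 100
    for r in sorted(rules, key=lambda r: r.priority):
        lo, hi = _port_range(r.dest_port)
        entries.append({"RuleNumber": num, "RuleAction": r.access.lower(),
                        "Protocol": "-1" if r.protocol == "*" else proto_num[r.protocol],
                        "CidrBlock": asg_to_cidr.get(r.source, r.source),
                        "PortRange": {"From": lo, "To": hi}, "Egress": False})
        num += 10
    entries.append({"RuleNumber": num, "RuleAction": "allow", "Protocol": "6",
                    "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535},
                    "Egress": False})
    return entries


# Constructed Azure policy for the CMS app: allow CMS and the Brazil vNet, deny one /24.
AZURE_RULES = [
    AzureRule(100, "Allow", "Tcp", "CMS_ALL_Servers", "80"),
    AzureRule(110, "Allow", "Tcp", "10.0.0.0/16", "443"),
    AzureRule(200, "Deny",  "Tcp", "192.0.2.0/24", "80"),
]
ASG_TO_SG = {"CMS_ALL_Servers": "sg-0123456789abcdef0"}   # placeholder SG ID
ASG_TO_CIDR = {"CMS_ALL_Servers": "10.1.0.0/16"}


if __name__ == "__main__":
    perms, dropped = to_security_group(AZURE_RULES, ASG_TO_SG)
    print("SG ingress:", perms)
    print("not expressible in SG:", dropped)
    print("NACL:", to_network_acl(AZURE_RULES, ASG_TO_CIDR))
```

The two outputs show the trade-off the slides describe. The security group keeps the asset-based reference (the CMS servers' own security group stands in for the ASG) but silently has no place for the deny, which is why the function hands it back. The NACL keeps the deny and the ordering, but CMS has become 10.1.0.0/16, the deny is pinned to a static /24, and the closing ephemeral-range allow is wide open by necessity.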
Simulation time – policies cross-cloud
Our goal: the Accounting app in AWS must access ONLY the Billing app in Azure (and no other app in Azure)
Azure setup: 2 vNets, Brazil & West Europe
AWS setup: single VPC, London
The problem
Cloud providers' native tools do not offer full support for other providers' clouds, which limits their usability in multi-cloud environments.
Security group limitations
Azure and AWS security groups or NACLs can control cross-cloud traffic only by the public IPs the other cloud presents: the egress addresses of its VMs or NAT gateways, or the provider's published address ranges. Neither side has an object that identifies "the Accounting app" across clouds.
Sum up – limitations
Azure security groups & flow logs
• Limited visibility
• No policy simulation or indication of impact on traffic
• NSGs can only be applied within a vNet; ASG-based rules cannot span vNets
• Multiple subscriptions cannot share the same vNet
• To allow connections between clouds, one must permit the other cloud's public address range rather than a specific application
• Default NSG rules are permissive from day 1: all intra-vNet traffic and all outbound Internet traffic is allowed
• ASGs only cover network interfaces in the same vNet; everything else (on-premises, other clouds, PaaS endpoints) has to be addressed by IP. What if the IP is dynamic or needs to change?
Sum up – limitations
AWS security groups & NACLs
• Limited visibility
• No policy simulation or indication of impact on traffic
• Security groups only enable Allow, no Deny
• NACLs support both deny and allow rules, but are tied to IP addresses within a VPC, enabling blocking only static IPs or a whole subnet
Thank You!
@avishugz
avishag-daniely