JumpStart Guide for Cloud-Based Firewalls in AWS
TRANSCRIPT
©2019 SANS™ Institute | www.sans.org Sponsored by:
Monthly Webinar Series, in conjunction with Optiv
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Relevant Solutions Available in AWS Marketplace
Each brings unique value and capabilities to AWS customers:
• Next-Generation Firewall: complements native AWS security with real-time threat and data theft prevention
• CloudGuard IaaS: mitigate VPC attacks with auto-provisioning, auto-scaling, and automatic policy updates
• Managed Rules for AWS WAF: comprehensive ruleset package with regular updates
• BIG-IP Virtual Edition: suite of cloud-based firewall technology for a holistic approach
Today’s Speakers
• Brian Russell, Chair of the Cloud Security Alliance Internet of Things Working Group and CTO at TrustThink
• Anthony Tanzi, Partner Architect, Optiv
• David Aiken, Solutions Architect Manager, AWS Marketplace
Today’s Agenda
• Key terminology
• Implementation options
• Making the business case
• Capabilities – Cloud firewalls and threat prevention
• Evaluating cloud firewalls for AWS
• Making the choice
Key Terminology
• Network Firewall: Uses policy rules to monitor ingress/egress traffic and block unauthorized traffic. Rules are typically specified as IP/port combinations.
• Web Application Firewall: HTTP firewall that protects an application’s back-end servers from attacks such as cross-site scripting and SQL injection.
• Next-Generation Firewall: May include threat prevention, an application firewall, and inspection of TLS/SSL-encrypted traffic.
• Cloud-based Firewall: Operates under flexible licensing terms and provides cloud-tailored features such as application control, dynamic addressing, micro-segmentation and DNS security. Optimized to scale to meet demand.
• Threat Prevention: Add-on firewall features such as DDoS protection, URL filtering and subscription-based threat intelligence services that automatically update policy databases with blacklisted IP addresses, URLs and other information.
AWS Implementation Options
• Bring Your Own License (BYOL): Flexible deployment option for businesses already holding firewall licenses. The license is not tied to a specific subscription.
• Firewall-as-a-Service: Fully managed cloud firewall service that can be integrated directly with your AWS implementation. Often a good approach for small organizations that lack the capability to staff firewall administrators.
• Virtual Firewalls: Virtualized firewall appliances that operate in the cloud. Available from AWS Marketplace.
• Trusted Advisors: AWS Security Competency Partners that can advise on selection and configuration of firewalls. Engage through Consulting Partner Private Offers (CPPO).
Making the Business Case for Cloud Firewalls
• Blurred Lines: Organizations need cloud firewalls to protect more than just the perimeter; they must support the cloud applications and third-party integrations that have blurred the perimeter and shifted focus to data security.
• Remote Users: Operate anywhere/anytime and require secure connectivity with multi-factor authentication.
• Hybrid Ecosystems: Require secure connectivity across data centers and the cloud.
• Cost Savings: New pricing models are driving a reduction in up-front expense in favor of flexible monthly and even hourly cost models.
Technical Considerations
Technical Considerations for Cloud-Based Firewalls and Threat Prevention in the Cloud
• Application Layer Support: Enable monitoring for application-layer threats and support capabilities such as AppID to filter on approved applications or application types.
• HTTP(S) Inspection: Inspect inside encrypted TLS traffic to identify hidden malware.
• Dynamic Addressing: Create policy that automatically adapts to changes (adds, moves and deletions of servers).
• Network Isolation and Micro-Segmentation: Filter traffic between trusted and untrusted environments and isolate networks and security across different environments (east/west).
• Automated Policy Management: APIs support automated management of firewall policies and enable coordination of firewall enforcement across multiple instances.
• Threat Prevention: Maintain a quality feed of threat intelligence and integrate it directly to update firewall rules based on new information on malicious content, sites and addresses.
Technical Considerations (cont’d.)
• Granular Policy Definition and Enforcement: Support multiple policies at multiple layers of the ecosystem, including applications, application types and functions, users, networks and ports/protocols. Enable nested policy enforcement.
• Situational Awareness: Share logging information in a standardized format to enable situational awareness across the organization’s infrastructure. Includes optimized reporting and metrics.
• Single View Visibility and Management: Manage all firewall instances from a single management station, including updates and configuration changes.
• File Blocking and Analysis: Block known-malicious files and analyze suspicious files before allowing them into the network.
• DNS Monitoring: Monitor for outgoing communications to known-bad URLs. Configure policy to send traffic destined for these URLs to an administrator-owned site for analysis.
Operational Considerations
Operational Considerations for Cloud-Based Firewalls and Threat Prevention in the Cloud
• Cost: Automated management, ease of deployment and managed updates reduce labor costs. Combining annual subscriptions with hourly costs allows economical scalability as needed.
• Incident Response: Incorporate log data from firewalls and threat data within incident response plans.
• Data Exfiltration Security: Flag and alert on data being sent to known-malicious sites.
• Intrusion Prevention: Prevent intrusions; evaluate traffic based on behavior and known signatures.
• Multi-Factor Authentication: Require MFA for VPN logins.
• Proxy: Use firewalls as proxies between networks.
AWS Considerations for Cloud-based Firewalls
Use the following evaluation factors to determine the right product for use in your network.
Level of AWS Integration
Firewalls should integrate with AWS services and support automated operations.
• Does the firewall provide support for both VPC and EC2 instances?
• Does the firewall integrate with AWS services such as EC2, AWS Firewall Manager, AWS Security Hub, AWS Transit Gateway and AWS GuardDuty?
• Does the firewall support high availability across multiple AWS regions?
• Does the firewall offer CloudFormation templates that can reduce time to deployment?
Policy Management
Cloud-based firewalls should enable granular and automated policy management features.
• Does the firewall support nested policies within security groups?
• Does the firewall enable automated configuration of security policies?
• Does the firewall support risk-based policy definitions?
Hybrid Environment Support
Firewalls implement IPsec VPNs to securely network across multiple VPCs, enterprise sites and SaaS providers.
• Does the firewall support dynamic addressing that allows you to create policy that automatically adapts to changes (adds, moves and deletions of servers)?
• Does the firewall support networking across multiple VPCs?
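The "dynamic addressing" capability named under Technical Considerations and asked about above is easiest to see in code: policy is written against server attributes (here EC2-style tags) and re-resolved into concrete rules whenever servers are added, retagged or removed. This is an added example, not code from the webinar or any vendor product; the rule shape, tag names and helper functions are assumptions.

```python
# Added example (not webinar/vendor code): tag-driven dynamic address groups.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Instance:
    """An EC2-style server: identity, private IP and the tags policy keys on."""
    instance_id: str
    private_ip: str
    tags: Dict[str, str]


@dataclass
class Rule:
    """Policy rule written against tag selectors, never against fixed IPs."""
    name: str
    src_selector: Dict[str, str]
    dst_selector: Dict[str, str]
    dst_port: int


def members(inventory: List[Instance], selector: Dict[str, str]) -> List[str]:
    """Private IPs of instances whose tags satisfy every selector key."""
    return sorted(
        inst.private_ip for inst in inventory
        if all(inst.tags.get(k) == v for k, v in selector.items())
    )


def resolve(policy: List[Rule], inventory: List[Instance]
            ) -> Tuple[List[Tuple[str, str, int]], List[str]]:
    """Expand tag-based rules into concrete (src, dst, port) tuples.

    A rule whose selector matches nothing is reported rather than silently
    producing no entries: an empty group usually means a tagging mistake.
    """
    concrete: List[Tuple[str, str, int]] = []
    warnings: List[str] = []
    for rule in policy:
        srcs = members(inventory, rule.src_selector)
        dsts = members(inventory, rule.dst_selector)
        if not srcs or not dsts:
            warnings.append(f"{rule.name}: selector matched no instances")
        for s in srcs:
            for d in dsts:
                if s != d:
                    concrete.append((s, d, rule.dst_port))
    return concrete, warnings


# Constructed inventory and policy (assumed tag names; not from the webinar).
POLICY = [Rule("web-to-db", {"Role": "web"}, {"Role": "db"}, 5432)]
INVENTORY = [
    Instance("i-web1", "10.0.1.10", {"Role": "web", "Env": "prod"}),
    Instance("i-db1", "10.0.2.10", {"Role": "db", "Env": "prod"}),
]


def after_scale_out(inventory: List[Instance]) -> List[Instance]:
    """Simulate an auto-scaling add: a new web node arrives with the right tag."""
    return inventory + [Instance("i-web2", "10.0.1.11", {"Role": "web", "Env": "prod"})]


def after_retag(inventory: List[Instance]) -> List[Instance]:
    """Simulate a move: the database is retagged, so it leaves the db group."""
    return [Instance(i.instance_id, i.private_ip, {**i.tags, "Role": "archive"})
            if i.instance_id == "i-db1" else i for i in inventory]


if __name__ == "__main__":
    print(resolve(POLICY, INVENTORY))
    print(resolve(POLICY, after_scale_out(INVENTORY)))  # new node covered, no policy edit
    print(resolve(POLICY, after_retag(INVENTORY)))      # empty group is flagged
```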
Logging
Logs provide a vital resource for incident response and forensics. All firewalls should provide logging features.
• Does the firewall offer a solution (potentially an add-on) that allows for aggregation of logs across multiple firewall instances?
• Does the firewall integrate with AWS logging services?
AWS Security Competency Approval
AWS security competencies for infrastructure security products provide a degree of confidence that the firewall meets minimum security standards for operation.
• Does the firewall have AWS security competency approval?
• Does the firewall meet other security standards and best practices?
Application Control
Firewalls should allow administrators to set policy based on applications.
• Does the firewall support filtering based on AppID to permit only approved applications within the network?
• Does the firewall support dynamic application filters and application groups that restrict the types of applications authorized on the network?
• Does the firewall support dynamic profiling to learn the behavior of an application over time?
Separation of Trusted and Untrusted Zones
Firewalls must be able to segregate traffic. This includes both north-south and east-west traffic.
• Does the firewall filter across trusted and untrusted zones?
• Does the firewall support micro-segmentation and isolation of subnetworks?
Management of Multiple Firewall Instances
Many firewall vendors provide software for seamless management of multiple firewall instances.
• Does the firewall include software that can manage all of the firewall instances in the cloud?
• Does the firewall management software allow you to push policies and perform updates to device configurations?
Scalability
Cloud-based firewalls should support elastic expansion, allowing them to scale automatically to meet the demands of your users.
• Does the firewall scale automatically?
• Can you use the firewall to augment data center installations and support peak demand (such as cloudbursting)?
Dynamic Reporting
Firewall vendors may offer enhanced management software to support analysis of firewall operations.
• Does the firewall provide reporting that allows for analysis of incoming requests?
• Does the firewall provide reporting that tracks trends in violations?
AWS Considerations for Threat Prevention
• Use the following evaluation factors to determine the right threat prevention service for use in your network.
• Threat prevention is often bundled as an add-on service to your firewall platform.
Threat Intelligence Source/Feed
Threat prevention services should be based on quality threat intelligence associated with the latest threats, actors and capabilities.
• Is the threat intelligence data timely?
• Is the threat intelligence data relevant to your organization’s mission?
Automated Updates and Malware Protection
Threat prevention services should keep customers up to date on the latest threats to their systems.
• Does the service provide a listing of known-bad addresses and sites?
• Does the service automatically update new malware signatures?
• Does the service automatically update firewall rules based on known malicious activity?
• Does the service support DNS sinkholing or DNS security?
Intrusion Prevention
Can the intrusion prevention function use behavior-based analysis to identify anomalies?
• Does the threat prevention service analyze logs, correlate events and block/alert on suspicious activity?
• Does the threat prevention service support behavioral analysis?
• Does the threat prevention service scan all traffic, including applications, users and content, and encrypted traffic?
Antivirus Support
Threat prevention services should incorporate antivirus support, including maintaining an updated list of signatures.
• Does the threat prevention service incorporate network antivirus features?
• Does the threat prevention service provide a file-blocking and analysis capability?
Data Exfiltration
Threat prevention services should provide features that keep data from leaving the network.
• Does the threat prevention service support DNS monitoring and redirection to an administrator-specified site?
• Does the threat prevention service flag traffic destined for known malicious domains?
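The DNS monitoring item under Technical Considerations, the DNS sinkholing question under Automated Updates and the redirection question above all describe the same control: answer queries for known-bad domains with an administrator-owned address and keep a record of which internal client asked. The following is an added example of that policy logic run over constructed query logs; it is not code from the webinar or any vendor product, and the blocklist entries, log format and sinkhole address are assumptions.

```python
# Added example (not webinar/vendor code): DNS sinkhole check over constructed logs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a threat-intelligence domain feed (not real indicators).
KNOWN_BAD_DOMAINS: Set[str] = {"c2-example.test", "dropper.malware-example.test"}
# Administrator-owned sinkhole address (assumed value) that redirected queries resolve to.
SINKHOLE_IP = "10.99.0.10"


def normalize(name: str) -> str:
    """Lower-case the name and strip a trailing dot so matching is exact."""
    return name.rstrip(".").lower()


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname, or None.

    An entry covers itself and every subdomain ("x.c2-example.test") but
    not names that merely end in the same characters ("notc2-example.test").
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return ".".join(labels[i:])
    return None


@dataclass
class SinkholeResult:
    answers: Dict[str, str] = field(default_factory=dict)            # qname -> answer
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)  # client, qname, entry


def apply_policy(log_lines: List[str], blocklist: Set[str] = KNOWN_BAD_DOMAINS,
                 sinkhole: str = SINKHOLE_IP) -> SinkholeResult:
    """Evaluate query log lines of the form "<timestamp> <client_ip> <qname>"."""
    result = SinkholeResult()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the policy engine
        _, client, qname = parts
        entry = matches_blocklist(qname, blocklist)
        if entry is None:
            result.answers[normalize(qname)] = "pass-through"
        else:
            # Answer with the sinkhole so the client never reaches the bad host,
            # and record who asked: that list is the incident-response lead.
            result.answers[normalize(qname)] = sinkhole
            result.alerts.append((client, normalize(qname), entry))
    return result


def infected_clients(result: SinkholeResult) -> List[str]:
    """Clients that were redirected, de-duplicated and sorted."""
    return sorted({client for client, _, _ in result.alerts})


# Constructed query log; the trailing dot and mixed case are deliberate edge cases.
SAMPLE_LOG = [
    "2019-05-01T10:00:00Z 10.0.1.23 api.c2-example.test.",
    "2019-05-01T10:00:01Z 10.0.1.23 www.example.com",
    "2019-05-01T10:00:02Z 10.0.2.7 NOTc2-example.test",
    "2019-05-01T10:00:03Z 10.0.3.9 dropper.malware-example.test",
]

if __name__ == "__main__":
    for client in infected_clients(apply_policy(SAMPLE_LOG)):
        print("redirected to sinkhole:", client)
```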
Making the Choice
Two options:
1. In-depth analysis
2. Select an AWS Security Competency Partner
In-Depth Analysis
Simple Analysis of Alternatives
1. Identify your organization’s unique requirements.
2. Weigh the requirements by importance to your organization. For example, weigh critical requirements as “high” and desired requirements as “low.” Cost should also be considered.
3. Review the capabilities of the native AWS firewall.
4. Compile a list of vendor firewall/threat prevention offerings from AWS Marketplace.
5. Evaluate each firewall/threat prevention offering against selected requirements.
6. Score each of the products against each requirement.
7. Calculate the sum score for each offering and select the product with the highest score.
AWS Security Competency Partner
• Reach out to a trusted third-party Consulting Partner to customize a firewall and threat prevention approach for security within the cloud.
• AWS Security Competency Partners are listed here: https://aws.amazon.com/security/partner-solutions/
Summary
• Cloud-based firewalls are tailored to the speed of the cloud.
• Critical to the security of the perimeterless organization.
• Many options to choose from in AWS Marketplace.
• Threat prevention services are often an add-on feature.
• Take note of the evaluation factors discussed here when making a choice.
• Use the services of a trusted partner to help choose and configure your cloud-based firewalls.
CLOUD-BASED FIREWALL KEY CONSIDERATIONS
Tony Tanzi, Partner Architect
KEY CONSIDERATIONS
Selection criteria typically fall into three areas:
• Security functions: the security functions correspond to the efficacy of the security controls and your team’s ability to manage the risk associated with the applications traversing your network, without slowing down the business.
• Operation: application policy should be accessible and simple to manage, applying automation to reduce manual effort so security teams can focus on high-value activities.
• Performance: performance criteria are simple: the firewall must do what it’s supposed to do at the required throughput for your business needs.
EVALUATION
• Can the firewall automate routine tasks by integrating with workflow automation, policy automation and security automation, as well as integrate with native AWS services?
• Does the solution enhance your network security by allowing safe enablement of applications, preventing both known and unknown threats, while doing so at an appropriate performance level?
RECOMMENDATIONS
1. Start by identifying required throughput requirements.
2. Gain a clear understanding of the firewall solution’s features, capabilities and additional integrations.
3. Test effectiveness to ensure you choose the firewall best suited to your unique business needs.
4. Consider total cost of ownership (efficiency, ease of use, integration and hidden costs).
5. Determine success criteria in advance.
6. Consider the bigger picture.
BIG PICTURE FEATURE CONSIDERATIONS
Cloud-based firewall requirements:
• Identify applications regardless of port, protocol, evasive tactics, or encryption
• Identify users regardless of device or IP address
• Decrypt encrypted traffic
• Protect in real time against known and unknown threats embedded in applications
• Deliver predictable, multi-gigabit, in-line throughput
• Automate routine tasks via API integration
• Integrate with AWS services such as Amazon EC2, AWS Firewall Manager, AWS Security Hub, AWS Transit Gateway and Amazon GuardDuty
• Does the firewall seamlessly support high availability across multiple AWS regions?
BIG PICTURE TECHNOLOGY CONSIDERATIONS
• Prevent theft and abuse of corporate credentials (Verizon 2017 DBIR: 81% of breaches due to compromised passwords)
• Safely enable all apps and control functions
• Stop attacks that use DNS as a channel to slowly deliver malware
• Maintain consistent policy across clouds, on-premises, remote or mobile networks
• Does the firewall provider have repositories available with templates to speed deployment in various scenarios, such as transit gateway deployment, integration with Ansible and Terraform, AWS-ELB-Autoscaling, reference architectures, etc.?
• Does the firewall provider have tools available to evaluate your feature usage and configuration?
CASE STUDY
Technology Company: Caller Authentication and Fraud Solution Provider
CHALLENGES
• Looking to host an aggregation point in the cloud (AWS) that their remote users can log into once (with VPN/MFA) and access several disparate data centers (prem and cloud). They also want to use the aggregation point to provide access for their white-listed partner APIs.
• AWS environment to contain multiple VPCs
• Wanted to protect all communication with next generation firewall features in the cloud
RECOMMENDATIONS
• Look at a transit VPC solution to protect inter-VPC communication
• Leverage a secure remote access solution that can support MFA
• Test leading solutions to find the best fit
SOLUTION
• Client engaged Optiv to put together a recommended design for the AWS Transit VPC solution utilizing a cloud-based firewall that would also support secure remote access with MFA
• Design that included inter-VPC traffic flow and remote access in detail delivered to the customer
• Detailed documentation of the protections provided by the cloud-based firewall solution delivered to the customer
RESULTS
• Client had a viable solution for secure remote access into their AWS environment
• Client is able to protect their inter-VPC communication
• Reduced platform management overhead
How customers are using cloud-based firewalls available in AWS Marketplace
What cloud-based firewall solutions are available in AWS Marketplace?
Next-Generation Firewall, CloudGuard IaaS, Managed Rules for AWS WAF and BIG-IP Virtual Edition (described at the start of this deck).
F5 security enables retail modernization, with BIG-IP platform technology
Benefits:
• Handles up to 80,000 web transactions in two days with no downtime
• Manage up to 10 times more application transactions
Palo Alto prevents compliance threats, using Next-Generation security platform protection
Benefits:
• Revealed threats from foreign states never before recognized
• Decreased traffic 29%
• Reduced unnecessary connected sessions by 30%
• Reduced platform failover from up to 60 seconds to less than one second
Why AWS Marketplace?
“If it had not been for AWS Marketplace, it would have taken a couple weeks before I even had the software installed on my side, because I would have to find a vendor, ensure their credibility, obtain quotations, and the proof of concept license.”
Chandrasekaran Hari, Cloud Solutions Architect, MatchMove
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you
How can you get started?
Complete the survey to learn more about the solutions mentioned.
Check out a variety of free offers:
• BIG-IP Virtual Edition - Best: 30-day free trial
• VM-Series Next-Generation Firewall Bundle 2: 15-day free trial
• Managed Rules for AWS WAF - Complete OWASP Top 10: video tutorial
• CloudGuard IaaS Next Gen Firewall & Threat Prevention: 30-day free trial
Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.
Acknowledgments
Thanks to our sponsor, and to our special guests David Aiken and Anthony Tanzi.
And to our attendees, thank you for joining us today!