
11/6/2018

AWS Network Security Deep Dive: Providing Network Protection for AWS Cloud Resources
Sponsored by

© 2018 Monterey Technology Group Inc.

Made possible by
Thanks to
https://www.firemon.com


Preview of Key Points
 Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
 Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
 AWS WAF — Provides firewall protection for web applications (Web Application Firewall)
 AWS Firewall Manager — Provides centralized management of AWS WAF
 VPC Peering Connections — Enables networking connection between two VPCs so that you can route traffic between them
 VPC Endpoints — Enables users to connect with AWS services that are outside the VPC through a private link
 AWS VPN Connections — Allows you to connect your Amazon VPC to remote networks via VPN
 AWS Direct Connect — Serves as a dedicated, private connection from a remote network to your VPC

Networking in the cloud
 Resources
   Virtual machines
   Virtual networks
   Non-VM cloud resources
     Storage
     Databases
     Event pipelines
     Hosted applications
   https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
 Connectivity
   Between VMs
   Between VMs and other cloud resources
   Between on-prem network and cloud
   Publishing VMs and cloud resources to Internet
   Allowing VMs access to Internet
   Cloud portal


Cloud network risks
 Compromise of cloud VMs from
   Internet
   Other VMs in the cloud
   Compromised endpoints in on-prem network
   Compromised business partners connected through on-prem network
   Compromised cloud portal account
 Compromise of cloud resources like storage and DBs
   From all of the above
 Compromise of on-prem network from
   VMs in the cloud
   Compromised cloud vendors

Basic elements
 Instances = virtual machines
 Virtual Private Cloud = overall IP network
 Diagram: one subnet, 10.42.2.0/24, holding instances 10.42.2.4 and 10.42.2.5
 Provided services:
  - DNS
  - Router to Internet
  - DHCP


Virtual Private Clouds
 Virtual Private Cloud
   Virtual network comprising subnets
   All subnets fit within the overall IP address space of the VPC
   2 kinds of subnets
     Public
       NOT public Internet addresses
       Just means there is a route to the Internet Gateway
     Private
       No route to the Internet
     VPN-only
       Route to VPN gateway
 Internet Gateway
   Similar to a standard router providing your network with Internet access via NAT
 Route Tables
   Control what traffic, if any, is routed between subnets within VPC

Connecting to AWS resources from outside AWS
 Public IP address
   Associated with a NIC on an Instance
   Security Group determines which ports
   Similar to reverse NAT rules on a normal router
 Public IPs can change during certain VM state transitions. Elastic IP Addresses are static.
 Diagram: public IP 40.124.6.97, with a Security Group rule "Allow 3389 from Internet", in front of subnet 10.42.2.0/24 holding instances 10.42.2.4 and 10.42.2.5


Basic network security in AWS
 Security Groups
   Like a policy for host firewall
   Can assign a given policy to multiple instance VMs
   Controls inbound and outbound traffic for assigned instance VMs
   Actually NICs – not the instance itself
 Network Access Control Lists
   Like a classic (router) firewall configuration
   Can be assigned to multiple subnets

Security Groups
 Like a policy for host firewall
 Can assign a given policy to multiple instance VMs
 Controls inbound and outbound traffic for assigned instance VMs
   Actually NICs – not the instance itself
 Can assign up to 5 security groups to a NIC
 No deny rules, allow only
 Stateful
   No need to define mirror rules for response traffic
 Rules
   Inbound
     Source
       Single IP address
       IP address block
       Security group
     Port or Port Range
   Outbound
     Destination
       Single IP address
       IP address block
       Security group
     Port or Port Range


Network ACLs
 Like a classic (router) firewall configuration
 Can be assigned to multiple subnets
 Each subnet has one and only one NACL
 NACLs control traffic to and from entire subnet

Security Groups vs Network ACLs
Security Group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules
AWS evaluates all rules before deciding whether to allow traffic | AWS processes rules in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group)
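The two evaluation models in the comparison above, as an added example that is not code from the webinar or from AWS: a small Python model of a Security Group (allow-only, stateful, every rule considered) next to a Network ACL (allow or deny, stateless, rules processed in number order, first match wins, implicit deny at the end). The rule format and the classes are my own, not the EC2 API; the web server address, the client addresses, the rule numbers and the 1024-65535 ephemeral range used for replies are constructed for the scenario.

```python
"""Model of how a Security Group and a Network ACL decide on a packet.

Added illustration (not AWS code). Everything below is constructed:
the rule format, the addresses and the rule numbers.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    direction: str  # "in" (towards the instance/subnet) or "out"


@dataclass(frozen=True)
class SgRule:
    direction: str
    cidr: str       # source for inbound rules, destination for outbound rules
    port_from: int
    port_to: int    # no action field: security group rules can only allow


@dataclass(frozen=True)
class NaclRule:
    number: int     # NACL rules are processed in ascending number order
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


def _matches(cidr, port_from, port_to, p):
    """Does the rule's address block and port range cover this packet?"""
    peer = p.src if p.direction == "in" else p.dst
    return (ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and port_from <= p.dst_port <= port_to)


class SecurityGroup:
    """Allow-only and stateful: all rules are considered, order is irrelevant,
    and the reply to an allowed packet is allowed without any rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # connection table: (src, dst, src_port, dst_port)

    def permits(self, p):
        if (p.dst, p.src, p.dst_port, p.src_port) in self.flows:
            return True  # return traffic of a tracked flow
        if any(r.direction == p.direction
               and _matches(r.cidr, r.port_from, r.port_to, p) for r in self.rules):
            self.flows.add((p.src, p.dst, p.src_port, p.dst_port))
            return True
        return False  # no rule matched: implicit deny (there are no deny rules)


class NetworkAcl:
    """Allow or deny and stateless: the lowest-numbered matching rule decides,
    replies need their own rule, and an unmatched packet is denied."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, p):
        for r in self.rules:
            if r.direction == p.direction and _matches(r.cidr, r.port_from, r.port_to, p):
                return r.action == "allow"
        return False


def web_server_scenario():
    """Constructed scenario: a web server at 10.42.1.10 in SubnetFrontEnd,
    one ordinary client and one client from a range the NACL is meant to block."""
    sg = SecurityGroup([SgRule("in", "0.0.0.0/0", 443, 443)])
    nacl = NetworkAcl([
        NaclRule(90, "in", "198.51.100.0/24", 0, 65535, "deny"),  # a deny: only NACLs can do this
        NaclRule(100, "in", "0.0.0.0/0", 443, 443, "allow"),
        NaclRule(110, "out", "0.0.0.0/0", 1024, 65535, "allow"),  # replies go to ephemeral ports
    ])
    nacl_no_ephemeral = NetworkAcl([NaclRule(100, "in", "0.0.0.0/0", 443, 443, "allow")])

    request = Packet("203.0.113.5", "10.42.1.10", 50000, 443, "in")
    response = Packet("10.42.1.10", "203.0.113.5", 443, 50000, "out")
    blocked = Packet("198.51.100.7", "10.42.1.10", 50001, 443, "in")

    return {
        "sg_request": sg.permits(request),
        "sg_response": sg.permits(response),           # allowed by state, no outbound rule needed
        "sg_blocked_client": sg.permits(blocked),      # True: a security group cannot deny
        "nacl_request": nacl.permits(request),
        "nacl_response": nacl.permits(response),       # needs rule 110
        "nacl_blocked_client": nacl.permits(blocked),  # False: rule 90 is hit first
        "nacl_response_without_ephemeral_rule": nacl_no_ephemeral.permits(response),
    }


if __name__ == "__main__":
    for name, verdict in web_server_scenario().items():
        print(f"{name}: {'allow' if verdict else 'drop'}")
```

The last key is the one that bites in practice: a NACL with only the inbound 443 rule lets the request in and silently drops the reply, which is why NACL changes need an outbound ephemeral-port rule that a security group never needs.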


Route Tables, NACLs and Security Groups
 Diagram: VPC 10.42.*.* containing
   SubnetFrontEnd 10.42.1.*, behind a NACL, holding WebSvrs, with a route to the Internet Gateway and on to the Internet
   SubnetSecTier 10.42.2.*, behind NACL SecTier, holding SecGrp DBSvr and SecGrp AppSvr
   A Route Table joining the subnets
   A Virtual Private Gateway to the On Prem Network 10.43.*.*

VPC connectivity
 Internet
 Your network
 Other VPCs
 Other AWS resources


VPC connectivity
 Internet
   Internet Gateway and Route Tables

VPC connectivity
 Your network
   VPN Connections
     AWS managed VPN
     AWS VPN CloudHub
     Third party software VPN appliance
   AWS DirectConnect


VPC connectivity
 Other VPCs
   Can be “peered” with each other
   Can’t have overlapping address ranges
   Including VPCs from another Amazon account and/or region

VPC connectivity
 Other AWS resources
   Keeps traffic to/from that resource private
   Interface Endpoints
     Like treating an AWS resource (e.g. CloudWatch) like a server and connecting its NIC to a subnet in your VPC
   Gateway endpoints
     Route table destination
 Diagram: the VPC reaching an AWS Cloud Resource (AWS S3 Storage) through an endpoint


Load Balancers
 Network Load Balancer
   Load balance TCP traffic
 Application Load Balancer
   Load balance HTTP/HTTPS traffic
 Comparison
   https://aws.amazon.com/elasticloadbalancing/features/#compare

AWS WAF
 Web Application Firewall
 Secures web request traffic to
   API Gateway
   Amazon CloudFront
   Application Load Balancer
 https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html


AWS Shield
 DDoS protection
 AWS Shield Standard
   Automated
   “most common, frequently occurring network and transport layer DDoS attacks”
 AWS Shield Advanced
   Higher bandwidth
   Dedicated team
 Comparison

AWS Firewall Manager
 Lets you use multiple AWS accounts and host applications in any desired region while maintaining centralized control over your organization’s security settings and profile
 Built around named policies that contain WAF rule sets and optional AWS Shield
 Doesn’t apply to security groups or NACLs


Bottom line
 AWS is just one cloud
   Google, Azure, etc. have similar options for networking and firewall
 Firewalls don’t go away with the cloud
   More “types” of firewalls than ever
     Windows Firewall on VMs
     Security Groups
     Network ACLs
     Route tables
     Web Application Firewalls
     Network Virtual Appliances
 How do you keep all this straight, understood, consistent and the configuration accurately reflecting your security intent?
 Managing all your on-prem firewalls is challenging enough, let alone the cloud.
 Firemon…
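Whether the configuration still reflects your security intent can be checked mechanically from data AWS already exposes. The following is an added example, not code from the webinar, from AWS or from FireMon: it takes records shaped like the EC2 describe-route-tables, describe-security-groups and describe-instances output (constructed here and simplified, with an instance's security groups listed at the top level), classifies each subnet as public, VPN-only or private by the gateway its route table points at (the definitions from the Virtual Private Clouds slide), and reports instances whose security groups allow SSH or RDP from 0.0.0.0/0, rating the ones that also sit in a public subnet with a public IP as high. The subnet, group and gateway ids, the addresses and the rules are all constructed; the 40.124.6.97 public IP and the 10.42/10.43 ranges are the ones drawn on the slides.

```python
"""Audit: which instances have admin ports open to the world, and are they reachable?

Added example (not webinar, AWS or FireMon code). The records mimic the shape of
EC2 describe-* output but are constructed and simplified.
"""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# constructed route tables: SubnetFrontEnd routes to an Internet Gateway,
# SubnetSecTier only to a Virtual Private Gateway, a third subnet nowhere
ROUTE_TABLES = [
    {"RouteTableId": "rtb-frontend", "Associations": [{"SubnetId": "subnet-frontend"}],
     "Routes": [{"DestinationCidrBlock": "10.42.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-sectier", "Associations": [{"SubnetId": "subnet-sectier"}],
     "Routes": [{"DestinationCidrBlock": "10.42.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.43.0.0/16", "GatewayId": "vgw-EXAMPLE"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-isolated"}],
     "Routes": [{"DestinationCidrBlock": "10.42.0.0/16", "GatewayId": "local"}]},
]

# constructed security groups: WebSvrs exposes HTTPS and, by mistake, RDP to the
# world; AppSvr allows SSH from the on-prem range only; DBSvr allows everything
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "WebSvrs", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "GroupName": "AppSvr", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.43.0.0/16"}]}]},
    {"GroupId": "sg-db", "GroupName": "DBSvr", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# constructed instances (security groups listed at the top level for brevity)
INSTANCES = [
    {"InstanceId": "i-web1", "SubnetId": "subnet-frontend", "PublicIpAddress": "40.124.6.97",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app1", "SubnetId": "subnet-sectier", "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-db1", "SubnetId": "subnet-isolated", "SecurityGroups": [{"GroupId": "sg-db"}]},
]


def classify_subnets(route_tables):
    """Map subnet id -> 'public' (route to igw-), 'vpn-only' (route to vgw-) or 'private'."""
    classes = {}
    for rt in route_tables:
        targets = [r.get("GatewayId", "") for r in rt["Routes"]]
        if any(t.startswith("igw-") for t in targets):
            cls = "public"
        elif any(t.startswith("vgw-") for t in targets):
            cls = "vpn-only"
        else:
            cls = "private"
        for assoc in rt["Associations"]:
            classes[assoc["SubnetId"]] = cls
    return classes


def world_open_admin_ports(group):
    """Admin ports the group allows from any source (a /0 block). '-1' means all protocols and ports."""
    hits = set()
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        if not any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0 for r in perm["IpRanges"]):
            continue
        if perm["IpProtocol"] == "-1":
            hits.update(ADMIN_PORTS)
            continue
        hits.update(p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"])
    return hits


def audit(instances, security_groups, route_tables):
    """One finding per instance with a world-open admin port: 'high' when it is
    reachable now (public subnet and a public IP), 'medium' otherwise, because
    the rule still violates intent and becomes reachable as soon as a public IP
    or an IGW route is added."""
    subnet_class = classify_subnets(route_tables)
    groups = {g["GroupId"]: g for g in security_groups}
    findings = []
    for inst in instances:
        open_ports = set()
        for ref in inst["SecurityGroups"]:
            open_ports |= world_open_admin_ports(groups[ref["GroupId"]])
        if not open_ports:
            continue
        cls = subnet_class.get(inst["SubnetId"], "unknown")
        exposed = cls == "public" and "PublicIpAddress" in inst
        findings.append({"instance": inst["InstanceId"], "subnet_class": cls,
                         "ports": sorted(open_ports), "internet_exposed": exposed,
                         "severity": "high" if exposed else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit(INSTANCES, SECURITY_GROUPS, ROUTE_TABLES):
        names = ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in f["ports"])
        print(f"{f['severity'].upper()}: {f['instance']} ({f['subnet_class']} subnet) allows {names} from 0.0.0.0/0")
```

Against the constructed data this reports the web server (RDP open to the world in a public subnet with a public IP) as high and the database server (allow-all from 0.0.0.0/0, but in a subnet with no Internet route) as medium, and says nothing about the app server, whose SSH rule is scoped to the on-prem range. Feeding it real output from the EC2 API rather than the inline records is the only change needed to run it against an account.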

REAL-TIME VISIBILITY FOR THE HYBRID ENTERPRISE
Nov. 6th, 2018
Sanjay Raja
CMO - Lumeta
sraja@lumeta.com


Today’s Business Drivers Enable a Greater Attack Surface
• Network complexity with mobile and IoT
• Movement to cloud with less visibility
• Risk from acquisitions, suppliers & partners
• Integration and Secured Interoperability
On average, over 40% of dynamic networks, endpoints, cloud infrastructure are unknown, unmanaged, rogue and/or shadow IT, leading to significant infrastructure blind spots and lacking real-time awareness

Challenges for Security & Cloud Ops Teams
• Balancing security & compliance needs with the internal application owners
• Desire to migrate workloads to cloud faster and leverage native cloud platform services/innovation
• Detecting and responding quickly to security or network anomalies – latency matters
• Detect application bottlenecks
• Detect lateral movement of threats
• Detect data exfiltration
• Deploy a well-defined cloud security architecture
• Scalable, cloud optimized, flexible, supporting a broad set of virtual and physical tools


Cloud & Containers Security Come Squarely Into Frame
• Public cloud provider (think AWS, Azure, Google, etc.) is responsible for security “of” the cloud
• Enterprise (you) are responsible for security “in” the cloud
• And what is the impact of this on the rest of your enterprise?
• Enterprise considerations of public cloud security should focus on:
  • Shadow-IT
  • Misconfiguration
  • Vulnerabilities

Huge Gaps Exist in Hybrid Enterprise Visibility
Lumeta Actual Customer | Gov’t | Healthcare | Hi-Tech | Finance | Question
Presumed Endpoints | 150,000 | 60,000 | 8,000 | 600,000 |
Discovered Endpoints | 170,000 | 89,860 | 14,000 | 1,200,000 | Is your endpoint (EDR), NGAV and VA software protecting all of these? Are these all patched?
Endpoint Visibility Gap | 12% | 33% | 43% | 50% |
Unmanaged Networks | 3,278 | 24 | 5 | 771 | Does NAC, Flow collection, or PCAP-based DPI know all of these?
Unauthorized or Unsecured Forwarding Devices | 520 | 0 | 2026 | 420 | Do ANY of your Security or Network Monitoring/Modeling solutions identify these?
Known but Unreachable Networks | 33,254 | 6 | 16,845 | 28 | If Lumeta can’t reach these, can VA, IPAM, DPI, patch or other cyber tools?
Leak-paths to Internet Identified on Deployment | 3,000 | 120 | 9,400 | 220 | Other existing security tools have limitations in the cloud
DPI – Deep Packet Inspection; NAC – Network Admission Control; NGAV – Next Generation Anti-Virus; EDR – Endpoint Detection and Response; PCAP – Packet CAPture; IPAM – IP Address Management; Flow – NetFlow, Sflow, IPFIX; VA – Vulnerability Assessment


Lumeta Spectre Closes the Visibility Gap
1. Eliminate 100% of your Infrastructure Blind Spots: Find, on average, 40% more IPs and even whole networks beyond other visibility or security solution
2. See 100% of your Dynamic Network Changes: Monitor for Every Network and Endpoint Add/Drop or Path Change especially at the Edge/Perimeter
3. Identify and Lock down 100% of your Leaks: Within minutes uncover unauthorized movement, segmentation violations and leak paths
4. Detect Suspicious Network Behaviors: Detect unauthorized flows, encryption, Zombies, C2 activity and other attack vectors common to advanced attacks

Singular Visibility Across Hybrid Enterprise Cloud
Diagram: Lumeta Spectre Scouts deployed across Amazon Web Services (AWS) or Azure Cloud, the VMWARE vCloud Air Network, the Physical Network, the OSPF Backbone, MPLS (CE/PE), the Private Cloud and a site-site VPN, all reporting to the Spectre Command Center with HDFS, which also takes in NetFlow and Threat Intel
Legend
1. OSPF LSA Indexing
2. BGP Peer Indexing
3. AWS Active + Passive Broadcast Indexing
4. DMZ Active Indexing through site-site VPN
5. Active + Passive Broadcast Indexing


Real-time Monitoring For Unknown, Shadow-IT
• IAAS cloud providers typically attached to enterprise network via VPN or equivalent secure site-site connection
• Lumeta probes hybrid-cloud VPNs from enterprise side – e.g. look through the VPNs
• Lumeta identifies in real-time:
  • Virtual private cloud (VPC) instances
  • Virtual hosts within those instances
  • L3 forwarders (routers) in a VM host
• Real-time cloud visibility available in SOC
Diagram: Lumeta Host Discovery and Lumeta Network Discovery reaching into Amazon Web Services, Azure, VMware Cloud, Google Cloud, IBM Cloud, etc., including an “Unknown?? Shadow IT VPC”

Leak-path Vulnerability Detection
• Policy may dictate none, or controlled, access to the Internet from within an enterprise attached cloud
• Due to security group misconfiguration, or malicious intent an unexpected leak-path to the internet can occur
• Lumeta will monitor in real-time the possibility any traffic is forwarded from VPC instances to an internet-hosted Lumeta Scout (sensor) or vice-versa
• The leak-path is reported directly to the enterprise SOC
Lumeta Research Across Verticals | Gov’t | Healthcare | Hi-Tech | Finance
Unauthorized or Unsecured Forwarding Devices | 520 | 83 | 2026 | 420
Leak-paths to Internet Identified on Deployment | 3,000 | 120 | 9,400 | 220
Diagram: Lumeta Leak Path Discovery between Azure / Amazon Web Services VPCs and the Internet

Case Study: State Dept of Health and Human Services Moving to Cloud
Customer Stats
• Industry: State Managed Health Care and Facilities
• Employees including care centers: 9,000
• Facilities: 30 including public hospitals, community centers and mental health, etc.
“We had strong concerns in moving more and more resources into the cloud without having the same visibility and control as on-premise. With Lumeta, we were able to get a full picture of our infrastructure reaching into the cloud, but also identified some shadow IT that was being used.”
Director of Cloud Security Architecture
Challenges
• Disjointed and incomplete view of the network across HQ, facilities and cloud hosted environments
• Inability to detect unapproved or malicious connections being used or created from the cloud
• No more agents! Especially in Cloud
• Concerns that some devops is setting up shadow IT environments in the cloud
Why Lumeta
• Lumeta Spectre delivered full end-to-end infrastructure visibility across HQ, facilities and cloud hosted services
• Real-time network monitoring for new (unapproved) connections to/from the cloud without using agents
• Spectre provided early warning into a set of malware infected hosts by detecting newly created TOR connections and remote server call back attempts to the internet
Impact
• Provided a real-time detailed mapping of entire network including all connected IP assets
• Detected over 22 existing leak paths across both on-premise and cloud infrastructure to the internet
• Early detection of malware activity included detailed network and asset information that allowed for fast remediation preventing a breach

CONTINUOUS SECURITY FOR THE HYBRID ENTERPRISE
Nov. 6th, 2018
Tim Woods
VP Technology Alliances
tim.woods@firemon.com


The world has changed…
Cloud Computing | Virtualization | Internet of Things
Business


The Complexity Gap continues to expand with no end in sight – increasing both expense and risk
Chart: Devices, Rules and Staff. Rule counts by year: 400 Rules (1995), 1,000 Rules (2001), 15,000 Rules (2005), 75,000 Rules (2009), 1,500,000 Rules (2017), against 1000s of Devices; the widening area between the curves is labelled Complexity Gap

Multiple Cloud Types
Hybrid | Multi | Public | Private


Multiple Cloud Types
Providers: Google, IBM Cloud

Security Must Meet the New Enterprise Reality


The hybrid enterprise requires the integration of three critical areas, all working in unison, to stay secure.
Diagram: three areas (Vulnerability, Compliance, Orchestration) with these capabilities:
• Prioritize Patches
• Attack Path Simulation
• Reduce Attack Surface
• Sub-second Audit Reporting
• Real-Time Compliance Check
• Internal and Regulatory Controls
• Device Rule Normalization
• Automate Change Management
• Context-aware Traffic Analysis

VULNERABILITY
Reduce the Attack Surface
Combine policy with vulnerabilities to simulate attacks, score security risks and prioritize action.
(The three-area diagram is repeated with area 1 highlighted.)

COMPLIANCE
Always Be Audit-Ready
Out-of-the-box reporting and a library of 350+ custom controls gives you ongoing compliance with absolute precision.
(The three-area diagram is repeated with area 2 highlighted.)

ORCHESTRATION
One Console, Global Security
Command security across the hybrid enterprise and automate policy change at warp speed.
(The three-area diagram is repeated with area 3 highlighted.)


Continuous Security Platform
Capabilities: Sub-second Audit Reporting; Prioritize Patches; Real-Time Compliance Check; Attack Path Simulation; Internal and Regulatory Controls; Reduce Attack Surface; Device Rule Normalization; Automate Change Management; Context-aware Traffic Analysis; Real-time Visibility

SECURITY SOLUTION PLATFORM
Diagram, top to bottom:
• GLOBAL POLICY CONTROLLER (Security Intent Orchestration)
• SECURITY MANAGER (Security and Compliance Mgmt): POLICY PLANNER, RISK ANALYZER, POLICY OPTIMIZER, RESTful API
• ENFORCEMENT FABRIC (Technology Partner ECO)
• Protecting ENTERPRISE APPLICATIONS, ASSETS, WORKLOADS, RESOURCES


Open API
Full open API that promotes interoperability across security solutions and applications is paramount
Diagram: Global Policy Controller, Security Manager, Policy Planner, Risk Analyzer and Policy Optimizer exposed through the FireMon Open API to DevOps Application Integration, Customer Application Data Exchange, Technology Partner ECO Integrations and MSSP Customer Portal Data

Thank You
For additional information, contact info@firemon.com

