Made possible by / thanks to https://www.firemon.com
11/6/2018
Networking in the cloud
Resources
• Virtual machines
• Virtual networks
• Non-VM cloud resources
  - Storage
  - Databases
  - Event pipelines
  - Hosted applications
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
Connectivity
• Between VMs
• Between VMs and other cloud resources
• Between on-prem network and cloud
• Publishing VMs and cloud resources to Internet
• Allowing VMs access to Internet
• Cloud portal
Basic elements
Diagram: subnet 10.42.2.0/24 with two hosts, 10.42.2.4 and 10.42.2.5
Provided services:
- DNS
- Router to Internet
- DHCP
Internet Gateway
Similar to a standard router providing your network with Internet access via NAT
Route Tables
Control what traffic, if any, is routed between subnets within VPC
Basic network security in AWS
Security Groups
• Like a policy for host firewall
• Can assign a given policy to multiple instance VMs
• Controls inbound and outbound traffic for assigned instance VMs
• Actually attached to the NICs (network interfaces), not the instance itself
Route Tables, NACLs and Security Groups
Diagram: VPC 10.42.*.* with an Internet Gateway to the Internet and a Virtual Private Gateway to the On Prem Network 10.43.*.*. SubnetFrontEnd (10.42.1.*) labels: NACL, Route Table, WebSvrs. SubnetSecTier (10.42.2.*) labels: NACL SecTier, SecGrp AppSvr, SecGrp DBSvr.
VPC connectivity
• Internet
• Your network
• Other VPCs
• Other AWS resources
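As an added example (not from the slides or from either vendor's product), here is a small Python check that reads security group ingress rules in the shape the EC2 describe-security-groups call returns and compares them with a declared intent for the diagram's three tiers (WebSvrs, SecGrp AppSvr, SecGrp DBSvr); the group IDs, ports and the drifted SSH rule are constructed for the example.

```python
"""Check EC2 security group ingress rules against a stated security intent.
Sample data is constructed to model the deck's three-tier VPC; the dict shape
follows the EC2 describe-security-groups response; group IDs are placeholders."""
import ipaddress

GROUPS = [  # constructed, not real groups
    {"GroupId": "sg-web", "IpPermissions": [  # WebSvrs in SubnetFrontEnd
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [  # SecGrp AppSvr in SubnetSecTier
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [  # SecGrp DBSvr in SubnetSecTier
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # Drifted rule: SSH opened to the whole VPC, which the intent never allowed.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.42.0.0/16"}], "UserIdGroupPairs": []}]},
]

# Intent: for each group, the (source, TCP port) pairs that may reach it. A source
# is "any" (0.0.0.0/0 or ::/0), a CIDR string, or "sg:<GroupId>" of another group.
INTENT = {
    "sg-web": {("any", 443)},        # only HTTPS from the Internet
    "sg-app": {("sg:sg-web", 8080)}, # only from the web tier's group
    "sg-db": {("sg:sg-app", 3306)},  # only from the app tier's group
}

def flatten(perm):
    """Yield (source, port) pairs for one IpPermissions entry.
    IpProtocol "-1" (all traffic) is reported with port None."""
    ports = [None] if perm["IpProtocol"] == "-1" else \
        range(perm["FromPort"], perm["ToPort"] + 1)
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += ["sg:" + g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    for src in sources:
        if src[:3] != "sg:" and ipaddress.ip_network(src, strict=False).prefixlen == 0:
            src = "any"  # a /0 in either address family means the whole Internet
        for port in ports:
            yield src, port

def violations(groups, intent):
    """Return every (GroupId, source, port) the intent does not allow; a group
    absent from the intent has no allowed sources, so all of its rules fail."""
    bad = []
    for g in groups:
        allowed = intent.get(g["GroupId"], set())
        for src, port in (p for perm in g["IpPermissions"] for p in flatten(perm)):
            if port is None or (src, port) not in allowed:
                bad.append((g["GroupId"], src, port))
    return bad
```

Run `violations(GROUPS, INTENT)` against the sample data and only the drifted SSH rule on sg-db is reported; pointing the same check at real describe-security-groups output gives a repeatable intent-versus-configuration diff.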
VPC connectivity: Internet
• Internet Gateway and Route Tables
VPC connectivity: Your network
• VPN Connections
  - AWS managed VPN
  - AWS VPN CloudHub
  - Third party software VPN appliance
• AWS Direct Connect
VPC connectivity: Other VPCs
• Can be “peered” with each other
• Can’t have overlapping address ranges
• Including VPCs from another Amazon account and/or region
AWS S3 Storage
https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
DDoS protection: AWS Shield
• AWS Shield Standard
  - Automated
  - “most common, frequently occurring network and transport layer DDoS attacks”
• AWS Shield Advanced
  - Higher bandwidth
  - Dedicated team
• Comparison
How do you keep all this straight, understood, consistent and the configuration accurately reflecting your security intent?
Managing all your on-prem firewalls is challenging enough, let alone the cloud.
Firemon…
© 2018 Monterey Technology Group Inc.
Sanjay Raja
CMO - Lumeta
sraja@lumeta.com
• Balancing security & compliance needs with the internal application owners
• Desire to migrate workloads to cloud faster and leverage native cloud platform services/innovation
• Detecting and responding quickly to security or network anomalies – latency matters
• Detect application bottlenecks
• Detect lateral movement of threats
• Detect data exfiltration
• Deploy a well-defined cloud security architecture
• Scalable, cloud optimized, flexible, supporting a broad set of virtual and physical tools
• Enterprise considerations of public cloud security should focus on:
  • Shadow-IT
  • Misconfiguration
  • Vulnerabilities
Huge Gaps Exist in Hybrid Enterprise Visibility
Chart: blind spots found at actual Lumeta customers in Gov’t, Healthcare, Hi-Tech and Finance.
1. Eliminate 100% of your Infrastructure Blind Spots: find, on average, 40% more IPs and even whole networks beyond other visibility or security solution
2. See 100% of your Dynamic Network Changes: monitor for every Network and Endpoint Add/Drop or Path Change, especially at the Edge/Perimeter
3. Identify and Lock down 100% of your Leaks: within minutes uncover unauthorized movement, segmentation violations and leak paths
4. Detect Suspicious Network Behaviors: detect unauthorized flows, encryption, Zombies, C2 activity and other attack vectors common to advanced attacks
Diagram labels: OSPF Backbone, VPN, CE, PE, Private Cloud, NetFlow, Threat Intel.
• Lumeta probes hybrid-cloud VPNs from enterprise side – e.g. look through the VPNs
• Lumeta identifies in real-time:
  • Virtual private cloud (VPC) instances
  • Virtual hosts within those instances
Diagram labels: Lumeta Network Discovery, Lumeta Host Discovery, VPNs, Shadow IT VPC (Unknown??), Azure, VMware Cloud, Google Cloud, IBM Cloud, Etc.
Case Study: State Dept of Health and Human Services Moving to Cloud
Customer Stats
• Industry: State Managed Health Care and Facilities
• Employees including care centers: 9,000
• Facilities: 30 including public hospitals, community centers and mental health, etc.
“We had strong concerns in moving more and more resources into the cloud without having the same visibility and control as on-premise. With Lumeta, we were able to get a full picture of our infrastructure reaching into the cloud, but also identified some shadow IT that was being used.” – Director of Cloud Security Architecture
Tim Woods
VP Technology Alliances
tim.woods@firemon.com
The Complexity
Diagram labels: Hybrid, Multi, Public, Private.
The hybrid enterprise requires the integration of three critical areas, all in unison, to stay secure.
VULNERABILITY: Reduce the Attack Surface
• Prioritize Patches
• Attack Path Simulation
• Reduce Attack Surface
COMPLIANCE: Always Be Audit-Ready
• Sub-second Audit Reporting
• Real-Time Compliance Check
• Internal and Regulatory Controls
ORCHESTRATION: One Console, Global Security
• Device Rule Normalization
• Automate Change Management
• Context-aware Traffic Analysis
Continuous Security Platform
Diagram: the three areas above (Prioritize Patches, Attack Path Simulation, Reduce Attack Surface; Sub-second Audit Reporting, Real-Time Compliance Check, Internal and Regulatory Controls; Device Rule Normalization, Automate Change Management, Context-aware Traffic Analysis) on a base of Real-time Visibility and an ENFORCEMENT FABRIC (Technology Partner ECO), labelled “Protecting”.
Open API Global Policy Integration
Full open API that promotes interoperability across security solutions and applications is paramount.
Diagram labels: FireMon Open API; Security Manager, Policy Planner, Risk Analyzer, Policy Optimizer; DevOps, Application Controller, Customer Application Data Exchange, Technology Partner ECO Integrations, MSSP Customer Portal Data.
Thank You
For additional information, contact info@firemon.com