JumpStart Guide for Cloud-Based Firewalls in AWS
Monthly Webinar Series, in conjunction with Optiv

©2019 SANS™ Institute | www.sans.org | Sponsored by: [sponsor logo]

Relevant Solutions Available in AWS Marketplace

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Each brings unique value and capabilities to AWS customers:

• Next-Generation Firewall: Complements native AWS security with real-time threat and data theft prevention.
• CloudGuard IaaS: Mitigate VPC attacks with auto-provisioning, auto-scaling, and automatic policy updates.
• Managed Rules for AWS WAF: Comprehensive ruleset package with regular updates.
• BIG-IP Virtual Edition: Suite of cloud-based firewall technology for a holistic approach.


Today’s Speakers

• Brian Russell, Chair of the Cloud Security Alliance Internet of Things Working Group and CTO at TrustThink
• Anthony Tanzi, Partner Architect, Optiv
• David Aiken, Solutions Architect Manager, AWS Marketplace

Today’s Agenda

• Key terminology
• Implementation options
• Making the business case
• Capabilities – Cloud firewalls and threat prevention
• Evaluating cloud firewalls for AWS
• Making the choice

Key Terminology

• Network Firewall: Uses policy rules to monitor ingress/egress traffic and block unauthorized traffic. Rules are typically specified as IP/port combinations.
• Web Application Firewall: HTTP firewall that protects an application’s back-end servers from attacks such as cross-site scripting and SQL injection.
• Next-Generation Firewall: May include threat prevention, an application firewall, and inspection of TLS/SSL-encrypted traffic.
• Cloud-based Firewall: Operates under flexible licensing terms and provides cloud-tailored features such as application control, dynamic addressing, micro-segmentation and DNS security. Optimized to scale to meet demand.
• Threat Prevention: Add-on firewall features such as DDoS protection, URL filtering and subscription-based threat intelligence services that automatically update policy databases with blacklisted IP addresses, URLs and other information.

AWS Implementation Options

• Bring Your Own License (BYOL): Flexible deployment option for businesses already holding firewall licenses. The license is not tied to a specific subscription.
• Firewall-as-a-Service: Fully managed cloud firewall service that can be integrated directly with your AWS implementation. Often a good approach for small organizations that lack the capability to staff firewall administrators.
• Virtual Firewalls: Virtualized firewall appliances that operate in the cloud. Available from AWS Marketplace.
• Trusted Advisors: AWS Security Competency Partners that can advise on selection and configuration of firewalls. Engage through Consulting Partner Private Offers (CPPO).

Making the Business Case for Cloud Firewalls

• Blurred Lines: Organizations need cloud firewalls to protect more than just the perimeter – they must support cloud applications and third-party integrations that have blurred the perimeter and shifted focus to data security.
• Remote Users: Operate anywhere/anytime and require secure connectivity with multi-factor authentication.
• Hybrid Ecosystems: Require secure connectivity across data centers and the cloud.
• Cost Savings: New pricing models are driving a reduction in up-front expense in favor of flexible monthly and even hourly cost models.

Technical Considerations

Technical Considerations for Cloud-Based Firewalls and Threat Prevention in the Cloud

• Application Layer Support: Enable monitoring for application-layer threats and support capabilities such as AppID to filter on approved applications or application types.
• HTTP(S) Inspection: Inspect inside encrypted TLS traffic to identify hidden malware.
• Dynamic Addressing: Create policy that automatically adapts to changes – adds, moves and deletions of servers.
• Network Isolation and Micro-Segmentation: Filter traffic between trusted and untrusted environments and isolate networks and security across different environments (east/west).
• Automated Policy Management: APIs support automated management of firewall policies and enable coordination of firewall enforcement across multiple instances.
• Threat Prevention: Maintain a quality feed of threat intelligence and integrate it directly to update firewall rules based on new information on malicious content, sites and addresses.
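The dynamic addressing and automated policy management items above are easiest to see in code. The following is an added example, not from the webinar or any vendor's product: a toy policy engine in which rules name workload tags instead of addresses and are re-resolved against the current instance inventory, so a server that is added, moved or terminated needs no policy edit. The `role=web`/`role=db` tag scheme, the inventory addresses and the three rules are all constructed for the example.

```python
"""Added example (not from the webinar deck): tag-based "dynamic addressing".
Rules refer to workload tags (hypothetical scheme such as role=web); the
inventory is the current tag -> {ip} view. All data here is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src_tag: str   # workload tag such as "role=web"; "any" matches every source
    dst_tag: str
    dst_port: int
    action: str    # "allow" or "deny"


@dataclass
class Inventory:
    """Current tag -> set of instance IPs carrying that tag (constructed in demo())."""
    members: dict = field(default_factory=dict)

    def add(self, ip, *tags):
        for tag in tags:
            self.members.setdefault(tag, set()).add(ip)

    def remove(self, ip):
        # A terminated instance drops out of every tag group, and so out of every rule.
        for ips in self.members.values():
            ips.discard(ip)

    def has(self, tag, ip):
        return tag == "any" or ip in self.members.get(tag, set())

    def resolve(self, tag):
        return {"0.0.0.0/0"} if tag == "any" else set(self.members.get(tag, set()))


def resolve_rules(policy, inv):
    """Expand tag-based rules into the concrete IP/port tuples a classic firewall consumes."""
    return [(s, d, r.dst_port, r.action)
            for r in policy
            for s in sorted(inv.resolve(r.src_tag))
            for d in sorted(inv.resolve(r.dst_tag))]


def evaluate(policy, inv, src_ip, dst_ip, dst_port):
    """First-match evaluation with an implicit final deny, as most firewalls behave."""
    for r in policy:
        if r.dst_port == dst_port and inv.has(r.src_tag, src_ip) and inv.has(r.dst_tag, dst_ip):
            return r.action
    return "deny"


POLICY = [
    Rule("any", "role=web", 443, "allow"),       # internet -> web tier
    Rule("role=web", "role=db", 5432, "allow"),  # web tier -> database (east/west)
    Rule("role=web", "role=db", 22, "deny"),     # explicit deny for SSH between tiers
]


def demo():
    inv = Inventory()
    inv.add("10.0.1.10", "role=web")   # constructed inventory
    inv.add("10.0.2.20", "role=db")
    results = {
        "rules_before": len(resolve_rules(POLICY, inv)),
        "web_to_db": evaluate(POLICY, inv, "10.0.1.10", "10.0.2.20", 5432),
        "untagged_to_db": evaluate(POLICY, inv, "10.0.1.99", "10.0.2.20", 5432),
        "web_ssh_db": evaluate(POLICY, inv, "10.0.1.10", "10.0.2.20", 22),
    }
    inv.add("10.0.1.11", "role=web")   # autoscaling adds a web node: no policy edit needed
    results["new_web_to_db"] = evaluate(POLICY, inv, "10.0.1.11", "10.0.2.20", 5432)
    results["rules_after_add"] = len(resolve_rules(POLICY, inv))
    inv.remove("10.0.1.10")            # node terminated: its access disappears with it
    results["old_web_to_db"] = evaluate(POLICY, inv, "10.0.1.10", "10.0.2.20", 5432)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that `POLICY` never changes: the concrete rule set grows from three to six entries when a web node is added and shrinks again when one is removed, which is exactly the bookkeeping an IP/port-based policy would force an administrator to do by hand. An untagged host gets the implicit deny, so a mis-tagged or unmanaged instance fails closed.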

Technical Considerations (cont’d.)

Technical Considerations for Cloud-Based Firewalls and Threat Prevention in the Cloud

• Granular Policy Definition and Enforcement: Support multiple policies at multiple layers of the ecosystem, including applications, application types and functions, users, networks, and ports/protocols. Enable nested policy enforcement.
• Situational Awareness: Share logging information in a standardized format to enable situational awareness across the organization’s infrastructure. Includes optimized reporting and metrics.
• Single View Visibility and Management: Manage all firewall instances from a single management station, including updates and configuration changes.
• File Blocking and Analysis: Block known-malicious files and analyze suspicious files before allowing them into the network.
• DNS Monitoring: Monitor for outgoing communications to known-bad URLs. Configure policy to send traffic destined for these URLs to an administrator-owned site for analysis.

Operational Considerations

Operational Considerations for Cloud-Based Firewalls and Threat Prevention in the Cloud

• Cost: Automated management, ease of deployment and managed updates reduce labor costs. Combining annual subscriptions with hourly costs allows economical scalability as needed.
• Incident Response: Incorporate log data from firewalls and threat data within incident response plans.
• Data Exfiltration Security: Flag and alert on data being sent to known-malicious sites.
• Intrusion Prevention: Prevent intrusions; evaluate traffic based on behavior and known signatures.
• Multi-Factor Authentication: Require MFA for VPN logins.
• Proxy: Use firewalls as proxies between networks.

AWS Considerations for Cloud-based Firewalls

Use the following evaluation factors to determine the right product for use in your network.

Level of AWS Integration

Firewalls should integrate with AWS services and support automated operations.

• Does the firewall provide support for both VPC and EC2 instances?
• Does the firewall integrate with AWS services such as EC2, AWS Firewall Manager, AWS Security Hub, AWS Transit Gateway and AWS GuardDuty?
• Does the firewall support high availability across multiple AWS regions?
• Does the firewall offer CloudFormation templates that can reduce time to deployment?

Policy Management

Cloud-based firewalls should enable granular and automated policy management features.

• Does the firewall support nested policies within security groups?
• Does the firewall enable automated configuration of security policies?
• Does the firewall support risk-based policy definitions?

Hybrid Environment Support

Firewalls implement IPsec VPNs to securely network across multiple VPCs, enterprise sites and SaaS providers.

• Does the firewall support dynamic addressing that allows you to create policy that automatically adapts to changes – adds, moves and deletions of servers?
• Does the firewall support networking across multiple VPCs?

Logging

Logs provide a vital resource for incident response and forensics. All firewalls should provide logging features.

• Does the firewall offer a solution (potentially an add-on) that allows for aggregation of logs across multiple firewall instances?
• Does the firewall integrate with AWS logging services?

AWS Security Competency Approval

AWS security competencies for infrastructure security products provide a degree of confidence that the firewall meets minimum security standards for operation.

• Does the firewall have AWS security competency approval?
• Does the firewall meet other security standards and best practices?

Application Control

Firewalls should allow administrators to set policy based on applications.

• Does the firewall support filtering based on AppID to permit only approved applications within the network?
• Does the firewall support dynamic application filters and application groups that restrict the types of applications authorized on the network?
• Does the firewall support dynamic profiling to learn the behavior of an application over time?

Separation of Trusted and Untrusted Zones

Firewalls must be able to segregate traffic. This includes both NORTH-SOUTH and EAST-WEST traffic.

• Does the firewall filter across trusted and untrusted zones?
• Does the firewall support micro-segmentation and isolation of subnetworks?

Management of Multiple Firewall Instances

Many firewall vendors provide software for seamless management of multiple firewall instances.

• Does the firewall include software that can manage all of the firewall instances in the cloud?
• Does the firewall management software allow you to push policies and perform updates to device configurations?

Scalability

Cloud-based firewalls should support elastic expansion, allowing them to scale automatically to meet the demands of your users.

• Does the firewall scale automatically?
• Can you use the firewall to augment data center installations and support peak demand (such as cloudbursting)?

Dynamic Reporting

Firewall vendors may offer enhanced management software to support analysis of firewall operations.

• Does the firewall provide reporting that allows for analysis of incoming requests?
• Does the firewall provide reporting that tracks trends in violations?

AWS Considerations for Threat Prevention

• Use the following evaluation factors to determine the right threat prevention service for use in your network.
• Threat prevention is often bundled as an add-on service to your firewall platform.

Threat Intelligence Source/Feed

Threat prevention services should be based on quality threat intelligence associated with the latest threats, actors and capabilities.

• Is the threat intelligence data timely?
• Is the threat intelligence data relevant to your organization’s mission?

Automated Updates and Malware Protection

Threat prevention services should keep customers up to date on the latest threats to their systems.

• Does the service provide a listing of known-bad addresses and sites?
• Does the service automatically update new malware signatures?
• Does the service automatically update firewall rules based on known malicious activity?
• Does the service support DNS sinkholing or DNS security?

Intrusion Prevention

Can the intrusion prevention function use behavior-based analysis to identify anomalies?

• Does the threat prevention service analyze logs, correlate events and block/alert on suspicious activity?
• Does the threat prevention service support behavioral analysis?
• Does the threat prevention service scan all traffic, including applications, users and content, and encrypted traffic?

Antivirus Support

Threat prevention services should incorporate antivirus support, including maintaining an updated list of signatures.

• Does the threat prevention service incorporate network antivirus features?
• Does the threat prevention service provide a file-blocking and analysis capability?

Data Exfiltration

Threat prevention services should provide features that keep data from leaving the network.

• Does the threat prevention service support DNS monitoring and redirection to an administrator-specified site?
• Does the threat prevention service flag traffic destined for known malicious domains?

Making the Choice

Two options:

1. In-depth analysis
2. Select an AWS Security Competency Partner

In-Depth Analysis

Simple Analysis of Alternatives

1. Identify your organization’s unique requirements.
2. Weigh the requirements by importance to your organization. For example, weigh critical requirements as “high” and desired requirements as “low.” Cost should also be considered.
3. Review the capabilities of the native AWS firewall.
4. Compile a list of vendor firewall/threat prevention offerings from AWS Marketplace.
5. Evaluate each firewall/threat prevention offering against selected requirements.
6. Score each of the products against each requirement.
7. Calculate the sum score for each offering and select the product with the highest score.
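The seven steps of the analysis carried through as a small scoring script. This is an added example, not the webinar's own material: the requirement list, the high/medium/low weights, the 0–5 score scale and the three placeholder offerings are all constructed and are not evaluations of any real product. It also reports the high-importance requirements an offering scores poorly on, since a weighted sum on its own can hide a critical gap behind strong scores elsewhere.

```python
"""Added example (not from the webinar): weighted scoring of firewall alternatives.
Requirements, weights and scores are constructed placeholders."""

WEIGHTS = {"high": 3, "medium": 2, "low": 1}   # step 2: importance -> weight (assumed scale)
TOP_SCORE = 5                                   # step 6: each requirement scored 0..5 (assumed)

# Steps 1-2: the organization's requirements and their importance (constructed list).
REQUIREMENTS = {
    "aws_integration": "high",     # Transit Gateway, Security Hub, GuardDuty, etc.
    "policy_api": "high",          # automated policy management
    "cost": "high",                # the slide asks that cost be considered too
    "tls_inspection": "medium",
    "multi_region_ha": "medium",
    "reporting": "low",
}

# Steps 3-6: native controls plus marketplace offerings, scored per requirement.
# Names and numbers are placeholders invented for this example.
OFFERINGS = {
    "Native AWS controls": {"aws_integration": 5, "policy_api": 4, "cost": 5,
                            "tls_inspection": 1, "multi_region_ha": 4, "reporting": 2},
    "Vendor A":            {"aws_integration": 4, "policy_api": 5, "cost": 2,
                            "tls_inspection": 5, "multi_region_ha": 4, "reporting": 4},
    "Vendor B":            {"aws_integration": 3, "policy_api": 3, "cost": 3,
                            "tls_inspection": 5, "multi_region_ha": 0, "reporting": 5},
}


def weighted_total(scores, requirements=REQUIREMENTS, weights=WEIGHTS):
    """Step 7: sum of score x weight. An unscored requirement is an error, not a zero."""
    missing = [r for r in requirements if r not in scores]
    if missing:
        raise ValueError(f"unscored requirements: {missing}")
    return sum(scores[r] * weights[imp] for r, imp in requirements.items())


def max_total(requirements=REQUIREMENTS, weights=WEIGHTS, top=TOP_SCORE):
    """Best achievable total, useful for reading a score as a percentage."""
    return top * sum(weights[imp] for imp in requirements.values())


def critical_gaps(scores, requirements=REQUIREMENTS, floor=3):
    """High-importance requirements scoring below `floor`; a weighted sum can hide these."""
    return [r for r, imp in requirements.items() if imp == "high" and scores[r] < floor]


def rank(offerings=OFFERINGS, requirements=REQUIREMENTS, weights=WEIGHTS):
    """(name, total, critical gaps) per offering, best total first; ties broken by name."""
    rows = [(name, weighted_total(s, requirements, weights), critical_gaps(s, requirements))
            for name, s in offerings.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    best = max_total()
    for name, total, gaps in rank():
        flag = f"  critical gaps: {gaps}" if gaps else ""
        print(f"{name:22s} {total:3d}/{best}{flag}")
```

With the constructed numbers the highest-scoring offering is also the one with a gap on a high-importance requirement, which is the situation step 2's "critical" versus "desired" distinction is meant to surface; treating critical requirements as pass/fail gates before summing is one way to keep the final ranking honest.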

AWS Security Competency Partner

• Reach out to a trusted third-party Consulting Partner to customize a firewall and threat prevention approach for security within the cloud.
• AWS Security Competency Partners are listed here: https://aws.amazon.com/security/partner-solutions/

Summary

• Cloud-based firewalls are tailored to the speed of the cloud.
• Critical to the security of the perimeterless organization.
• Many options to choose from in AWS Marketplace.
• Threat prevention services are often an add-on feature.
• Take note of the evaluation factors discussed here when making a choice.
• Use the services of a trusted partner to help choose and configure your cloud-based firewalls.

CLOUD-BASED FIREWALL KEY CONSIDERATIONS

Tony Tanzi, Partner Architect, Optiv

KEY CONSIDERATIONS

Selection criteria typically fall into three areas:

• Security functions: The security functions correspond to the efficacy of the security controls and your team’s ability to manage the risk associated with the applications traversing your network, without slowing down the business.
• Operation: Application policy should be accessible and simple to manage, applying automation to reduce manual effort so security teams can focus on high-value activities.
• Performance: Performance criteria are simple: the firewall must do what it’s supposed to do at the required throughput for your business needs.

EVALUATION

• Can the firewall automate routine tasks by integrating in workflow automation, policy automation and security automation, as well as integrate with native AWS services?
• Does the solution enhance your network security by allowing safe enablement of applications, preventing both known and unknown threats, while doing so at an appropriate performance level?

RECOMMENDATIONS

1. Start by identifying required throughput requirements.
2. Gain a clear understanding of the firewall solution’s features, capabilities and additional integrations.
3. Test effectiveness to ensure you choose the firewall best suited to your unique business needs.
4. Consider total cost of ownership (efficiency, ease of use, integration and hidden costs).
5. Determine success criteria in advance.
6. Consider the bigger picture.

CLOUD-BASED FIREWALL REQUIREMENTS

• Identify applications regardless of port, protocol, evasive tactics, or encryption
• Identify users regardless of device or IP address
• Decrypt encrypted traffic
• Protect in real time against known and unknown threats embedded in applications
• Deliver predictable, multi-gigabit, in-line throughput
• Automate routine tasks via API integration
• Integrate with AWS services such as Amazon EC2, AWS Firewall Manager, AWS Security Hub, AWS Transit Gateway and Amazon GuardDuty
• Does the firewall seamlessly support high availability across multiple AWS regions?

BIG PICTURE FEATURE CONSIDERATIONS

• Prevent theft and abuse of corporate credentials (Verizon 2017 DBIR: 81% of breaches due to compromised passwords)
• Safely enable all apps and control functions
• Stop attacks that use DNS as a channel to slowly deliver malware
• Maintain consistent policy across clouds, on-premises, remote or mobile networks

BIG PICTURE TECHNOLOGY CONSIDERATIONS

• Does the firewall provider have repositories available with templates to speed deployment in various scenarios such as transit gateway deployment, integration with Ansible and Terraform, AWS-ELB-Autoscaling, reference architectures, etc.?
• Does the firewall provider have tools available to evaluate your feature usage and configuration?

CASE STUDY

Technology Company: Caller Authentication and Fraud Solution Provider

CHALLENGES

• Looking to host an aggregation point in the cloud (AWS) that their remote users can log into once (with VPN/MFA) and access several disparate data centers (on-prem and cloud). They also want to use the aggregation point to provide access for their white-listed partner APIs.
• AWS environment to contain multiple VPCs.
• Wanted to protect all communication with next-generation firewall features in the cloud.

RECOMMENDATIONS

• Look at a transit VPC solution to protect inter-VPC communication.
• Leverage a secure remote access solution that can support MFA.
• Test leading solutions to find the best fit.

SOLUTION

• Client engaged Optiv to put together a recommended design for the AWS Transit VPC solution, utilizing a cloud-based firewall that would also support secure remote access with MFA.
• A design that included inter-VPC traffic flow and remote access in detail was delivered to the customer.
• Detailed documentation of the protections provided by the cloud-based firewall solution was delivered to the customer.

RESULTS

• Client had a viable solution for secure remote access into their AWS environment.
• Client is able to protect their inter-VPC communication.
• Reduced platform management overhead.

How customers are using cloud-based firewalls available in AWS Marketplace

What cloud-based firewall solutions are available in AWS Marketplace?

• Next-Generation Firewall
• CloudGuard IaaS
• Managed Rules for AWS WAF
• BIG-IP Virtual Edition

F5 security enables retail modernization
With BIG-IP platform technology

Benefits:
• Handles up to 80,000 web transactions in two days with no downtime
• Manages up to 10 times more application transactions

Palo Alto prevents compliance threats
Using Next-Generation security platform protection

Benefits:
• Revealed threats from foreign states never before recognized
• Decreased traffic 29%
• Reduced unnecessary connected sessions by 30%
• Reduced platform failover from up to 60 seconds to less than one second

Why AWS Marketplace?

“If it had not been for AWS Marketplace, it would have taken a couple weeks before I even had the software installed on my side, because I would have to find a vendor, ensure their credibility, obtain quotations, and the proof of concept license.”

Chandrasekaran Hari, Cloud Solutions Architect, MatchMove

• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you

How can you get started?

Complete the survey to learn more on the solutions mentioned.

Check out a variety of free offers:
• BIG-IP Virtual Edition - Best: 30-day free trial
• VM-Series Next-Generation Firewall Bundle 2: 15-day free trial
• Managed Rules for AWS WAF - Complete OWASP Top 10: video tutorial
• CloudGuard IaaS Next Gen Firewall & Threat Prevention: 30-day free trial

Q&A

Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.

Acknowledgments

Thanks to our sponsor, and to our special guests David Aiken and Anthony Tanzi.

And to our attendees, thank you for joining us today!