NextGen Firewall AWS Use Cases

Barracuda NextGen Firewall F Implementation Guide

Architectures and Deployments
Based on four use cases:
- Edge Firewall
- Secure Remote Access
- Office to Cloud / Hybrid Cloud
- Segmentation Firewall

Implementation Guide
The choice of deployment depends on the following criteria:
- High Availability
- Recovery time
- Outbound gateway for instances in the VPC
- Scalability / Auto Scaling
- Connecting multiple VPCs in different regions
Each use case includes:
- A description of the problem solved
- A solution using one or multiple reference architectures
High Availability
- Depending on the AWS API, recovery takes between seconds and minutes
- High Availability Clusters must be sized for the expected peak load

Auto Scaling Cluster
- Scales automatically to match your workload
- An unhealthy instance will be terminated and replaced with a new one
- For outbound traffic you cannot use the firewall as outbound gateway

Cold Standby Cluster
- Automatic replacement in case the firewall instance becomes unresponsive
- Cost-effective solution for securing the cloud resources
Edge Firewall
- Secure access to the AWS cloud resources from the Internet
- Network security enforcement with firewall and IPS
- Outbound gateway for cloud resources in the same VPC

Edge Firewall
- NextGen Firewall High Availability Cluster with Route Shifting
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster

Secure Remote Access
- Remote access for predictable or highly dynamic workloads
Secure Remote Access
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster

Office to Cloud / Hybrid Cloud
- Site-to-site VPN
- Default (outbound) gateway for cloud resources
- Secure traffic on the Direct Connect MPLS line

The Importance of TINA VPN
The Importance of TINA VPN

Office to Cloud / Hybrid Cloud
- NextGen Firewall Auto Scaling Cluster: for TINA VPN tunnels no incoming load balancing is required
- NextGen Firewall Cold Standby Cluster: must be sized to meet peak demand because it does not scale dynamically

Segmentation Firewall for Single AZ VPCs
- Easily migrate on-premises segmentation firewalls to the cloud
- One network interface per subnet
Segmentation Firewall Limitations
- Cannot be deployed as a High Availability Cluster
- Only a single Availability Zone is supported
- The number of private subnets is limited by the number of network interfaces supported by the instance type
- A route must be added to the client instances in the private subnets

Segmentation Transit VPC
- Each application is hosted in a dedicated VPC
- VPCs are located in different regions

Segmentation Transit VPC
- NextGen Firewall High Availability Cluster with Route Shifting
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster
Barracuda NextGen Firewall F
NextGen Firewall AWS

NextGen Firewall in AWS Basics

Benefits of Cloud Computing
- Global footprint: go global in minutes
- Easy to use
- Scalability: stop guessing capacity
- Increase speed and agility
- Cost effectiveness: stop spending money on running and maintaining data centers

Security of the Cloud
- AWS is responsible for the globally secure infrastructure
Security in the Cloud
- Customers must protect their own content, platform, applications, systems, and networks

Basic Defense
AWS architectures include services to improve application security:
- Regions and Availability Zones
- Load balancing
- Security groups and Network Access Control Lists

AWS Security Concept
AWS Console
- Web-based user interface to access, manage, and monitor AWS resources

NextGen Firewall AWS Architecture
- Default gateway for instances in the VPC
- High Availability
- Auto Scaling

NextGen Firewall HA AWS Architecture
NextGen Firewall HA AWS Architecture
- Traffic from the Internet via the ELB to the Firewall

NextGen Firewall HA AWS Architecture
- Traffic from the client in the private subnet to the Internet

NextGen Firewall ASG AWS Architecture
NextGen Firewall ASG AWS Architecture
- Traffic from the Internet via the ELB to the Firewall

NextGen Firewall ASG AWS Architecture
- Traffic from the Firewall via the NAT GW to the Internet

Deployment Methods
- AWS Console
- CloudFormation templates
- AWS CLI
CloudFormation Templates
Key advantages:
- Automated, repeatable, and predictable deployment
- Runs several versions in parallel
- Easily traceable changes
- Complex setups easily deployed
- Create / Manage / Update
- JSON or YAML format: language independent, human readable

Firewall Deployment with CloudFormation
- Create an IAM role for the firewall instance
- Accept the software terms for the NextGen Firewall: you must agree to the Terms of Service in the AWS Marketplace once per account
- Deploying templates and updating stacks: CREATE_COMPLETE indicates successful deployment

AWS Command Line Interface
- A CLI tool for interacting with AWS services
- Available for Windows, Linux, and macOS operating systems
- The CLI prompts for:
  - AWS access key ID
  - AWS secret access key
- Use IAM access keys instead of AWS root user access keys
Firewall Log in via NextGen Admin
- Connect using the FQDN or EIP
  - HA: Elastic IP of the primary firewall (xxx NGF1)
  - ASG: the management ELB needs a listener on TCP 807
- The default password is the instance ID of the first instance
- First-time login forces a password change

Images and License Types
- Images in the AWS Marketplace are limited only by number of CPU cores
- BYOL: Bring Your Own License
- PAYG: Pay As You Go License
- Included in the public cloud license:
  - Barracuda Energize Updates
  - Barracuda Advanced Remote Access

Images and License Types
- DNS resolution and access to Barracuda licensing servers are required during provisioning
- Licenses are bound to a unique ID
- A new license is required to launch a new instance
- No license change when starting and stopping an instance
- Some reference architectures require PAYG images
Cloud Integration
Allows the firewall to interact with AWS APIs:
- Log streaming to CloudWatch
- Custom metrics
- Route table rewrite
- Display Cloud Information Element
IAM roles are recommended to authenticate against AWS APIs

Log Streaming and Metrics
- Send log files via syslog streaming to AWS CloudWatch
- Custom metrics are collected

Cloud Information
- Active firewall
- Cloud integration
- Instance type
- Public IP
- VPC
- Subnet IDs
Route Table Rewrite
- Rewriting the VPC route tables is necessary for High Availability
- The active firewall rewrites the AWS route table
- A DNS server is required

AWS Route Table Rewriting
- Primary firewall active

AWS Route Table Rewriting
- Secondary firewall active
Barracuda NextGen Control Center

Control Center
- Available only as a BYOL image
- Not available in a High Availability cluster
- All platform firewalls are centrally managed:
  - On-premises hardware and virtual firewalls
  - Public cloud firewalls
- The VIP network must be routed to the Control Center: modify the AWS route table on the firewall subnet

Control Center Deployment
- Deploy the Control Center in a private subnet
Direct Connect only

Direct Connect with Traffic Intelligence

Barracuda NextGen Firewall F
NextGen Firewall AWS Reference Architectures
Deployment Classification
- Outbound Gateway
- High Availability
- Failover / Recovery time
- Scalability / Auto Scaling
- Multi NIC

Route Shifting High Availability Cluster
- High Availability: Yes
- Failover: seconds to minutes
- Outbound Gateway: Yes
- Auto Scaling: No
- Multi NIC: No
- Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access

Route Shifting High Availability Cluster
Route Shifting High Availability Cluster
- Firewalls require public IP addresses during the provisioning process
- Management IPs must be configured as static IP addresses
- Configure Cloud Integration for AWS route table rewriting
- Configure services to listen on the loopback interface
- Use Application Redirect access rules to redirect incoming traffic to the services

Firewall as Outbound Gateway

Forwarding traffic from the Internet to backend services

Auto Scaling Cluster
- High Availability: Yes
- Failover: Instant
- Outbound Gateway: No (Source NAT is required for inbound traffic)
- Auto Scaling: Yes
- Multi NIC: No
- Use Cases: Edge Firewall, Secure Remote Access
- Limitations / Requirements: a PAYG image must be used; no Control Center
Auto Scaling Cluster

ELB Sandwich with Auto Scaling Cluster

Transit VPC with VPC Peering
Auto Scaling Cluster Behavior
- Automatically start or terminate instances to reach the desired Auto Scaling group size
- Automatically replace unhealthy instances
- Three scaling methods:
  - Manual scaling
  - Scheduled scaling
  - Dynamic scaling

Scheduled Scaling
- The cluster scales to a predefined number of instances according to the time of day or date
- One-time event or recurring schedule
- A scheduled action executes within seconds, but may be delayed for up to two minutes from the scheduled start time

Dynamic Scaling
- Amazon CloudWatch alarm actions automatically start or terminate instances
- Watch the value of a custom metric over a defined time period
- Perform scaling actions when thresholds are reached

Custom Metrics
- Client-to-site and site-to-site VPN tunnels, SSL VPN clients
- Packets total, connections dropped, IPS hits
- Load, used memory, protected IPs
- And many more
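The dynamic scaling slides above describe the mechanism only in words: a CloudWatch alarm watches a custom metric over a defined time period and triggers a scaling action when the threshold is reached. The following simulation is an added example (not Barracuda's or AWS code) that reproduces that decision logic offline, so the interaction between the evaluation window, the number of breaching datapoints needed, and the cooldown can be seen on a constructed series of "site-to-site VPN tunnels" samples. The alarm parameters, the sample values and the group size limits are all assumptions chosen for the demonstration.

```python
"""Dynamic-scaling simulation for an Auto Scaling cluster.

Added example, not Barracuda's or AWS code: it reproduces the decision logic
the slides describe (a CloudWatch alarm watches a custom metric over a defined
time period and a scaling action fires when the threshold is reached) so the
interplay of evaluation window, "M out of N" breaching datapoints and the
cooldown can be studied offline.  The metric samples are constructed values
for the "site-to-site VPN tunnels" custom metric, one per period.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmSpec:
    threshold: float
    evaluation_periods: int    # N: size of the window the alarm looks at
    datapoints_to_alarm: int   # M: breaching datapoints needed inside that window
    greater_than: bool         # True: breach when value > threshold, else value < threshold
    adjustment: int            # change to desired capacity when the alarm fires
    cooldown: int              # periods during which no further action is taken


class Alarm:
    def __init__(self, spec):
        self.spec = spec
        self.window = deque(maxlen=spec.evaluation_periods)

    def _breaches(self, value):
        return value > self.spec.threshold if self.spec.greater_than else value < self.spec.threshold

    def observe(self, value):
        """Feed one datapoint; return True when the alarm is in ALARM state."""
        self.window.append(value)
        if len(self.window) < self.spec.evaluation_periods:
            return False  # not enough data yet
        return sum(1 for v in self.window if self._breaches(v)) >= self.spec.datapoints_to_alarm


class ScalingGroup:
    def __init__(self, desired, min_size, max_size, specs):
        self.desired, self.min_size, self.max_size = desired, min_size, max_size
        self.alarms = [(Alarm(spec), spec) for spec in specs]
        self.cooldown_left = 0

    def step(self, value):
        """Process one period's metric value and return the new desired size."""
        # Every alarm sees every datapoint, even while a cooldown is running.
        fired = [spec for alarm, spec in self.alarms if alarm.observe(value)]
        if self.cooldown_left > 0:
            self.cooldown_left -= 1
            return self.desired
        for spec in fired:
            # Clamp to the group's size limits; a no-op action starts no cooldown.
            target = max(self.min_size, min(self.max_size, self.desired + spec.adjustment))
            if target != self.desired:
                self.desired = target
                self.cooldown_left = spec.cooldown
                break
        return self.desired


# Assumed alarm definitions: scale out on 3 of 3 periods above 80 tunnels,
# scale in on 4 of 4 periods below 20 tunnels.
SCALE_OUT = AlarmSpec(threshold=80, evaluation_periods=3, datapoints_to_alarm=3,
                      greater_than=True, adjustment=+1, cooldown=2)
SCALE_IN = AlarmSpec(threshold=20, evaluation_periods=4, datapoints_to_alarm=4,
                     greater_than=False, adjustment=-1, cooldown=1)

# Constructed samples: a burst of VPN tunnels followed by a quiet phase.
SAMPLE_TUNNEL_COUNTS = [10, 50, 90, 95, 100, 100, 100, 100, 15, 10, 10, 10, 10, 10]


def simulate(samples, desired=1, min_size=1, max_size=4, specs=(SCALE_OUT, SCALE_IN)):
    """Return the desired group size after each period."""
    group = ScalingGroup(desired, min_size, max_size, specs)
    return [group.step(value) for value in samples]


if __name__ == "__main__":
    for value, size in zip(SAMPLE_TUNNEL_COUNTS, simulate(SAMPLE_TUNNEL_COUNTS)):
        print(f"tunnels={value:3d} -> desired={size}")
```

Running the block shows the cluster growing to three instances during the burst, with the cooldown holding it steady for two periods after each scale-out, and shrinking back one instance at a time once four consecutive quiet periods are seen. The same structure answers the sizing question from the "High Availability" slide: a cluster that scales dynamically needs its thresholds and cooldowns tuned, whereas a cold standby cluster has to be sized for peak demand up front.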
NextGen Firewall Caveats
- Creating access rules: every packet's source IP must be rewritten to the DHCP interface
- Backup and Restore: the PAYG license must be exported separately for later reuse
- Installing hotfixes: new instances in the cluster automatically install the same hotfixes
- Firmware update via CloudFormation stack update: replace the AMI in the parameter file of your template

Cold Standby Cluster
- High Availability: No
- Failover: Multiple minutes
- Outbound Gateway: Yes
- Auto Scaling: No
- Multi NIC: No
- Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access
- Limitations / Requirements: Only Elastic IP

Cold Standby Cluster
Cold Standby Cluster Deployment
- Similar to the Auto Scaling Cluster: an Auto Scaling group of one
- A single Elastic IP is automatically attached to the active instance via a UserData script
- Failover occurs on termination of the instance, manually or because EC2 health checks fail:
  - A new instance is launched automatically
  - The configuration is pulled from the S3 bucket
  - The EIP and routes are rewritten to use the new instance

Transit VPC
- High Availability: Depending on reference architecture
- Failover: seconds to minutes
- Outbound Gateway: Yes
- Auto Scaling: No
- Multi NIC: No
- Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access

Transit VPC
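Both the "Route Table Rewrite" slides (the active firewall rewrites the AWS route table) and the cold standby deployment above (the EIP and routes are rewritten to use the new instance) rely on the same takeover step. The following is an added example, not Barracuda's code, of what that step has to do: find every VPC route that still targets the failed firewall, repoint it at the new instance's network interface, and move the Elastic IP. The planning logic is plain Python over the shape of `describe_route_tables` output; the AWS calls use the boto3 EC2 client method names (`modify_instance_attribute`, `replace_route`, `associate_address`) but are isolated behind a client object, so the block runs offline with a recording stand-in. All route table, instance, ENI and allocation IDs are constructed, and the rule of rewriting only routes that pointed at the failed instance is this example's design choice, not something the slides state.

```python
"""Failover helper for route shifting and Elastic IP takeover.

Added example, not Barracuda's code: it models the two actions the slides
describe for an active firewall or a cold-standby replacement instance,
repointing the VPC routes that targeted the failed instance and moving the
Elastic IP.  The planning step is pure Python; the AWS calls (boto3 EC2
client method names) are isolated in apply_failover so the whole thing can
be exercised offline with a fake client.  All IDs below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteChange:
    route_table_id: str
    destination_cidr: str   # the route being repointed
    new_eni_id: str         # network interface of the new active firewall


def plan_route_shift(route_tables, failed_targets, new_eni_id):
    """Return the routes that must be rewritten after a failover.

    route_tables has the shape of ec2.describe_route_tables()["RouteTables"].
    failed_targets is the set of IDs (instance ID and/or ENI IDs) belonging to
    the failed firewall.  Routes pointing elsewhere (local, IGW, VGW, NAT GW)
    are left untouched so a failover never rewrites more than it has to.
    """
    changes = []
    for table in route_tables:
        for route in table.get("Routes", []):
            if route.get("Origin") == "CreateRouteTable":
                continue  # implicit "local" route, cannot be replaced
            if route.get("DestinationCidrBlock") is None:
                continue  # IPv6 / prefix-list routes are out of scope here
            targets = {route.get("InstanceId"), route.get("NetworkInterfaceId")}
            if targets & failed_targets:
                changes.append(RouteChange(table["RouteTableId"],
                                           route["DestinationCidrBlock"],
                                           new_eni_id))
    return changes


def apply_failover(ec2, changes, new_instance_id, eip_allocation_id):
    """Execute the plan.  `ec2` is a boto3 EC2 client or any object exposing
    the same method names (the recording stand-in below is used offline)."""
    # A gateway instance must not have source/destination checking enabled,
    # otherwise EC2 drops the traffic it forwards for other instances.
    ec2.modify_instance_attribute(InstanceId=new_instance_id,
                                  SourceDestCheck={"Value": False})
    for change in changes:
        ec2.replace_route(RouteTableId=change.route_table_id,
                          DestinationCidrBlock=change.destination_cidr,
                          NetworkInterfaceId=change.new_eni_id)
    # Move the single EIP to the new instance; AllowReassociation is needed
    # because the address may still be bound to the terminated instance.
    ec2.associate_address(AllocationId=eip_allocation_id,
                          InstanceId=new_instance_id,
                          AllowReassociation=True)


class RecordingClient:
    """Stand-in for boto3's EC2 client that only records the calls made."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


# Constructed describe_route_tables() output: the private subnet's table sends
# Internet traffic through the old firewall (i-old), the public subnet's
# table through the IGW.  Only the first should be rewritten.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-old",
         "NetworkInterfaceId": "eni-old", "Origin": "CreateRoute"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-office", "Origin": "CreateRoute"},
    ]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "Origin": "CreateRoute"},
    ]},
]


def run_demo():
    """Plan and apply a failover from i-old to i-new; returns (plan, calls)."""
    plan = plan_route_shift(SAMPLE_ROUTE_TABLES, {"i-old", "eni-old"}, "eni-new")
    client = RecordingClient()
    apply_failover(client, plan, "i-new", "eipalloc-fw")
    return plan, client.calls


if __name__ == "__main__":
    for change in run_demo()[0]:
        print(f"{change.route_table_id}: {change.destination_cidr} -> {change.new_eni_id}")
```

Two practical points follow from the block. The IAM role the slides recommend for Cloud Integration only needs the permissions these calls use (describing and replacing routes, modifying the instance attribute, associating the address), which keeps a compromised firewall instance from doing more than route shifting with its role. And a takeover that rewrites only routes targeting the failed instance leaves the VGW and IGW routes intact, so a buggy or spurious failover cannot black-hole the office VPN or the public subnet.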
Transit VPC Deployment
After deploying the template:
- Configure Elastic IP addresses to fail over with the virtual server
- Configure site-to-site VPN tunnels and BGP routing for each VPN gateway

Segmentation Firewall for Single AZ VPCs
- High Availability: No
- Failover: No
- Outbound Gateway: Yes
- Auto Scaling: No
- Multi NIC: Yes
- Use Cases: Edge Firewall, Secure Remote Access
- Limitations / Requirements: One single Availability Zone

Segmentation Firewall for Single AZ VPCs
- Multi NIC Segmentation Firewall
- Default outbound gateway for cloud resources in the same VPC
Segmentation Limitations
- The number of private subnets is limited by the number of firewall network interfaces
- A route must be added to the client instances in the private subnets

Summary
- NextGen Firewall High Availability Cluster with Route Shifting: maximum performance must be calculated
- NextGen Firewall Cold Standby Cluster: only one instance is up and running
- NextGen Firewall Auto Scaling Cluster: optimize your resources and costs
- Transit VPC using NextGen Firewall: a central firewall hub for all your cloud resources in multiple locations

Additional Resources
- https://campus.barracuda.com
  - Product documentation
  - Quick Start guides
  - Additional product training (classroom, webinar, or distance learning)
  - Certifications
- Visit us on https://www.facebook.com/barracudacampus and https://twitter.com/barracudacampus
Thank You