Secure Networks in the Cloud (Sichere Netzwerke in der Cloud)


Secure Networks in the Cloud: Best Practices. Justin Bradley, Solutions Architect, 30 June 2016. 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to expect from the session
- What is Amazon VPC
- VPC toolkit
- Building your VPC: public vs. private
- Connectivity to your data center
- Protecting your VPC resources
- Moving beyond a single VPC
- Configuring logging and monitoring

AWS Global Infrastructure (as of June 2016): 12 Regions, 33 Availability Zones, 54 Edge Locations.

What is Amazon VPC

What is Amazon VPC?
- A private, isolated section of the AWS cloud
- A virtual network topology you can deploy and customize
- You have complete control of your networking
- Proven and well-understood networking concepts

Most simply put, it is a virtual data center you can build out and control on AWS!

VPC Toolbox

VPC components:
- Amazon VPC, subnet, router, route table
- Internet gateway, NAT gateway, Elastic IP, elastic network interface
- Customer gateway, VPN gateway, VPN connection, AWS Direct Connect
- VPC peering, endpoints
- Flow logs

Building your VPC

VPCs span an entire region (figure: VPC CIDR 10.1.0.0/16 covering both Availability Zone A and Availability Zone B).

Subnets sit in a single Availability Zone (figure: subnet 10.1.1.0/24 in Availability Zone A, subnet 10.1.2.0/24 in Availability Zone B, both inside VPC CIDR 10.1.0.0/16).

Plan your VPC IP space before creating it
- Consider future AWS region expansion
- Consider future connectivity to your internal networks
- Consider subnet design
- A VPC can be /16 down to /28
- The CIDR cannot be modified after creation (secondary CIDR blocks can be associated later, but the primary block stays fixed)
- Overlapping IP spaces = future headache: VPC peering and VPN routing both need ranges that do not overlap

Add an Internet Gateway (figure): VPC CIDR 10.1.0.0/16 with an Internet Gateway attached; Web (public) subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B.

Route table for the public subnet:
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Add private subnets (figure): VPC CIDR 10.1.0.0/16 with Web (public) subnets 10.1.1.0/24 (Availability Zone A) and 10.1.2.0/24 (Availability Zone B), and Database (private) subnets 10.1.3.0/24 (Availability Zone A) and 10.1.4.0/24 (Availability Zone B).

Route table for the Web (public) subnets:
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Route table for the Database (private) subnets:
  Destination    Target
  10.1.0.0/16    Local

The private route table has no default route, so instances in the database subnets have no path to or from the internet; only the public subnets are exposed.

NAT Gateway (figure): a NAT gateway is placed in the Web (public) subnet 10.1.1.0/24 in Availability Zone A so that instances in the Database (private) subnets 10.1.3.0/24 and 10.1.4.0/24 can initiate outbound connections to the internet without being reachable from it.

Route table for the Web (public) subnets:
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Route table for the Database (private) subnets:
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      NAT Gateway (ENI)

A NAT gateway lives in one Availability Zone: if Availability Zone A fails, private subnets in Availability Zone B lose outbound connectivity unless they have their own NAT gateway and their own route table pointing at it.

Connect to your data center (figure): VPC 10.1.0.0/16, with subnets 10.1.1.0/24 and 10.1.3.0/24 in Availability Zone A and 10.1.2.0/24 and 10.1.4.0/24 in Availability Zone B, is linked to the corporate network 192.168.0.0/16 (where an Internal Server lives) over either a VPN connection or AWS Direct Connect, terminating on a virtual private gateway (VPG).

Route table for the public subnets:
  Destination      Target
  10.1.0.0/16      Local
  0.0.0.0/0        IGW

Route table for the private subnets:
  Destination      Target
  10.1.0.0/16      Local
  192.168.0.0/16   VPG
  0.0.0.0/0        NAT Gateway

Longest prefix match sends traffic for 192.168.0.0/16 to the VPG and everything else to the NAT gateway; the public subnets have no route to the corporate network at all.

Protecting your VPC resources

Protecting your VPC resources
- Network linking: VPN connection, AWS Direct Connect, VPC peering, endpoints
- Routing: route table, public / Elastic IP, Internet gateway
- Auditing: flow logs, CloudTrail
- Security groups: ingress/egress rules, attached per fleet or application (figure: Fleet 1 SG and Fleet 2 SG in subnet 10.1.1.0/24; App 1 SG and App 2 SG across subnets 10.1.1.0/24 and 10.1.2.0/24)
- Network Access Control Lists: attached per subnet

Virtual Private Cloud security layers (figure, Availability Zone A and Availability Zone B):
- Lockdown at instance level: security groups
- Isolate network functions: separate subnets (10.0.0.0/24, 10.0.1.0/24)
- Lockdown at network level: a network ACL on each subnet
- Route restrictively: per-subnet routing tables, virtual private gateway, Internet gateway

VPC Security Groups (figure): in VPC BuildABeer-VPC-1, security group BuildABeer-SG-1 lets an HTTP GET (TCP/6, port 80) through to the instance, while an NTP buffer-overrun attempt (UDP/17, port 123) matches no allow rule and is dropped. Security groups are allow-lists: anything without a matching rule is denied, and they are stateful, so replies to allowed requests need no rule of their own.

Network ACL (figure): two HTTP GET requests (TCP/6, port 80) arrive at BuildABeer-VPC-1. The network ACL denies the one with srcip=216.246.16.228 before it reaches security group BuildABeer-SG-1; the other passes the ACL and is then checked against the security group. A security group cannot express an explicit deny, so blocking one specific source address is a network ACL rule. Network ACLs are stateless and evaluated in rule-number order, first match wins, so the ACL also needs an outbound rule covering the ephemeral ports that the replies go back to.
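Added example, not code from the deck: a small Python model of how the two BuildABeer slides are evaluated. It encodes security group BuildABeer-SG-1 as an allow-list and a network ACL with an explicit deny for 216.246.16.228, runs the three packets from the slides (the HTTP GET, the same GET from the denied address, the NTP probe) through NACL-then-SG, and then shows the stateless trap: a NACL that allows inbound port 80 but has no outbound rule for ephemeral ports silently drops the replies. The rule encoding, the packet fields and every address except 216.246.16.228 are assumptions.

```python
"""Security group vs. network ACL evaluation, modelled on the BuildABeer slides
(added example; rule encoding and all addresses but 216.246.16.228 are assumed)."""
import ipaddress

ANY = -1  # protocol wildcard for NACL rules

# Constructed packets. Only 216.246.16.228 comes from the slide; the other
# addresses are documentation ranges.
def packet(proto, src, dst, sport, dport):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def reply(pkt):
    """The instance's response: addresses and ports swapped."""
    return packet(pkt["proto"], pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])

# Security group BuildABeer-SG-1: (protocol, port range, source CIDR). Allow rules
# only, any match allows, otherwise drop. Stateful: replies to allowed traffic pass
# without a rule of their own.
SG_BUILDABEER_1 = [(6, (80, 80), "0.0.0.0/0")]  # HTTP in from anywhere

# Network ACLs: (rule number, action, protocol, port range, CIDR). Evaluated in
# ascending rule order, first match wins, implicit deny at the end. Stateless.
NACL_WEB = [
    (100, "deny",  6,   (80, 80),   "216.246.16.228/32"),  # explicit deny: an SG cannot do this
    (200, "allow", ANY, (0, 65535), "0.0.0.0/0"),
]
NACL_STRICT = [  # common mistake: inbound 80 allowed, no outbound ephemeral-port rule
    (100, "allow", 6, (80, 80), "0.0.0.0/0"),
]

def _match(proto, ports, cidr, pkt_proto, addr, port):
    lo, hi = ports
    return ((proto == ANY or proto == pkt_proto) and lo <= port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr))

def sg_allows_inbound(sg, pkt):
    return any(_match(p, ports, cidr, pkt["proto"], pkt["src"], pkt["dport"])
               for p, ports, cidr in sg)

def nacl_verdict(nacl, pkt, direction):
    # Inbound rules are keyed on the remote source address, outbound rules on the
    # remote destination address; the port checked is the packet's destination port.
    addr = pkt["src"] if direction == "in" else pkt["dst"]
    for _num, action, proto, ports, cidr in sorted(nacl):
        if _match(proto, ports, cidr, pkt["proto"], addr, pkt["dport"]):
            return action
    return "deny"

def inbound_verdict(nacl, sg, pkt):
    """Order of evaluation for a packet entering a subnet: NACL first, then SG."""
    if nacl_verdict(nacl, pkt, "in") == "deny":
        return "denied by NACL"
    return "allowed" if sg_allows_inbound(sg, pkt) else "denied by SG"

def response_verdict(nacl, sg, pkt):
    """Can the instance's reply to an allowed request leave the subnet?
    The SG is stateful and always passes it; the NACL is not."""
    if inbound_verdict(nacl, sg, pkt) != "allowed":
        return "no request to answer"
    if nacl_verdict(nacl, reply(pkt), "out") == "allow":
        return "allowed"
    return "reply denied by NACL"

WEB = "10.1.1.10"
GET_OK  = packet(6,  "203.0.113.10",   WEB, 51515, 80)   # HTTP GET Beer
GET_BAD = packet(6,  "216.246.16.228", WEB, 40000, 80)   # same request, denied source
NTP_BUF = packet(17, "198.51.100.7",   WEB, 123,   123)  # NTP buffer-overrun attempt

if __name__ == "__main__":
    for name, pkt in [("GET_OK", GET_OK), ("GET_BAD", GET_BAD), ("NTP_BUF", NTP_BUF)]:
        print("{0:8} {1}".format(name, inbound_verdict(NACL_WEB, SG_BUILDABEER_1, pkt)))
    print("reply through NACL_STRICT:", response_verdict(NACL_STRICT, SG_BUILDABEER_1, GET_OK))
```

Running it prints allowed / denied by NACL / denied by SG for the three packets, and "reply denied by NACL" for the strict ACL: the request got in, but the 80-to-51515 reply has no matching outbound rule, which is the symptom of a half-configured NACL.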

Obfuscate - CloudFront (figure): users reach BuildABeer-VPC-1 through Amazon CloudFront, with DNS served by Amazon Route 53.

Hide and go seek: the public name resolves only to CloudFront edge addresses, so the origin's own address is never exposed:

~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85

This hides the origin only if the origin refuses direct connections: restrict its security group to CloudFront's published address ranges, or have CloudFront add a secret header that the origin requires.

Moving Beyond a Single VPC

Why have more than one?
- Application isolation
- Scope of audit containment (separate AWS accounts)
- Risk level separation
- Separate production from non-production
- Multi-tenant isolation
- Business unit alignment

Growing your VPCs (figure, before VPC peering): VPC A (Web App), VPC A (Internal App), VPC B (Internal App), VPC C (Internal App), VPC D (Internal App) ... VPC (N) (Internal App), each linked through an HA pair of VPN endpoints.

Connecting your VPCs (VPC Peering)
- With VPC Peering you can connect VPCs together within a Region without having to maintain all the VPN overhead
- Peering creates a private network connection between any two VPCs in a region, including cross-account VPC peering
- The two VPCs must have non-overlapping CIDRs, and each side must add routes for the other's CIDR

Common Design: Shared Services VPC (figure)
- Move shared services such as Active Directory, logging and monitoring to a shared services VPC (VPC A, 10.1.0.0/16)
- VPC A is peered with VPC B 10.2.0.0/16 (pcx-aaaabbbb), VPC C 10.3.0.0/16 (pcx-aaaacccc) and VPC D 10.4.0.0/16 (pcx-aaaadddd)
- None of the other VPCs can send traffic directly to each other through VPC A (= app isolation): peering is not transitive
- Only VPC A has direct network access to your data center (10.0.0.0/16) via a VPN
- Security groups and NACLs still apply

Route tables for the shared services design:

VPC A's route table
  Destination    Target
  10.1.0.0/16    Local
  10.2.0.0/16    pcx-aaaabbbb
  10.3.0.0/16    pcx-aaaacccc
  10.4.0.0/16    pcx-aaaadddd
  10.0.0.0/16    VPG1

VPC B's route table
  Destination    Target
  10.2.0.0/16    Local
  10.1.0.0/16    pcx-aaaabbbb

VPC C's route table
  Destination    Target
  10.3.0.0/16    Local
  10.1.0.0/16    pcx-aaaacccc

VPC D's route table
  Destination    Target
  10.4.0.0/16    Local
  10.1.0.0/16    pcx-aaaadddd
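Added example, not from the deck: a Python route-table model that applies the VPC router's longest-prefix-match rule to the shared services tables above and to the public/private tables from the "Building your VPC" slides. It classifies a subnet as public, private or isolated from its default route, and traces a packet hop by hop across the peering to show why VPC B reaches VPC A but not VPC C, even if someone adds a 10.3.0.0/16 route to B's table pointing at pcx-aaaabbbb. The pcx-* identifiers, CIDRs and VPG1 come from the slides; the igw-/nat-/vgw- target names and the test addresses are assumptions.

```python
"""Route-table model for the deck's VPC designs (added example, not from the slides):
longest-prefix lookup, public/private subnet classification, and a hop-by-hop trace
across the shared services peering to show that VPC peering is not transitive."""
import ipaddress

# Public and private route tables from the "Building your VPC" slides. The slides name
# the targets only by kind; the igw-/nat-/vgw- identifiers here are assumed.
PUBLIC_RT = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw-web")]
PRIVATE_RT = [("10.1.0.0/16", "local"), ("192.168.0.0/16", "vgw-datacenter"),
              ("0.0.0.0/0", "nat-az-a")]

# Shared services design: VPC A is the hub, B/C/D are spokes, VPG1 leads to the data center.
VPC_CIDR = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16", "D": "10.4.0.0/16"}
PEERING = {"pcx-aaaabbbb": ("A", "B"), "pcx-aaaacccc": ("A", "C"), "pcx-aaaadddd": ("A", "D")}
ROUTES = {
    "A": [("10.1.0.0/16", "local"), ("10.2.0.0/16", "pcx-aaaabbbb"),
          ("10.3.0.0/16", "pcx-aaaacccc"), ("10.4.0.0/16", "pcx-aaaadddd"),
          ("10.0.0.0/16", "VPG1")],
    "B": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaabbbb")],
    "C": [("10.3.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaacccc")],
    "D": [("10.4.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaadddd")],
}

def lookup(route_table, dst):
    """VPC router rule: the most specific matching destination wins, regardless of order."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(route_table):
    """public: default route to an internet gateway; private: default route to a NAT
    gateway; isolated: no default route. A supposedly private subnet whose 0.0.0.0/0
    points at an igw- is exactly the misconfiguration this check is meant to catch."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other:" + default

def trace(vpc, dst, routes=ROUTES):
    """Follow a packet leaving `vpc` for `dst`; returns (hops, outcome)."""
    hops = [vpc]
    target = lookup(routes[vpc], dst)
    if target is None:
        return hops, "no route"
    if target == "local":
        return hops, "delivered"
    hops.append(target)
    if not target.startswith("pcx-"):
        return hops, "forwarded to gateway"
    a, b = PEERING[target]
    peer = b if a == vpc else a
    # A peering connection delivers only traffic addressed to the peer VPC's own CIDR.
    # It never forwards on to a third VPC, to the peer's VPN, or to its internet gateway.
    if ipaddress.ip_address(dst) in ipaddress.ip_network(VPC_CIDR[peer]):
        hops.append(peer)
        return hops, "delivered"
    return hops, "dropped: peering is not transitive"

if __name__ == "__main__":
    print(classify_subnet(PUBLIC_RT), classify_subnet(PRIVATE_RT))
    print(lookup(PRIVATE_RT, "192.168.10.5"))   # vgw-datacenter wins over the NAT default
    print(trace("B", "10.1.7.7"))                # B -> pcx-aaaabbbb -> A
    print(trace("B", "10.3.1.1"))                # no route in B's table
    leaky_b = {**ROUTES, "B": ROUTES["B"] + [("10.3.0.0/16", "pcx-aaaabbbb")]}
    print(trace("B", "10.3.1.1", leaky_b))       # dropped at the peering connection
    print(trace("A", "10.0.5.5"))                # A -> VPG1 towards the data center
```

The `leaky_b` case is the one to remember: AWS lets you add a route for 10.3.0.0/16 via pcx-aaaabbbb, and the console will not complain, but the peering connection discards anything not addressed to VPC A's own 10.1.0.0/16. Isolation between B, C and D therefore holds even against a mistaken route, and reaching the data center from a spoke needs its own VPN or Direct Connect attachment, not a hop through VPC A.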

Simplify with AWS Direct Connect (figure): the shared services pattern repeated three times, each with a hub VPC A peered to spoke VPCs B, C and D over pcx-aaaabbbb, pcx-aaaacccc and pcx-aaaadddd (hub 10.1.0.0/16 with spokes 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16; hub 10.5.0.0/16 with spokes 10.6.0.0/16, 10.7.0.0/16, 10.8.0.0/16; hub 10.9.0.0/16 with spokes 10.10.0.0/16, 10.11.0.0/16, 10.12.0.0/16). All hubs reach the customer data center through one AWS Direct Connect location instead of separate VPNs.

Configuring logging and monitoring

Services AWS CloudTrail VPC Flow Logs

AWS CloudTrail

Introduction to AWS CloudTrail (figure): you are making API calls on a growing set of AWS services around the world (the figure shows Amazon Elastic Block Store (Amazon EBS) as one example); CloudTrail continuously records those API calls and delivers them to an Amazon S3 bucket, from where you store/archive them, troubleshoot, and monitor and alarm.

Use cases enabled by CloudTrail
- IT and security administrators can perform security analysis
- IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
- DevOps engineers can troubleshoot operational issues
- IT auditors can use log files as a compliance aid
See: Security at Scale: Logging in AWS white paper

VPC Flow Logs

Dumping out the heavy hitter IP addresses

```python
#!/usr/bin/python3
# Dump the heavy-hitter source IP addresses from VPC Flow Logs delivered to CloudWatch Logs.
import boto3

logs = boto3.client('logs')

# Count flow-log records per source address across every log stream of every log
# group (pass logGroupNamePrefix= to describe_log_groups to limit it to flow-log groups;
# both describe_* calls and get_log_events paginate, so a large account needs the
# nextToken handling this demo omits).
ip_dict = {}
groups = logs.describe_log_groups()
for loggroup in groups['logGroups']:
    # Get the log streams for each log group (one per network interface)
    logstreamsdesc = logs.describe_log_streams(logGroupName=loggroup['logGroupName'])
    for logstream in logstreamsdesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=loggroup['logGroupName'],
                                          logStreamName=logstream['logStreamName'])
        # A version-2 flow log record is:
        #   version account-id interface-id srcaddr dstaddr srcport dstport protocol ...
        # so the source address is field 3 (field 4 is the destination address).
        for event in events_resp['events']:
            fields = event['message'].split()
            if len(fields) < 5 or fields[3] == '-':   # NODATA/SKIPDATA records carry no address
                continue
            ip = fields[3]
            ip_dict[ip] = ip_dict.get(ip, 0) + 1

for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
    print('{0:15} {1:8d}'.format(w, ip_dict[w]))
```
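Added example, not from the deck: the same heavy-hitter count run offline over constructed VPC Flow Log records, with a field-name parser for the version-2 record format and a second pass that surfaces sources with repeated REJECTs and the ports they probed, which a plain record count hides. The records, ENI, account number and addresses are constructed; the layout matches the default flow-log format (srcaddr is field 3, dstaddr field 4).

```python
"""Offline VPC Flow Log analysis over constructed records (added example, not from the deck)."""
from collections import Counter

# Field order of the default (version 2) flow log record written to CloudWatch Logs.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: account, ENI and most addresses are made up.
# 216.246.16.228 is the source the deck's NACL slide denies, here seen hitting 80 and 22.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.1.1.10 51515 80 6 12 3400 1466000000 1466000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.1.1.10 40000 80 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.1.1.10 40001 80 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.1.1.10 40002 22 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.10 123 123 17 1 76 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.1.1.10 203.0.113.10 80 51515 6 10 8000 1466000000 1466000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1466000000 1466000060 - NODATA
"""

def parse(record):
    """Return the record as a dict keyed by field name, or None for records that carry
    no flow (NODATA / SKIPDATA) or do not match the expected layout."""
    parts = record.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def heavy_hitters(lines, top=10):
    """Source addresses ranked by number of flow records. In a version-2 record the
    source address is field 3; field 4 is the destination."""
    counts = Counter(r["srcaddr"] for r in map(parse, lines) if r)
    return counts.most_common(top)

def rejected_by_source(lines, min_rejects=2):
    """Sources with repeated REJECTs and the destination ports they probed: a cheap
    port-scan / brute-force signal. Returns {srcaddr: (reject count, sorted ports)}."""
    rejects, ports = Counter(), {}
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
            ports.setdefault(rec["srcaddr"], set()).add(int(rec["dstport"]))
    return {src: (n, sorted(ports[src])) for src, n in rejects.items() if n >= min_rejects}

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for ip, n in heavy_hitters(lines):
        print("{0:15} {1:8d}".format(ip, n))
    for src, (n, probed) in rejected_by_source(lines).items():
        print("{0:15} {1} rejects on ports {2}".format(src, n, probed))
```

On the sample, 216.246.16.228 tops the heavy-hitter list with 3 records and is the only source reported by `rejected_by_source` (3 rejects, ports 22 and 80); the single NTP reject from 198.51.100.7 stays below the threshold. Feeding the function the `message` strings returned by `get_log_events` gives the same result on live data.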

Partners

Justin Bradley