Cloud Security Best Practices

Similar documents
Overlay Engine. VNS3 Plugins Guide 2018

VNS3 version 4. Free and Lite Edition Reset Overlay Subnet

VNS3 Configuration. IaaS Private Cloud Deployments

VNS3 Configuration. Quick Launch for first time VNS3 users in Azure

AWS VPC Cloud Environment Setup

Configuration of an IPSec VPN Server on RV130 and RV130W

CenturyLink Cloud Configuration. CenturyLink Setup for VNS3

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Virtual Private Cloud. User Guide. Issue 03 Date

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Microsoft Azure Configuration. Azure Setup for VNS3

VNS3 Configuration. ElasticHosts

Virtual Tunnel Interface

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Logging Container. VNS3 Plugins Guide 2018

Container System Overview

VNS3 IPsec Configuration. Connecting VNS3 Side by Side via IPsec

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Hillstone IPSec VPN Solution

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Table of Contents 1 IKE 1-1

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

VNS3 Configuration. Google Compute Engine

DataDog Container. VNS3 Plugins Guide 2018

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

VNS3 Plugin Guide. VSN3:turret NIDS Container

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

SAM 8.0 SP2 Deployment at AWS. Version 1.0

VNS3 3.5 Container System Add-Ons

VMware Cloud on AWS Networking and Security. 5 September 2018 VMware Cloud on AWS

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

VPN Auto Provisioning

Configuring a Hub & Spoke VPN in AOS

Virtual Private Network. Network User Guide. Issue 05 Date

How to Configure an IPsec Site-to-Site VPN to a Windows Azure VPN Gateway

Firepower Threat Defense Site-to-site VPNs

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Securing VMware NSX-T J U N E 2018

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

VPN Ports and LAN-to-LAN Tunnels

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Virtual Private Networks

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

CogniFit Technical Security Details

Google Cloud VPN Interop Guide

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS

Sample excerpt. Virtual Private Networks. Contents

VNS3 4.0 Configuration Guide

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Virtual Tunnel Interface

Top 30 AWS VPC Interview Questions and Answers Pdf

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Integration Guide. Oracle Bare Metal BOVPN

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Corente Cloud Services Exchange

BCRAN. Section 9. Cable and DSL Technologies

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

FAQ about Communication

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

vcloud Director User's Guide

VPN Overview. VPN Types

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Securing VMware NSX MAY 2014

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

LAN-to-LAN IPsec VPNs

Managing Site-to-Site VPNs: The Basics

Virtual Private Network

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Configuring LAN-to-LAN IPsec VPNs

Index. Numerics 3DES (triple data encryption standard), 21

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

Hacom pfsense Deployment Guide

The EN-4000 in Virtual Private Networks

Cloud Services. Introduction

NCP Secure Enterprise macos Client Release Notes

Cisco Multicloud Portfolio: Cloud Connect

VNS3 3.5 Upgrade Instructions

Configuring VPNs in the EN-1000

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

AccessEnforcer Version 4.0 Features List

HOW TO CONFIGURE AN IPSEC VPN

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

VPN-Cubed 2.x vpcplus Free Edition

vcloud Director User's Guide

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud

Service Managed Gateway TM. Configuring IPSec VPN

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

VPN Configuration Guide. NETGEAR FVS318v3

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code

Transcription:

Cloud Security Best Practices

Cohesive Networks - your applications secured Our family of security and connectivity solutions, VNS3, protects cloud-based applications from exploitation by hackers, criminal gangs, and foreign governments. Top 20 Most Promising Enterprise Security Company 2015 TECHNOLOGY PARTNER Partner Network Cloud Marketplace Provider 2000+ customers in 20+ countries across all industry verticals and sectors 2

New realities of cybersecurity Attacks have become professional: hackers, criminals or foreign governments. In the post-sony era, all servers on a wire are compromised or targets. Regulatory implementation and reporting demands are increasing. 3

Cohesive Networks VNS3 is the "Top of Cloud" network security solution Cloud Customer Layer 7 Layer 6 Layer 5 Layer 4 Application Policies You Control Layer 3 Layer 3 Limit of user access, control and visibility Cloud Service Provider Layer 2 Layer1 Cloud Layer 3 Network (minimal tenant features) Hypervisor You Don t Control Layer 0 Alcatel Hardware You Can t Get To 4

VNS3 provides connectivity and security + L4-L7 plug-in system L4-L7 Plugin System waf content caching nids proxy load balancing custom VNS3 Core Components router switch firewall vpn concentrator protocol distributor extensible nfv VNS3 is a software-only virtual appliance you deploy in your cloud/virtual infra to bring all the the connectivity and security controls normally available at the data center edge to your application edge. With the option Overlay Network, you can also encrypt all data-in-transit to, from and within your application deployment. 5

VNS3 enables production cloud use-cases Partner/Customer Networks Cloud VPN Security & Compliance Rapid Dev/Test! App Segmentation Private Cloud Cloud DR 6

VNS3 allows topology control us-west-2 central us eu-west-1 vpc 1 vlan 2 vpc 3 VNS3 Overlay Network - 172.31.1.0/24 Cloud Server A Overlay IP: 172.31.1.1 Cloud Server B Overlay IP: 172.31.1.2 Cloud Server C Overlay IP: 172.31.1.3 Primary DB Overlay IP: 172.31.1.4 Backup DB Overlay IP: 172.31.1.5 Peered Peered VNS3:ha 1 VNS3 Controller 1 VNS3 Controller 2 VNS3 Controller 3 Active IPsec Tunnel Failover IPsec Tunnel Data Center 1 Seattle, WA Data Center 2 London 7

VNS3 is available everywhere Cohesive is the critical security and connectivity component SaaS Private Cloud Virtual Infrastructure Public Cloud 8

Cohesive Networks Our customers can use any product made by any traditional network vendor - and choose us. Security and connectivity at the top of the public and private cloud is a key B2B growth area. The cloud is growing all of our businesses. Let s grow together and securely. Your Applications Connected and Secure 9

VNS3 Best Practices 10

Cloud security best practices Defense in Depth Shared Responsibility NIDS and WAF Virtual Firewall Overlay Network Overlay Network Encrypted TLS tunneled Overlay Network Lock Down overlay communication to only UDP 1194 in/ out Check out Clientpacks Use Clientpack Name Tag Disable unused clientpacks Run multiple VNS3 controller instances to provide Overlay HA via VNS3 Peering NAT traffic through the VNS3 controller to the public Internet IPsec Site-to-Site Explicitly match all IPsec parameters Policy based IPsec VPN Algorithms, hashing, DH, PFS, PSK, and lifetimes Run multiple VNS3 controller instances to provide IPsec HA Secure Administration Separate UI and API passwords Use Static IPs (DNS name resolution where available) Use multifactor/multiparty authentication for Remote Support Image Size Use VNS3 Snapshots Use VNS3:ms for management and monitoring 11

Understand the security shared responsibility model Cloud Customer Layer 7 Layer 6 Layer 5 Layer 4 App 1 App 1 Application Policies You Control Cloud Service Provider Layer 3 Layer 3 Layer 2 Layer1 Cloud Layer 3 Network (minimal tenant features) Limit of user access, control and visibility Hypervisor You Don t Control Layer 0 Hardware You Can t Get To 12

Build layers of control and access Cloud networks combine with user & provider firewalls and isolation features to create a security lattice with layers of security Key security elements must be controlled by the customer, but separate from the provider. Provider Owned/Provider Controlled Provider Owned/User Controlled VNS3 - User Owned/User Controlled User Owned/User Controlled Cloud Edge Protection Cloud Isolation Cloud VLAN Cloud Network Firewall Cloud Network Service VNS3 Virtual Firewall VNS3 Encrypted Overlay Network VNS3 NIDS, WAF, etc. Instance OS Port Filtering Encrypted Disk 13

Use VPC Taking advantage of the additional isolation and network controls of VPC VLAN is a critical piece of the overall security strategy for deploying cloud applications. It is also recommended to enable DNS resolution and DNS hostnames. This used in combination with Elastic IPs (see page 17) allows shorter DR failover time objectives, increased performance and reduced network transfer costs. 14

Use the encrypted TLS tunneled Overlay Network VNS3 Overlay Network - 172.31.1.0/24 Cloud Server A Overlay IP: 172.31.1.1 Cloud Server B Overlay IP: 172.31.1.2 Cloud Server C Overlay IP: 172.31.1.3 Primary DB Overlay IP: 172.31.1.4 Backup DB Overlay IP: 172.31.1.5 Peered Peered VNS3 Controller 1 VNS3 Controller 3 Public IP: 52.1.108.23 Public IP: 54.15.88.193 VNS3 Controller 2 Public IP: 52.22.100.95 Cloud servers use a unique X.509 credential that is associated with an Overlay IP address plus a tunneling agent (e.g. OpenVPN) to create a secure TLS VPN tunnel to a VNS3 Controller instance. The VNS3 Controller instance acts as a switch, router, firewall, and protocol redistributor. All data in motion is encrypted end-to-end. 15

Lock down the cloud environment Overlay Network cloud servers communicate to each other and to the remote encrypted domains available via IPsec tunnels through the encrypted switch and router functions of the VNS3 controllers. The secure connection between a Overlay Network cloud server and VNS3 controller is negotiated via TLS VPN. Locking down the intra-cloud communications to only UDP 1194 in/out ensures only the encrypted and tunneled Overlay Network traffic is allowed. 16

Use an appropriate Instance Size The instance size required for a use-case is dependent on the total throughput an application deployment needs and how many VNS3 controller instances will be securing that application deployment. Standard enterprise application network throughput requirements are often accommodated by an instance with 2 virtual CPUs and 4 GB of memory. 17

Use Static IPs Using static and assignable public IPs whenever possible allows for fast DR with little to no reconfiguration. Additionally referencing the DNS hostname in configuration of the Overlay Network connected clients and VNS3 controller peering takes advantage of the AWS private IP resolution when available to keep traffic on the internal AWS network to increase performance and reduce costs. 18

Create Logical Subnets with the VNS3 Firewall Smaller subnets within the defined Overlay Network CIDR along with VNS3 firewall rules enforce traffic policies to provide segmentation and isolation. This orthogonal control ensures that the devices are communicating with each other via an encrypted switch and the intra Overlay Network communication is limited to what is necessary. *This is an example Overlay Network Addressing scheme with a /26 subnet size. Overlay Network subnet sizes can be anything from a /28 to a /16. It's not recommended to configure an Overlay Network with a bit block larger than 16 bits. Web 172.31.1.0/29 unassigned 172.31.1.8/29 App 172.31.1.16/29 unassigned 172.31.1.24/29 DB 172.31.1.32/29 MQ 172.31.1.40/29 Overlay Subnet - 172.31.1.0/26* unassigned 172.31.1.48/29 VNS3 Controllers 172.31.1.56/29 19

Monitor traffic with VNS3 NIDS/WAF Containers All the traffic coming into, going out of and moving within the VNS3 Overlay Network pass through the VNS3 controllers. Run traffic management and security services like NIDS and WAF on the VNS3 controllers. WAF NIDS container plugin VNS3 Hypervisor Hardware 20

Check out clientpacks Clientpacks are available to be fetched programmatically via the VNS3 API. Checking out a clientpack makes that credentials unavailable via the API. Mark clientpacks that are currently connected and in use via the check out feature. 21

Use clientpack name tag Tagging each clientpack via the key value tagging system available on VNS3 allows easier tracking and administration of the Overlay connected client servers. 22

Disable unused clientpacks Unused clientpacks can be marked as disabled to deny any incoming connections from using that credential. 23

Build a VNS3 Peered mesh network Controllers connect to each other in a process called Peering. Peered Controllers create a redundant, highly available and secure overlay network and share traffic load from the overlay network connected servers. Connected client servers can specify a list of VNS3 controllers to connect to in order to join the Overlay Network. In the event one controller is in accessible, the connected client server attempts to connect to the next VNS3 controller in the list. Use Peering if federating any cloud resources across availability zone, data center, region, or cloud provider. True n-mesh Peering 24

IPsec Tunnels Recommended IPsec tunnels negotiated with VNS3: Policy-based VPN - encapsulates traffic between two sites as defined by a specific policy or ACL. This is used instead of a Route-based VPN that encapsulates traffic based on routes on both sides which can make it easier to administer but downgrades the security. Encapsulating Security Packet (ESP) wire level protocol - encrypting and authenticating of the data flowing over the tunnel. This is used instead of Authenication Header (AH) which only authenticates. Tunnel Mode - encapsulates the entire IP packet for communication over untrusted networks. This is used instead of Transport mode that only encapsulates the IP payload. Internet Key Exchange (IKE) - protocol used to setup the shared security associations (SA) for the IPsec tunnel. This is used instead of manual key exchange. Main Mode - used to setup the IPsec tunnel SAs using IKE. This is used instead of Aggressive mode that requires fewer messages to establish the SA but does so in a less secured manner. Preshared Key (PSK) - used for authentication between two connecting parties. This is used instead of certificates. 25

Match all tunnel parameters IPsec devices often have parameter groups and list from which IPsec tunnel definition information is sourced. Often the in-force IPsec parameter information is different from the intended definition. Specifying the exact parameters required for IPsec negotiation ensures the correct encryption details are used. 26

Recommended IPsec Parameters Based on experience connecting thousands of partner and customer devices we recommend the following IPsec tunnel settings: AES256 algorithms SHA1 (or SHA2 256) authentication hashing DH5 or DH14 Perfect Forward Secrecy DPD Phase1 Lifetime of 3600s/1h Phase2 Lifetime of 28800s/8h 27

IPsec Failover - BGP IPsec HA can be achieved using VNS3 Peered mesh and IPsec BGP tunnels that decide the quickest path. This is completely dependent on the connecting party's hardware and expertise. Cloud Server A Overlay IP: 172.31.1.1 VNS3 Overlay Network - 172.31.1.0/24 Cloud Server B Overlay IP: 172.31.1.2 Cloud Server C Overlay IP: 172.31.1.3 Primary DB Overlay IP: 172.31.1.4 Peered VNS3 Controller 1 VNS3 Controller 2 Public IP: 52.1.108.23 Public IP: 52.22.100.95 Active ebgp IPsec Tunnel Active ebgp IPsec Tunnel Data Center 1 Seattle, WA 28

IPsec Failover - Normal IPsec VNS3 provides an add-on for instance-based automatic IPsec VPN failover solution to reduce RTO in the event of cloud connectivity failure. VNS3 Overlay - 172.31.1.0/24 Office LAN - 192.168.100.0/24 VNS3 Primary Active IPsec Tunnel Client Server Overlay IP: 172.31.1.1 Host IP: 192.168.100.1 VNS3:ha Failover VNS3:ha Backup VNS3:ms 29

Separate UI and API Credentials Many regulated industries have to follow best practices like changing default username and passwords. Having different access credentials for people and programs and a logical extension. 30

Use multi-factor / multi-party authentication We send an encrypted passphrase to generate a private key used by Cohesive Support staff to access the VNS3 Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed the user can disable remote support access and invalidate the access key. 31

VNS3 snapshots for DR VNS3 Snapshots include all the running configuration details. Use VNS3 snapshots to move configuration state from one VNS3 controller instance to another. 32

Use VNS3:ms for management and monitoring A single dashboard to manage and monitor VNS3 networks plus all underlying cloud VLAN network components (CIDR, subnets, route tables, ACLs, security groups, etc.) 01 02 03 Central Log Status Info Password Recovery Snapshot Mgmt User Auth & Role Mgmt VNS3 Management System Key Management Registration Licensing 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback