{"id":2605,"date":"2019-03-10T21:55:06","date_gmt":"2019-03-10T20:55:06","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=2605"},"modified":"2019-08-27T19:39:42","modified_gmt":"2019-08-27T17:39:42","slug":"protecting-network-boundaries","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2019\/03\/10\/protecting-network-boundaries\/","title":{"rendered":"Protecting Network Boundaries"},"content":{"rendered":"<p><span style=\"color: #3366ff;\">VPC (Virtual Private Cloud)<\/span><\/p>\n<ul>\n<li>Isolate workloads into separate VPCs (based on application, department, test, dev, etc.)<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<p>Security features in Amazon VPC include:<\/p>\n<ul>\n<li>Network ACLs<\/li>\n<li>Security groups<\/li>\n<li>Routing tables<\/li>\n<li>External gateways<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">NACLs (Network Access Control Lists)<\/span><\/p>\n<ul>\n<li>Works at the subnet level<\/li>\n<li>Stateless = inbound and outbound rules are separate, no dependencies<\/li>\n<li>Granular control over IP protocols (allow and deny rules for inbound and outbound evaluated in order)<\/li>\n<li>Work with security groups (NACL applies for the whole subnet, security groups apply to members)<\/li>\n<li>Ephemeral ports: Client requests depending on OS (ports 1024-65535)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">Security Groups<\/span><\/p>\n<p>Security groups are software firewalls that can be attached to network interfaces and (by association) products in AWS. Security groups each have inbound rules and outbound rules. A rule allows traffic to or from a source (IP, network, named AWS entity) and protocol.<\/p>\n<p>Security groups have a hidden implicit\/default deny rule but cannot explicitly deny traffic.<\/p>\n<p>They are stateful \u2014 meaning for any traffic allowed in\/out, the return traffic is automatically allowed. 
Security groups can reference AWS resources, other security groups, and even themselves.<\/p>\n<ul>\n<li>Works at the interface level<\/li>\n<li>Default group enables inbound communication from other members of the same group and outbound communication to any destination.<\/li>\n<li>Group instances with similar functions<\/li>\n<li>Stateful = every allowed TCP or UDP port will be allowed in both directions<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2651\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SecurityGroup.jpg\" alt=\"\" width=\"596\" height=\"444\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SecurityGroup.jpg 596w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SecurityGroup-300x223.jpg 300w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><\/p>\n<p>Host-Based Firewalls: OS-level firewalls as needed<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2608\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NETSecurity.jpg\" alt=\"\" width=\"710\" height=\"578\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NETSecurity.jpg 710w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NETSecurity-300x244.jpg 300w\" sizes=\"(max-width: 710px) 100vw, 710px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">AWS Web Application Firewall (AWS WAF)<\/span><\/p>\n<ul>\n<li>WAF rules are based on conditions, such as:<\/li>\n<\/ul>\n<p>\u2022 IP addresses<\/p>\n<p>\u2022 HTTP headers<\/p>\n<p>\u2022 HTTP body<\/p>\n<p>\u2022 Uniform Resource Identifier (URI) strings<\/p>\n<p>\u2022 SQL injection<\/p>\n<p>\u2022 Cross-site scripting (XSS)<\/p>\n<ul>\n<li>Integrated with AWS services:<\/li>\n<\/ul>\n<p>\u2022 CloudFront<\/p>\n<p>\u2022 API Gateway<\/p>\n<p>\u2022 Application Load Balancer<\/p>\n<ul>\n<li>When using WAF on ALB, rules run in the region<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2592\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WAF.jpg\" alt=\"\" width=\"617\" height=\"727\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WAF.jpg 617w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WAF-255x300.jpg 255w\" sizes=\"(max-width: 617px) 100vw, 617px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">AWS Shield<\/span><\/p>\n<ul>\n<li>Service that helps protect your applications from DDoS attacks.<\/li>\n<li>Mitigates 99% of attacks in 5 minutes or less.<\/li>\n<li>Mitigates attacks against Elastic Load Balancing in less than 5 minutes.<\/li>\n<li>Mitigates attacks against CloudFront and Route 53 in less than 1 second.<\/li>\n<li>Usually mitigates all other attacks in less than 20 minutes.<\/li>\n<\/ul>\n<p>Two flavors of AWS Shield:<\/p>\n<ul>\n<li><strong>Standard<\/strong> &#8211; defends against common layer 3 and 4 DDoS attacks such as SYN flood and UDP reflection attacks. Shield Standard is automatically activated at no additional cost for all AWS customers.<\/li>\n<li><strong>Advanced<\/strong> &#8211; provides the same protection as Shield Standard but also includes protection against layer 7 attacks, such as HTTP flood attacks that overwhelm an application with HTTP GET or POST requests. An EC2 instance must have an Elastic IP address to obtain layer 7 protection. You also get attack notifications, forensic reports, and 24\/7 assistance from the AWS DDoS Response Team. AWS WAF is included at no charge.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">Bastion Hosts<\/span><\/p>\n<ul>\n<li>&#8220;Gate&#8221; that protects our infrastructure but allows access for updates or other management<\/li>\n<li>Used to control remote access (e.g., via RDP or SSH)<\/li>\n<li>These should be hardened and secured very carefully and regularly<\/li>\n<li>Can have an Elastic IP address that never changes and can be whitelisted<\/li>\n<li>We can have standby bastion hosts for higher availability<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2643\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/BastionHost.jpg\" alt=\"\" width=\"631\" height=\"594\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/BastionHost.jpg 631w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/BastionHost-300x282.jpg 300w\" sizes=\"(max-width: 631px) 100vw, 631px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">NAT Gateways<\/span><\/p>\n<ul>\n<li>Enable instances in a private subnet to access the Internet for updates<\/li>\n<li>The instances in a private subnet are not accessible via the Internet<\/li>\n<li>If updates\/outside communication is business critical, consider using multiple NAT gateways<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2644\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NATGateways.jpg\" alt=\"\" width=\"633\" height=\"608\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NATGateways.jpg 633w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NATGateways-300x288.jpg 300w\" sizes=\"(max-width: 633px) 100vw, 633px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>VPC (Virtual Private Cloud) Isolate workloads into separate VPCs (based on application, department, test, dev, 
etc.)<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2605"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2605"}],"version-history":[{"count":11,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2605\/revisions"}],"predecessor-version":[{"id":2656,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2605\/revisions\/2656"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2605"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}