Best Practices for Securing Your AWS Cloud Network

Roy Feintuch, CTO, [email protected]

Harish Agastya, CMO, [email protected]

Who Are We

An advanced SaaS-based security solution designed to secure public and hybrid clouds

Over 1000 Customers, 100,000 Cloud Servers Protected


Agenda

In this webinar, you will learn about:

• Typical network security issues seen by Dome9 while working with organizations on AWS

• Best practices to address these issues (without Dome9)

• Leveraging Dome9 to address these best practices

What’s Not Covered in this Webinar

Things around general AWS security issues:

• Console security

• Identity and Access Mgmt

• Specific AWS services hardening (such as S3 security)

• Server / OS hardening

• User accounts management

• Encryption


The Challenges of being an AWS Security Admin

▪ Mission-critical enterprise applications are now being run on AWS

▪ AWS is the de-facto platform leader, with many built-in security controls

▪ AWS is not a dedicated security operations console, so it is challenging to operate at scale and at the speed of cloud

▪ You still need to ensure ALL servers maintain adequate security ALWAYS, and you have to be able to prove it

▪ 3rd-party security tools have limited visibility across AWS services and don't leverage the existing AWS security controls

9 Best Practice Recommendations from Dome9

1. Prevent firewall misconfiguration

2. Ensure correct AWS Security group assignments

3. Implement Network ACL correctly

4. Ensure SSH/RDP not open to the Internet

5. Plan for firewall change management and audit

6. Have firewall logs in place

7. Use human readable security policies

8. Manage your inventory of IP addresses

9. Deploy security in depth with host controls


#1: Prevent Firewall Misconfiguration

▪ Firewall misconfiguration (e.g. ports opened to the entire Internet) is one of the main causes of breaches

▪ The Dome9 Way: Alerts, visualization of Security Group policies

▪ Recommendations:

▪ Set and review alerts from AWS Trusted Advisor

▪ Periodically review your Security Groups

#2: Ensure correct AWS Security Group assignments

▪ Instances are often assigned to the wrong SG, especially in more complex deployments and where an instance is assigned to multiple SGs

▪ Recommendation: Assign a security specialist to regularly monitor the AWS console

▪ The Dome9 Way: Visualization of each instance's effective policy

#3: Implement Network ACLs. Correctly

▪ Security teams often neglect to implement Network ACLs, or to complement them with Security Groups

▪ Recommendations:

▪ Implement Network ACLs to segregate networks

▪ Make sure that Security Groups are implemented as a fine-grained network control

▪ Dome9 Tip: Look for yellow color-coded instances in the Dome9 Clarity visualization
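Network ACLs behave differently from Security Groups in two ways that matter for #3: entries are evaluated in ascending rule-number order and the first match wins (so a deny placed after a broader allow never fires), and they are stateless (so return traffic needs its own explicit inbound allow). The following is an added example, not Dome9 code or AWS tooling; the entries are constructed sample data in the shape of `aws ec2 describe-network-acls` output, and the rule numbers and CIDRs are invented.

```python
"""First-match evaluation of a VPC Network ACL (added example, not Dome9 code).
The entries below are constructed sample data in the shape of
`aws ec2 describe-network-acls` output; rule numbers and CIDRs are invented."""
import ipaddress

# Constructed inbound entries. AWS evaluates entries in ascending RuleNumber
# order and stops at the first match; the "*" catch-all (RuleNumber 32767) denies.
INBOUND_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    # Deny one subnet's SSH before the broader allow: the RuleNumber order decides.
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "10.0.5.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    # NACLs are stateless: replies to outbound connections need an explicit
    # inbound allow on the ephemeral port range, unlike a security group.
    {"RuleNumber": 130, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def matches(entry, src_ip, proto, port):
    """Does this entry apply to a packet from src_ip using proto to dst port?"""
    if entry["Protocol"] not in ("-1", PROTO_NUMBERS[proto]):
        return False
    net = ipaddress.ip_network(entry["CidrBlock"], strict=False)
    if ipaddress.ip_address(src_ip) not in net:
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]


def evaluate(entries, src_ip, proto, port):
    """Return (action, rule_number) of the first entry that matches, lowest number first."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if matches(entry, src_ip, proto, port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None  # only reached if the catch-all entry is missing


def shadowed_entries(entries):
    """Rule numbers that can never fire because an earlier entry with the same
    protocol already covers their whole CIDR and port range (a common audit finding)."""
    ordered = sorted(entries, key=lambda e: e["RuleNumber"])
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later["CidrBlock"], strict=False)
        for earlier in ordered[:i]:
            same_proto = earlier["Protocol"] in ("-1", later["Protocol"])
            e_rng, l_rng = earlier.get("PortRange"), later.get("PortRange")
            covers_ports = e_rng is None or (
                l_rng is not None and e_rng["From"] <= l_rng["From"] and l_rng["To"] <= e_rng["To"])
            covers_net = later_net.subnet_of(ipaddress.ip_network(earlier["CidrBlock"], strict=False))
            if same_proto and covers_ports and covers_net:
                shadowed.append(later["RuleNumber"])
                break
    return shadowed


if __name__ == "__main__":
    for src, proto, port in [("10.0.5.7", "tcp", 22), ("10.0.9.1", "tcp", 22),
                             ("203.0.113.5", "tcp", 22), ("203.0.113.5", "tcp", 50000)]:
        print(src, proto, port, "->", evaluate(INBOUND_ENTRIES, src, proto, port))
    print("shadowed:", shadowed_entries(INBOUND_ENTRIES))
```

Running the sample shows the subnet deny at 110 beating the /8 allow at 120 for 10.0.5.7 but not for 10.0.9.1, and the ephemeral-port allow at 130 letting reply traffic in; renumber the deny to 125 and `shadowed_entries` reports it as dead, which is the kind of ordering mistake a periodic NACL review should catch.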

#4: Ensure SSH/RDP not open to Internet

▪ SSH/RDP or other administrative services are frequently kept open for simplicity

▪ The Dome9 Way: Dome9 dynamic access leases enable fine-grained on-demand access

▪ Recommendations:

▪ Limit the scope of these services to a few trusted IP addresses

▪ Use bastion hosts to reduce exposure of internal cloud servers
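The periodic Security Group review recommended in #1, the effective-policy problem of #2 (an instance in several groups gets the union of all their rules, since SG rules are additive and have no deny) and the SSH/RDP exposure check of #4 can all be done from the same data. The following is an added example, not Dome9 code or AWS tooling: it audits security group JSON offline in the shape returned by `aws ec2 describe-security-groups` and `describe-instances`, with constructed group IDs, instance IDs and rules.

```python
"""Offline audit of EC2 security group assignments (added example, not Dome9 code).
The group IDs, instance IDs and rules below are constructed sample data whose
shape mirrors the JSON that `aws ec2 describe-security-groups` and
`describe-instances` return; no real account is queried."""
import ipaddress

# Constructed security groups (values invented).
SECURITY_GROUPS = {
    "sg-web": {"GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    "sg-admin": {"GroupName": "admin-access", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},              # SSH from anywhere
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},         # RDP from one office range
    ]},
    "sg-all": {"GroupName": "legacy-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic
    ]},
}

# Constructed instance -> attached security groups. An instance with several
# groups gets the union of all their rules (SG rules are additive; no deny rules).
INSTANCES = {
    "i-web01": ["sg-web"],
    "i-web02": ["sg-web", "sg-admin"],
    "i-db01": ["sg-all"],
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_world_open(cidr):
    """True when the source is the whole Internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def effective_rules(instance_id):
    """Flatten every rule of every attached SG into (sg, proto, from, to, src) dicts."""
    rules = []
    for sg_id in INSTANCES[instance_id]:
        for perm in SECURITY_GROUPS[sg_id]["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                rules.append({"sg": sg_id, "proto": perm["IpProtocol"],
                              "from": perm.get("FromPort", 0),
                              "to": perm.get("ToPort", 65535), "src": src})
    return rules


def admin_exposure(instance_id):
    """Map admin service name -> SG ids that expose it to 0.0.0.0/0 on this instance."""
    exposed = {}
    for r in effective_rules(instance_id):
        if not is_world_open(r["src"]):
            continue
        for port, name in ADMIN_PORTS.items():
            covers = r["proto"] == "-1" or (
                r["proto"] == "tcp" and r["from"] <= port <= r["to"])
            if covers:
                exposed.setdefault(name, []).append(r["sg"])
    return exposed


def audit():
    """Run the check across the inventory; an empty dict means nothing admin-facing is world-open."""
    return {inst: admin_exposure(inst) for inst in INSTANCES}


if __name__ == "__main__":
    for inst, exposure in audit().items():
        if not exposure:
            print(f"{inst}: OK")
        else:
            for svc, sgs in exposure.items():
                print(f"{inst}: {svc} open to the Internet via {', '.join(sgs)}")
```

The report names the offending group per instance, which is the detail a reviewer needs: `i-web02` looks fine if you only inspect `sg-web`, and `sg-all`'s protocol `-1` rule exposes every port, not just the two the check names.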

#5: Plan for firewall change management & audit

▪ Many organizations overlook this in AWS environments compared to internal datacenters

▪ Recommendations:

▪ Implement AWS CloudTrail and create alerts for security-related changes

▪ Have a strict IAM policy in place

▪ The Dome9 Way:

▪ Strong user permissions system

▪ Security Groups 'Tamper Protection'

▪ Auditing and notifications system
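The CloudTrail alerting recommended above comes down to picking the EC2 API actions that change Security Groups or Network ACLs out of the event stream and rating them. The following is an added example, not Dome9 code or an AWS feature: the records are constructed in Python and serialised to JSON lines so the triage runs offline; the user names, IP addresses and group IDs are invented, and the `requestParameters` nesting follows CloudTrail's EC2 record layout only as far as this example needs it.

```python
"""Triage of CloudTrail records for firewall-relevant changes (added example,
not Dome9 code). The records are constructed in Python and serialised to JSON
lines so the parser runs offline; user names, IPs and group IDs are invented,
and the requestParameters nesting follows CloudTrail's EC2 record layout
as far as this example needs it."""
import json

# EC2 API actions that change security groups or network ACLs, with a base severity.
WATCHED_EVENTS = {
    "AuthorizeSecurityGroupIngress": "high",
    "AuthorizeSecurityGroupEgress": "medium",
    "RevokeSecurityGroupIngress": "medium",
    "RevokeSecurityGroupEgress": "medium",
    "CreateSecurityGroup": "medium",
    "DeleteSecurityGroup": "high",
    "CreateNetworkAclEntry": "high",
    "ReplaceNetworkAclEntry": "high",
    "DeleteNetworkAclEntry": "high",
}

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample events (the read-only DescribeSecurityGroups call is there to be ignored).
SAMPLE_EVENTS = [
    {"eventTime": "2014-06-10T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-EXAMPLE01", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-06-10T09:13:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2014-06-10T10:41:19Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
     "requestParameters": {"groupId": "sg-EXAMPLE01", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-06-10T11:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupId": "sg-EXAMPLE02", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def world_open_sources(params):
    """CIDRs equal to 0.0.0.0/0 or ::/0 inside requestParameters.ipPermissions."""
    found = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            if r.get("cidrIp") in WORLD:
                found.append(r["cidrIp"])
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            if r.get("cidrIpv6") in WORLD:
                found.append(r["cidrIpv6"])
    return found


def actor(identity):
    """Best available name for who made the call (IAM user, assumed-role ARN, or type)."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def triage(lines):
    """Parse JSON lines, keep watched EC2 events, escalate world-open ingress to critical."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        name = rec.get("eventName")
        if rec.get("eventSource") != "ec2.amazonaws.com" or name not in WATCHED_EVENTS:
            continue
        params = rec.get("requestParameters") or {}  # null on failed calls
        severity = WATCHED_EVENTS[name]
        world = world_open_sources(params) if name == "AuthorizeSecurityGroupIngress" else []
        if world:
            severity = "critical"
        alerts.append({"time": rec.get("eventTime"), "event": name, "severity": severity,
                       "actor": actor(rec.get("userIdentity", {})),
                       "source_ip": rec.get("sourceIPAddress"),
                       "group": params.get("groupId"), "world_open": world})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG_LINES):
        print(f"[{a['severity'].upper()}] {a['time']} {a['event']} on {a['group']} "
              f"by {a['actor']} from {a['source_ip']}")
```

Each alert keeps the actor, source IP and group ID, which is what a change-management review needs to tie the modification back to a ticket; the severity escalation to critical only fires when a new ingress rule's source is the whole Internet, so routine rule churn stays at its base level.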

#6: Have firewall logs in place

▪ Firewall logging information is critical to improve your security; however, AWS does not currently provide that functionality.

▪ The Dome9 Way: Deploy Dome9 Agents and turn on the logging policy

▪ Recommendations:

▪ Enable ELB, CloudFront and S3 access logs.

▪ Configure host-based logging via Linux iptables and Windows Firewall logging capabilities.

#7: Use human readable security policies

▪ Challenge: large-scale firewall policies become very difficult to manage

▪ Recommendations:

▪ Utilize AWS tags for SGs to add as much information as possible

▪ Maintain external documentation (Excel?) for all your security policies, with the relevant context, ports and purpose of each service

▪ The Dome9 Way: Dome9 policies (even when defined in AWS) can be annotated with human descriptions and tags.

#8: Manage your inventory of IP addresses

▪ IP addresses are a source of rigidity in security operations. Eventually they become a source of misconfiguration and security risk

▪ Recommendation: Make sure to document all IP addresses that are used in AWS policies (Excel?)

▪ The Dome9 Way: Dome9 provides an IP address center to manage IP lists & DNS objects

#9: Deploy security in depth with host controls

▪ For mission-critical servers, it is important to include additional host-based security controls beyond what's available in AWS

▪ Recommendation: Implement proper server hardening techniques and deploy host-based security controls like OSSEC

▪ The Dome9 Way: Dome9 agents can provide managed FIM as a second line of defence (based on OSSEC)

9 Best Practice Recommendations Recap

1. Prevent firewall misconfiguration

2. Ensure correct AWS Security group assignments

3. Implement Network ACL correctly

4. Ensure SSH/RDP not open to the Internet

5. Plan for firewall change management and audit

6. Have firewall logs in place

7. Use human readable security policies

8. Manage your inventory of IP addresses

9. Deploy security in depth with host controls


Take Dome9 Out for a Spin

• Sign up for a 30-day free trial @ www.dome9.com

• 5 minute setup

REGISTER NOW

Q&A

www.dome9.com | +1-650-489-5999 | [email protected]

The Dome9 Solution (diagram; four components recovered from the slide):

1. Server Access Control

2. Large Scale Network Firewall Management

3. Host Firewall and File Integrity

4. Continuous Monitoring and Auditing