Securing AWS deployments with Sophos UTM
1
Securing AWS deployments with Sophos UTM
Helping address the AWS Shared Responsibility model
Peter Gordon, Senior Security Architect, IaaS [email protected]
2
Agenda
• AWS Shared Responsibility Model Review
• Using the Sophos UTM within AWS
• Common use cases
• Quick demo
3
Sophos Snapshot
• Founded 1985 in Oxford, UK
• Publicly listed in 2015
• Appx. $450 million in FY15 billings
• Appx. 2,200 employees
• Over 220,000 customers
• Over 100 million users
• HQ in Oxford, UK and Boston, MA
• OEM Partners: Cisco, IBM, Juniper, Citrix, Lenovo, Rackspace
• Key development centers: Abingdon, UK; Vancouver, BC; Karlsruhe, Germany; Linz, Austria; Budapest, Hungary; Ahmedabad, India
• 20+ additional offices worldwide
(Photo: Sophos in Oxford, UK)
4
Sharing the Security Responsibility
…where AWS is responsible for the security of the underlying cloud infrastructure and you are responsible for securing workloads you deploy in AWS.
http://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf
5
Sharing the Security Responsibility
…AWS configures infrastructure components such as data center networks, routers, switches, and firewalls in a secure fashion. You are responsible for controlling access to your systems in the cloud and for configuring network security within your Amazon VPC, as well as secure inbound and outbound network traffic.
http://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
6
AWS Shared Responsibility model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• This means customers need to add their own security layers
https://aws.amazon.com/compliance/shared-responsibility-model/
7
AWS Built in Security
Highly secure data centers staffed 24/7, plus:
• Secure Access via API Endpoints using SSL
• Built in Firewalls to control access to Instances and VPCs
• User Management for granular access to AWS resources
• Encrypted Data Storage
• Dedicated Hardware Based Crypto Key Storage
• Dedicated Connection Options to connect offices
• Trusted Advisor Service
8
So AWS has security controls already…
• NACLs, Security Groups, and WAF
• But…
• UTM provides a Stateful Next-Gen firewall
• Layers of security including inline IPS
• Sophisticated WAF
• Advanced Threats / APT detection
• How about granular policies and controls like time of day?
• What about detailed visibility for troubleshooting?
• What about reporting?
• Any rule limits? Security Groups, WAF, etc. (http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html)
• Sophos can also provide centrally managed AV for instances
• Sophos can complement and extend existing AWS controls
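The two slides above make the same point from different directions: under the shared responsibility model the customer owns the VPC firewall configuration (security groups and NACLs), and those native controls have rule limits and no built-in reporting. The following is an added example (not Sophos or AWS code, and not part of the original deck) of the kind of check a customer is expected to run on their side of the line: it audits security-group rules for admin ports or all-traffic rules exposed to any-address CIDRs and flags groups whose inbound rule count approaches a threshold. The input is constructed inline to mirror the shape of what boto3's `ec2.describe_security_groups()` returns under `SecurityGroups`; the group ids, CIDRs, `ADMIN_PORTS` policy set and the `max_rules` threshold are all assumptions for the example, not AWS figures.

```python
"""Audit VPC security-group rules on the customer side of the AWS
shared responsibility model.

Added example, not Sophos or AWS code. The sample below is constructed to
mirror the shape of EC2 describe-security-groups output; no AWS call is
made and the ids/CIDRs are fictitious.
"""

from typing import Dict, List, Tuple

# Constructed sample: two groups in one VPC (fictitious ids and CIDRs).
SAMPLE_SECURITY_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0example0001",
        "GroupName": "web-tier",
        "VpcId": "vpc-0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0example0002",
        "GroupName": "db-tier",
        "VpcId": "vpc-0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "172.16.0.0/16"}], "Ipv6Ranges": []},
            # IpProtocol "-1" is "all traffic"; such rules carry no port fields.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Assumed policy for this example: ports that must never face the Internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_cidrs(rule: Dict) -> List[str]:
    """Collect every IPv4 and IPv6 CIDR attached to one permission entry."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def port_span(rule: Dict) -> Tuple[int, int]:
    """Return (from, to) for a permission; protocol "-1" means all ports."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def inbound_rule_count(sg: Dict) -> int:
    """Count inbound rules as one per (permission, source CIDR) pair.
    This counting convention is the example's assumption."""
    return sum(len(rule_cidrs(r)) for r in sg.get("IpPermissions", []))


def audit_security_groups(groups: List[Dict], max_rules: int = 50) -> List[Dict]:
    """Return findings: admin/all ports open to any-address CIDRs, and groups
    whose inbound rule count exceeds max_rules (an assumed threshold)."""
    findings: List[Dict] = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            lo, hi = port_span(rule)
            all_ports = rule.get("IpProtocol") == "-1"
            exposes_admin = all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)
            span = "all ports" if all_ports else f"{lo}-{hi}"
            for cidr in rule_cidrs(rule):
                if cidr in ANY_CIDRS and exposes_admin:
                    findings.append({"group": sg["GroupId"],
                                     "kind": "open-to-world",
                                     "detail": f"{span} from {cidr}"})
        count = inbound_rule_count(sg)
        if count > max_rules:
            findings.append({"group": sg["GroupId"], "kind": "rule-count",
                             "detail": f"{count} inbound rules exceeds {max_rules}"})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']}: {f['kind']} ({f['detail']})")
```

Against the constructed sample this reports SSH on the web tier and the all-traffic rule on the database tier (once per any-address CIDR); port 443 to the world is left alone because it is not in the assumed admin-port set. To run it against a real account, replace `SAMPLE_SECURITY_GROUPS` with the `SecurityGroups` list returned by `describe_security_groups` and set `max_rules` from the limits page linked above rather than the placeholder used here.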
9
10
How does Sophos UTM work in AWS?
• Deployed as an EC2 instance in a public facing subnet, with optional auto-scaling and HA deployment models
• AMIs available on the AWS Marketplace
• It can:
• Protect Server instances using Firewall, IPS and WAF
• Provide Secure VPN access to AWS for Customers and Partners
• Easily connect physical offices to VPC for Hybrid Cloud environments
• Control access and report on activity between VPCs
• and more…
11
AWS Security Competency program: Sophos is one of only a few companies that qualify
12
Typical UTM on AWS network diagram (VPC CIDR 172.16.0.0/16)
13
UTM on AWS High Availability
• Cold Standby & Warm Standby options (only 1 UTM license needed in either case)
• Launched via Sophos provided CloudFormation Templates
• Works with AWS infrastructure services so failover can work across AZs
Designed to work with AWS services
14
UTM Auto Scaling
• Launched via Sophos provided CloudFormation Templates
• Supports both hourly and BYOL licensing
• Complies with AWS Architecture and Security “Best Practice” guidance
Designed to work with AWS services
15
UTM is our most commonly used product on AWS
Essential Network Firewall
• Stateful firewall
• Network address translation
• PPTP/L2TP remote access
• Amazon VPC Connector
UTM Network Protection (optional)
• Intrusion prevention
• S2S and Remote VPN
• ‘RED’ support
• ATP
• Reporting
UTM Web Protection (optional)
• Dynamic Content Filtering
• Antivirus & antispyware
• L7 Application control
• Custom, Scheduled Reports
UTM Webserver Protection (optional)
• Reverse proxy
• Web Application Firewall
• Reverse Authentication
• Antivirus
• Reporting
UTM Email Protection (optional)
• Anti-spam & -phishing
• Dual virus protection
• Email encryption
• DLP
• Reporting
UTM Wireless Protection (optional)
• Wireless controller for Sophos access points
• Multi-zone (SSID) support
• Guest Portal Options
UTM Endpoint Protection (optional)
• Antivirus
• HIPS
• Device Control
• Web Policy Control
16
Common AWS UTM Use Cases
• Next Gen firewall with logging/reporting
• Network Intrusion Protection System
• Advanced Threat Protection
• VPN Connectivity for:
  • Users
  • Physical Offices
  • AWS Regions
• Web Application Firewall protection
• Outbound proxy and web content control
Features found in Network, Web, and Webserver Protection subscriptions
18
UTM on AWS as VPN Gateway
• UTM is commonly used to connect remote sites and users
• IPsec site-to-site and SSL VPN remote access are the most commonly used options
• Booz Allen Hamilton uses UTM as the core VPN service for all Government clients that migrate to AWS
• General Electric is migrating most of their infrastructure to AWS and is now using UTM SSL VPN to provide access to their global workforce
19
UTM on AWS Web Application Firewall
• Probably the most commonly used UTM feature on AWS, as most traffic entering the AWS environment does so via the Internet
• The use case that the new Auto Scaling UTM was designed to address
• Often used with AWS services such as Elastic Load Balancers, which help distribute traffic to multiple backend servers
• Transport for London is a long-time user that helped guide the design of Auto Scaling UTM
• Radian is a US based financial lender that uses this feature to protect their PCI web applications
21
Just for fun…
• Who tweeted this?? “Finally trashed by @realDonaldTrump. Will still reserve him a seat on the Blue Origin rocket. #sendDonaldtospace”
• And remember…
22
© Sophos Ltd. All rights reserved.