Securing AWS deployments with Sophos UTM

Page 1: Securing AWS deployments with Sophos UTM

Helping address the AWS Shared Responsibility model

Peter Gordon, Senior Security Architect, IaaS [email protected]

Page 2: Agenda

• AWS Shared Responsibility Model Review
• Using the Sophos UTM within AWS
• Common use cases
• Quick demo

Page 3: Sophos Snapshot

• Founded 1985 in Oxford, UK
• Publicly listed in 2015
• Appx. $450 million in FY15 billings
• Appx. 2,200 employees
• Over 220,000 customers
• Over 100 million users
• HQ in Oxford, UK and Boston, MA
• OEM Partners: Cisco, IBM, Juniper, Citrix, Lenovo, Rackspace
• Key development centers: Abingdon, UK; Vancouver, BC; Karlsruhe, Germany; Linz, Austria; Budapest, Hungary; Ahmedabad, India
• 20+ additional offices worldwide

Photo: Sophos in Oxford, UK

Page 4: Sharing the Security Responsibility

…where AWS is responsible for the security of the underlying cloud infrastructure and you are responsible for securing workloads you deploy in AWS.

http://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf

Page 5: Sharing the Security Responsibility

…AWS configures infrastructure components such as data center networks, routers, switches, and firewalls in a secure fashion. You are responsible for controlling access to your systems in the cloud and for configuring network security within your Amazon VPC, as well as secure inbound and outbound network traffic.

http://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

Page 6: AWS Shared Responsibility model

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

• This means customers need to add their own security layers

https://aws.amazon.com/compliance/shared-responsibility-model/

Page 7: AWS Built in Security

Highly Secure Data Centers that are staffed 24/7, plus:

• Secure Access via API Endpoints using SSL
• Built in Firewalls to control access to Instances and VPCs
• User Management for granular access to AWS resources
• Encrypted Data Storage
• Dedicated Hardware Based Crypto Key Storage
• Dedicated Connection Options to connect offices
• Trusted Advisor Service

Page 8: So AWS has security controls already…

• NACLs, Security Groups, and WAF
• But…
  • UTM provides a Stateful Next-Gen firewall
  • Layers of security including inline IPS
  • Sophisticated WAF
  • Advanced Threats / APT detection
  • How about granular policies and controls like time of day?
  • What about detailed visibility for troubleshooting?
  • What about reporting?
  • Any rule limits? Security Groups, WAF, etc. (http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html)
  • Sophos can also provide centrally managed AV for instances
• Sophos can complement and extend existing AWS controls


Page 10: How does Sophos UTM work in AWS?

• Deployed as an EC2 instance in a public facing subnet, with optional auto-scaling and HA deployment models
• AMIs available on the AWS Marketplace
• It can:
  • Protect Server instances using Firewall, IPS and WAF
  • Provide Secure VPN access to AWS for Customers and Partners
  • Easily connect physical offices to a VPC for Hybrid Cloud environments
  • Control access and report on activity between VPCs
  • and more…
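The deployment model on this slide, a UTM instance in a public-facing subnet with the protected server instances behind it, only protects traffic that is actually routed through it. The following Python script is an added example, not code from the deck or from Sophos. It takes VPC route-table and security-group records (constructed inline here, in the shape of the EC2 DescribeRouteTables and DescribeSecurityGroups responses, with placeholder ids) and reports subnets whose default route goes straight to the internet gateway instead of the UTM's network interface, and backend security-group rules that are reachable from outside the VPC without passing the UTM. Only the 172.16.0.0/16 range comes from the deck's network diagram; the subnet layout, ids and group names are assumptions.

```python
"""Added example (not Sophos code): audit whether traffic is actually forced
through a gateway instance such as the UTM described on the slide.

All ids below are placeholders and the records are constructed for the
example, in the shape of EC2 DescribeRouteTables / DescribeSecurityGroups
output. Only the VPC range 172.16.0.0/16 comes from the deck's diagram.
"""
from ipaddress import ip_network

VPC_CIDR = ip_network("172.16.0.0/16")
UTM_SUBNET = "subnet-public"            # assumed: the UTM instance lives here
UTM_ENI = "eni-utm-placeholder"          # assumed: the UTM's network interface
UTM_SG = "sg-utm-placeholder"            # assumed: the UTM's security group
IGW = "igw-placeholder"

# Constructed sample: one public subnet for the UTM, one private subnet
# routed through the UTM, and one "legacy" subnet that bypasses it.
SUBNETS = {
    "subnet-public": {"cidr": "172.16.1.0/24", "route_table": "rtb-public"},
    "subnet-app": {"cidr": "172.16.2.0/24", "route_table": "rtb-app"},
    "subnet-legacy": {"cidr": "172.16.3.0/24", "route_table": "rtb-legacy"},
}
ROUTE_TABLES = {
    "rtb-public": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW},
    ],
    "rtb-app": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": UTM_ENI},
    ],
    "rtb-legacy": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW},
    ],
}
SECURITY_GROUPS = {
    UTM_SG: {"ingress": [  # the UTM itself is meant to be internet-facing
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    "sg-web": {"ingress": [  # correct: only the UTM may reach the web tier
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": UTM_SG}]}]},
    "sg-db": {"ingress": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # fine: VPC-internal
         "IpRanges": [{"CidrIp": "172.16.2.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,      # bypasses the UTM
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
}


def check_routes(subnets, route_tables, utm_subnet, utm_eni):
    """Every subnet except the UTM's own must default-route to the UTM ENI."""
    findings = []
    for name, sub in subnets.items():
        routes = route_tables.get(sub["route_table"], [])
        default = next((r for r in routes
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if name == utm_subnet:
            if not (default and str(default.get("GatewayId", "")).startswith("igw-")):
                findings.append(f"{name}: UTM subnet has no internet gateway default route")
        elif default is None:
            findings.append(f"{name}: no default route, outbound traffic is not steered through the UTM")
        elif default.get("NetworkInterfaceId") != utm_eni:
            hop = default.get("GatewayId") or default.get("NatGatewayId") or "unknown"
            findings.append(f"{name}: default route bypasses the UTM (next hop {hop})")
    return findings


def check_backend_groups(groups, utm_sg, vpc_cidr):
    """Backend rules sourced from outside the VPC expose instances that hold a
    public address directly, with no UTM firewall, IPS or WAF in the path."""
    findings = []
    for sg_id, sg in groups.items():
        if sg_id == utm_sg:
            continue  # the UTM is the one group meant to face the internet
        for rule in sg["ingress"]:
            proto = rule.get("IpProtocol", "-1")
            ports = (f"{proto}/{rule['FromPort']}-{rule['ToPort']}"
                     if "FromPort" in rule else f"{proto}/all")
            for rng in rule.get("IpRanges", []):
                src = ip_network(rng["CidrIp"])
                if not src.subnet_of(vpc_cidr):
                    findings.append(f"{sg_id}: {ports} reachable from {src} without passing the UTM")
    return findings


def audit():
    """Run both checks over the constructed sample and return the findings."""
    return (check_routes(SUBNETS, ROUTE_TABLES, UTM_SUBNET, UTM_ENI)
            + check_backend_groups(SECURITY_GROUPS, UTM_SG, VPC_CIDR))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the sample data the script reports the legacy subnet whose default route points at the internet gateway and the database group's SSH rule open to 0.0.0.0/0; the app subnet and web tier, which are routed through and sourced from the UTM, produce no findings. In a live account the same two functions can be fed the output of `describe_route_tables` and `describe_security_groups` from boto3, and the UTM's network interface must also have source/destination checking disabled for an instance route to carry traffic at all.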

Page 11: AWS Security Competency program

Sophos is one of only a few companies that qualify

Page 12: Typical UTM on AWS network diagram

Network diagram; the only text recoverable from it is the address range 172.16.0.0/16.

Page 13: UTM on AWS High Availability

• Cold Standby & Warm Standby options (only 1 UTM license needed in either case)
• Launched via Sophos provided CloudFormation Templates
• Works with AWS infrastructure services so failover can work across AZs

Designed to work with AWS services

Page 14: UTM Auto Scaling

• Launched via Sophos provided CloudFormation Templates
• Supports both hourly and BYOL licensing
• Complies with AWS Architecture and Security “Best Practice” guidance

Designed to work with AWS services

Page 15: UTM is our most commonly used product on AWS

Essential Network Firewall
• Stateful firewall
• Network address translation
• PPTP/L2TP remote access
• Amazon VPC Connector

UTM Network Protection (optional)
• Intrusion prevention
• S2S and Remote VPN
• ‘RED’ support
• ATP
• Reporting

UTM Web Protection (optional)
• Dynamic Content Filtering
• Antivirus & antispyware
• L7 Application control
• Custom, Scheduled Reports

UTM Webserver Protection (optional)
• Reverse proxy
• Web Application Firewall
• Reverse Authentication
• Antivirus
• Reporting

UTM Email Protection (optional)
• Anti-spam & -phishing
• Dual virus protection
• Email encryption
• DLP
• Reporting

UTM Wireless Protection (optional)
• Wireless controller for Sophos access points
• Multi-zone (SSID) support
• Guest Portal Options

UTM Endpoint Protection (optional)
• Antivirus
• HIPS
• Device Control
• Web Policy Control

Page 16: Common AWS UTM Use Cases

• Next Gen firewall with logging/reporting
• Network Intrusion Protection System
• Advanced Threat Protection
• VPN Connectivity for:
  • Users
  • Physical Offices
  • AWS Regions
• Web Application Firewall protection
• Outbound proxy and web content control

Features found in the Network, Web, and Webserver Protection subscriptions

Page 17: UTM on AWS as VPN Gateway

• UTM is commonly used to connect remote sites and users
• IPsec site-to-site and SSL VPN remote access are the most commonly used options
• Booz Allen Hamilton uses UTM as the core VPN service for all Government clients that migrate to AWS
• General Electric is migrating most of their infrastructure to AWS and is now using UTM SSL VPN to provide access to their global workforce

Page 18: UTM on AWS Web Application Firewall

• Probably the most commonly used UTM feature on AWS, as most traffic entering an AWS environment does so via the Internet
• The use case that the new Auto Scaling UTM was designed to address
• Often used with AWS services such as Elastic Load Balancers, which help distribute traffic to multiple backend servers
• Transport for London is a long-time user that helped guide the design of Auto Scaling UTM.
• Radian is a US based financial lender that uses this feature to protect their PCI web applications.

Page 19: Just for fun…

• Who tweeted this?? “Finally trashed by @realDonaldTrump. Will still reserve him a seat on the Blue Origin rocket. #sendDonaldtospace”
• And remember…

Page 20

© Sophos Ltd. All rights reserved.