AWS Cloud – firewalls, load balancers, WAF …



I’ve worked with firewalls, load balancers, WAFs, SIEM products, etc., and I’ve installed them both as physical and as virtual appliances. I’ve also worked with cloud providers like OVH, Arsys, Bluehost, etc., but none of them is like AWS Cloud, because Amazon has changed the way we see this IT world, with many services and easy pay-as-you-use billing. However, installing network or security appliances in the Amazon Cloud is not an easy task at first, because we have to adapt our thinking to the Amazon world where, for instance, all traffic is unicast and the ARP protocol is gone.

The first time I took the plunge into AWS Cloud was to install a firewall with VPN and IDS/IPS services across three simple networks. Although this seems easy and simple, it needs many hours of reading and understanding the Amazon world because, first, they already have VPN services like AWS Direct Connect or AWS VPN CloudHub; second, they also have security services like EC2 Security Groups and Network ACLs; third, there are no SPAN or mirror ports for an IDS; fourth, there are no VLANs but Virtual Private Clouds (VPCs) and subnets. As you can see, we have to adapt our infrastructure and knowledge to the Amazon world if we want to use AWS Cloud.

EC2 Security Group
 
Another common task is to install a load balancer for better performance and availability of web services. Again, AWS Cloud has its own load balancers, like the Application Load Balancer (ALB) and the Classic Load Balancer (CLB), within the Elastic Load Balancing (ELB) service. This is an “easy” way to balance our traffic between virtual machines, also called EC2 instances, and even to configure SSL offloading with AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM). Auto Scaling configuration is also a must for quick and easy growth. What’s more, GSLB is also an option thanks to Amazon Route 53, where we can have high availability across different AWS regions.

Cross-Zone Load Balancing
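The two ideas above that most differ from a classic firewall/VLAN design are Security Groups that reference other Security Groups instead of IP ranges, and an ALB that terminates TLS with an ACM certificate. Here is an added Terraform example of both (my own illustration, not code from the original post); the VPC, public subnets, ACM certificate and target group are assumed to exist and are passed in as variables:

```hcl
# Added example, not the post's own code. The four inputs below are assumed to exist.
variable "vpc_id" {}
variable "public_subnet_ids" {}
variable "acm_certificate_arn" {}
variable "target_group_arn" {}
resource "aws_security_group" "alb" {
  name   = "web-alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress { # outbound so the ALB can forward to the instances
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Layer 2: no CIDR rule; the allowed source is the ALB's security group, so only traffic
# that came through the ALB is accepted, even from the same subnet. Stateful: no egress needed.
resource "aws_security_group" "web" {
  name   = "web-instance-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}
# Internet-facing ALB; TLS ends here with the ACM certificate (SSL offloading).
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```

The instances never see a client IP as the source of a Security Group rule, only the ALB’s group, which is the AWS-native replacement for the “internal VLAN behind the firewall” layout.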
 
If we want to protect our web services against layer 7 attacks like SQLi, XSS or CSRF, we’ll need to install a WAF as well. Once again, Amazon has its own AWS WAF, which is useful for mitigating the OWASP Top 10 web application vulnerabilities, and it integrates perfectly with ELB (Elastic Load Balancing) and Amazon CloudFront for delivering highly available and secure web services through Amazon’s Content Delivery Network (CDN). In addition, we can also protect our services against layer 3/4 attacks with AWS Shield to mitigate, for example, DDoS attacks.

Web site with Amazon CloudFront and AWS WAF
 
As we can see, there are many Amazon services, and there are many more, like AWS Directory Service, Amazon EBS, Amazon S3, AWS KMS, Amazon RDS, AWS CloudTrail, etc. However, we can also install commercial solutions from Fortinet, Check Point, F5 Networks, Radware, AlienVault, etc. in the AWS Cloud. To do so, we can search for Amazon Machine Images (AMIs) in the AWS Marketplace to install commercial products in the Amazon Cloud.

AWS Marketplace
 
Today, AWS Cloud has many services, many customers and lots of guides and docs to deliver our services in a reliable way; meanwhile, we’ll see how Google and Microsoft do their homework to eat a piece of this cake.

Best regards my friends!
