Implementing Security and Incident Response with the ELB (PowerPoint presentation)



Slide 1

Implementing Security and Incident Response with the ELB

Miguel Zenon Nicanor L. Saavedra, Security Engineer

github.com/zzenonn | linkedin.com/in/zzenonn

Slide 2

Module Overview

  • Define Elastic Load Balancing
  • Understand different ELB security features
  • Understand how to use auto-scaling groups for DDoS protection
  • Demonstrate incident response techniques behind a load balancer

Slide 3

Load Balancers

Slide 4

  • Distributes incoming traffic across instances
  • Performs health checks on instances
  • Scales without disrupting overall flow of requests

Slide 5

Security Benefits of an ELB

  • Single point of contact and first line of defense
  • Authentication management
  • End-to-end encryption using TLS for HTTPS

Slide 6

Types of Load Balancers

  • Application Load Balancer
  • Network Load Balancer
  • Classic Load Balancer

Slide 7

Types of Load Balancers

  • Application Load Balancer
  • Network Load Balancer

Slide 8

Application vs. Network Load Balancer

Application Load Balancer:
  • Advanced load balancing of HTTP and HTTPS traffic
  • Operates at the request level (Layer 7)

Network Load Balancer:
  • Load balancing of TCP, TLS, and UDP traffic
  • Operates at the network level (Layer 4)

Slide 9

Comparison of Load Balancers

(OSI layer diagram: Network, Transport, Session, Presentation, Application)

Network Load Balancer:
  • Operates at Layer 4
  • Load balancing of TCP packets
  • For high-performance applications
  • Integrates with AWS Shield Advanced

vs.

Application Load Balancer:
  • Operates at Layer 7
  • Routes traffic based on content of the requests
  • Provides user authentication
  • Integrates with AWS Certificate Manager, AWS WAF, and AWS Shield Advanced

Slide 10

Public vs. Private ELB

(Diagram: a public subnet and a private subnet, each spanning Availability Zone 1 and Availability Zone 2)

Security group inbound rules:
  • Webtier ELB Security Group: Allow TCP Port 443, Source: 0.0.0.0/0 (Any)
  • Webtier Security Group: Allow TCP Port 80, Source: Webtier ELB Security Group
  • Apptier ELB Security Group: Allow TCP Port 8088, Source: Webtier Security Group
  • Apptier Security Group: Allow TCP Port 8088, Source: Apptier ELB Security Group
  • Datatier Security Group: Allow TCP Port 3306, Source: Apptier Security Group
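The slide's rule chain can be expressed directly with the AWS CLI, so that each tier accepts traffic only from the security group in front of it rather than from a CIDR. The script below is an added example written for this page, not code from the presentation; the security group IDs passed to it are constructed placeholders, and `DRY_RUN=1` prints the `aws` commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the slides): builds the five security groups' inbound
# rules from the "Public vs. Private ELB" slide with the AWS CLI.
# Group IDs are constructed placeholders supplied by the caller.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Allow TCP port $2 into security group $1 from the CIDR in $3.
allow_from_cidr() {
  run ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "IpProtocol=tcp,FromPort=$2,ToPort=$2,IpRanges=[{CidrIp=$3}]"
}

# Allow TCP port $2 into security group $1 only from members of security group $3.
# Referencing a group instead of a CIDR keeps the rule valid as instances scale.
allow_from_group() {
  run ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "IpProtocol=tcp,FromPort=$2,ToPort=$2,UserIdGroupPairs=[{GroupId=$3}]"
}

# Wire the chain exactly as on the slide: only the web-tier ELB is open to the
# internet; every other tier trusts just the tier immediately in front of it.
# $1 webtier ELB SG, $2 webtier SG, $3 apptier ELB SG, $4 apptier SG, $5 datatier SG
build_tier_chain() {
  web_elb_sg=$1; web_sg=$2; app_elb_sg=$3; app_sg=$4; db_sg=$5
  allow_from_cidr  "$web_elb_sg" 443  0.0.0.0/0      # internet  -> webtier ELB
  allow_from_group "$web_sg"     80   "$web_elb_sg"  # web ELB   -> web servers
  allow_from_group "$app_elb_sg" 8088 "$web_sg"      # web tier  -> apptier ELB
  allow_from_group "$app_sg"     8088 "$app_elb_sg"  # app ELB   -> app servers
  allow_from_group "$db_sg"      3306 "$app_sg"      # app tier  -> database
}
```

Run it as `DRY_RUN=1 build_tier_chain sg-web-elb sg-web sg-app-elb sg-app sg-db` to review the five `authorize-security-group-ingress` calls before applying them. Because the database group only references the app-tier group, a web server or the public ELB never gains a path to port 3306 even if an attacker controls it.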

Slide 11

ELB TLS Options

  • TLS Termination: client to Elastic Load Balancing over HTTPS (encrypted); Elastic Load Balancing to the EC2 security group unencrypted
  • TLS Termination & Renegotiate: client to Elastic Load Balancing encrypted; the load balancer terminates TLS and re-negotiates, so the leg to EC2 is encrypted as well
  • TLS Pass Through: Elastic Load Balancing performs no termination; traffic stays encrypted from client to EC2

Slide 12

Globomantics’ Needs

Slide 13

ALB: Path-based Routing

globomantics.com resolves to an Application Load Balancer that routes by path:
  • /posts to the Posts targets
  • /profile to the Profile targets
  • /msgs to the Msgs targets

Each target set is deployed in both Availability Zone A and Availability Zone B.

Slide 14

What about authentication?

Slide 15

ALB: Authentication

Application Load Balancer, HTTPS Listener:
  • 1. Unauthenticated request
  • 2. Redirect to OpenID Provider
  • 3. Authenticate User
  • 4. Authenticated Session

Listener actions:
  • Action: authenticate-oidc (against the OpenID Provider)
  • Action: forward to the Target Application, with identity headers forwarded
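Slides 11 and 15 come together in one listener definition: the HTTPS listener terminates TLS with an ACM certificate, runs `authenticate-oidc` first, and only then forwards to the target group. The script below is an added example for this page, not code from the presentation. The load balancer, certificate and target group ARNs, the issuer URL, the client credentials, and the `/authorize`, `/oauth/token` and `/userinfo` endpoint paths are all assumptions (endpoint paths differ between identity providers); `DRY_RUN=1` prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not from the slides): creates an ALB HTTPS listener that
# terminates TLS with an ACM certificate and requires OpenID Connect
# authentication before forwarding to the target group.
# ARNs, the issuer, endpoint paths and client credentials are placeholders.
# Set DRY_RUN=1 to print the command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# Build the authenticate-oidc action (runs first, Order=1).
# $1 issuer URL, $2 client id, $3 client secret.
# The endpoint paths appended to the issuer are assumptions; check the
# provider's discovery document for the real ones.
oidc_action() {
  printf 'Type=authenticate-oidc,Order=1,AuthenticateOidcConfig={Issuer=%s,AuthorizationEndpoint=%s/authorize,TokenEndpoint=%s/oauth/token,UserInfoEndpoint=%s/userinfo,ClientId=%s,ClientSecret=%s,OnUnauthenticatedRequest=authenticate}' \
    "$1" "$1" "$1" "$1" "$2" "$3"
}

# $1 load balancer ARN, $2 ACM certificate ARN, $3 target group ARN,
# $4 issuer URL, $5 client id, $6 client secret.
# OnUnauthenticatedRequest=authenticate makes the ALB redirect anonymous
# clients to the provider (steps 1-2 on the slide); only sessions that come
# back authenticated reach the forward action (Order=2).
create_authenticated_listener() {
  run elbv2 create-listener \
    --load-balancer-arn "$1" \
    --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$2" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "$(oidc_action "$4" "$5" "$6")" \
                      "Type=forward,Order=2,TargetGroupArn=$3"
}
```

Keep the client secret out of shell history by reading it from an environment variable or a secrets manager rather than typing it on the command line; in dry-run mode the command, including the secret, is echoed, so use that mode only for review. If the target group uses HTTPS, the second leg is the "terminate and renegotiate" option from slide 11; with an HTTP target group it is plain TLS termination.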

Slide 16

Globomantics’ Needs

Slide 17

NLB: UDP and Static IP

(Diagram: a Network Load Balancer in front of three VoIP instances, each reached on 5600/UDP)

Slide 18

Summary of Load Balancers

| Feature   | Application Load Balancer | Network Load Balancer | Classic Load Balancer     |
| Protocols | HTTP, HTTPS               | TCP, UDP, TLS         | TCP, TLS/SSL, HTTP, HTTPS |
| Platforms | VPC                       | VPC                   | EC2-Classic, VPC          |

The slide also compares Logging, Health checks, TLS offloading, Path-based routing, Static/elastic IPs and User authentication; those cells did not survive extraction.

Slide 19

Mitigating DDoS Attacks

Slide 20

Denial of Service Attack

An explicit attempt by an attacker to prevent legitimate use of a service

Slide 21

Distributed Denial of Service

Many machines performing DoS actions

Slide 22

Distributed Denial of Service

(OSI layer diagram: Network, Transport, Session, Presentation, Application)

Layer 3 & 4 Attacks:
  • UDP Reflection
  • SYN Flood
  • ICMP Flood

Layer 7 Attacks:
  • HTTP Flood
  • Slowloris
Slide 23

DDoS Mitigation Strategies

  • Minimize the attack surface
  • Safeguard exposed resources
  • Be ready to scale and absorb the attack

Slide 24

Sample Architecture

(Diagram) A VPC spanning Availability Zone A and Availability Zone B. Each zone contains a public subnet, a private subnet and a protected subnet; the subnet ranges shown are 172.16.0.0, 172.16.1.0 and 172.16.2.0. Components: Internet Gateway, routers and route tables, ELB, a NAT Gateway in each zone, Security Groups, Web Servers and App Servers in each zone, an RDS Master DB instance in Zone A and an RDS Standby DB instance in Zone B in the protected subnets.

Slide 26

Sample Architecture

(Diagram) The same VPC as before: Availability Zone A and Availability Zone B, each with a public, private and protected subnet (172.16.0.0, 172.16.1.0, 172.16.2.0), Internet Gateway, routers and route tables, ELB, NAT Gateways, Security Groups, RDS Master DB instance in Zone A and RDS Standby DB instance in Zone B. The Web Servers and App Servers are now placed in Auto Scaling groups.

Slide 27

“Isn’t scaling expensive?”

Slide 28

AWS DDoS Mitigation

  • AWS Shield
  • AWS Shield Advanced

Slide 29

AWS DDoS Mitigation

AWS Shield:
  • Always on (Free)
  • Automatic Layer 3 and 4 Protection
  • Integrates with Cloudfront

AWS Shield Advanced:
  • All Shield features
  • ELB+EC2 Protection
  • Cost Protection
  • 24/7 Response Team
  • Comes with free WAF

Slide 30

Responding to Incidents

Slide 31

Incident and Globomantics

(Diagram: Hacker, Customer, Engineer)

Slide 32

Demo

  • Respond to an incident on an EC2 instance
  • Document an instance for quarantine using tags
  • Isolate an incident for further investigation
  • All using the CLI
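The demo's three steps (tag the instance, take it out of service behind the load balancer, isolate it for investigation) map onto a handful of AWS CLI calls. The script below is an added example written for this page; it is not the presenter's demo script. The instance, target group, Auto Scaling group, volume, quarantine security group and incident IDs are constructed placeholders, the order of steps is the author's choice, and `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the slides): quarantines a suspect EC2 instance that
# sits behind a load balancer, using only the AWS CLI.
# All IDs and ARNs passed in are constructed placeholders.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# 1. Document the instance: tags record why and when it was pulled and make
#    it easy to find later (and to keep out of clean-up automation).
# $1 instance id, $2 incident/ticket id
tag_for_quarantine() {
  run ec2 create-tags --resources "$1" \
    --tags "Key=Status,Value=Quarantine" "Key=IncidentId,Value=$2" \
           "Key=QuarantinedAt,Value=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# 2. Stop new traffic: deregister from the target group (the ALB/NLB drains
#    it) and detach from the Auto Scaling group without lowering desired
#    capacity, so a clean replacement is launched and the instance is kept.
# $1 instance id, $2 target group ARN, $3 Auto Scaling group name
remove_from_service() {
  run elbv2 deregister-targets --target-group-arn "$2" --targets "Id=$1"
  run autoscaling detach-instances --instance-ids "$1" \
    --auto-scaling-group-name "$3" --no-should-decrement-desired-capacity
}

# 3. Preserve evidence before anything else changes on disk.
# $1 root volume id, $2 incident id
snapshot_evidence() {
  run ec2 create-snapshot --volume-id "$1" \
    --description "Forensic snapshot for incident $2"
}

# 4. Isolate: replace every security group on the instance with a quarantine
#    group that has no inbound rules and only the egress the investigation
#    tooling needs. The instance stays running so volatile memory is not lost.
# $1 instance id, $2 quarantine security group id
isolate_network() {
  run ec2 modify-instance-attribute --instance-id "$1" --groups "$2"
}

# Run the steps in order.
# $1 instance id, $2 target group ARN, $3 Auto Scaling group name,
# $4 root volume id, $5 quarantine security group id, $6 incident id
quarantine_instance() {
  tag_for_quarantine  "$1" "$6"
  remove_from_service "$1" "$2" "$3"
  snapshot_evidence   "$4" "$6"
  isolate_network     "$1" "$5"
}
```

Invoke it as `DRY_RUN=1 quarantine_instance i-0abc123 <target-group-arn> web-asg vol-0abc123 sg-quarantine INC-42` to see the five calls it would make. Swapping security groups rather than stopping the instance is what lets the investigation continue against a live system while the load balancer and Auto Scaling group keep serving customers from healthy instances.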

Slide 33

Summary

Load balancers
  • Security features
  • Design patterns

DDoS Protection

Instance isolation