Monday, May 20, 2019

Centrally Managed Security for AWS Controlling Outbound VPC Traffic

Bring your own firewall to the cloud — Palo Alto Networks, Checkpoint, Fortinet and more. Enterprises have grown their cloud environments to the point where cloud network traffic requires in-line firewalling. There is a growing requirement to insert services such as IDS/IPS, layer 7 (application-layer) filtering and malware detection into cloud networks.

Aviatrix Transit DMZ allows you to bring your own trusted firewall solution and easily build out a Cloud Transit DMZ. This Aviatrix solution supports next-generation firewalls for inspection of all traffic flows: on-premise to/from Cloud, Egress to Internet, Ingress from Internet and VPC to VPC/VNET traffic.

Learn more about the joint Palo Alto Networks and Aviatrix solution here.


Transit DMZ is different from the traditional cloud firewall deployments.

Traditionally, instance-based firewall appliances require IPsec tunnels (or ECMP) to steer traffic from VPCs to the appliances. This increases the complexity of managing the firewalls and reduces the performance left over for the security features you actually want them to perform.

Transit DMZ decouples networking functions from security functions. There are no IPsec tunnels between the Aviatrix Transit GW and the firewall appliances, which simplifies firewall deployment, maximizes firewall appliance performance and allows the two to scale independently.

Aviatrix Next Gen Transit Network provides a DMZ architecture in the public cloud that allows firewall instances to be inserted inline for traffic inspection.

Advantages include:

Maximizes firewall performance: This architecture eliminates the performance burden of IPsec tunnels and routing functions on the firewall instances, so each firewall instance can perform security operations at maximum throughput. Aviatrix Transit DMZ also allows you to scale out your firewall instances.
Inspect all traffic flows: The solution allows inspection of all traffic flows: on-premise to and from the cloud, between cloud networks, Internet ingress and Internet egress. Get full visibility in your cloud by eliminating the need for source NAT (SNAT).
Built-in High Availability: The Aviatrix Controller manages HA and failover of the firewalls by monitoring the health of the instances. When a failure is detected, the Controller reprograms the cloud route table entry so that traffic avoids the defective instance.
How does Aviatrix DMZ compare to virtual firewall-only implementation?

Controlling Outbound VPC Traffic

An important security measure for your VPCs is to effectively control outbound network traffic (egress), separating legitimate from illegitimate requests. If internal users or cloud instances are compromised, they pose a significant threat if attackers are able to exfiltrate data. Many compliance frameworks, such as PCI DSS and HIPAA, require egress security controls. That said, there are many reasons why cloud users or instances within VPCs need Internet access.

The reasons range from getting basic software updates from Microsoft, Google or Ubuntu, to needing application access to a third party or SaaS service over the Internet. If you have more than a handful of VPCs, managing whitelists on a per-VPC basis can become a major source of pain. It can also be cost prohibitive to deploy a next-generation firewall solution per VPC. What’s needed is a centrally managed, scalable, cost-effective solution.

“Squid jerky is too tough to chew.”
—CHARLIE, CLOUD OPS
The open source project Squid is hard to manage and limited for cloud VPCs:

Manual administration of policies, per VPC
Tedious configuration of each new instance to use Squid; new instances can appear without Squid being reconfigured, which is a big security risk
Troubleshooting and debugging Squid will make you salty
Limited protocol support — for example, Squid doesn’t handle SFTP, so someone could easily export data!
THE AVIATRIX SOLUTION
VPC Egress Security
Aviatrix VPC Egress Security
The Aviatrix solution provides inline AVX Gateways with egress firewall functions in each VPC, with centralized policy management in the AVX Controller. It blocks all outbound Internet traffic except specifically whitelisted domain names (FQDNs). Outbound traffic is directed through the AVX filtering and monitoring instance on a per-VPC basis. The inline Gateways are highly available, designed to leverage Availability Zones (AZs) with automatic failover.

The Controller provides CloudOps teams with centralized policy management, including the ability to tag VPCs and assign policies to tags. The Controller also provides centralized audit logs. Finally, using AVX CloudFormation templates, CloudOps teams can automate the deployment of VPC egress security alongside new VPCs. This is a cost-effective solution, priced at a fraction of other popular solutions.
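The policy model described above (default-deny egress, an FQDN whitelist with wildcards, policies assigned to VPCs through tags, and a per-flow audit record) can be illustrated in a few dozen lines. This is an added example written for this page, not Aviatrix code; the policy tags, VPC ids, allowlist entries and the glob-style wildcard rule are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed sample policies: a tag maps to a glob-style FQDN allowlist.
POLICIES: Dict[str, List[str]] = {
    "dev": ["*.ubuntu.com", "*.microsoft.com", "pypi.org", "files.pythonhosted.org"],
    "prod": ["*.microsoft.com", "api.partner-saas.example"],
}
# Constructed VPC -> policy tag assignment; an untagged VPC is default-deny.
VPC_TAGS: Dict[str, Optional[str]] = {"vpc-0aaa": "dev", "vpc-0bbb": "prod", "vpc-0ccc": None}

@dataclass(frozen=True)
class Decision:
    vpc: str
    fqdn: str
    allowed: bool
    reason: str  # matched allowlist entry, or why the flow was blocked

def validate_pattern(pattern: str) -> None:
    """Only accept '*' as a whole leading label with at least two labels after it:
    '*example.com' would also match 'notexample.com', '*.com' would allow a TLD."""
    body = pattern[2:] if pattern.startswith("*.") else pattern
    too_broad = pattern.startswith("*.") and "." not in body
    if not body or any(c in body for c in "*?[") or too_broad:
        raise ValueError(f"unsafe FQDN pattern: {pattern!r}")

def normalize(fqdn: str) -> str:
    """Case-fold and drop a trailing root dot so 'Www.Ubuntu.com.' still matches."""
    return fqdn.strip().lower().rstrip(".")

def evaluate(vpc: str, fqdn: str, policies: Dict[str, List[str]] = POLICIES,
             vpc_tags: Dict[str, Optional[str]] = VPC_TAGS) -> Decision:
    """Default-deny: allow only when the VPC's tag has a matching allowlist entry."""
    name = normalize(fqdn)
    tag = vpc_tags.get(vpc)
    if tag is None or tag not in policies:
        return Decision(vpc, name, False, "no policy tag on VPC")
    for pattern in policies[tag]:
        validate_pattern(pattern)
        # fnmatchcase anchors the whole name: '*.ubuntu.com' matches neither 'ubuntu.com' nor 'x.ubuntu.com.attacker.example'.
        if fnmatchcase(name, pattern.lower()):
            return Decision(vpc, name, True, f"{tag}:{pattern}")
    return Decision(vpc, name, False, f"{tag}: not in allowlist")

def audit_line(d: Decision) -> str:
    """One key=value line per flow, the form SIEM tools ingest easily."""
    action = "ALLOW" if d.allowed else "DENY"
    return f'vpc={d.vpc} fqdn={d.fqdn} action={action} reason="{d.reason}"'
```

Note that `validate_pattern` rejects entries such as `*ubuntu.com`, which a hand-maintained Squid ACL would accept silently while matching far more than intended.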

How AVX stacks up against other popular solutions:

| Capability | Aviatrix | Squid + NAT instance(s) | AWS NAT Gateway |
|---|---|---|---|
| Highly available; fault tolerant | Automatic | Use a script and custom monitoring code | Automatic |
| Filter traffic by IP address | Yes | Yes | Partial: must update security group of each instance (maximum 50 IPs) |
| Filter traffic by FQDN | Yes | Yes | No |
| FQDN filtering using wildcards | Yes | Yes | No |
| Supports HTTP/HTTPS protocols | Yes | Yes | No |
| Supports additional protocols (SFTP, FTP, ICMP, etc.) | Yes | No | No |
| Central management console | Yes | No: must manage each VPC separately | Yes |
| Integrated audit logging | Yes | Yes | Partial: must use VPC flow logs |
| Non-networking-engineer friendly | Yes | No | Yes |
HOW WE’RE DIFFERENT
Centrally Managed Security for AWS

Cloud Native Design
Push policies instantly to one VPC or hundreds of VPCs.

Reduces AWS Costs
AVX Gateways run on t2.micro instances. Per-hour metering on your cloud bill.

Centralized Management Console
Click and done. With the AVX point-and-click interface, all policies and traffic can be configured and monitored centrally by both engineers and non-engineers.

FQDN Discovery
Discover what Internet sites your apps visit before you configure.

Security Policy Tagging
Create tags for different policies like “dev” and “prod.” Apply those tags to VPCs.

Easily Audit Security Events
Everything is logged – including the packets. View in AVX or export logs to Splunk, Sumologic, Datadog and other tools to standardize reporting and event correlation.

LEARN MORE
What is VPC Egress Filtering & Security?

When businesses consider their network traffic security measures for AWS VPCs, they need to ensure that outbound network traffic is recognized alongside inbound network traffic. Egress is the outbound network traffic that originates from internally networked instances in your AWS VPC to another network. In the case of servers and VPCs, this is generally internet bound egress.

It is important that outbound network traffic is effectively controlled, distinguishing allowed requests from prohibited ones. If internal users or cloud instances in VPCs are compromised, they pose a significant threat if attackers are able to exfiltrate data or use your outbound network traffic for their malicious activities. Learn more about VPC Egress Filtering.
