Implementing Security and Incident Response with the ELB
Miguel Zenon Nicanor L. Saavedra, Security Engineer
github.com/zzenonn
linkedin.com/in/zzenonn

Module Overview
• Define Elastic Load Balancing
• Understand different ELB security features
• Understand how to use auto-scaling groups for DDoS protection
• Demonstrate incident response techniques behind a load balancer
Load Balancers
• Distributes incoming traffic across instances
• Performs health checks on instances
• Scales without disrupting the overall flow of requests

Security Benefits of an ELB
• Single point of contact and first line of defense
• Authentication management
• End-to-end encryption using TLS for HTTPS
Types of Load Balancers
• Network Load Balancer
• Application Load Balancer
• Classic Load Balancer

Types of Load Balancers (focus of this module)
• Network Load Balancer
• Application Load Balancer

Application vs. Network Load Balancer
Application Load Balancer:
• Advanced load balancing of HTTP and HTTPS traffic
• Operates at the request level (Layer 7)
Network Load Balancer:
• Load balancing of TCP, TLS, and UDP traffic
• Operates at the network level (Layer 4)

Comparison of Load Balancers: Network Load Balancer vs. Application Load Balancer
Network Load Balancer:
• Operates at Layer 4
• Load balancing of TCP packets
• For high-performance applications
• Integrates with AWS Shield Advanced
Application Load Balancer:
• Operates at Layer 7
• Routes traffic based on the content of the requests
• Provides user authentication
• Integrates with AWS Certificate Manager, AWS WAF, and AWS Shield Advanced
Public vs. Private ELB
(Diagram: public subnets in Availability Zones 1 and 2 hold the web-tier ELB; private subnets in Availability Zones 1 and 2 hold the web tier, the app-tier ELB, the app tier and the data tier.)
Security group inbound rules, each sourced from the security group of the tier in front of it:
• Webtier ELB Security Group: allow TCP port 443, source 0.0.0.0/0 (any)
• Webtier Security Group: allow TCP port 80, source Webtier ELB Security Group
• Apptier ELB Security Group: allow TCP port 8088, source Webtier Security Group
• Apptier Security Group: allow TCP port 8088, source Apptier ELB Security Group
• Datatier Security Group: allow TCP port 3306, source Apptier Security Group

ELB TLS Options
• TLS Termination: client to ELB over HTTPS (encrypted); ELB to EC2 unencrypted. Elastic Load Balancing terminates TLS.
• TLS Termination & Renegotiate: client to ELB over HTTPS (encrypted); ELB terminates TLS and re-negotiates a new TLS session to EC2 (encrypted).
• TLS Pass Through: ELB forwards the encrypted stream to EC2 with no termination (encrypted end to end).
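The security-group chain on the slide, built with the AWS CLI, as an added example that is not part of the course material. The sg-* identifiers are placeholders supplied by the caller, and DRY_RUN=1 prints the commands instead of executing them so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the course slides: builds the security-group chain
# from the "Public vs. Private ELB" slide with the AWS CLI. The sg-* IDs are
# placeholders the caller must set. With DRY_RUN=1 the commands are printed
# instead of executed, so the plan can be reviewed before it is applied.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# allow_from_sg GROUP PORT SOURCE_GROUP: an inbound TCP rule whose source is
# another security group rather than a CIDR. Only instances that carry
# SOURCE_GROUP can connect, whatever their IP addresses are.
allow_from_sg() {
  run ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --source-group "$3"
}

# build_chain WEB_ELB_SG WEB_SG APP_ELB_SG APP_SG DATA_SG
# Exactly one rule admits the internet (HTTPS to the public web-tier ELB);
# every tier behind it accepts traffic only from the tier in front of it.
build_chain() {
  run ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port 443 --cidr 0.0.0.0/0
  allow_from_sg "$2" 80   "$1"   # web servers <- web-tier ELB
  allow_from_sg "$3" 8088 "$2"   # internal app-tier ELB <- web servers
  allow_from_sg "$4" 8088 "$3"   # app servers <- app-tier ELB
  allow_from_sg "$5" 3306 "$4"   # database <- app servers
}

# Usage (placeholder IDs): build_chain sg-webelb sg-web sg-appelb sg-app sg-data
```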
Globomantics’ Needs
ALB: Path-based Routing
(Diagram: an Application Load Balancer spanning Availability Zones A and B, with each target group present in both zones.)
• globomantics.com/profile routes to the Profile targets
• globomantics.com/msgs routes to the Msgs targets
• globomantics.com/posts routes to the Posts targets
What about authentication?
ALB: Authentication
(Diagram: an Application Load Balancer HTTPS listener whose rule has two actions, Authenticate-oidc followed by Forward to the target application.)
1. An unauthenticated request reaches the Application Load Balancer
2. The load balancer redirects the client to the OpenID Provider
3. The user authenticates with the OpenID Provider
4. Authenticated session: the load balancer forwards the request to the target application with identity headers
Globomantics’ Needs
NLB: UDP and Static IP
(Diagram: VOIP clients send 5600/UDP to the Network Load Balancer's static IP, which forwards 5600/UDP to the VOIP targets.)

Summary of Load Balancers
Feature   | Application Load Balancer | Network Load Balancer | Classic Load Balancer
Protocols | HTTP, HTTPS               | TCP, UDP, TLS         | TCP, TLS/SSL, HTTP, HTTPS
Platforms | VPC                       | VPC                   | EC2-Classic, VPC
Further rows compared in the slide: Logging, Health checks, TLS offloading, Path-based routing, Static/elastic IPs, User authentication.
Mitigating DDoS Attacks
Denial of Service Attack
An explicit attempt by an attacker to prevent legitimate use of a service.

Distributed Denial of Service
Many machines performing DoS actions.

Distributed Denial of Service
Layer 3 & 4 attacks (Network and Transport):
• UDP Reflection
• SYN Flood
• ICMP Flood
Layer 7 attacks (Application):
• HTTP Flood
• Slowloris

DDoS Mitigation Strategies
• Minimize the attack surface
• Safeguard exposed resources
• Be ready to scale and absorb the attack

Sample Architecture
• One VPC with an Internet Gateway, routers and route tables
• Availability Zone A and Availability Zone B, each with a public subnet, a private subnet and a protected subnet (labelled 172.16.0.0, 172.16.1.0 and 172.16.2.0)
• Public subnets: ELB, NAT Gateway, Web Servers
• Private subnets: App Servers
• Protected subnets: RDS Master DB instance (Availability Zone A) and RDS Standby DB instance (Availability Zone B)
• Security Groups around each tier
• (Later build of the same slide) Auto Scaling groups around the Web Servers and the App Servers
“Isn’t scaling expensive?”
AWS DDoS Mitigation
AWS Shield:
• Always on (free)
• Automatic Layer 3 and 4 protection
• Integrates with CloudFront
AWS Shield Advanced:
• All Shield features
• ELB + EC2 protection
• Cost protection
• 24/7 response team
• Comes with free WAF
Responding to Incidents
Incident and Globomantics
(Diagram: Customer, Hacker and Engineer interacting with the Globomantics environment.)

Demo
• Respond to an incident on an EC2 instance
• Document an instance for quarantine using tags
• Isolate an incident for further investigation
• All using the CLI

Summary
• Load balancers: security features and design patterns
• DDoS protection
• Instance isolation