
Extending Security of your AWS Infrastructure with OpenSource Tools

Applicable to Azure and most other clouds.

Swiss Army Knife

About pfSense Appliance

●pfSense® - World's Most Trusted Open Source Firewall

●Available as Virtual Appliance in AWS & Azure.

●Get it from Marketplace.

Single Entry Point for Administration with SSH or Control over SSH Access

pfSense as JumpBox

●Another ready-made solution.
●NAT + Firewall Capabilities.
●Support Inbound NAT with Port Forward.

Responsibilities
●NAT Gateway + Port NAT

Monthly Price Advantage : $25

Yearly Price Advantage: $300

●Bastion Host

Typical Aws ELB Infra

Limitations with ELB
●No HTTP ACLs
●No HTTPS redirect from ELB
●No SSL Client Auth
●No SSL SNI Support (got introduced in ALB)

Elastic LB or HAProxy
●ELB is a great product, still with limitations.

ELB replaced with HAProxy

If we use HAProxy:
●ACL with various regular expressions, blacklisting.
●More frontend and backend options.
●Better monitoring options.
●Re-configurability / customisations.
●HTTPS redirection from HAProxy itself.
●SSL termination with SNI (multiple SSL certificates and multiple IPs).
●SSL Client Authentication.
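An HAProxy configuration that implements the features listed above (HTTPS redirect, regex ACLs and a source blocklist, SNI-based SSL termination, client-certificate authentication for one hostname, and the built-in stats page), as an added example that is not from the slides. The hostnames, backend addresses and file paths under /etc/haproxy/ are assumed placeholders.

```haproxy
# Added example (not from the slides). Assumed placeholders: hostnames,
# backend addresses and the paths under /etc/haproxy/.
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
# Plain HTTP: redirect everything to HTTPS (classic ELB cannot do this itself)
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# SSL termination with SNI: one .pem (key + chain) per hostname in the certs
# directory; strict-sni refuses handshakes for names we hold no certificate for.
# Client certificates are requested (verify optional) and enforced per host below.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni ca-file /etc/haproxy/client-ca.pem verify optional

    # Blacklisting: deny source addresses listed one CIDR per line in a file
    acl blocked_src src -f /etc/haproxy/blocklist.txt
    http-request deny deny_status 403 if blocked_src

    # Regex ACL on the request path: refuse probes for dotfiles and backup copies
    acl bad_path path_reg -i (^|/)\.(git|env|htaccess)|\.(bak|old)$
    http-request deny deny_status 404 if bad_path

    # SSL client authentication, enforced only for the admin hostname
    acl is_admin   hdr(host) -i admin.example.com
    acl cert_used  ssl_c_used
    acl cert_valid ssl_c_verify 0
    http-request deny deny_status 403 if is_admin !cert_used
    http-request deny deny_status 403 if is_admin !cert_valid
    use_backend admin_servers if is_admin
    default_backend web_servers

# Monitoring: built-in stats page, bound to loopback only
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats

backend web_servers
    balance roundrobin
    option httpchk GET /health
    server web1 10.0.1.10:8080 check
    server web2 10.0.1.11:8080 check

backend admin_servers
    server admin1 10.0.2.10:8080 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; with `verify optional`, a request to the admin hostname without a valid client certificate is answered with 403 rather than a TLS handshake failure.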

Responsibilities
●NAT GW + Port NAT + Network FW + Bastion Host + Load Balancer + Web Application Firewall

Price Advantage Monthly: $50/-
Price Advantage Yearly: $600/-

Remote Access VPN
●In AWS, No Ready Solution.
●Marketplace has many options.
●pfSense works as the most cost effective.

WoW! It is worth the money.

Cisco Cloud Router $2233/year + AWS Instance Charges

Fortinet Firewall with VPN $1992/year + AWS Instance Charges

PaloAlto Firewall with VPN $4500/year + AWS Instance Charges.

Sophos UTM $788/year + AWS Instance Charges.

Netgate pfSense Firewall with VPN $600/year

You can run a t2.nano pfSense for $75/year

Responsibilities
●NAT GW + Network FW
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN

Price Advantage Monthly: $50 + $116 = $166
Price Advantage Yearly: $600 + $1392 = $1992

Site-Site VPN
●Extends your Office network securely.
●No need to have endpoint client software.

Options
●AWS Managed VPN Gateways.
●pfSense VPN Gateway for Site-Site Access.

AWS VPN Gateway

Replace with pfSense

Advantages of pfSense over AWS Managed Solution
●AWS is restricted to the IPsec option only.
●pfSense has more options like IPsec, OpenVPN, Tinc, etc.
●No added price for additional tunnels.

Responsibilities
●NAT GW + Network FW
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN
●Site-Site VPN (OpenVPN / IPsec)

Price Advantage Monthly: $166 +$73 = $239

Price Advantage Yearly: $1992 + $876= $2868

IPS Solutions
●No Ready Made Solutions.
●Marketplace has options like Alert Logic / McAfee.

pfSense Options
●Snort IDS / IPS
●Suricata IDS / IPS

Can use it as Host/Network IDS.

Rule Sets are available for HTTP/SMTP/POP3S/IMAPS/Apache etc.

Responsibilities
●NAT Gateway
●Bastion Host
●Load Balancer + Web Application
●Remote Access VPN
●IDS / IPS Functionalities

Price Advantage Monthly: $239 +$198 = $437

Price Advantage Yearly: $2868 +$2376 = $5244

Redundancy and Failover

Possible to set up failover of the pfSense instance with CARP.

Round-robin DNS Records

Now your AWS Infra is more secure and fits your pocket better, with a single device.

contactus@fcoos.net
Team FCOOS

Questions?

Thank You

Other OpenSource Tools

●Fail2ban:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, seeking for exploits, etc.

●Scout2:

Scout2 is an open source tool that helps assess the security posture of AWS environments. Using the AWS API, the Scout2 Python scripts fetch CloudTrail, EC2, IAM, RDS, and S3 configuration data.