
Networking & Connectivity: Security Principle of the month 

Updated: Aug 28, 2020

When we think about networks, we tend to associate them automatically with the good old-fashioned on-premise switches, routers, firewalls and endless RJ45 cables. Those are not going away in a Cloud world, but they become the CSP's responsibility to manage, while we consume them as SDN (Software Defined Networking).

So although we are now excused from guarding and managing the physical network, the focus shifts to how we protect communications in all directions.


The guiding principle is:

Network traffic and connections to/from/within Cloud platforms must be secured to allow a continuous flow of information, enabling its availability.


Here are a few high-level key points to help us improve the security of networking & connectivity, in the spirit of the principle:



Public & Private Gateways:

  • Secure public gateway traffic via a proxy (whitelist basis) and Deep Packet Inspection (or a separate IDS/IPS, based on the use-case)

  • Utilise intra-cloud routing primitives to steer ingress/egress traffic from/to a gateway through a dedicated DPI/IDS/IPS/FW instance

  • Route only approved infrastructure to the gateways

  • Enable a malware protection solution for ingress traffic

  • Map out all active private and public connections (VPN, dedicated link, peering, etc.), identifying end-to-end routes and the protocols in use, while ensuring only those required are active, with appropriate access control over changes to the routing configuration

  • For specific use-cases, consider using a CDN (with signed URLs and cookies) to serve content, protecting the source and potentially eliminating the need for direct access into the environment

Subnets:

  • Ensure subnets are categorised and separated for each purpose, based on the different infrastructure stacks

  • Place everything in private subnets by default, with only designated services (e.g. load balancers) in public subnets, fronting the internal stacks

Network ACLs (Stateless):

  • Enable nACLs on subnets and configure them in accordance with the minimal operational requirements and the risk level

  • Understand the CSP's default configuration; it will usually be set to 'any-any'


Security Groups/Firewalls (Stateful):

  • To be implemented at both the instance/VM and load-balancer levels

  • The default policy should follow the "drop all, allow some" model, minimising machine-to-machine or resource-to-resource communication where possible, which in turn reduces the number of open firewall rules

  • Ensure Security Groups and Firewalls are categorised and separated for each purpose, based on the different infrastructure stacks

  • Fast changes in sensitive environments must be tracked and alerted on
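The difference between the stateless nACL and the stateful security group above is easy to get wrong in practice, so here is a small added illustration (not code from the post or any CSP) that models both evaluation styles and flags 'any-any' rules. The rule and packet shapes are constructed for the example; a CSP's real rule format differs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule/packet shapes for illustration; not a CSP's real format.
@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    cidr: str        # remote address range the rule applies to
    ports: tuple     # (low, high) inclusive, checked against pkt.port

@dataclass(frozen=True)
class Packet:
    proto: str
    remote_ip: str
    port: int        # destination port of the packet (local for inbound, remote for outbound)

def _matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr)
            and rule.ports[0] <= pkt.port <= rule.ports[1])

def stateless_decision(rules, pkt):
    """nACL style: ordered rules, first match wins, implicit deny at the end.
    Nothing is remembered, so reply traffic needs its own explicit rule."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Security-group style: allow-only rules plus a flow table, so the reply
    to an allowed inbound connection passes without an outbound rule."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.flows = set()

    def inbound_decision(self, pkt, client_port):
        if any(_matches(r, pkt) for r in self.inbound_rules):
            self.flows.add((pkt.proto, pkt.remote_ip, client_port))
            return "allow"
        return "deny"

    def outbound_decision(self, pkt):
        # Reply packets are only allowed if they belong to a tracked flow.
        return "allow" if (pkt.proto, pkt.remote_ip, pkt.port) in self.flows else "deny"

def any_any_rules(rules):
    """Flag allow-everything-from-everywhere rules (the usual CSP default)."""
    return [r for r in rules if r.action == "allow" and r.proto == "any"
            and r.cidr == "0.0.0.0/0" and r.ports == (0, 65535)]
```

With a stateless ACL, allowing inbound 443 is not enough: the server's reply to the client's ephemeral port is dropped unless an explicit outbound rule covers it, whereas the stateful firewall passes it from its flow table.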

3rd-party access / API connectivity / sockets / CSP services connectivity:

  • Frequently map out all active connections and the methods in use (e.g. peering, API connections, VPNs, cross-account connections, public IPs, etc.) across all environments

  • For API connectivity, perform API discovery and clean-up exercises: establish which APIs are public and which are private, whether they are encrypted, and alert on and remove unused or non-authorised APIs; use only approved technology for signing API requests and watch for potential issues around certificates; use approved API types only (e.g. REST); look into the 'OWASP Top 10 for API Security'; use an API gateway for enhanced control/security (based on the use-case); classify APIs by risk level and protect them accordingly; and consider 3rd-party tools able to identify anomalies/spoofing and provide decoying/honeypotting as a preventive measure

  • Enable Deep Packet Inspection (or a separate IDS/IPS, based on the use-case) with WAF capabilities

  • Allow 3rd-party access via temporary/short-lived credentials only. Exceptions must be subject to a defined process with periodic review.

  • Use private CSP endpoints wherever possible to access services over the provider's internal network rather than over a public network. When a public network must be used, ensure data in transit is protected properly (e.g. IPsec)

  • Ensure strong authentication, authorisation and admission controls on APIs


All ways lead to Cloud!

*The "Security Principle Of The Month" posts are a series of short articles aimed at helping and guiding the security SME, whether a consultant reviewing a solution design proposal or a DevSecOps engineer deploying a solution, by listing key points of the various security controls that should be considered for the proposed solution or for an existing product/environment. This list should be used as a complement to any other security controls and strategies already in use within solutions.



Sources:

- (ISC)² CCSP certification exam materials

- 'AWS Certified Security Specialty' certification exam materials

- 'Azure Security Technologies' certification exam materials

- NCSC (National Cyber Security Centre); Cloud Security Principles

- Broad projects experience

- Online information
