Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

---

S'abonner au fil RSS global de la revue de presse

---

Présentation : As much as we like to believe we ve evolved as a species, many people continue to be scared of things they don t understand. Yes, many organizations have embraced the cloud whole hog and are rushing headlong into the cloud age. Yet, it s a big world and millions of others remain paralyzed not really understanding cloud computing and taking the general approach that it can t be secure because, well, it just can t. Or it s too new. Or some other unfounded, incorrect perception. Kind of like when folks insisted that the Earth was the center of the universe. This blog series builds on our recent Pragmatic Security for Cloud and Hybrid Networks paper to focus on cloud native network architectures that provide security and availability in ways that you can t do in a traditional data center. We understand this evolution will happen over the next decade and organizations will need to support hybrid networks for some amount of time. But for those ready, willing and able to move to the future today, the cloud is waiting for you to break the traditional rules of how technology is developed, deployed, scaled, and managed. We ve been pretty aggressive in proselytizing our belief that the move towards the cloud is the single biggest disruption we ll see in technology for the next few decades. Yes, even bigger than the move from mainframes to client server yes, we re old folks . In this Resilient Cloud Network Architectures series, we re going to give you the basics of cloud network security and then present a few design patterns to illustrate the concepts. We d like to thank Resilient Systems for agreeing to license the content in this paper. As always, we ll build the content using our Totally Transparent Research methodology, which means we post everything to the blog first and then allow you our readers to poke holes in it. Once it s been sufficiently prodded, we ll publish a paper of the research for your reference. Defining Resilient ------------------ If we bust out the old dictionary to define resilient, we get able to become strong, healthy, or successful again after something bad happens able to return to an original shape after being pulled, stretched, pressed, bent, etc. In the context of computing, you want to deploy technology that is going to be able to not just become strong again, but be resistant to attack in the first place. Recoverability is also key, so if something does happen you want to be able to return service quickly, if an outage happens at all. From a network architecture perspective, we always default back to the cloud computing credo Design for failure. A resilient network architecture is going to both make it harder to compromise the application, as well as minimize downtime if the event of an issue. Key aspects of cloud computing that provide security and availability Network Isolation Using the inherent ability of the cloud to restrict connections via software firewalls security groups, which are described below , you can build a network architecture that fully isolates the different tiers of the application stack. That prevents a compromise in one application or database from getting at information stored in another. Account Isolation Another aspect of the cloud is the ability to use multiple accounts per application. So each of your different environments Dev, Test, Production, Logging, etc. you can use different accounts, which also provides isolation since you can t access cloud infrastructure across accounts without explicitly providing authorization. Immutability An immutable server is one that is never logged into or changed in production. In a cloud-native DevOps environment, servers are deployed in auto-scale groups based on standard images. This prevents human error and configuration drift from creating exploitation paths for the application. You take a new known-good state, and completely replace what is in production. Thus, no more patching and no more logging into servers. Regions You could certainly build multiple data centers around the world to provide redundancy. Of course, that s not necessarily a cheap option over time. To do the same thing in the cloud, you basically just replicate the entire environment in a different region via an API call or a couple of clicks in the cloud console. These regions are located all over the world and provide multiple availability zones within each region to further minimize single points of failure. You can load balance between zones and regions while leveraging the auto-scaling capabilities to keep your infrastructure working on the same images in real time. We ll describe this design pattern in the next post. The key takeaway here is that cloud computing provides architectural options that are either not possible or not economically feasible in a traditional data center to provide a higher level of protection and availability. Though the rest of the series, we ll describe the fundamentals of cloud networking to provide the context and then dig into the design patterns that provide both security and availability which we ve defined as resilience. Understanding Cloud Networks ---------------------------- The key difference between a network that runs in your data center and one that runs in the cloud is that cloud customers never access the real network or hardware. Cloud computing uses virtual networks abstracting the networks you see and manage from the underlying physical resources. When your server gets IP address 10.0.1.12, that isn t really an IP address on routing hardware it s a virtual IP address on a virtual network. Everything is handled in software. Cloud networking varies across cloud providers, but differs from traditional networks in the areas of visibility, management and velocity of change. You can t tap into the cloud providers virtual network, so you ll need to think differently about monitoring your networks. Additionally the cloud network is typically managed via scripts or programs making application programming interfaces API calls, and not a graphical console or command line . That means a developer can do pretty much anything, including standing up networks and reconfiguring them instantaneously via code. Finally, cloud networks change much faster than physical networks because cloud environments change faster, spinning up and shutting down servers via automation. So your traditional workflows to govern network change won t really map to your cloud network. Although it can be confusing because the cloud network looks the same as traditional networks, including routing tables and firewalls. But looks can be deceiving and although the constructs seem the same, there are significant differences. Cloud Network Architectures --------------------------- You need to understand the types of cloud network architectures and the different technologies that enable them, to fit your needs to the right solution. There are two basic types of cloud network architectures Public cloud networks These networks are entirely Internet-facing. You connect to your instances servers via the public Internet with no special routing every instance has a public IP address. Private cloud networks Also called virtual private clouds or VPCs, these networks look like your internal LANs using private IP addresses. You access these networks via some kind of separate connection typically a VPN to access your environment. Cloud networks are enabled and supported by the following technologies Internet Gateways An Internet gateway connects your cloud network to the Internet. You don t normally manage it directly your cloud provider does it for you since it s their underlying technology that is going to move packets from your internal network to the Internet. Internal Gateways These devices are used to connect existing datacenters to your private cloud network. You access these networks via a VPN offered by the cloud provider or a direct connection, which looks a lot like a traditional point to point connection from days gone by. Virtual Private Networks You can also set up your own overlay network to bridge your private and public cloud networks within your cloud provider. This provides a private segment with access for users, developers, and administrators. These terms will come into play when we present the design patterns in the next post. Network Security Controls ------------------------- Your network is different in the cloud, so your network security controls will be different as well. But to provide some comfort, the categories will sound familiar. These controls fall generally into five buckets 1. Perimeter security These controls generally provide a course level of protection from very common network-based attacks, including denial of service attacks. The cloud provider puts these controls in place and manages them, so you have no visibility or control over them. 2. Software firewalls These firewalls are built into the cloud platform called security groups in AWS vernacular and protect cloud assets such as instances, offer basic access control capabilities via ports protocols and sources destinations, and are designed for auto scaling and other cloud-specific uses. This capability combines the best of network and host firewalls, allowing you to deploy policies on individual servers or even network interfaces like a host firewall, but you manage them like network firewalls. This is going to be your main technique to provide virtual network isolation, as described above. 3. Access Control Lists While the software firewall work at a per-instance or per-object level, ACLs restrict communications between subnets in your virtual network. Old school networking folks will be familiar with how you use ACLs to control access into and out of the subnets in your virtual cloud network. 4. Virtual appliances A number of traditional network security tools, such as IDS IPS, WAF, and NGFW are available in virtual form factors to add expanded features for network security, but require you to route your cloud traffic through the device. 5. Host security agents These agents are built into your immutable server images and provide visibility and protection to each server instance in your cloud environment. The thing about cloud networking is that you don t need to apply the same controls or even configurations to your entire network, as you do in your own data centers. You can make architectural and security control decisions based on the project. Perhaps you decide an entirely cloud-based VPC is more appropriate for one application and for another you ll need to build an overlay VPN to connect a totally different VPC to your datacenter to support a hybrid environment. You may need to route traffic through an inspection point to prevent data leakage in one application and in another you rely exclusively on security groups to provide full isolation between the different layers of your cloud stack. The permutations are infinite, which provides you with flexibility you don t have in your data center. These fundamentals should provide the context you ll need to understand the design patterns will present in the next post to illuminate these concepts. - Mike Rothman 0 Comments Subscribe to our daily email digest

Les mots clés de la revue de presse pour cet article : network
Les videos sur SecuObs pour les mots clés : network fundamentals
Les mots clés pour les articles publiés sur SecuObs : network
Les éléments de la revue Twitter pour les mots clé : network





Les derniers articles du site "Security Bloggers Network" :

- In An Era Of Decline, News Sites Can t Afford Poor Web Performance
- BeautifulPeople.com experiences data breach 1m affected
- Swedish Air Space Infringed, Aircraft Not Required
- Why cybercriminals attack healthcare more than any other industry
- Setting the Benchmark in the Network Security Forensics Industry
- Spotify denies hack users subjected to weird music beg to differ
- The Dangerous Game of DNS
- Threat Recap Week of April 22nd
- Is your security appliance actually FIPS validated
- Deploying SAST Static Application Security Testing

---

S'abonner au fil RSS global de la revue de presse

---