Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
Agenda
AWS Transit Gateway
- Basics of AWS Transit Gateway
- Egress Filtering
- VPC vs VPN Attachment Model
- Ingress Filtering
AWS Transit Gateway with Valtix
- Architecture
- How it works
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Security Capabilities
Network layer (VPC and its subnets): security group, NACL per subnet, flow logs, traffic mirroring
Application layer: AWS WAF, 3rd-party appliance
AWS Transit Gateway
• Interconnecting VPCs at scale
• Consolidating edge connectivity
• Flexibility with routing domains
AWS Transit Gateway Overview
Diagram: one AWS TGW with four attachment types:
- VPC attachment 1, 2, 3 (VPC 1, VPC 2, VPC 3)
- VPN attachment (AWS Site-to-Site VPN to the corporate data center)
- Direct Connect Gateway attachment (AWS Direct Connect to the corporate data center)
- Peering attachment (an AWS TGW in another AWS Region, which fronts VPC 4)
AWS Transit Gateway Routing
Diagram: the same topology as the overview (VPC 1/2/3 via VPC attachments, the corporate data center via Site-to-Site VPN and Direct Connect Gateway, VPC 4 behind the TGW in another AWS Region via a peering attachment), with the TGW route table populated:
tgw-route-table
- VPC 1 via att-1
- VPC 2 via att-2
- VPC 3 via att-3
- Corp DC via DXGW att
- VPC 4 via peering att
Egress Filtering with Transit Gateway
Three models: VPC Attachment Model, VPN Attachment Model, Explicit Proxy Model
VPC Attachment Model
Diagram: VPC 10.1.0.0/16 holds the workload (Instance 10.1.0.10) and is attached to the TGW via att-1. VPC 10.2.0.0/16 is the security VPC, attached via att-2, with a TGW ENI in each of two Availability Zones (1 and 2), a Firewall in each zone, and an Internet gateway.
VPC Attachment – Routing
Route tables for the VPC attachment model:
TGW RT
- 0.0.0.0/0 via att-2
- 10.1.0.0/16 via att-1
Subnet RT (workload subnet, VPC 10.1.0.0/16)
- 0.0.0.0/0 via TGW
Subnet RT (TGW ENI subnet, zone 1)
- 0.0.0.0/0 via FW-1
Subnet RT (TGW ENI subnet, zone 2)
- 0.0.0.0/0 via FW-2
Subnet RT (firewall subnets, zones 1 and 2)
- 0.0.0.0/0 via IGW
- 10.1.0.0/16 via TGW
VPC Attachment – Traffic Flow
Instance 10.1.0.10 opens a connection to Amazon.com:
1. Workload subnet RT: 0.0.0.0/0 via TGW. Packet: source 10.1.0.10, destination Amazon.com.
2. TGW RT: 0.0.0.0/0 via att-2. Packet unchanged, delivered to the TGW ENI in the security VPC.
3. TGW ENI subnet RT: 0.0.0.0/0 via FW-2. Packet unchanged, delivered to Firewall 2.
4. Firewall 2 inspects and SNATs; firewall subnet RT: 0.0.0.0/0 via IGW. Packet: source Firewall-2, destination Amazon.com.
Because of the SNAT, replies come back to Firewall 2, are translated back to 10.1.0.10, and follow the firewall subnet route 10.1.0.0/16 via TGW and the TGW route 10.1.0.0/16 via att-1 to the instance.
VPC Attachment – High Availability
Normal state: the zone 1 TGW ENI subnet routes 0.0.0.0/0 via FW-1 and the zone 2 TGW ENI subnet routes 0.0.0.0/0 via FW-2, so each firewall serves its own zone.
VPC Attachment – High Availability
Firewall 2 fails: the zone 2 TGW ENI subnet still routes 0.0.0.0/0 via FW-2, which is now a blackhole, while zone 1 keeps working via FW-1. A VPC route table does not react to an unhealthy ENI target on its own, so custom automation is required to detect the failure and repoint the zone 2 default route at a healthy firewall.
VPN Attachment Model
Diagram: VPC 10.1.0.0/16 holds the workload (Instance 10.1.0.10) and is attached via att-1. VPC 10.2.0.0/16 holds Firewall 1 and Firewall 2 behind an Internet gateway; instead of a VPC attachment, each firewall terminates an AWS Site-to-Site VPN to the TGW, so the firewalls are reached through IPsec tunnels.
VPN Attachment – Routing
TGW RT
- 0.0.0.0/0 via VPN-1
- 0.0.0.0/0 via VPN-2 (two equal-cost default routes, one per firewall's VPN attachment)
- 10.1.0.0/16 via att-1
Subnet RT (workload subnet, VPC 10.1.0.0/16)
- 0.0.0.0/0 via TGW
Subnet RT (firewall subnets, zones 1 and 2)
- 0.0.0.0/0 via IGW
VPN Attachment – Traffic Flow
Instance 10.1.0.10 opens a connection to Amazon.com:
1. Workload subnet RT: 0.0.0.0/0 via TGW. Packet: source 10.1.0.10, destination Amazon.com.
2. TGW RT: 0.0.0.0/0 via VPN-1 or VPN-2; the packet, unchanged, is carried through the IPsec tunnel to the chosen firewall.
3. Firewall 2 inspects and SNATs; firewall subnet RT: 0.0.0.0/0 via IGW. Packet: source Firewall-2, destination Amazon.com.
VPN Attachment – High Availability
Normal state: the TGW RT holds 0.0.0.0/0 via VPN-1, 0.0.0.0/0 via VPN-2 and 10.1.0.0/16 via att-1, so egress flows are spread across both firewalls.
VPN Attachment – High Availability
Firewall 2 fails: its BGP session over VPN-2 drops and the 0.0.0.0/0 via VPN-2 route is removed automatically by Border Gateway Protocol (BGP). The TGW RT is left with 0.0.0.0/0 via VPN-1 and 10.1.0.0/16 via att-1, so all egress shifts to Firewall 1 with no custom automation.
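An added example for the VPN attachment model, written for this page and not taken from the deck, AWS or Valtix: a toy TGW route table that holds the two equal-cost default routes learned over BGP from the firewalls' VPN attachments plus the static 10.1.0.0/16 route, spreads flows across the equal-cost next hops by hashing the 5-tuple so that every packet of one flow reaches the same stateful firewall, and models a BGP session drop as a withdrawal of that peer's routes while leaving static routes alone. The class, the flow tuples, the CRC32 hash and the 203.0.113.10 destination are constructed stand-ins; the TGW's real flow hash is not reproduced and no AWS API is called.

```python
"""Toy Transit Gateway route table for the VPN attachment model (added example;
not code from the deck, AWS or Valtix). Hash, flows and names are constructed."""
import ipaddress
import zlib


class TgwRouteTable:
    def __init__(self):
        # cidr -> {next_hop: origin}; several next hops for one prefix means ECMP
        self.routes = {}

    def add_static(self, cidr, next_hop):
        self.routes.setdefault(cidr, {})[next_hop] = "static"

    def learn_bgp(self, cidr, next_hop):
        """Route advertised by a VPN peer (one of the firewalls) over BGP."""
        self.routes.setdefault(cidr, {})[next_hop] = "bgp"

    def bgp_session_down(self, next_hop):
        """Tunnel or firewall failure: every route learned from that peer is
        withdrawn. Static routes are never touched by this."""
        for cidr, hops in list(self.routes.items()):
            if hops.get(next_hop) == "bgp":
                del hops[next_hop]
            if not hops:
                del self.routes[cidr]

    def lookup(self, dst):
        """Longest-prefix match; returns the sorted list of equal-cost next hops."""
        addr = ipaddress.ip_address(dst)
        best = None
        for cidr, hops in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hops)
        return sorted(best[1]) if best else []

    def select(self, flow):
        """ECMP choice for one flow (src, sport, dst, dport, proto). All packets
        of a flow hash to the same next hop, which a stateful firewall needs."""
        hops = self.lookup(flow[2])
        if not hops:
            return None
        key = "|".join(map(str, flow)).encode()
        return hops[zlib.crc32(key) % len(hops)]


def build_table():
    """The TGW RT from the slide: 0.0.0.0/0 via VPN-1 and VPN-2, 10.1.0.0/16 via att-1."""
    rt = TgwRouteTable()
    rt.learn_bgp("0.0.0.0/0", "vpn-1")
    rt.learn_bgp("0.0.0.0/0", "vpn-2")
    rt.add_static("10.1.0.0/16", "att-1")
    return rt


def spread(rt, n=256):
    """Set of next hops that n constructed flows from the instance land on."""
    flows = [("10.1.0.10", 40000 + i, "203.0.113.10", 443, "tcp") for i in range(n)]
    return {rt.select(f) for f in flows}


if __name__ == "__main__":
    rt = build_table()
    print("normal:", spread(rt))                           # both firewalls in use
    rt.bgp_session_down("vpn-2")                           # firewall 2 dies, BGP withdraws
    print("after withdrawal:", spread(rt))                 # only vpn-1
    print("to the workload VPC:", rt.lookup("10.1.0.10"))  # still att-1
```

The flow-hash stickiness is the property to check when you run this against a real deployment: if the two firewalls do not share connection state, a flow that moved between them mid-connection would be dropped, and the BGP withdrawal only protects new flows anyway.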
Explicit Proxy Model
Diagram: VPC 10.1.0.0/16 holds the workload (Instance 10.1.0.10) and is attached via att-1. VPC 10.2.0.0/16 is attached via att-2 and holds the TGW ENIs, a Network Load Balancer (NLB) and a fleet of proxies behind an Internet gateway. The workload is configured to send its web traffic to the NLB address; there is no default route toward the TGW.
Explicit Proxy – Routing
TGW RT
- 10.2.0.0/16 via att-2
- 10.1.0.0/16 via att-1
(no default route: the TGW only carries traffic between the workload VPC and the proxy VPC)
Subnet RT (workload subnet, VPC 10.1.0.0/16)
- 10.2.0.0/16 via TGW
Subnet RT (TGW ENI subnets, VPC 10.2.0.0/16)
- 10.2.0.0/16 via local
Subnet RT (proxy subnets)
- 0.0.0.0/0 via IGW
- 10.1.0.0/16 via TGW
Explicit Proxy – Traffic Flow
Instance 10.1.0.10, configured to use the proxy, connects to the NLB:
1. Workload subnet RT: 10.2.0.0/16 via TGW. Packet: source 10.1.0.10, destination NLB.
2. TGW RT: 10.2.0.0/16 via att-2; TGW ENI subnet RT: 10.2.0.0/16 via local. The NLB forwards the connection to a healthy proxy.
3. The proxy opens its own connection to the site; proxy subnet RT: 0.0.0.0/0 via IGW. Packet: source Proxy, destination Amazon.com.
Replies to the instance follow 10.1.0.0/16 via TGW from the proxy subnet and 10.1.0.0/16 via att-1 on the TGW.
Explicit Proxy – High Availability
Proxy health checks are provided by the Network Load Balancer (NLB): a failed proxy is removed from the target group, and no route table change is needed because the proxies are reached as NLB targets rather than as route next hops.
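An added example for the explicit proxy model, written for this page and not taken from the deck, AWS or Valtix: the allowlist decision a forward proxy makes on each request. Unlike the routed firewall models, an explicit proxy receives the destination host name in the CONNECT line (for TLS) or in the absolute-URI request line (for plain HTTP) and can filter on it before any packet leaves the VPC. The request lines and the allowlist entries are constructed; the matching does a label-boundary suffix match so that a look-alike host such as evilamazon.com does not satisfy an amazon.com entry. It also shows the limit the later "Example Attacks" slide points at: at this layer the proxy sees only host and port, so api.github.com can be allowed while github.com itself is denied, but an organisation repository cannot be told from a public one without decrypting TLS and inspecting the URL path.

```python
"""Allowlist decision for an explicit (forward) proxy: an added example, not
from the deck, AWS or Valtix. Request lines and allowlist entries are constructed."""
from urllib.parse import urlsplit

# host or parent domain -> ports allowed to it (constructed policy)
ALLOW = {
    "amazon.com": {443},         # amazon.com and any *.amazon.com
    "api.github.com": {443},     # the API host only, not github.com itself
    "canonical.com": {80, 443},  # package mirrors are often plain HTTP
}


def parse_request_line(line):
    """Return (host, port) from the first line of a request to an explicit proxy.
    Raises ValueError for anything a forward proxy should not be asked for."""
    method, target, _version = line.strip().split(" ", 2)
    if method == "CONNECT":                       # CONNECT host:port HTTP/1.1
        host, sep, port = target.rpartition(":")
        if not sep or not host:
            raise ValueError("CONNECT target must be host:port")
        return host.lower(), int(port)
    url = urlsplit(target)                        # GET http://host/path HTTP/1.1
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("explicit proxy expects absolute-URI form")
    return url.hostname.lower(), url.port or (443 if url.scheme == "https" else 80)


def host_matches(host, pattern):
    """Exact match, or a parent-domain match on a label boundary:
    'www.amazon.com' matches 'amazon.com', 'evilamazon.com' does not."""
    return host == pattern or host.endswith("." + pattern)


def decide(line, allow=ALLOW):
    """'allow' or 'deny' for one request line. Anything unparsable is denied."""
    try:
        host, port = parse_request_line(line)
    except ValueError:
        return "deny"
    for pattern, ports in allow.items():
        if host_matches(host, pattern) and port in ports:
            return "allow"
    return "deny"


if __name__ == "__main__":
    for req in ("CONNECT www.amazon.com:443 HTTP/1.1",
                "CONNECT evilamazon.com:443 HTTP/1.1",
                "CONNECT github.com:443 HTTP/1.1",
                "GET http://canonical.com/ubuntu/ HTTP/1.1",
                "GET /index.html HTTP/1.1"):
        print(decide(req), req)
```

Two things to keep in mind when turning this into a real proxy policy: deny by default (the code returns "deny" for any parse failure or origin-form request, which is what a client that is not proxy-aware would send), and restrict ports per host, since a CONNECT to port 22 or 4444 through an "allowed" domain is the usual way a tunnel slips past a host-only list.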
Egress Filtering Summary

                         VPC Attachment Model         VPN Attachment Model              Explicit Proxy Model
No encryption overhead   Yes                          No (IPsec tunnels to firewalls)   Yes
High availability        Custom automation required   BGP                               NLB health check
Transparent to clients   Yes                          Yes                               No (clients must be configured to use the proxy)
Ingress Filtering with Transit Gateway
Reverse Proxy Model
Reverse Proxy Model
Diagram: users on the Internet reach an NLB in the security VPC (Internet gateway, NLB, proxies/firewalls); the proxies forward through the TGW (att-1, att-2) to an ALB in front of the web servers in the application VPC. The two VPCs are 10.1.0.0/16 and 10.3.0.0/16.
Reverse Proxy Model – Traffic Flow
1. Users → NLB: the request arrives at the NLB's public address.
2. Users → Proxies: the NLB forwards to a proxy/firewall with the client source address preserved.
3. Proxies → ALB: the proxy opens a new connection across the TGW into the application VPC.
4. ALB → WebServers.
Reverse Proxy Model – High Availability
Proxy health checks are provided by the Network Load Balancer (NLB); an unhealthy proxy/firewall is dropped from the target group.
Valtix Cloud Controller SaaS
Controller functions: automated deployment, network security policies, management console, telemetry and monitoring, API.
Security-as-a-Service
▪ Fully managed network security
○ Software updates
○ Auto scaling
○ Networking
▪ Simplified deployment
▪ Unified policy & enforcement
Cloud-Native Architecture
▪ Decoupled control and data plane
▪ Multi-cloud, region, zone
▪ Single pass inspection
○ WAF + Trustwave ruleset
○ IPS + Talos ruleset
○ TLS decryption/encryption throughout
Manage Globally, Enforce Locally
Diagram: the Valtix cloud account hosts the controller; only policy and telemetry cross between it and the customer accounts (no production traffic). Valtix Cloud Firewalls run inside the customer accounts, either in a HUB VPC or at the EDGE of a VPC facing the Internet; KMS and S3 are also shown.
Example Attacks
● Attack vectors
○ Malicious insiders, infected users, misconfiguration...
○ Vulnerable servers
■ Apache Struts exploit: CVE-2017-5638
■ Windows SMB: NotPetya malware
○ Connections to command-and-control (C2) servers cannot be differentiated from legitimate sites by IP address or domain alone:
■ GitHub org repo vs public repos (same domain)
■ canonical.com vs rapidshare.com
○ Lateral movement from vulnerable servers
● Impact
○ Drive up costs
○ Exfiltrate data
○ Disrupt operations
○ Reputation damage
Diagram: an attacker's command-and-control server, a bitcoin-mining workload, a malware-distribution host, an infected user or malicious insider, a bug or vulnerable server, and data exfiltration.
Onboarding Flow
Discover
▪ Customer provides cloud IAM credentials (scope these to a least-privilege role rather than long-lived access keys)
▪ Valtix continuously discovers cloud applications and network inventory
Deploy
▪ Automated deployment of a cluster of autoscaling VCFs (the Valtix Gateway) via the Valtix Cloud Controller SaaS, the API or Terraform
▪ Edge and Hub mode
▪ Automated networking changes
Defend
▪ Define security policy by app name and workload tags
▪ Multi-cloud, region, zone policies
▪ Integration with SIEMs and data lake
▪ Support for threat and vulnerability management tools like Amazon GuardDuty
Service Components
▪ Valtix Controller SaaS portal [Valtix pays]
‒ Centralized controller
‒ Dashboard, security policy
‒ Manages lifecycle of VCFs
▪ Valtix Cloud Firewall (VCF)
‒ Single pass dataplane for WAF + NGFW
‒ Not deployed individually, only as part of a Valtix Gateway
▪ Valtix Gateway [Customer pays]
‒ Distributed dataplane as a cluster of auto scaling VCFs
‒ Deployed per region, across zones in the customer’s cloud account
‒ Reduces networking costs of traffic in/out of cloud VPC/VNET
Use Case 1: Hub Mode With AWS Transit Gateway - Egress
Diagram: VPC 10.1.0.0/16 with Instance 10.1.0.10 is attached via att-1; the Security VPC 10.2.0.0/16 is attached via att-2 and holds the TGW ENIs, an NLB and an autoscaling cluster of Valtix Cloud Firewalls behind an Internet Gateway. Managed by Valtix through the Valtix Cloud Controller SaaS:
● VCF deployment
● TGW routing
● Security policies
● Auto scaling of VCFs
Use Case 2: Hub Mode With AWS Transit Gateway - Ingress
Diagram: the Security VPC 10.2.0.0/16 (att-2) holds the TGW ENIs, an Internet Gateway, an NLB and the Valtix Cloud Firewalls; the application VPC 10.1.0.0/16 (att-1) holds an ALB. The application's DNS record in Route 53 is set to the NLB, so user traffic passes through the firewalls before reaching the ALB across the TGW (the reverse proxy model above). Managed by Valtix through the Valtix Cloud Controller SaaS:
● VCF deployment
● TGW routing
● Security policies
● Auto scaling of VCFs
Use Case 3: PaaS Security, including API Gateway
Diagram: the Security VPC 10.2.0.0/16 (att-1, att-2) holds the TGW ENIs, an Internet Gateway, an NLB and the Valtix Cloud Firewalls; VPC 1, VPC 2 and VPC 3 hang off the TGW, and the inspected traffic reaches PaaS endpoints: Amazon S3, Amazon API Gateway and AWS Lambda. Managed by Valtix through the Valtix Cloud Controller SaaS:
● VCF deployment
● TGW routing
● Security policies
● Auto scaling of VCFs
info@valtix.com
www.valtix.com
Learn more:
● Try Valtix Sandbox in our environment: www.valtix.com/sandbox
● 14-Day Free Trial for POC: www.valtix.com/trial
● Available on AWS Marketplace: https://aws.amazon.com/marketplace/pp/B081781QXX?ref_=srh_res_product_title
