Best Of The World In Security Conference
Best Of The World In Security
12-13 November 2020
Cloud Security
Limitations of Cloud Security Groups and Flow logs
Avishag Daniely
Guardicore
S. Director of Product Marketing
@avishugz
About Me
Boulderer, Painter, Yogarer, Dog lover
Fluent in 3 languages + Learning Chinese
Cyber Geek for 11+ years, Passion for Products, Marketing and Growth
Agenda
• The shift away from perimeters
• Top Cloud Security Threats
• Azure Terminology
• NSGs and ASGs
• Cloud Security Groups
• Flow Logs
• Limitations - Scenario Deep Dives
  • Single vNet
  • Multi vNet
  • Multi Cloud
• AWS Security Groups and ACLs
We now live in a world with no defined perimeters
We are in the era of hybrid-cloud
1993 – You own it: bare metals, routers, access switches
2005 – Internet is more popular than ever, Facebook and Google emerge, SSL is the thing
2006–2010 – The cloud is born. You no longer own all the infrastructure
2013 – Containers are introduced to the world
2021 – Data centers are hybrid. Virtual, Cloud, Bare Metal, serverless, VDI, laptops, DaaS - people work from anywhere and everywhere
90% OF BUSINESSES ARE IN THE CLOUD (based on 451)
45% OF INFECTION VECTORS ARE BASED ON CLOUD APPLICATIONS (based on X-Force)
Top Cloud Security Threats
• Access Management
• Network Misconfigurations
• Data Breaches and Data Leaks
• Insecure APIs
• Data Loss
Some Concepts
VNET vs VPC
VNET – Azure
VPC – AWS
Cloud Security Groups
Source: arcitura
Azure Security Groups
Azure Security Groups
The difference
NSGs (Network Security Groups) and ASGs (Application Security Groups) are used to administer and control network traffic within a virtual network (vNet).
The NSG is the Azure resource you use to enforce and control network traffic; an ASG is an object reference within a Network Security Group.
NSGs
NSGs control access by permitting or denying network traffic:
• between different workloads on a vNet
• from an on-site environment into Azure
• directly from the internet
Theoretically, NSGs are a group of ACL rules that either allow or deny network traffic to a specific destination located on your vNet.
All traffic entering or leaving your Azure network can be processed via the NSG.
They can be applied either to a virtual machine or to a subnet (one NSG can be applied to multiple subnets or virtual machines).
ASGs
Used within an NSG to apply a network security rule to a specific workload or group of VMs. Typically used for scalability: creating a virtual machine and assigning it to an ASG gives it all the NSG rules in place for that specific ASG.
Limitations in a single vNet
Simulation Time – Application Migration to Azure
Our Goal: Migrate App SWIFT to Azure
Azure setup:
• Single vNet – subnet 10.0.2.0/24
• vNet region – Brazil
• NSG assigned to our vNet
• ASGs assigned per server role
• The NSG
• The ASGs
What this looks like
Brazil Customer vNet – NSG assigned
ASGs: swift-all, swift-apps, swift-DBS, swift-LBS
The following NSG rules were set:
• Load Balancers to Web Servers, over specific ports: allow
• Web Servers to Databases, over specific ports: allow
• Deny all else between SWIFT servers.
What this looks like
Brazil Customer vNet – NSG assigned
ASGs: swift-all, swift-apps, swift-DBS, swift-LBS
The problem
A critical backup operation fails. What can be the cause?
• A configuration issue within the application, not policy related at all.
• The ASGs are misconfigured while the NSGs are configured correctly.
• The ASGs are configured correctly but the NSGs are misconfigured.
Flow Logs
Flow log limitations
• Dynamic IPs make it nearly impossible to track changes
• Needle in a haystack – no context of time or of which server is the culprit
• No view of the security groups' effect on traffic: only a blocked indication, but by which rule?
• No application or user context – only IPs and ports
Simulation Time – Let's block threats
Our Goal:
• Block Telnet & insecure FTP
• Block malware propagation
Azure setup (same):
• Single vNet – subnet 10.0.2.0/24
• vNet region – Brazil
• NSG assigned to our vNet
• ASGs assigned per server role
Security Group limitations
• Block Telnet – block over port 23
• Block FTP – HOW?
  • Port 21 is not enough
  • What about dynamic high ports?
• Block malware propagation – HOW?
  • Ports? Not good enough
  • No application-aware policies!
  • No process-level policies!
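As an added example (not code from the talk or from Guardicore), a small Python simulation of the two scenarios above: it models the slide's ASGs, the three SWIFT rules and the port-based Telnet/FTP blocks on top of Azure's default inbound rules, and reports which rule decides a given flow, the "policy simulation" the deck says the native tools lack. The server IPs inside 10.0.2.0/24, the port numbers and the custom rule names are assumptions.

```python
"""Which Azure NSG rule decides a flow?  Added simulation for the talk's scenarios."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed ASG membership for the slide's ASGs; the IPs inside the slide's
# 10.0.2.0/24 subnet and the backup host are hypothetical.
ASGS: Dict[str, FrozenSet[str]] = {
    "swift-LBS": frozenset({"10.0.2.10"}),
    "swift-apps": frozenset({"10.0.2.20", "10.0.2.21"}),
    "swift-DBS": frozenset({"10.0.2.30"}),
    "swift-backup": frozenset({"10.0.2.40"}),
}
ASGS["swift-all"] = frozenset().union(*ASGS.values())  # every SWIFT server
VNET = ip_network("10.0.2.0/24")


@dataclass(frozen=True)
class Rule:
    priority: int                        # lower number is evaluated first, as in Azure
    name: str
    src: str                             # ASG name, CIDR, "VirtualNetwork" tag or "*"
    dst: str
    dst_ports: Optional[FrozenSet[int]]  # None means any destination port
    access: str                          # "Allow" or "Deny"


def selector_matches(selector: str, ip: str) -> bool:
    """Does an NSG source/destination selector cover this IP address?"""
    if selector == "*":
        return True
    if selector == "VirtualNetwork":  # Azure service tag, modelled here as the slide's subnet
        return ip_address(ip) in VNET
    if selector in ASGS:
        return ip in ASGS[selector]
    return ip_address(ip) in ip_network(selector)


# Azure's built-in inbound defaults (AllowAzureLoadBalancerInBound omitted):
# everything inside the vNet is allowed unless a custom rule denies it first.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", None, "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", None, "Deny"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule, by priority, that matches the flow."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if not (selector_matches(r.src, src_ip) and selector_matches(r.dst, dst_ip)):
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Slide "Following NSG rules were set": LB -> web and web -> DB on specific
# (hypothetical) ports are allowed; everything else between SWIFT servers is denied.
SWIFT_RULES = [
    Rule(100, "lb-to-web", "swift-LBS", "swift-apps", frozenset({443}), "Allow"),
    Rule(200, "web-to-db", "swift-apps", "swift-DBS", frozenset({1433}), "Allow"),
    Rule(4000, "deny-swift-internal", "swift-all", "swift-all", None, "Deny"),
]

# Slide "Security Group limitations": port-based blocks for Telnet and FTP control.
THREAT_RULES = [
    Rule(100, "deny-telnet", "*", "*", frozenset({23}), "Deny"),
    Rule(110, "deny-ftp-control", "*", "*", frozenset({21}), "Deny"),
]


def backup_failure_cause() -> Tuple[str, str]:
    """The DB server pushes its backup to the backup host on TCP 10000 (hypothetical)."""
    return evaluate(SWIFT_RULES, "10.0.2.30", "10.0.2.40", 10000)


def ftp_passive_data_channel() -> Tuple[str, str]:
    """Passive FTP opens a data channel on a dynamic high port (50123 here)."""
    return evaluate(THREAT_RULES, "10.0.2.20", "10.0.2.30", 50123)


if __name__ == "__main__":
    print("web -> db 1433 :", evaluate(SWIFT_RULES, "10.0.2.20", "10.0.2.30", 1433))
    print("backup 10000   :", backup_failure_cause())
    print("ftp control 21 :", evaluate(THREAT_RULES, "10.0.2.20", "10.0.2.30", 21))
    print("ftp data 50123 :", ftp_passive_data_channel())
```

The backup flow is denied by the explicit `deny-swift-internal` rule, naming the cause the slide's flow logs would not; the FTP data channel slips past the port-21 block and is allowed by the permissive default `AllowVnetInBound`.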
Limitation in multiple vNets
Simulation Time – Policies between applications, between vNets
Our Goal: Security policies between CMS and the Billing and SWIFT apps
Azure setup:
• 2 vNets
• vNet1 region – Brazil
• vNet2 region – West Europe
• NSG assigned to each vNet
• ASG assigned per app
• The NSG
• The ASGs
Brazil Customer vNet: App_Swift, Billing_all
West Europe Customer vNet: CMS_ALL_Servers
What's our goal?
Allow CMS over port 80 to SWIFT and Billing; block all other port 80 traffic.
The problem
Would it be possible to create a rule with an ASG for the CMS App servers to the SWIFT & Billing applications even though they are in separate vNets?
NO
According to Azure documentation
• Each subscription in Azure is assigned to a specific, single region.
• Multiple subscriptions cannot share the same vNet.
• NSGs can only be applied within a vNet.
Azure documentation
“If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.”
It is not possible to create policies for applications spanning vNets or regions!
Limitation in multi-cloud
Simulation Time – Application Migration from Azure to AWS
Our Goal: Migrate App CMS from Azure to AWS
Azure setup: 2 vNets, Brazil & West Europe
AWS setup: Single VPC
• The NSG
• The ASGs
• The rules
Migrating the policy rules from Azure to AWS
Deny rules in Azure Security Groups must be translated into either:
• Allow rules for all other traffic in AWS security groups
• Network-layer deny rules in AWS access control lists (ACLs).
AWS ACLs & Security Groups
Security Groups
Security groups are applied at the EC2 level and are tied to an asset, not an IP. They only enable whitelisting traffic and are stateful. They are the first layer of defense: traffic must be allowed by a security group before it is analyzed by an ACL.
ACLs
Access control lists are applied at the VPC level and are therefore tied directly to IPs. They support both allow and deny rules, but as they are tied to specific IPs, they do not support blocking by application context. They are not stateful and thus are not valid for compliance requirements.
AWS security groups vs ACLs
Security groups
• do not support blacklisting functionalities and only enable whitelisting
ACLs
• support both deny and allow rules but are tied to an IP address within a VPC, enabling blocking only of static IPs or a whole subnet
Simulation Time – Policies cross cloud
Our Goal: The Accounting App in AWS must access ONLY the Billing App in Azure (and no other app in Azure)
Azure setup: 2 vNets, Brazil & West Europe
AWS setup: Single VPC, London
The problem
Cloud providers' native tools do not offer full support for other providers' clouds, which can limit their usability in multicloud environments.
Security Groups Limitations
Azure and AWS Security Groups or ACLs enable controlling cross-cloud traffic based only on the public IPs of the cloud providers.
Sum Up - Limitations
Azure Security Groups & Flow logs
• Limited visibility
• No policy simulation or indication of impact on traffic
• NSGs can only be applied within a vNet
• Multiple subscriptions cannot share the same vNet
• To allow connections between clouds, one must permit the whole cloud range to communicate
• Default NSGs are set in a permissive mode from day 1
• ASGs are assigned to assets by IPs. What if the IP is dynamic or needs to change?
Sum Up - Limitations
AWS Security Groups & ACLs
• Limited visibility
• No policy simulation or indication of impact on traffic
• Security groups only enable Allow, no Deny
• AWS ACLs support both deny and allow rules, but are tied to an IP address within a VPC in AWS, enabling blocking only of static IPs or a whole subnet
Thank You!
@avishugz
avishag-daniely
