Scloud Aws Design Guide
Scloud Aws Design Guide
Cisco Public
June 2021
Appendix........................................................................................................................................ 83
Appendix A- AWS Security Groups with CDO ................................................................................................ 83
Appendix B- Acronyms Defined ...................................................................................................................... 84
Appendix C- AWS CloudFormation Template ................................................................................................ 84
Appendix D- Software Versions ...................................................................................................................... 85
Appendix E- References .................................................................................................................................. 85
Scope
This document illustrates the design and security aspects of an application hosted in AWS. Along with the
design and security specifications, this document also delves into the details of implementation and validation
steps for the proposed architecture.
● Cisco Tetration
● Cisco Advanced Malware Protection for Endpoints (AMP4E)
● Cisco Stealthwatch Cloud (SWC)
● Cisco Umbrella
● Cisco Firepower Next-Generation Firewalls Virtual (NGFWv)
● Cisco Adaptive Virtual Security Appliance (ASAv)
● Cisco Defense Orchestrator (CDO)
● AWS Web Application Firewall (WAF) and Shield service
● Radware Cloud Web Application Firewall (WAF) and DDOS prevention
● Cisco Duo Beyond
● Cisco SecureX threat response
For setting up the web application, we used the following AWS cloud components and services.
These validated designs provide guidance that is complete with configuration steps that ensure secure
deployments for your organization. Cisco Validated Designs (CVDs) for various SAFE PINs can be found at SAFE
home page.
Cisco SAFE simplifies network security by providing solution guidance using the concept of ‘Places in the
Network’ (PINs). This design guide is a recommended threat defense architecture for the Cloud PIN (see figure
1). Within the Cloud PIN, this design guide specifically covers the AWS cloud.
For more information on SAFE framework and architecture/design guides, check out the SAFE documentation
(select architecture/design tab).
This solution addresses the following business flows for a typical tiered web application hosted in AWS:
● Customer browsing an e-commerce web application. The customer, sitting somewhere out on the
Internet, browses the e-commerce web application hosted in the AWS cloud
● Application workloads downloading updates/patches from update servers outside the cloud (Internet).
Application workloads sitting in the cloud need to reach out to various update servers to fetch the
updates and patches at regular intervals
● Systems communicating east/west within the AWS cloud. For example- the frontend web servers will
make HTTP requests to backend application engine or the application workloads will make API calls
among themselves
● Application workloads transacting data with the database server within the cloud
● DevOps remotely accessing the management zone for workload management/update/patching purposes
Threats include; rogue identity, DDoS, web vulnerabilities, infections, and advanced persistent threats allowing
hackers the ability to take control of your devices and networks.
Considering the business flows elaborated in the last section (Figure 3), a deep dive into the attack surface for
each of those business flows is shown below.
● An untrusted/compromised user, out on the Internet, may try to exploit the cloud application or flood it
with fake traffic to render it incapable of serving the genuine users
Solution Overview
Cisco’s security approach for the modern cloud applications allows companies to achieve:
● Visibility - Complete visibility of users, devices, networks, applications, workloads, and processes
● Segmentation - Reduce the attack surface by preventing attackers from moving laterally, with
consistent security policy enforcement, application access control and micro-segmentation
● Threat Protection - Stop the breach by deploying multi-layered threat sensors strategically in the public
cloud to quickly detect, block, and dynamically respond to threats
The multi-tier architecture provides a general framework to ensure decoupled and independently scalable
application components. Each tier is separately developed, scaled, maintained and secured.
In the simplest tiered architecture form, the web applications would have the following layers:
Web tier: The end-user directly interacts with this layer. This tier has all the static web content.
Application tier: This tier is responsible for translating the user actions to application functionality. This tier
carries the core application code components. For example, application code performing the read/write
database operations.
Database tier: Storage tier or the database tier holds the data relevant to the application.
In this design, we are securing a tiered web application in the AWS cloud. We add various security capabilities
and controls, that we established in the previous sections, to a tiered web application model to make it much
more robust, secure and transparent in its security posture.
◦ Access to the web application is secured using Duo – Multi-Factor Authentication (MFA)
◦ WAF and DDoS Services protect against web vulnerabilities and denial of service attacks. In this
document, we will demonstrate Radware cloud WAF and DDoS service
◦ Perimeter segmentation is done using next-generation firewalls (NGFW) to protect against any
network level breaches. NGFWs also provide next-generation IPS and AMP capabilities along with
stateful firewall, AVC (Application Visibility and Control) and URL filtering
◦ Micro-segmentation of workloads is done using the Tetration policy enforcement agents. This would
prevent any malware or malicious movement within the pool of workloads in a specific tier
◦ Stealthwatch Cloud provides enhanced threat visibility into workload activity and the AWS cloud. It
looks for any anomalous activity within the application environment. It also facilitates the flow analytics
◦ Tetration agents allow us to gain a deep visibility into vulnerable packages and processes on the
workloads that an attacker may leverage. It also provides a very robust network flow analytics for
workload communications
◦ AMP4E detects and quarantines any malware that may infect the workloads
● Workloads downloading updates/patches from update servers
◦ Workloads are segmented into App and Web tier using Tetration Enforcement agents. No direct
inbound public access is allowed to the App and Web servers, management access is allowed only
from the management tier (also controlled via Tetration)
◦ DNS layer security is achieved using Cisco Umbrella. This prevents any accidental or deliberate
exposure to a malicious domain
◦ Stealthwatch Cloud and Tetration provide enhanced threat visibility and flow analytics
◦ AMP4E detects and quarantines any malware that may get downloaded to application workloads
● Systems communicating east/west within the AWS cloud
◦ Workloads are micro-segmented using Tetration Enforcement agents. Web, App, Database and
Inside tier has no direct inbound public access/addresses. Only Management and the Outside tier is
allowed Public IP addressing, hence exposing them to untrusted public network/internet
◦ Micro-segmentation within Web and App tier is done using the Tetration enforcement agents. This
restricts any internal movement among the workloads
◦ DNS layer security using Umbrella provides visibility into workload activity
◦ Stealthwatch Cloud and Tetration provide enhanced threat visibility and flow analytics for this flow.
They also look for any anomalous movement within the application environment or among the
workloads within a tier. Tetration agents provide deep visibility into the workloads
◦ AWS Security Groups restrict access to the database. Only App tier is allowed to communicate with
database tier
◦ Stealthwatch Cloud and Tetration provide enhanced threat visibility and flow analytics. They also look
for any anomalous movement within the application environment or among the workloads within a tier.
Tetration agents provide deep visibility into the workloads
◦ Anyconnect VPN mobility client is used to provide Secure Remote Access to the management tier. An
ASA or NGFWv can be used for VPN termination. We tested a standalone ASAv for this design. Refer
to the Secure Remote Worker design guide for detailed information on secure remote access designs
and deployments
◦ Management zone is segmented using Tetration enforcement agents. This provides the control knob
for restricting access to workloads or the various other tiers
◦ Stealthwatch Cloud and Tetration provide enhanced threat visibility and flow analytics. They also look
for any anomalous movement or activity within the application environment or from the management
tier. Tetration agents provide deep visibility into the workloads
◦ AMP4E protects the jump servers and workloads against any malware infection
Security Integrations
Let’s look at each of the security integrations in this secure design in more depth, we will start from the security
controls on the workload itself and go all the way to the edge of our public cloud web application.
We start by looking at workload security using Tetration and Advanced Malware Protection, followed by an
agentless deployment of Stealthwatch cloud for greater visibility into the AWS environment and workload
activity. Then, we will look into Umbrella DNS layer security at the AWS VPC level.
Afterwards, we move to perimeter protection using Cisco Firepower NGFWv (policy orchestrated by Cisco
Defense Orchestrator). We will also explore WAF and DDoS protection using Radware Cloud service.
Lastly, we will secure the access to our cloud application using Duo Multi-Factor Authentication.
To connect all these security controls to a single pane of glass, we will look at Cisco SecureX integrations.
Tetration offers visibility and enforcement agents that are installed on the workloads. The enforcement agents
provide an additional capability to enforce policies.
Tetration can dynamically learn various ongoing changes in the cloud workload environment and enforce an
adaptive micro-segmentation. The Tetration portal allows us to create workspaces and graphical views for
applications and enforce security from the web application point of view unlike the traditional network
perspective.
The Tetration platform supports multi-cloud and hybrid environments and hence, make the whole process of
security operations seamless across the board.
Cisco Tetration
In this specific architecture, Web and Application tier has workloads in Auto Scaling Groups. To enable the
auto-provisioning of Tetration agents, we used the User Data option provided for EC2 Instances. When the Auto
Scaling Group deploys a new workload, the shell script will install the Tetration agent on it as part of the
initialization process. Refer to the implementation section of this guide for more details.
Once the Tetration agent on the new workload is registered with the Tetration cloud (SaaS), it starts exporting
the network flow and process information to the Tetration cloud engine for analysis. Tetration ensures Cisco's
Zero Trust model by offering key features like:
Based on all these features and more, the Tetration dashboard provides us with a very convenient and flexible
scoring mechanism to monitor the security compliance of cloud applications. Tetration considers six parameters
to calculate this score (Figure 8), and these parameters can be adjusted based on one’s preference or
requirements.
Refer to the Tetration documentation for more detailed information on cloud workload protection.
In this specific architecture, just like the Tetration agent, the web and application workloads in Auto Scaling
Group are auto-provisioned with AMP4E agents using User Data option available under Auto Scaling Group
configuration. When the Auto Scaling Group deploys a new workload, a shell script will install the AMP4E agent
on the workload as part of the initialization process.
As soon as AMP4E agent on the new workload registers with the AMP cloud, the workload is continuously
monitored and reported for any malicious activity. AMP’s host isolation feature comes in very handy to contain
any spread of malware in the cloud workloads.
Stealthwatch Cloud pulls the VPC flow logs from the designated S3 bucket. It learns the AWS environment and
baselines the resources. VPC flow logs have the flow information associated with various AWS resources, even
for those that are not strictly tied to a static IP address. SWC is capable of correlating the IPs and then tying
them back to their origin AWS service. In other words, SWC performs dynamic entity modeling and organizes all
the AWS resources based on the functions that they’re performing. For example, the entity could be
categorized as a firewall, an application server or a load balancer and so on. This type of resource profiling and
modeling is extremely important to look for any suspicious activity within the cloud application environments.
In addition to VPC flow logs, Stealthwatch Cloud also consumes other telemetry sources like AWS IAM,
CloudTrail, EC2, ElasticCache, Inspector, GuardDuty, RDS, S3, Auto Scale, Elastic Load Balancing service for
additional context and alerting.
Once the Stealthwatch Cloud finishes identifying the entities, it baselines their behavior over a fixed period of
time. As soon as the baselining is completed, any unexpected behavioral change of the entities and the way
different cloud services communicate with each other is alerted on. This helps to maintain deep visibility into the
cloud environment and hence, track and prevent any unauthorized transfer of data or resource access.
Some of the common Stealthwatch alerts related to the AWS services include:
● AWS API Watchlist IP Hit - This alert is triggered when an AWS API is accessed by an IP on a user-
supplied watchlist.
● AWS Config Rule Violation – This alert uses the AWS Config Compliance observation and indicates that
the resource is not compliant with configured AWS Config rules
● AWS Login Failures – This alert is triggered when a user tries and fails to log in to the AWS Console
several times
● AWS Inspector Findings - Triggers when AWS Inspector reports a high severity event. This alert
indicates that the resource is not complying with AWS best practices
● AWS Lambda Invocation Spike- Triggers when AWS Lambda function is invoked a record number of
times. This alert may indicate a DoS attack.
Cisco Umbrella
Cisco Umbrella offers flexible cloud-delivered security. It combines multiple security functions into one solution.
Cisco Umbrella solutions provide DNS-layer security, secure web gateway, cloud-delivered firewall, cloud
access security broker (CASB), and interactive threat intel. This document covers Umbrella DNS-layer
protection for the workloads in the AWS Virtual Private Cloud (VPC).
The Umbrella DNS policies allow you to dictate block policy for a variety of pre-defined web categories. More
details on web categories can be found in Umbrella documentation. It also gives you the flexibility to apply the
policies to specific identities. For example, you could have one set of rules for your AWS cloud application and
another set for a different site.
We deploy Umbrella Virtual Appliances (VA) in the Management tier of the AWS VPC. These VAs act as DNS
forwarders to Umbrella. The AWS VPC offers the option to configure custom DNS settings (DHCP Options Set),
allowing us to point the cloud resources in a given VPC to Umbrella VAs instead of AWS local DNS. Every
resource, that is launched into the VPC, will use these Umbrella DNS forwarders, to provide a control knob for
the DNS layer security.
To provide secure remote access to the workloads and database instance, we use Cisco ASAv as a VPN
headend. Cisco ASAv offers secure remote access capabilities using Anyconnect VPN mobility client. You could
also use NGFWv for this purpose. For detailed information on secure remote access deployments, refer to the
Secure Remote Worker SAFE design guide.
Cisco Defense Orchestrator (CDO) is used for management and policy orchestration. CDO provides one
security policy, faster deployment, and smart configuration management. It eliminates the time-consuming
complexity of managing policies across multiple FTDs and ASAs.
If you choose to use AWS Security Groups alone for segmentation (without any next-generation firewalls), the
reference design is shared in Appendix A of this document. Cisco also provides CloudFormation templates and
scripts for deploying an auto-scaling group of FTDv appliances. This guide does not cover the auto scaling
solution, please refer to the Cisco documentation for more details.
Note: The terms Next-Generation Firewall (NGFW) and Firepower Threat Defense (FTD) are used
interchangeably throughout this guide. Both these terms refer to Cisco Firepower Next-Generation
Firewalls in the context of this document. AWS marketplace offering is available under the name ‘Cisco
Firepower NGFW Virtual (NGFWv)’.
When the user out on the Internet tries to browse the cloud-hosted web application, it lands on Outside
Network Load Balancer after being scanned by WAF and DDoS protection system for any malicious activity. The
destination IP at this point is the public IP of the Outside load balancer. Outside load balancer sits in the Outside
tier (segmented using AWS Security Group) and load balances traffic onto the pool of outside interfaces of
Before the traffic leaves the inside interface of the FTDv (in the Inside tier), the source of the web request is
translated (Network Address Translation) to FTD’s inside interface IP and the destination is changed to ‘Web’
load balancer IP. The source IP is translated here to ensure traffic symmetry.
Web server receiving this incoming request, after being load-balanced by the Web load balancer, fetches the
content from app workloads and returns the final response directly to the firewall which forwarded the initial
request. At this point, firewall routes this response back to the end-user via the outside interface.
Web Application Firewall and DDoS Prevention
Public cloud has become a common place to host critical applications and make these applications available to
end-users (internal or external). As a result, it is essential to ensure these applications receive the same level of
protection from distributed denial of service (DDoS) and advanced web attacks that on-premises applications
do.
Radware Cloud WAF service protects web applications from common web exploits. Radware’s Cloud Security
Services offer easy-to-deploy cloud-based security that can be integrated with any cloud environments to
provide proactive, automated protection from advanced threats. The Cloud WAF service provides full coverage
against OWASP top 10 attacks along with protection against 0-day web attacks. In addition to web traffic
protection, DDoS component provide network flow monitoring to protect against the full breadth of DDoS
attacks with real-time mitigation and no added latency in peacetime.
● Multi-Factor Authentication: Verify the identity of all users with Duo's strong multi-factor authentication
● Single Sign-on: Seamless, single dashboard access to all applications
● Remote Access: Secure access to cloud and on-premises applications and servers, with or without VPN
● Device Trust: Check that user devices meet security standards before granting them access
● Adaptive Access Policies: Set policies to allow or block access attempts by a user or a device, based on
contextual factors
In this design, we used Duo’s Multi-Factor Authentication (MFA) for our AWS cloud application. Multi-factor
authentication from Duo protects the cloud applications by using a second source of validation, like a phone or
token, to verify user identity before granting access. MFA not just allows you to build a zero-trust framework
but is also essential for compliance purposes. Duo provides native integration for any application. Refer to the
implementation section of this guide for more details.
Admins have several options when it comes to enrolling new users in Duo, such as self-enrollment, Active
Directory sync, and OpenLDAP sync. Duo admin portal allows a highly convenient way to track any user activity.
● Aggregated threat intelligence: Integrates threat intelligence from Cisco TALOS and third-party sources
to automatically research indicators of compromise (IOCs) and confirms threats quickly
● Automated enrichment: Automatically adds context from integrated Cisco Security products, so that you
instantly know which of your systems was targeted and how
● Incident tracking: Provides the capability you need to collect and store key investigation information, and
to manage and document your progress and findings
● Interactive visualizations - Shows your results on intuitive, configurable graphs for better situational
awareness and quick conclusions
● Seamless drill down - Makes deeper investigations easy using integrated Cisco Security products. A
single click takes you inside Cisco AMP for Endpoints
● Direct remediation - Lets you take corrective action directly from its interface. Block suspicious files,
domains, and more without having to log in to another product
In this architecture, we are receiving information from Stealthwatch Cloud, Umbrella, AMP and Tetration to
provide threat intelligence, contextual approach, and threat hunting capabilities. Integrations for and Radware
Cloud WAF and DDoS service are also available. Refer to the Cisco SecureX documentation for more details on
available Cisco and third-party integrations.
Design Implementation
Now that we have established the design specifics of our tiered application in the AWS cloud, we will begin
implementing and setting up the secure AWS application.
We will start by setting up the AWS VPC (Virtual Private Cloud) as per the tiered architecture specifications. We
will then integrate the Stealthwatch Cloud and onboard the VPC to CDO for Security Group management. After
that we will set up the Umbrella VAs in the management tier and update the DNS server settings for the VPC.
Once the AWS VPC and related integrations are finished, we will configure an RDS database instance and bring
up the Auto Scaling Groups for the Application and Web workloads (with Tetration, AMP4E agents and Duo
MFA plugin). We will then set up the Network Load Balancers for Web and Application Auto Scaling Groups. At
this point we will have a fully functional application running in the AWS cloud.
In the last step, we will configure the firewalls, enable WAF and DDoS protection and then conclude our set up
with Cisco SecureX integration.
Note: Cisco Tetration, AMP, Cisco SecureX threat response, Stealthwatch Cloud, Umbrella, Duo and CDO
offer EU based locations for customers having to follow EU rules.
Note: Before you begin, make sure you have the appropriate privileges to create all the VPC components.
Follow the AWS Documentation for more information on IAM service.
Implementation procedure:
Step 1. Create the VPC
Step 2. Set up the Subnets
Step 3. Set up the Internet gateway
Step 4. Set up the NAT gateways
Step 5. Set up the Routing Tables
Step 6. Create the Security Groups
Step 1. Create the VPC - Log on to the AWS console and select the VPC service, click on Create VPC
and fill in the required details. We chose the IPV4 CIDR block as 10.0.0.0/16.
Step 2. Set up the Subnets – Based on the tiered architecture, we defined two subnets for each tier
- one for each AWS Availability Zone.
Go to VPC Dashboard > Subnets and create all these subnets and name them appropriately.
Step 3. Set up the Internet gateway– Navigate to VPC Dashboard > Internet Gateways to create an
Internet Gateway for providing Internet access to Public resources in the VPC.
Note: We will use this Internet Gateway as the next hop for default routes in Firewall Route table (For
Inside and Outside subnets) and the Management Route Table (For Management Subnets) respectively.
Step 4. Set up the NAT gateways - Navigate to VPC Dashboard > NAT Gateway to create NAT
Gateways for providing Internet access to all resources in private subnets.
Note: We will use these NAT Gateways as the next hop for default routes in Web, App and Db Route
tables.
Step 5. Set up the Routing Tables - Go to VPC Dashboard > Route Tables and create the routing
tables with subnet associations as per the table below.
Step 6. Create the Security Groups - Go to ‘VPC Dashboard > Security Groups’, set up a Security
Group corresponding to each tier in the design. Set up the inbound access rules as per the
application requirements. We used the following inbound rules.
Port Reason
TCP port Allow HTTP access from the inside subnets to web servers
80
appSG
Port Reason
TCP port Allow HTTP access from workloads within application tier subnets (allows load balancer health
80 checks).
Allow HTTP access from web tier subnets.
dbSG
Port Reason
mgmtSG
Port Reason
UDP 53 Allow DNS traffic from appSG, webSG, dbSG and mgmtSG
firewallSG
Port Reason
All traffic Allow all access from internet, we will control the traffic using firewall access lists.
Note: AWS Elastic Network Load Balancer (NLB) preserves the source IP of incoming connections from
web tier workloads, hence we need to allow the source subnets specifically. We cannot use Security
Groups to allow traffic from NLB, we must use subnets. Follow the AWS Documentation for more
information on Security Group requirements for NLB.
Step 2. Create the Umbrella VA instances - Create two VA instances using the AMI set up in Step1
and place these appliances in the management tier. We assign the static IP addresses
10.0.8.100 and 10.0.9.100 to these Umbrella Virtual Appliances. These VAs will act as DNS
forwarders for the resources in our AWS application environment.
Optionally, you can create and assign a site name for your AWS VAs. This site name can be used as
an identity to configure specific policies for AWS Cloud. Click on Settings on the same page to add
site name and then update the VA entries above.
Step 3. Configure the local DNS on Umbrella Virtual Appliances - Follow the Umbrella documentation
to configure local DNS on each VA. Based on the CIDR block chosen for lab VPC, the second IP
address i.e. 10.0.0.2/24 is the local DNS. Set this IP as local DNS on both Umbrella VAs.
Note: We had set up Secure Remote Access to management tier using ASAv, we use the secure VPN
connection to SSH into the VAs via a jump server hosted in the management tier. For more information on
Secure Remote Access, refer to the Secure Remote Worker SAFE Design guide.
Step 4. Set up policies to exempt internal domains - Log on to the Umbrella portal, go to
Deployments > Configuration > Domain Management and add the internal domains that
Step 5. Update the DHCP Options Set for the VPC - Go to VPC Dashboard > DHCP Options Sets and
create a new DHCP options set. Set the domain name servers to two IPs that we assigned to
Umbrella VAs – 10.0.8.100 and 10.0.9.100.
Go to VPC Dashboard > Your VPCs, select the newly created VPC above and update the DHCP
options set from the drop-down list. This will ensure that any instance deployed in this VPC is
assigned the Umbrella VAs as DNS forwarders.
Follow the AWS documentation for more details on DHCP Options Sets.
Step 2. Set up the RDS database instance – Set up the database instance as per your application
requirements, follow the AWS documentation for further help. Use the Subnet Group defined in
Step 1 above. The database instance is placed in Security Group ‘dbSG’.
Make sure you note the username, password, endpoint hostname and port, we need these details to
set up our cloud application later in this section.
Per our tiered design, we will set up a ‘Web’ Network Load Balancer (NLB) for the Web Server workloads and
an ‘App’ Network Load Balancer (NLB) for the Application workloads. We will create Target Groups for each
NLB; the workloads register themselves with these Target Groups.
We will not register any instances to the Target Groups at this point but in the next section when we create the
Auto Scaling Groups, we will integrate the Auto Scaling Groups with each of these blank Target Groups that we
The Load Balancers will be configured to run health checks for each instance that is launched into the Target
Groups. As soon as an instance is marked healthy, the Load Balancer starts load balancing traffic to it. When
the instance becomes unhealthy, it is removed from the pool.
Implementation procedure:
Step 1. Set up the Web Network Load Balancer
Step 2. Set up the App Network Load Balancer
Step 1. Set up the Web Network Load Balancer - The Web NLB is used to load balance web traffic
coming from the Internet to the Auto Scaled pool of Web workloads. This load balancer is
placed in the ‘webSG’ Security Group in the subnets – ‘WebSubnet1a’ and ‘WebSubnet1b’. A
new Target Group ‘WebServerPool’ is also created as part of load balancer configuration, this
will be used later while setting up Auto Scaling Group for Web Servers.
Assign static IP addresses in each availability zone. Make a note of these IP addresses, we will
require these IPs while setting up the static NAT translations on FTD appliances in later section of this
document.
Implementation procedure:
Step 1. Host the configuration files in an S3 bucket
Step 2. Set up Launch Configurations
Step 3. Set up the Auto Scaling Groups
Step 4. Configure the Auto Scaling policies
◦ App workloads – Modified Publicly available ‘WordPress’ blog code with database connection
information (we recorded the database credentials while setting up RDS previously). Duo Plugin was
also hosted in this S3 bucket.
◦ Web workloads – The Web Server config file. This file has the FQDN address of App Network Load
Balancer that we created in previous steps.
● AMP4E agent installer (AMP rpm and GPG). These were obtained from AMP cloud portal
● Tetration agent installer (Enforcement agent). These are downloaded from Tetration SaaS portal
Note: For Duo MFA for the cloud application, we used Duo WordPress plugin. However, if you choose to
include the Duo integration in your native application, follow the DUO Web SDK documentation.
Step 2. Set up the Launch Configurations - Go to EC2 Dashboard> Auto Scaling > Launch
Configuration and create launch configurations for web and application servers. For more
information on creating Launch Configurations follow the AWS documentation.
● For the base image/operating system, we chose CentOS
● Under the Advanced details options, make sure not to assign any public IPs to the instances in the
launch configuration
● Under the same Advanced details options, we use the User Data option to initialize the EC2 instances
when they are launched into the auto scaling pool. For more details on User Data option, check out the
AWS documentation. As part of this initialization process, we perform the following tasks:
◦ Install packages (php, wget, unzip, lsof, httpd, ipset, nginx) on the workloads. Some of these are
prerequisites for AMP4E and Tetration agents. Refer to the corresponding product documentation to
understand these requirements
◦ Download the WordPress Duo plugin from S3 bucket to the application workloads
◦ Download and install the Tetration enforcement agent to all the workloads
#Setting up the web server and updating it with hosted configuration file.
sudo mv nginx.conf nginx.conf.backup
sudo wget https://safelabfiles.s3.us-east-2.amazonaws.com/config/nginx.conf
sudo systemctl restart nginx
sudo systemctl enable nginx
#Downloading the Tetration enforcement agent from AWS S3 bucket and installing it.
sudo wget https:// safelabfiles.s3.us-east-
2.amazonaws.com/config/tetration_installer_intgssopov_enforcer_linux.sh
sudo chmod 755 tetration_installer_intgssopov_enforcer_linux.sh
sudo ./tetration_installer_intgssopov_enforcer_linux.sh --skip-pre-check
#Downloading the AMP4E agent hosted in an AWS S3 bucket and installing it.
sudo wget https:// safelabfiles.s3.us-east-2.amazonaws.com/config/cisco.gpg
sudo rpm --import ./cisco.gpg
sudo wget https:// safelabfiles.s3.us-east-2.amazonaws.com/config/AWS_rhel-centos-
7fireamplinux_connector.rpm
sudo yum install -y AWS_rhel-centos-7fireamplinux_connector.rpm
#Downloading the Tetration enforcement agent from AWS S3 bucket and installing it.
sudo wget https://safelabfiles.s3.us-east-
2.amazonaws.com/config/tetration_installer_intgssopov_enforcer_linux.sh
sudo chmod 755 tetration_installer_intgssopov_enforcer_linux.sh
sudo ./tetration_installer_intgssopov_enforcer_linux.sh --skip-pre-check
#Downloading the AMP4E agent hosted in an AWS S3 bucket and installing it.
sudo wget https://safelabfiles.s3.us-east-2.amazonaws.com/config/cisco.gpg
sudo rpm --import ./cisco.gpg
sudo wget https://safelabfiles.s3.us-east-2.amazonaws.com/config/AWS_rhel-centos-
7fireamplinux_connector.rpm
sudo yum install -y AWS_rhel-centos-7fireamplinux_connector.rpm
Step 3. Set up the Auto Scaling Groups - Create two Auto Scaling Groups using the Launch
Configurations created in the previous step, one for the Web servers and another one for the
Application servers. For more information on creation of Auto Scaling groups, follow the AWS
documentation.
Once the Auto Scaling Groups are created, select each group and click on edit. In the edit
menu, update the target groups and health check types. For Web Server Auto Scaling group,
set the target group to ‘WebServerPool’ as created during the Web NLB set up. Also, update
the health check type to ELB to integrate the Auto Scaling Group with Load Balancer. Repeat
the same steps for the App Server Auto Scaling Group, use the target group ‘AppServerPool’
created during App NLB set up.
Follow the AWS documentation for more further details on scaling policies.
Once the firewalls are set up, we will enable public access to the application via an ‘Outside’ Network Load
Balancer.
Implementation procedure:
Step 1. Set up the AWS Environment for NGFWv
Step 2. Deploy NGFWv EC2 instances
Step 3. Onboard the NGFWv to CDO
Step 4. Configure interfaces, routes, NAT and access control on NGFWv
Step 5. Set up the Outside Network Load Balancer
Step 1. Set up the AWS Environment for NGFW- To deploy Firepower Threat Defense Virtual we need
to set up the Network Interfaces for the appliance and allocate Elastic IPs to be assigned to the
Management and Outside Interfaces. We use the IP addressing as defined in table below.
Navigate to EC2 Dashboard > Network Interfaces and Create Network Interfaces for inside and
outside interfaces of each FTDv appliance.
Select the network interfaces that were created and right click on Change Source/Dest. Check to
disable it.
Navigate to EC2 Dashboard > Elastic IPs and click on Allocate New Address to allocate two elastic
IPs.
Step 2. Deploy NGFWv EC2 instances– Navigate to EC2 AWS console and click on launch and choose
an AMI for Cisco Firepower NGFW virtual appliance. Choose the Instance Type.
Click the Add Device button under Network interfaces to add the eth1 network interface.
Change the Subnet to match your previously created management subnet that is used for eth0.
Under Advanced Details, add the default login information as User data.
Click Next to Add Storage. You can accept the default or change the volume. Click Next again to add
a Tag, this step is optional as well.
Lastly, Select Next again to Configure Security Group. Click Select an existing Security Group and
choose the previously configured Firewall Security Group.
Select the newly configured FTDv appliance and click Actions, select Networking > Attach Network
Interface to attach the outside and inside Network Interfaces created in Step 1.
Go back to FDM portal and go to Cloud Services option under System Settings. Paste the
Registration Key, specify the Region and click on Register.
Repeat the same steps for the other firepower device, CDO will sync the configuration for both the
devices. At this point we have successfully finished onboarding both the FTDs to CDO.
Go back to the same menu and go to Routing option now, set the default route pointing to the
gateway on outside the subnet- 10.0.0.1. Also, add the route for internal subnets (web, app and
database subnet) pointing to the gateway on the inside subnet- 10.0.1.1. Lastly, add a route for AWS
Metadata Server IP address for health probes, set the next hop as the inside subnet gateway.
Next, we set up three NAT rules. First is an optional dynamic PAT rule to allow outbound traffic to the
Internet from the application workloads. You would need this rule if you decide to forward any
outbound flows to the internet via NGFWv appliance. The translation would be as below.
Source: WorkloadIP:Port => OutsideFWInterfaceIP:Port
In a similar manner, we pick a random health check port for FTD (example – TCP port 6612) and set
up third NAT translation rule to forward the health check traffic to AWS metadata server. When
Outside NLB sends TCP health probes on port 6612 to outside interface of FTD, the FTD would
translate the source to Inside interface IP and destination to AWS metadata server on port 80 and
forward the traffic.
Source translation: InternetUserIP:Port => InsideFWInterfaceIP:Port
Destination translation: OutsideFTDIP:HealthCheckPort => AWSMetaDataServer:HTTP
Lastly, we configure access control policies to allow traffic from inside zone to outside zone. We also
allow HTTP traffic incoming from the Internet users and health probes from outside NLB.
Go to Policies > FTD Rulesets on CDO portal and click on plus button to add a an FTD ruleset. Within
this newly created ruleset, add the access rules and attach it to the newly onboarded FTD appliances.
Repeat the same set up for the second FTD device and then deploy all the changes.
Step 5. Set up the outside NLB - In this step, we will set up the outside NLB with the Target Group for
outside interfaces of the two FTDv appliances.
At Step 3, specify a Name for the Target group for FTD appliances. Select the Target type as IP and
Protocol as TCP on Port 80. For Health checks, override the Port to 6612 (we had previously set up
the FTD to redirect health probes on port 6612 to AWS metadata server). Click Next after making all
the changes.
Click Next and Review and submit the changes to finish Outside NLB creation.
Radware Cloud WAF and DDoS services are integrated by using CNAME DNS records. Deployment is
independent of any specific Cloud service providers.
Implementation procedure:
Note: As part of the onboarding process, each customer can choose between immediate and learning
based protection. Immediate protection will enforce a predefined security policy, preventing known
attacks. In order to cover both known and unknown attacks, Radware recommends using the learning-
based protection method. During the first 2 weeks (duration can vary depending on traffic), Radware
evaluates traffic patterns and can automatically update both negative and positive security models by
refining signatures, creating exceptions and building the allowed file extension list per application, greatly
reducing false positives.
Once the details are saved, the application can be seen as below.
Click on the application and copy the allocated CNAME. We need to create a DNS record for our
application with this Radware CNAME.
Step 3. Update the DNS setting to point traffic to Radware Cloud – Once the domain registration is
completed, go back to Route 53 hosted domain and update the DNS record sets with Radware
CNAME. After this change, it might take a few minutes for the DNS update to propagate. Once
the DNS records are fully updated, the traffic will start getting redirected to Radware Cloud
servers before it hits the ‘origin server’ in the AWS cloud.
Note: To eliminate direct origin attacks, Radware recommends configuring the perimeter firewall to only
allow the Cloud WAF to access the application origin server directly. The service IP addresses can be
requested from Radware Support Team. For more information, check out the Radware Cloud WAF Quick
Start guide (login required).
Implementation procedure:
Step 1. Add Integration modules
Step 2. Save the module
Step 1. Add Integration modules - Log on to the SecureX dashboard and go to Integration modules
tab, click on Add a New Module and select from the available modules. SecureX dashboard
displays all the steps on API key generation and integration for each available module.
Validation Testing
Tetration
Validation procedure overview:
Validation procedure:
Step 1. Build an inventory
Step 2. Define scopes
Step 3. Create a workspace
Step 1. Build an inventory – Define the attributes that would help you segregate your tiered application
workloads in the cloud and hence construct policies for them. We will use a combination of two
different methods to add user annotations - 1) Upload a CSV file 2) Auto generate annotations
using external AWS orchestration.
1.1: Based on the architecture of our tiered application (elaborated in the previous sections of this document),
the following annotations were used (Table: AWS Cloud Inventory). Save this in a CSV file format.
1.3: Go to ‘Visibility > External Orchestrator’. Click on ‘Create New Configuration’ and fill in the required details
as shown below.
Note: - You will need to create an Access Key in your AWS account to be used in this configuration.
Follow AWS documentation for more details on access key creation.
Step 2. Define scopes – We will define a scope to group together all the workloads in our tiered
application in the AWS cloud. We will make use of the annotations/filters that we constructed in
Step 1. We created the scope ‘AWS-US-EAST’, which includes all the workloads from our
tiered app in ‘US-East’ region in AWS Cloud.
Click on the settings icon in the top right corner of the portal and then go to ‘Scopes’ option. Click on ‘Create
New Scope’ and fill in the name of the Scope and a query as below.
Step 3. Create a workspace - Application workspaces are the containers for defining, analyzing and
enforcing policies for a particular application. We will create a workspace for our tiered AWS
cloud application in this step.
Click on ‘Segmentation’ and then click on ‘Create New Workspace’. Give the workspace a name and select the
Scope that we created in Step 2.
At this point, we have successfully built the inventory, created a scope and defined a workspace for our tiered
cloud application.
Validation procedure:
Step 1. Discover policies using ADM
Step 2. Refine inventory filters, clusters and policies
Step 3. Create the App View
Step 1. Discover policies using ADM - Before running the ADM, ensure that all types of traffic flows
are generated in the application environment. This would provide ADM the required data to
generate an accurate policy set and hence ensure that we don’t miss any critical but less
common traffic flows.
Go to the newly created workspace and click on ‘Start ADM Run’ on the top right corner, select a suitable time
range to ensure that you cover all the traffic flows.
Step 2. Refine inventory filters, clusters and policies - Post the ADM run, policies and clusters would
be generated. At this point, we manually update and customize all the cluster queries and
approve them.
2.1: Go to ‘Clusters’ tab, click on any of the clusters, the panel on the right-hand side will show the cluster
details like name, description, cluster query, workloads, neighbors. Update name and description to make it
more intuitive, update the cluster query if need be. For example, we updated the cluster query for auto scaled
workloads. We used previously defined annotation to dynamically identify the workloads in Auto Scaling groups
for the web and application servers.
Validation procedure:
Step 1. Publish the policies
Step 2. Verify policy enforcement on workloads
Step 1. Publish the policies – Select the ‘Enforcement’ tab on the Tetration portal within the application
workspace and click on ‘Enforce Policies’.
Step 2. Verify policy enforcement on workloads - Since we had CentOS based workloads, we
monitored the ‘/usr/local/tet/log/tet-enforcer.log’ to see if policies are successfully enforced. A
simple ping or telnet test can also be used to verify the lockdown of ports and protocols.
Validation procedure:
Step 1. Check the vulnerability report
Step 2. Fix a vulnerability and rerun the report
Step 1. Check the vulnerability report – Go to ‘Security > Vulnerabilities’, click on ‘Packages’ tab to
see all the vulnerable packages installed on various workloads in our three-tier application. For
the sake of this test, let’s consider ‘libcurl-7.29.0-51.e17’ as shown below.
Step 2. Fix the vulnerability and rerun the report – We update the libcurl package from this workload
to the latest version which has the fix to the CVEs listed in step.
Wait for a few minutes after the uninstall, go back to Tetration portal and check the vulnerability report again.
We can see that none of the CVEs related to libcurl show up anymore.
Validation procedure:
Step 1. Setting up AMP4E policy to quarantine a suspicious file
Step 2. Verifying the deletion of a suspicious file
Step 3. Setting up AMP4E policy to quarantine a suspicious file – For the validation purpose, we
consider a 1 MB PDF file that we will block list using AMP ‘Simple Custom Detections’. We will
then try to download the same PDF file on a cloud workload and assert that our policy works as
expected.
As per our initial AMP4E set up, we had configured the group ‘Secure Cloud’ (Management > Groups) for our
workloads in the AWS cloud.
Note: During our implementation phase we had used the AMP4E agent tied to this specific group ‘Secure
Cloud’, which we had created as part of the initial AMP4E set up (not elaborated in this guide, follow
It can be seen in the snapshot above that we tied the specific group to Linux policy ‘CloudApp-LinuxPolicy’. Go
to ‘Management > Policies’ and select the specific Linux policy.
Note: We had preconfigured the Linux policy associated with AMP4E group ‘Secure Cloud’. We also tied
a new Simple Custom Detection ‘CloudApp-CSD’ to the Linux policy. If there was no initial config on AMP
console, then you would see default policies here.
As we see in the snapshot, the Linux policy above is tied to Simple Custom Detections ‘CloudApp-CSD’
(Outbreak Control > Simple).
Go to ‘Outbreak Control > Simple Custom Detections’ and click on edit ‘CloudApp-CSD’ to upload the PDF file
that we want to block list in the AWS cloud environment. Uploading the PDF file will add the SHA value to the
SCD policy and quarantines the file associated with it from all the cloud workloads registered under the specific
group.
We also confirm the quarantine event from the event logs on the AMP Cloud portal. Log on to the AMP Cloud
portal and go to ‘Analysis > Event’, we see a ‘Quarantine successful’ event post our steps above.
Validation procedure:
Step 1. Monitor suspicious activity in Stealthwatch Cloud
Step 1. Monitor suspicious activity in Stealthwatch Cloud - Login to the Stealthwatch cloud portal.
Go to ‘alerts’, we see the alert ‘Excessive Access Attempts’ as shown below. This alert
indicated that there were numerous attempts to get SSH access from an unexpected geo
location, which is a suspicious behavior.
Validation procedure:
Step 1. Set up DNS policy for AWS workloads
Step 2. Confirm if malware domain is blocked
Step 1. Set up DNS policy for AWS workloads – Go to ‘Policies > Management > DNS Policies’, add a
new policy and make sure ‘Malware’ is set to block under security settings. Save the change.
To further confirm the block action, select ‘Reporting > Activity Search’ and filter the accessed malware
domain. Events show the action as ‘Blocked’.
Validation procedure:
Step 1. Configure and enforce the access policy
Step 2. Verify the access block
Step 1. Configure and enforce the access policy - We log on to a Web Server workload and try to
access a non-standard TCP port on a server on the Internet. We can see in the snapshot below
that the Web Server workload is able to connect at this point.
We want to block outbound access to such random TCP ports from our Web workloads. Log on to the CDO
portal and go to ‘Policies > AWS VPC policies’, we can see that the ‘WebSG’ policy allows the Web workloads
to access any destination on any port on the Internet.
Step 2. Verify the access block - Now that we have updated the policy, we will try and attempt to
verify the access. We SSH to a web server again and try to access websites on a random TCP
port 666. We can see the connection timing out or getting blocked now. We can also see that
an outbound access to a server on the internet on standard HTTP and HTTPS is still allowed.
Validation procedure:
Step 1. Monitor Web and DDoS activity on Radware Cloud WAF and DDoS Portal.
Step 1. Monitor Web activity and DDoS activity on Radware Cloud - On the Radware Cloud portal, go
to Monitor > Security Events to see all the WAF and DDOS events generated from any
malicious activity targeting your application.
Radware’s Application Analytics combines a large number of similar events and consolidating them into small,
manageable sets of recurring activities. This helps to streamline response by providing additional context to
security events needing attention.
● Test Case 1 - Set up the cloud application for Two-Factor Authentication (2FA)
● Test Case 2 - Monitor 2FA activity from Duo admin portal
Test Case 1: Set up the cloud application for Two-Factor Authentication (2FA)
This test case involves logging into the application for the first time and activating the duo plugin. Previously,
during the implementation phase, we had already downloaded the plugin to application workloads using AWS
User Data option. Follow the Duo documentation (skip step 2 under ‘Install and Configure the Plugin’) to activate
WordPress Duo plugin. After activating the plugin, log out and log in again. This time Duo will prompt the user
to enroll their phone for 2FA. After successful enrollment, user gets the ability to approve subsequent login
attempts.
Validation procedure:
Step 1. Set up Duo 2FA for a new user
Step 2. Log onto the cloud application
Step 1. Set up Duo 2FA for a new user - After the initial plugin activation, the Duo MFA kicks in and
since this is the first authentication attempt, the user is prompted to enroll for MFA.
Validation procedure:
Step 1. Verify the 2FA enrolled devices
Step 2. Track the user logins in authentication logs
Step 3. Verify the 2FA enrolled devices - Logon to the Duo admin portal and select ‘2FA Devices’, the
portal shows the list of enrolled devices along with other details like platform, hardware model
and usernames.
Implementation procedure:
Step 1. Investigate a malicious SHA value
Step 2. Track the file trajectory
Step 1. Investigate a malicious SHA value - Log on to the threat response portal and select
‘Investigate’. Add the SHA value in provided space and click on ‘Investigate’. Threat response
pulls all the information about the associated file and what workloads the specific file had
interacted with. Under the ‘Observables’ section, we can see that AMP4E detected this SHA
Step 2. Track the file trajectory - Click on the ‘SHA-256 Hash’ shown in the Relations Graph. Expand
the drop-down menu and click on ‘File trajectory’.
Clicking on ‘File trajectory’ should redirect you to AMP4E portal page which displays the trajectory of the
malicious file on the specific workload. Clicking on a particular timestamp displays the related events. The event
history shows all the events associated with the specific file.
We can use CDO as a single pane to manage the AWS Security Groups, providing a centralized management
solution across multiple AWS VPCs.
VA - Virtual Appliance
Appendix E- References
This section lists all the references.
● Cisco SAFE:
https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_safe.html
● AWS Three Tier Architecture:
https://d0.awsstatic.com/whitepapers/aws-web-hosting-best-practices.pdf
● Cisco Tetration:
https://www.cisco.com/c/en/us/products/security/tetration/index.html
● Cisco Stealthwatch Cloud:
https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
● Cisco AMP for Endpoint:
https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
● Cisco Duo Beyond:
https://duo.com/docs/wordpress
● Cisco Umbrella:
https://docs.umbrella.com/deployment-umbrella/docs/deploy-vas-in-amazon-web-services
● Cisco Defense Orchestrator:
https://www.cisco.com/c/en/us/products/security/defense-orchestrator/index.html