Evolving AWS Network Security - 신은수, AWS Security Specialist Solutions Architect :: AWS Summit Seoul 2021
KOREA | MAY 11-12, 2021
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Evolving AWS Network Security
신은수
Security Specialist Solutions Architect
AWS
Gateway Load Balancer & AWS Network Firewall
Agenda
Gateway Load Balancer
- Network security requirements
- Configuring third-party security solutions
- Using Gateway Load Balancer
AWS Network Firewall
- Introduction to AWS Network Firewall
- Using AWS Network Firewall rules
- AWS Network Firewall deployment patterns
We have to deploy an intrusion prevention system (IPS) for privacy protection or regulatory compliance.
How do we do that in an AWS environment?
Gateway Load Balancer
Network security requirements in an AWS environment
(Diagram: security requirements)
Configuring third-party security solutions: Active-Passive configuration
(Diagram: two security appliance EC2 instances, one active and one passive, each with a private IP and sharing a public IP)
Challenge: failover scenarios for the security appliance, difficulty scaling out, and a single point of failure.
Configuring third-party security solutions: Elastic Load Balancer configuration
(Diagram: security appliance EC2 instances with private IPs placed behind an Elastic Load Balancer that holds the public IP)
Challenge: logging the original client IP address behind the load balancer.
Configuring third-party security solutions: Gateway Load Balancer configuration
(Diagram: traffic arrives at an Elastic IP, is steered to a Gateway Load Balancer Endpoint in the customer VPC, and reaches the security appliance EC2 instances (private IPs) behind the Gateway Load Balancer over PrivateLink, inside a GENEVE tunnel)
Gateway Load Balancer configuration: traffic flow
A client at 214.13.213.11 reaching an EC2 instance behind the firewall, hop by hop (addresses as on the slide):

Hop                                 | Outer Source IP     | Outer Destination IP | Source IP (inner) | Destination IP (inner)
Client -> Internet Gateway          | -                   | -                    | 214.13.213.11     | Public IP of the EC2 instance
Internet Gateway -> GWLB Endpoint   | -                   | -                    | 214.13.213.11     | Private EC2 IP
GWLB -> firewall (GENEVE tunnel)    | GWLB IP             | Private firewall IP  | 214.13.213.11     | Private EC2 IP
Firewall -> GWLB (GENEVE tunnel)    | Private firewall IP | GWLB IP              | 214.13.213.11     | Private EC2 IP
GWLB Endpoint -> EC2                | -                   | -                    | 214.13.213.11     | Private EC2 IP

The original packet travels unchanged as the inner packet of the GENEVE tunnel: the appliance inspects it and hands it back to the GWLB with only the outer addresses swapped, so the client IP is preserved all the way to the EC2 instance.
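The encapsulation in the table above, as an added example that is not part of the original slides: Python that builds the GWLB-to-appliance GENEVE packet, parses it on the appliance side, and produces the return packet the GWLB expects. The GWLB address (192.168.1.10), appliance address (192.168.1.20), the EC2 address and the ENI/attachment/cookie values are assumptions for this example; the GENEVE option class and type numbers are reproduced from the AWS GWLB documentation as remembered here and should be verified before use.

```python
"""GENEVE encapsulation between a Gateway Load Balancer and an inline appliance.

Added example (not from the original slides): builds the outer IPv4/UDP/GENEVE
wrapper the traffic-flow table describes, parses it on the appliance side, and
builds the return packet the GWLB expects: outer addresses swapped, GENEVE
header (options included) and inner packet untouched.
"""
import ipaddress
import struct

GENEVE_UDP_PORT = 6081      # IANA port for GENEVE
ETHERTYPE_IPV4 = 0x0800     # inner payload is a raw IPv4 packet
PROTO_TCP, PROTO_UDP = 6, 17

# GENEVE TLV options that GWLB attaches (option class 0x0108): 8-byte endpoint
# ENI ID, 8-byte attachment ID, 4-byte flow cookie. Values reproduced from the
# AWS GWLB documentation as remembered; verify before relying on them.
AWS_OPT_CLASS = 0x0108
OPT_ENI_ID, OPT_ATTACHMENT_ID, OPT_FLOW_COOKIE = 1, 2, 3


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def geneve_option(opt_class: int, opt_type: int, data: bytes) -> bytes:
    """TLV: class(16) | type(8) | reserved(3)+length(5, in 4-byte words) | data."""
    if len(data) % 4:
        raise ValueError("GENEVE option data must be a multiple of 4 bytes")
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def geneve_header(vni: int, options: bytes) -> bytes:
    """8-byte base header: ver(2)+optlen(6) | flags | protocol type | VNI(24)+rsvd(8)."""
    return struct.pack("!BBHI", (len(options) // 4) & 0x3F, 0, ETHERTYPE_IPV4, vni << 8) + options


def gwlb_encapsulate(gwlb_ip, appliance_ip, inner, *, vni=0, eni_id, attachment_id, flow_cookie):
    """Outer IPv4 (GWLB -> appliance) / UDP 6081 / GENEVE + options / inner packet."""
    options = (geneve_option(AWS_OPT_CLASS, OPT_ENI_ID, struct.pack("!Q", eni_id))
               + geneve_option(AWS_OPT_CLASS, OPT_ATTACHMENT_ID, struct.pack("!Q", attachment_id))
               + geneve_option(AWS_OPT_CLASS, OPT_FLOW_COOKIE, struct.pack("!I", flow_cookie)))
    geneve = geneve_header(vni, options) + inner
    udp = struct.pack("!HHHH", GENEVE_UDP_PORT, GENEVE_UDP_PORT, 8 + len(geneve), 0) + geneve
    return ipv4_packet(gwlb_ip, appliance_ip, PROTO_UDP, udp)


def parse_geneve(packet: bytes) -> dict:
    """Appliance-side view: outer/inner addresses, VNI, GWLB options, raw inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = packet[ihl:]
    _, dport, _, _ = struct.unpack("!HHHH", udp[:8])
    if dport != GENEVE_UDP_PORT:
        raise ValueError("not a GENEVE packet")
    g = udp[8:]
    first, _, ptype, vni_field = struct.unpack("!BBHI", g[:8])
    if first >> 6 != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GENEVE version or inner protocol")
    opt_end = 8 + (first & 0x3F) * 4
    options, pos = {}, 8
    while pos < opt_end:                      # walk the TLV options
        cls, typ, lenbyte = struct.unpack("!HBB", g[pos:pos + 4])
        dlen = (lenbyte & 0x1F) * 4
        options[(cls, typ)] = g[pos + 4:pos + 4 + dlen]
        pos += 4 + dlen
    inner = g[opt_end:]
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "vni": vni_field >> 8,
        "eni_id": struct.unpack("!Q", options[(AWS_OPT_CLASS, OPT_ENI_ID)])[0],
        "flow_cookie": struct.unpack("!I", options[(AWS_OPT_CLASS, OPT_FLOW_COOKIE)])[0],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner": inner,
        "geneve": g,
    }


def appliance_return(packet: bytes) -> bytes:
    """Packet an allowing appliance sends back: outer src/dst swapped, GENEVE
    header (flow cookie included) and inner packet byte-for-byte unchanged.
    A drop verdict is simply never returning the packet."""
    p = parse_geneve(packet)
    udp = struct.pack("!HHHH", GENEVE_UDP_PORT, GENEVE_UDP_PORT, 8 + len(p["geneve"]), 0) + p["geneve"]
    return ipv4_packet(p["outer_dst"], p["outer_src"], PROTO_UDP, udp)


if __name__ == "__main__":
    # Constructed sample: client 214.13.213.11 (from the slide) -> EC2 10.0.21.10, TCP.
    inner = ipv4_packet("214.13.213.11", "10.0.21.10", PROTO_TCP, b"\x00" * 20)
    wire = gwlb_encapsulate("192.168.1.10", "192.168.1.20", inner,
                            eni_id=0x1122334455667788, attachment_id=1, flow_cookie=0xCAFE)
    for label, pkt in (("GWLB -> firewall", wire), ("firewall -> GWLB", appliance_return(wire))):
        p = parse_geneve(pkt)
        print(f"{label}: outer {p['outer_src']} -> {p['outer_dst']}, "
              f"inner {p['inner_src']} -> {p['inner_dst']}, cookie {p['flow_cookie']:#x}")
```

The point to take from appliance_return is that an inline appliance must echo the GENEVE header, flow cookie included, exactly as it arrived; the GWLB uses it to map the packet back to the right endpoint and flow, and a rewritten header is silently discarded.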
Routing configuration for a GWLB deployment
Two Availability Zones, each with its own Gateway Load Balancer Endpoint (GWLBE1 in AZ1, GWLBE2 in AZ2); VPC CIDR 10.0.0.0/16.

Internet Gateway edge route table (ingress routing):
  Destination      Target
  10.0.0.0/16      Local
  Public Subnet1   GWLBE1
  Public Subnet2   GWLBE2

AZ1
  Endpoint subnet (GWLBE1)   10.0.0.0/16 Local   0.0.0.0/0 IGW
  Public subnet              10.0.0.0/16 Local   0.0.0.0/0 GWLBE1
  Private subnet             10.0.0.0/16 Local   0.0.0.0/0 NGW

AZ2
  Endpoint subnet (GWLBE2)   10.0.0.0/16 Local   0.0.0.0/0 IGW
  Public subnet              10.0.0.0/16 Local   0.0.0.0/0 GWLBE2
  Private subnet             10.0.0.0/16 Local   0.0.0.0/0 NGW
Gateway Load Balancer summary: components, advantages, deployment
AWS Network Firewall
AWS Network Firewall
(Diagram: Customer VPC with two Availability Zones, each containing a firewall subnet, a public subnet and a private subnet)
Differences from existing network security features

                  | Network Access Control List | Security Group      | AWS Network Firewall stateless engine | AWS Network Firewall stateful engine
Flow handling     | Stateless                   | Stateful            | Stateless                             | Stateful
Rule evaluation   | In order (first match wins) | All rules evaluated | In priority order (first match wins)  | All rules evaluated
Rule actions      | Allow, Deny                 | Allow               | Pass, Drop, Forward                   | Pass, Drop, Alert
Applied to        | Subnet                      | EC2 instance or ENI | Traffic steered to the firewall by routing | Traffic forwarded by a stateless rule

"Forward" in the stateless engine means forward to the stateful engine; only forwarded traffic is seen by stateful rules.
AWS Network Firewall basic structure
• Customer traffic is delivered to Network Firewall through a Gateway Load Balancer Endpoint (the firewall endpoint placed in the firewall subnet)
• Ingress routing adjusts the Internet Gateway's routing so that inbound traffic also passes through the firewall
(Diagram: Customer VPC with a firewall subnet, a public subnet and a private subnet in each Availability Zone; the firewall itself runs in an AWS-managed VPC with a presence in each Availability Zone)
Note: AWS recommends enabling AWS Network Firewall in every Availability Zone you use.
AWS Network Firewall routing flow
Customer VPC 10.0.0.0/16 with two Availability Zones, firewall endpoints GWLBE-A and GWLBE-B in the firewall subnets, and NAT gateways NGW-A and NGW-B (one per Availability Zone):

Subnet             AZ   CIDR
Firewall Subnet A  A    10.0.1.0/24
Firewall Subnet B  B    10.0.2.0/24
Public Subnet A    A    10.0.11.0/24
Public Subnet B    B    10.0.12.0/24
Private Subnet A   A    10.0.21.0/24
Private Subnet B   B    10.0.22.0/24

Internet Gateway (edge route table, ingress routing)
  Destination     Target
  10.0.0.0/16     Local
  10.0.11.0/24    GWLBE-A
  10.0.12.0/24    GWLBE-B

Firewall Subnet A (GWLBE-A <-> Network Firewall)
  10.0.0.0/16     Local
  0.0.0.0/0       IGW

Firewall Subnet B (GWLBE-B <-> Network Firewall)
  10.0.0.0/16     Local
  0.0.0.0/0       IGW

Public Subnet A
  10.0.0.0/16     Local
  0.0.0.0/0       GWLBE-A

Public Subnet B
  10.0.0.0/16     Local
  0.0.0.0/0       GWLBE-B

Private Subnet A
  10.0.0.0/16     Local
  0.0.0.0/0       NGW-A

Private Subnet B
  10.0.0.0/16     Local
  0.0.0.0/0       NGW-B

Every subnet routes to the endpoint or NAT gateway in its own Availability Zone, and the Internet Gateway returns each public subnet's inbound traffic through that same endpoint. Keeping both directions of a flow on the same firewall endpoint is what lets the stateful engine see complete connections.
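A check for the routing design above, added here as an example and not part of the original slides: it encodes the slide's subnets and route tables and reports any route that sends traffic through an endpoint or NAT gateway in another Availability Zone, or that lets inbound traffic bypass a firewall endpoint. The subnet and target names are the slide's; the misconfiguration constructed in the main block is an assumption.

```python
"""Check the per-AZ routing design of the Network Firewall routing slide.

Added example (not from the original slides). Given the subnets, their route
tables and the Internet Gateway edge route table, it reports every deviation
from the design: public subnets must default-route to the firewall endpoint in
their own AZ, the IGW must send each public subnet's traffic back through that
same endpoint, firewall subnets must default-route to the IGW, and private
subnets to a NAT gateway in their own AZ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    az: str
    role: str   # "firewall", "public" or "private"


# Targets named as on the slide, with the AZ each one lives in.
TARGET_AZ = {"GWLBE-A": "A", "GWLBE-B": "B", "NGW-A": "A", "NGW-B": "B"}
ENDPOINTS = {"GWLBE-A", "GWLBE-B"}
NAT_GATEWAYS = {"NGW-A", "NGW-B"}

SUBNETS = [
    Subnet("Firewall Subnet A", "10.0.1.0/24", "A", "firewall"),
    Subnet("Firewall Subnet B", "10.0.2.0/24", "B", "firewall"),
    Subnet("Public Subnet A", "10.0.11.0/24", "A", "public"),
    Subnet("Public Subnet B", "10.0.12.0/24", "B", "public"),
    Subnet("Private Subnet A", "10.0.21.0/24", "A", "private"),
    Subnet("Private Subnet B", "10.0.22.0/24", "B", "private"),
]

# Route tables as drawn on the slide: {destination: target}.
ROUTE_TABLES = {
    "Firewall Subnet A": {"10.0.0.0/16": "Local", "0.0.0.0/0": "IGW"},
    "Firewall Subnet B": {"10.0.0.0/16": "Local", "0.0.0.0/0": "IGW"},
    "Public Subnet A": {"10.0.0.0/16": "Local", "0.0.0.0/0": "GWLBE-A"},
    "Public Subnet B": {"10.0.0.0/16": "Local", "0.0.0.0/0": "GWLBE-B"},
    "Private Subnet A": {"10.0.0.0/16": "Local", "0.0.0.0/0": "NGW-A"},
    "Private Subnet B": {"10.0.0.0/16": "Local", "0.0.0.0/0": "NGW-B"},
}
IGW_EDGE_ROUTES = {"10.0.0.0/16": "Local", "10.0.11.0/24": "GWLBE-A", "10.0.12.0/24": "GWLBE-B"}


def validate_inspection_routing(subnets, route_tables, igw_routes, target_az=TARGET_AZ):
    """Return a list of findings; an empty list means the routing matches the design."""
    findings = []
    for s in subnets:
        default = route_tables.get(s.name, {}).get("0.0.0.0/0")
        if s.role == "firewall":
            if default != "IGW":
                findings.append(f"{s.name}: firewall subnet must default-route to IGW, found {default}")
        elif s.role == "public":
            if default not in ENDPOINTS:
                findings.append(f"{s.name}: default route must be a firewall endpoint, found {default}")
            elif target_az[default] != s.az:
                findings.append(f"{s.name}: default route via {default} (AZ {target_az[default]}) "
                                f"but subnet is in AZ {s.az}: asymmetric inspection")
            # Ingress routing: the IGW must hand this subnet's inbound traffic to the same-AZ endpoint.
            igw_target = igw_routes.get(s.cidr)
            if igw_target not in ENDPOINTS:
                findings.append(f"IGW edge table: {s.cidr} ({s.name}) is not routed to a firewall "
                                f"endpoint, inbound traffic bypasses inspection")
            elif target_az[igw_target] != s.az:
                findings.append(f"IGW edge table: {s.cidr} ({s.name}) routed via {igw_target} "
                                f"in AZ {target_az[igw_target]}, not AZ {s.az}")
        elif s.role == "private":
            if default not in NAT_GATEWAYS:
                findings.append(f"{s.name}: private subnet must default-route to a NAT gateway, found {default}")
            elif target_az[default] != s.az:
                findings.append(f"{s.name}: NAT gateway {default} is in AZ {target_az[default]}, not AZ {s.az}")
    return findings


if __name__ == "__main__":
    print("slide design:", validate_inspection_routing(SUBNETS, ROUTE_TABLES, IGW_EDGE_ROUTES) or "OK")
    # Constructed misconfiguration: Public Subnet B sends its egress through AZ A's endpoint.
    broken = {**ROUTE_TABLES, "Public Subnet B": {"10.0.0.0/16": "Local", "0.0.0.0/0": "GWLBE-A"}}
    for finding in validate_inspection_routing(SUBNETS, broken, IGW_EDGE_ROUTES):
        print("finding:", finding)
```

In a real account the same checks can be fed from the output of describe-route-tables; the value of writing them down is that the two failure modes they catch, an endpoint in the wrong Availability Zone and a public subnet missing from the edge route table, both leave traffic flowing and are invisible until someone notices that the firewall logs are incomplete.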
Example stateless rule

  {
    "RuleDefinition": {
      "MatchAttributes": {
        "Sources": [
          { "AddressDefinition": "10.1.0.0/16" }
        ],
        "Destinations": [
          { "AddressDefinition": "214.21.233.12/32" },
          { "AddressDefinition": "213.32.11.91/32" }
        ],
        "SourcePorts": [
          { "FromPort": 0, "ToPort": 65535 }
        ],
        "DestinationPorts": [
          { "FromPort": 80, "ToPort": 80 }
        ],
        "Protocols": [ 6 ],
        "TCPFlags": [
          { "Flags": [ "SYN" ], "Masks": [ "SYN", "ACK" ] }
        ]
      },
      "Actions": [ "aws:pass" ]
    },
    "Priority": 1
  }

What the slide calls out: Sources and Destinations take lists of addresses; SourcePorts and DestinationPorts take ranges; TCPFlags inspects the flags named in Masks and requires those in Flags to be set (here SYN set and ACK clear, so only the first packet of a connection matches); Priority orders the rule within its rule group.
Types of stateful rule groups
5-tuple: allow or block based on protocol, IP and port information
Domain list: allow or block based on the HTTP Host header or TLS SNI
Suricata-compatible IPS rules: allow or block based on user-defined signatures
Example stateful rules

IP inspection (5-tuple rule):
  "StatefulRules": [
    {
      "Action": "DROP",
      "Header": {
        "Protocol": "ICMP",
        "Source": "Any",
        "SourcePort": "Any",
        "Direction": "FORWARD",
        "Destination": "10.0.0.0/16",
        "DestinationPort": "Any"
      },
      "RuleOptions": [
        { "Keyword": "sid:1" }
      ]
    }
  ]

Domain inspection (domain list rule group):
  "RulesSource": {
    "RulesSourceList": {
      "Targets": [ ".google.com" ],
      "TargetTypes": [ "HTTP_HOST", "TLS_SNI" ],
      "GeneratedRulesType": "ALLOWLIST"
    }
  }

A target with a leading dot, such as .google.com, matches the domain itself and all of its subdomains; without the dot only the exact name matches.

Signature inspection (Suricata-compatible rule string):
  "RuleGroup": {
    "RulesSource": {
      "RulesString": "drop tcp any any -> any any (msg:\"Drop TCP Traffic\"; flow:from_client, established; sid:1000;)"
    }
  }
Understanding rule group capacity

Stateless rule group (the capacity of a rule is the product of the number of entries in each attribute; an attribute set to Any counts as one):
Priority | Protocol | Source IP                             | Destination IP            | Source Port | Destination Port | Action | Capacity
1        | TCP, UDP | 10.1.0.0/24, 10.1.1.0/24, 10.1.3.0/24 | Any                       | Any         | 80, 443          | Pass   | 12 (2 x 3 x 1 x 1 x 2)
2        | All      | 10.1.0.0/24, 10.1.1.0/24, 10.1.3.0/24 | Black list, 1,000 entries | Any         | 80, 443          | Drop   | 6,000 (1 x 3 x 1,000 x 1 x 2)
3        | All      | Any                                   | Any                       | Any         | Any              | Drop   | 1

Stateful rule group (one capacity unit per rule):
Protocol | Source IP   | Destination IP | Source Port | Destination Port | Action | Capacity
Any      | 10.0.1.0/24 | Any            | Any         | Any              | Pass   | 1
Any      | Any         | Any            | Any         | Any              | Drop   | 1

Stateless rule group: up to 10,000 capacity units
Stateful rule group: up to 30,000 capacity units
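The capacity arithmetic of the table above, as an added example that is not part of the original slides: a small Python model that prices a stateless rule as the product of its attribute list sizes, a stateful rule as one unit, and refuses a group that would exceed the limits the slide gives. The rules are the slide's; the 1,000-entry black list is constructed sample data.

```python
"""Rule group capacity calculation for AWS Network Firewall.

Added example (not from the original slides). A stateless rule costs the
product of the number of entries in each match attribute (an unspecified /
Any attribute counts as 1), a stateful rule costs 1, and a rule group's
capacity is the sum over its rules, capped at 10,000 (stateless) or
30,000 (stateful). Capacity is fixed when the group is created, so sizing
it too small is a deployment-time error worth catching before the API call.
"""
from dataclasses import dataclass, field
from typing import List

STATELESS_MAX = 10_000
STATEFUL_MAX = 30_000


@dataclass
class StatelessRule:
    priority: int
    action: str
    protocols: List[int] = field(default_factory=list)         # [] means Any
    sources: List[str] = field(default_factory=list)
    destinations: List[str] = field(default_factory=list)
    source_ports: List[str] = field(default_factory=list)
    destination_ports: List[str] = field(default_factory=list)

    def capacity(self) -> int:
        """Product of the entry counts of the five match attributes."""
        cost = 1
        for entries in (self.protocols, self.sources, self.destinations,
                        self.source_ports, self.destination_ports):
            cost *= max(1, len(entries))
        return cost


def stateless_group_capacity(rules) -> int:
    """Capacity a stateless rule group needs; raises if it exceeds the limit."""
    total = sum(r.capacity() for r in rules)
    if total > STATELESS_MAX:
        raise ValueError(f"stateless rule group needs {total} capacity, limit is {STATELESS_MAX}")
    return total


def stateful_group_capacity(rule_count: int) -> int:
    """Stateful rules cost one unit each."""
    if rule_count > STATEFUL_MAX:
        raise ValueError(f"stateful rule group needs {rule_count} capacity, limit is {STATEFUL_MAX}")
    return rule_count


# Constructed stand-in for the slide's 1,000-entry black list.
BLACK_LIST = [f"100.64.{i // 256}.{i % 256}/32" for i in range(1000)]

# The three stateless rules from the capacity slide.
SLIDE_RULES = [
    StatelessRule(1, "aws:pass", protocols=[6, 17],
                  sources=["10.1.0.0/24", "10.1.1.0/24", "10.1.3.0/24"],
                  destination_ports=["80", "443"]),
    StatelessRule(2, "aws:drop",
                  sources=["10.1.0.0/24", "10.1.1.0/24", "10.1.3.0/24"],
                  destinations=BLACK_LIST, destination_ports=["80", "443"]),
    StatelessRule(3, "aws:drop"),
]


if __name__ == "__main__":
    for r in SLIDE_RULES:
        print(f"priority {r.priority:>3} {r.action:<9} capacity {r.capacity():>5}")
    print("stateless group total:", stateless_group_capacity(SLIDE_RULES))
    print("stateful group with 2 rules:", stateful_group_capacity(2))
```

The worked numbers match the slide (12, 6,000 and 1, so 6,013 for the group). The practical lesson is the second rule: a long address list multiplies with every other list in the same rule, so a black list is cheaper as its own rule with every other attribute left at Any than folded into a rule that also enumerates sources and ports.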
Rule evaluation in the AWS Network Firewall engines

Stateless engine
- Rules are evaluated in priority order; the first matching rule decides.
- Actions: Pass, Drop, Forward (to the stateful engine).

Stateful engine
- Rules are processed in action order: Pass rules, then Drop rules, then Alert rules, followed by the custom action and finally the default action.
- Default action: Pass, and it cannot be changed (the stateless engine's default actions, by contrast, are set in the firewall policy).
- Produces logs and metrics.

(Diagram: inbound and outbound traffic between the firewall subnet and the public subnet passes through the stateless engine first and, when forwarded, through the stateful engine)
Note: rules in stateful rule groups follow the action processing order above, not the order in which they are written.
Blocking communication with black-listed IPs
Policy requirement: allow HTTP/HTTPS access only to the public subnets in the VPC, block everything else, and block all communication with black-listed IPs.
IP stateless rule group: create a stateless rule group as follows.

Priority | Protocol | Source IP  | Destination IP | Source Port | Destination Port | Action
1        | All      | Black list | Any            | Any         | Any              | Drop
2        | All      | Any        | Black list     | Any         | Any              | Drop
3        | TCP      | VPC CIDR   | Any            | 80, 443     | Any              | Pass
4        | TCP      | Any        | VPC CIDR       | Any         | 80, 443          | Pass
100      | All      | Any        | Any            | Any         | Any              | Drop

Rules 3 and 4 together cover both directions of a web connection; because the engine is stateless, the reply direction has to be written out explicitly, and the two black-list rules sit above them so that a black-listed address never reaches a Pass rule.
Tip: when no domain filtering or IPS policy is needed, make full use of stateless rule groups.
Caution: stateless rule groups do not support logging.
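How the stateless engine evaluates a group like the one above, and the SYN-only rule from the stateless rule example earlier, as an added example that is not part of the original slides: Python that takes rules in the API's JSON shape, walks them in priority order and returns the first matching action. The black-list addresses and the sample packets are constructed; the stateless default action (aws:forward_to_sfe) and the treatment of several TCPFlags entries as alternatives are assumptions, marked in the code.

```python
"""Stateless rule evaluation the way the Network Firewall stateless engine does it.

Added example (not from the original slides): rules in the AWS JSON shape
(RuleDefinition with MatchAttributes and Actions, plus Priority) are evaluated in
ascending priority and the first match decides; if nothing matches, the firewall
policy's stateless default action applies (assumed here to be aws:forward_to_sfe,
i.e. hand the packet to the stateful engine). TCPFlags follow the API semantics:
Masks lists the flags to inspect, Flags those that must be set among them, and
every other inspected flag must be clear.
"""
import ipaddress

TCP = 6
ALL_TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}


def rule(priority, action, *, protocols=(), sources=(), destinations=(),
         sports=(), dports=(), tcp_flags=()):
    """Build a StatelessRule object in the JSON shape used by the API."""
    return {
        "Priority": priority,
        "RuleDefinition": {
            "MatchAttributes": {
                "Protocols": list(protocols),
                "Sources": [{"AddressDefinition": s} for s in sources],
                "Destinations": [{"AddressDefinition": d} for d in destinations],
                "SourcePorts": [{"FromPort": p, "ToPort": p} for p in sports],
                "DestinationPorts": [{"FromPort": p, "ToPort": p} for p in dports],
                "TCPFlags": list(tcp_flags),
            },
            "Actions": [action],
        },
    }


def _addr_match(defs, ip):
    if not defs:                      # attribute omitted = Any
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(d["AddressDefinition"], strict=False) for d in defs)


def _port_match(ranges, port):
    return not ranges or any(r["FromPort"] <= port <= r["ToPort"] for r in ranges)


def _flags_match(specs, pkt):
    if not specs:
        return True
    if pkt["proto"] != TCP:           # assumption: a TCPFlags constraint never matches non-TCP
        return False
    present = set(pkt.get("flags", ()))
    for spec in specs:                # assumption: several TCPFlags entries are alternatives
        inspected = set(spec.get("Masks") or ALL_TCP_FLAGS)
        if present & inspected == set(spec["Flags"]):
            return True
    return False


def rule_matches(r, pkt):
    m = r["RuleDefinition"]["MatchAttributes"]
    return ((not m["Protocols"] or pkt["proto"] in m["Protocols"])
            and _addr_match(m["Sources"], pkt["src"])
            and _addr_match(m["Destinations"], pkt["dst"])
            and _port_match(m["SourcePorts"], pkt["sport"])
            and _port_match(m["DestinationPorts"], pkt["dport"])
            and _flags_match(m["TCPFlags"], pkt))


def evaluate(rules, pkt, default="aws:forward_to_sfe"):
    """First matching rule in priority order wins; otherwise the default action."""
    for r in sorted(rules, key=lambda x: x["Priority"]):
        if rule_matches(r, pkt):
            return next(a for a in r["RuleDefinition"]["Actions"] if a.startswith("aws:"))
    return default


def packet(src, dst, proto, sport, dport, flags=()):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "flags": tuple(flags)}


VPC_CIDR = "10.0.0.0/16"
BLACK_LIST = ["198.51.100.0/24", "203.0.113.7/32"]          # constructed sample data

# The slide's "Black List IP" stateless rule group, column for column.
BLACKLIST_GROUP = [
    rule(1, "aws:drop", sources=BLACK_LIST),
    rule(2, "aws:drop", destinations=BLACK_LIST),
    rule(3, "aws:pass", protocols=[TCP], sources=[VPC_CIDR], sports=[80, 443]),
    rule(4, "aws:pass", protocols=[TCP], destinations=[VPC_CIDR], dports=[80, 443]),
    rule(100, "aws:drop"),
]

# The SYN-only rule from the "Example stateless rule" slide.
SYN_ONLY_RULE = rule(1, "aws:pass", protocols=[TCP], sources=["10.1.0.0/16"],
                     destinations=["214.21.233.12/32", "213.32.11.91/32"], dports=[80],
                     tcp_flags=[{"Flags": ["SYN"], "Masks": ["SYN", "ACK"]}])


if __name__ == "__main__":
    samples = [
        ("inbound HTTPS to a web server", packet("203.0.113.50", "10.0.11.10", TCP, 51000, 443, ["SYN"])),
        ("its reply", packet("10.0.11.10", "203.0.113.50", TCP, 443, 51000, ["SYN", "ACK"])),
        ("same request from a black-listed host", packet("198.51.100.9", "10.0.11.10", TCP, 51000, 443, ["SYN"])),
        ("SSH from the internet", packet("203.0.113.50", "10.0.11.10", TCP, 51000, 22, ["SYN"])),
    ]
    for label, pkt in samples:
        print(f"{label}: {evaluate(BLACKLIST_GROUP, pkt)}")
    syn = packet("10.1.0.5", "214.21.233.12", TCP, 40000, 80, ["SYN"])
    synack = packet("10.1.0.5", "214.21.233.12", TCP, 40000, 80, ["SYN", "ACK"])
    print("SYN-only rule:", evaluate([SYN_ONLY_RULE], syn), "/", evaluate([SYN_ONLY_RULE], synack))
```

Two things worth noticing when running it: the black-list rules fire before the Pass rules purely because of their lower priority number, and the reply-direction rule (source port 80 or 443 from the VPC) matches any packet that happens to use that source port, which is the kind of coarse match that the slide's tip implicitly accepts when it recommends stateless groups only where no domain or IPS inspection is needed.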
Outbound domain white-list policy
Policy requirement: from the public subnets, allow HTTP/HTTPS connections only to white-listed domains and block everything else.
Domain rule group: register "Allow" rules for the domains to be permitted (for example, AWS service domains).

Traffic to inspect | Domain list          | Action
HTTP, HTTPS        | White-listed domains | Allow

(Diagram of the evaluation order, Pass, Drop, Alert, then the default Pass: a connection from an EC2 instance to a white-listed domain hits the Pass rule; a connection to a non-business site misses it and is dropped)

IP stateless rule group: create a stateless rule group as follows, so that web traffic is forwarded to the stateful engine for domain inspection and everything else is dropped.

Priority | Protocol | Source IP     | Destination IP | Source Port | Destination Port | Action
1        | TCP      | Public Subnet | Any            | 80, 443     | Any              | Forward
2        | TCP      | Any           | Public Subnet  | Any         | 80, 443          | Forward
100      | All      | Any           | Any            | Any         | Any              | Drop
Example using Suricata-compatible rules
(Diagram: a VPC with EC2 instances, AWS services, and a data center network)
Requirement 1. Allow access from inside the VPC to AWS public endpoints
Requirement 2. Allow SSH access to EC2 from the designated data center network
Requirement 3. Block all other TCP traffic
Example using Suricata-compatible rules

pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"AWS Service SNI"; tls_sni; content:".amazonaws.com"; sid:1001; rev:1;)
Allows access to AWS public endpoints (requirement 1). Note that content matches anywhere in the SNI, so any server name that merely contains ".amazonaws.com" would also pass; anchor the match (for example with the endswith keyword) if the allow list has to be exact.

pass tcp $OFFICE_NET any -> $HOME_NET 22 (msg:"Allow SSH traffic"; sid:1002; rev:1;)
Allows SSH from the office and data center networks into the VPC (requirement 2). $HOME_NET defaults to the VPC's CIDR; $OFFICE_NET is not predefined and has to be declared as an IP set variable in the rule group.

drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:from_client, established; sid:1003; rev:1;)
Blocks all other TCP connections, ingress and egress (requirement 3). Because the stateful engine processes pass rules before drop rules, the two pass rules above take precedence regardless of where they appear in the file.
Creating IPS rules with variables
Policy requirement: create and apply an IPS rule that uses a designated IP group and port group.
Rule creation: rules that use rule variables can be created with the AWS CLI.

rulefile.json:
  {
    "RuleVariables": {
      "IPSets": {
        "HTTP_SERVERS": {
          "Definition": [ "10.0.2.0/24", "10.0.1.19" ]
        }
      },
      "PortSets": {
        "HTTP_PORTS": {
          "Definition": [ "80", "8080" ]
        }
      }
    },
    "RulesSource": {
      "RulesString": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)"
    }
  }

AWS CLI:
  aws network-firewall create-rule-group --rule-group-name "RuleVariable-Group" --type STATEFUL --rule-group file://rulefile.json --capacity 1000

Note: once a rule group that uses rule variables has been created, the variable values are not shown in the Management Console; view them with the AWS CLI (describe-rule-group).
AWS Network Firewall: distributed firewall architecture
• The firewall is enabled per Availability Zone in each VPC; endpoints are created automatically
• Controls both ingress and egress traffic
(Diagram: each Customer VPC has a firewall subnet, a public subnet and a private subnet per Availability Zone, backed by AWS Network Firewall running in an AWS-managed VPC)
AWS Network Firewall: centralized firewall architecture
https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
(Diagram: a central inspection VPC with a firewall subnet per Availability Zone, attached to a Transit Gateway; three internal VPCs, each with a TGW subnet and a private subnet per Availability Zone, whose routes point "To-FW" so that traffic between VPCs traverses the central firewall; the firewall itself runs in an AWS-managed VPC)
We look forward to your feedback.
Please take part in the session evaluation after the talk!
Thank you