3 ways to secure your hybrid datacenter
To unleash the power of the hybrid cloud, enterprises need to create increasingly complex environments using a growing number of resources on top of Infrastructure-as-a-Service (IaaS) platforms. However, creating robust network topologies on top of IaaS is challenging and complicated. So, how can organizations implement a true, connected, secured hybrid cloud datacenter solution? A hybrid networking environment may look the same as an on-premises network, but it actually behaves differently. Cloud providers’ tools and configuration options often limit flexibility and reduce visibility, leaving you with poor network control.
Building a proper hybrid datacenter requires a deep understanding of the provider environment to connect, secure, segment, configure routing and enable access policy with a mix of internal and external subnets. What follows are three options for securing a hybrid cloud datacenter built on Amazon Web Services. If you don’t have a hybrid cloud datacenter with AWS, you can learn more about implementing one here.
Integrating with AWS-provided firewall & VPN
Using the AWS-provided firewall and VPN is straightforward, easy to implement and, most of all -- cheap. But it also has its limitations, including reduced management and configuration capabilities, basic monitoring and auditing that do not satisfy various standards and regulations, a limited list of supported VPN devices, and limited monitoring of the rule base.
Here are the steps to create the environment:
- Configure the inbound/outbound filters on your security groups
- Configure network ACLs on your subnets
- Configure a subnet and routing for the NAT device, if needed
- Route private segments through the NAT device
- Configure a virtual private gateway (hardware VPN) with:
  - IP address of the customer gateway (the other end of the VPN)
  - Type of VPN device (make sure AWS supports your enterprise VPN device)
  - Static or dynamic routing rules
The biggest challenge of this topology is making sure that, in each segment of the network, servers route the relevant traffic via the VPN gateway.
Integrating with AWS using a third-party firewall & VPN
Using a third-party firewall adds complexity and considerable expense, but brings the advantages of unified management capability and robust logging, monitoring and management options.
Here’s a list of what’s needed to integrate a third-party firewall to a virtual private cloud (VPC):
- Create a subnet dedicated to the firewall device in your VPC
- Set up IP range for the subnet and do proper routing in your VPC route table
- Deploy a cluster for redundancy
- Configure security groups and ACLs
- Think about separation of duties when deciding which host keys to use when launching the instance.
- Launch your instance and connect to it
- For a cluster configuration, extra work on routing and segmentation is required. Also note that cluster members require IAM roles assigned to them, and IAM roles cannot be changed after they are assigned, so plan ahead.
- Perform East-West traffic inspection. Third-party firewalls on top of AWS are built to handle North-South traffic (internet to servers) better than East-West traffic (instances to other instances). Enterprises can still implement firewall filtering between two subnets, but it requires tweaking the routing and creating NAT on the subnets. Remember that in this configuration some of the filtering is still done at the AWS router level, so make sure to configure ACLs and VPC flow logs correctly.
Another challenge of using third-party firewalls is coping with the dynamic side of the cloud. Cloud instances are moved between segments or duplicated to handle performance issues. A traditional firewall's stateful inspection mechanism may drop packets when integrated into this dynamic environment.
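Both the routing challenge of the AWS-provided VPN topology (every segment must send on-premises traffic via the VPN gateway, not the NAT device) and the route tweaking needed for East-West inspection with a third-party firewall come down to auditing what each subnet's route table actually does. The following script is an added example, not code from the article or from any vendor: it assumes route tables in the shape returned by EC2 DescribeRouteTables (what boto3's describe_route_tables returns), and the two sample tables, the 10.0.0.0/8 on-premises prefix and the vgw-1/nat-1 ids are constructed.

```python
"""Audit VPC route tables so that every subnet forwards on-premises prefixes through the
VPN gateway (or firewall interface) and only true internet traffic through the NAT device.
Input is the route-table shape of EC2 DescribeRouteTables; sample data below is constructed."""
import ipaddress

TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId")

def route_target(route):
    """Id the route forwards to, whichever attribute EC2 filled in for this route type."""
    return next((route[k] for k in TARGET_KEYS if route.get(k)), None)

def resolve(routes, dest):
    """Longest-prefix match of dest against the active routes, as the VPC router does."""
    dest = ipaddress.ip_network(dest)
    best = None
    for r in routes:
        if r.get("State", "active") != "active" or "DestinationCidrBlock" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_target(r))
    return best[1] if best else None

def audit(route_tables, expected):
    """expected: {destination CIDR: required target id}. Returns (subnet, problem) findings."""
    findings = []
    for rt in route_tables:
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if a.get("SubnetId")]
        for dest, want in expected.items():
            got = resolve(rt["Routes"], dest)
            if got != want:
                findings += [(s, f"{dest} -> {got} (expected {want})") for s in subnets]
    return findings

# Constructed sample: subnet-a is correct; subnet-b lost its VPN-gateway route, so its
# on-premises traffic falls through to the default route and leaves via the NAT device.
SAMPLE_TABLES = [
    {"RouteTableId": "rtb-a", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-1"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    {"RouteTableId": "rtb-b", "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]
# Topology 1 (AWS-provided VPN): on-premises 10.0.0.0/8 via the VPN gateway, internet via NAT.
EXPECTED_TOPOLOGY_1 = {"10.0.0.0/8": "vgw-1", "0.0.0.0/0": "nat-1"}

if __name__ == "__main__":
    for subnet, problem in audit(SAMPLE_TABLES, EXPECTED_TOPOLOGY_1):
        print(f"{subnet}: {problem}")
```

For the third-party firewall topology, the same expected-routes dict is pointed at the firewall instance's network interface id instead (for on-premises prefixes, and for the peer subnet when East-West traffic must pass through the firewall), which is why the lookup accepts NetworkInterfaceId and InstanceId targets as well.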
Integrating with AWS using a cloud network
A cloud overlay solution abstracts the underlying network elements into a cloud network. The cloud network tunnels traffic from physical and cloud datacenters into the cloud network, where routing and security can be enforced. This approach simplifies hybrid datacenter connectivity and security, as there are no “point to point” network configurations and no need to manage platform-specific security mechanisms (e.g., AWS security groups).
Cloud networks come in various flavors. Some are designed primarily to interconnect multiple clouds (AWS, Azure and Google), and others are used to interconnect cloud and physical datacenters. A comprehensive architecture that connects on-premises and cloud assets into a simple and secure network can address multiple use cases.
Overall, creating a hybrid datacenter with AWS is complicated. Although the infrastructure may look the same as an on-premises datacenter, there are many limitations in connectivity, security and integration that make the process long and complex. Enterprises need to understand that every solution comes with tradeoffs; managing expense while ensuring maximum security and manageability should be the ultimate goal.
Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based web application security and acceleration company. Before Incapsula, Gur was director of product development, VP of engineering and products at Imperva, a web application security and data security company. Gur holds a BSc in computer science from Tel Aviv College.