Securing Web Applications in the AWS Cloud

  • View

  • Download

Embed Size (px)


Alert Logic demos Web Security Manager for Amazon Web Services

Text of Securing Web Applications in the AWS Cloud

  • 1. Alert Logic Web Security Manager for AWS December 3, 2013Jon Vaught Sales EngineerDiane Garey Product Marketing

2. Todays Agenda Web Security Manager for AWS Architecture What you need to run Web Security Manager Getting Started Quick Tour Next Steps Trial Q&APage 2 3. Alert Logic Web Security Manager WAF IntroductionActive Protection for Web Applications, Management Included Positive & Negative Security Active protection using signatures and leading learning engine Key Compliance Coverage Supports PCI 6.6 and OWASP Top 10 risks Management Included 24x7 management by experienced security analystsAWS Auto Scaling Protection scales dynamically with your web apps Security Where You Need It Works wherever you have your datacenter Page 3 4. Web Security Manager Architecture4 5. Web Security Manager AWS System Overview Deployment for Auto Scaling and High Availability in AWS VPCAmazon VPC Internet GatewayAvailability Zone 1Availability Zone 2 Elastic Load BalancerWeb ServerWeb ServerPage 5 6. Web Security Manager AWS System Overview Deployment for Auto Scaling and High Availability in AWS VPC AmazonOverview 1 Master AS group with 1 master at all times 1 Worker AS group with 2-n workers at all timesVPC Internet Gateway S3Availability Zone 1Availability Zone 2Public SubnetPublic SubnetNAT InstanceNAT InstanceELB Master Master Subnet WSM MasterELB Master External interface for WSM Master Management and monitoring (https and ssh)WSM WorkerS3 Bucket Persists configuration data NAT Instances Required for S3 access from private subnetsElastic Load Balancer Worker SubnetELB Worker SSL Termination Load balances web traffic to worker AS groupWorker Subnet WSM WorkerWSM Master Acts as management node for configuration Queues and transports logs, stats from workers EBS Log Volume Persists Deny Log and Stats data for master Attached at instance start upElastic Load Balancer Internal Elastic Load Balancer EBS Log VolumeWeb ServerWeb ServerPage 6WSM Worker Retrieves configuration on instance launch Protects web traffic in front of internal ELB Transports logs, stats to master queue 7. Website Traffic Data Flow Amazon VPC Internet Gateway ClientAvailability Zone 1S3Availability Zone 2Public SubnetPublic SubnetNAT InstanceNAT InstanceELB Master Master Subnet WSM MasterELB Worker Worker Subnet WSM WorkerWorker Subnet Worker Subnet WSM Worker WSM WorkerInternal ELB for your application EBS Log VolumeWeb ServerWeb ServerPage 7Website Traffic Browser clients connect to worker ELB Traffic is load balanced to Web Security Manager appliances Web Security Manager appliances connect to backend ELB 8. Web Security Manager Performance Web Security Manager Master Instance Processing Capacity The estimated processing capacity per Master instance is: m1.medium: 10 workers, 250 Mbps (inbound + outbound) total across workers m1.large: 25 workers, 1 Gbps (inbound + outbound) total across workersWorker Processing Capacity in Mbps Worker instance processing capacity: m1.small: 13 Mbps total (inbound + outbound) c1.medium: 50 Mbps total (inbound + outbound) c1.xlarge: 200 Mbps total (inbound + outbound) Page 8 9. Auto Scaling Parameters The Cloud Formation template that creates the Web Security Manager stack allows for defining Auto Scaling Parameters. Setting Scale up CPU utilization threshold80%Scale up when CPU is above threshold for more than120 secondsScale down CPU utilization threshold50%Scale down when CPU is below threshold for more thanDefault600 secondsThe difference in thresholds for scaling up and down is to mitigate the risk of removing capacity too quickly, or incorrectly reducing capacity.Page 9 10. Auto Scaling Web Security Manager at re:Invent10 11. 12. Try Web Security Manager Contact Alert Logic: Installation steps: Set up an Alert Logic account Gather information from your web application stack Create internal ELB for backend web servers Run Cloud Formation template that creates the Web Security Manager stack Move inbound traffic to Web Security Manager external ELB Configure additional web sites (if required) Page 12 13. Thank You! Q& 14. AWS Services Used to Deploy Web Security Manager Amazon Machine Image (AMI) - An encrypted machine image stored in Amazon Elastic Block Store or Amazon Simple Storage Service. AMIs are like a template of a computer's root drive. They contain the operating system and can also include software and layers of your application, such as database servers, middleware, web servers, and so on.Amazon Virtual Private Cloud (VPC) - A web service that enables you to create a virtual network for your AWS resources.Auto Scaling - A web service designed to launch or terminate instances automatically based on user-defined policies, schedules, and health checks.Auto Scaling group - A representation of multiple Amazon Elastic Compute Cloud instances that share similar characteristics, and that are treated as a logical grouping for the purposes of instance scaling and management.Availability Zone (AZ) - A distinct location within a region that is insulated from failures in other Availability Zones, and provides inexpensive, low-latency network connectivity to other Availability Zones in the same region.AWS CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.Elastic Load Balancing - Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. Customers can enable Elastic Load Balancing within a single Availability Zone or across multiple zones for even more consistent application performance. Elastic Load Balancing can also be used in an Amazon Virtual Private Cloud (VPC) to distribute traffic between application tiers.14