Hello, I'm Professor Wool, and today we'll discuss how to manage dynamic objects in cloud environments.

To give us context: many cloud infrastructure providers, whether public cloud or private cloud, provide integration capabilities with the firewalls protecting their environment, in the sense of dynamic objects. Specifically, if you have servers or instances in your cloud environment, you can tag them with a logical name, let's say "Forex", assuming these three systems are foreign exchange feeds. Once you tag them, you can use the logical name inside the firewall rules to allow or deny traffic from or to all the servers that are currently tagged. So here you can see a rule, rule number 24, that refers to this object called Forex, allowing traffic from it to the trading system using HTTPS.

OK, so we have this in terms of background. Now let's see what this means to network security policy management systems, or NSPMs.
One of the functions of an NSPM is to be able to answer traffic simulation queries accurately and correctly. In particular, let's say you want to find out whether traffic is allowed from the IP address 10.1.1.10 to the trading system using HTTPS. In order to answer this query, the NSPM needs to know the current definition of the Forex object, so that it can realize that the IP address listed is actually not one of the three covered by the tag Forex right now, and therefore the answer to this query at the moment is no. But perhaps later on today you're going to power up a new Forex server and tag it with the same tag; then the definition would change inside the firewall rule, and the NSPM should be able to answer at that time that the traffic is now allowed. This means that the NSPM has to really track the content of this dynamic object and have the latest definition recognized at
all times.

The next step is that an NSPM usually also issues audit alerts whenever anything changes in the security policy in the firewalls, typically providing us with an audit trail for human actions that add or remove functionality from the filtering policy. If nothing special is done, changes in the definitions of the dynamic objects may well trigger audit alerts, because after all the firewall policy is changing any time an IP address is added to or removed from the tag. This may be redundant, because after all one of the big advantages of a cloud environment is that it's elastic: you might want to add or remove functionality, and add or remove servers from the estate, based on demand and current needs. So you might have many changes to the dynamic objects being reflected in the firewall rules, and as a consequence you may have superfluous audit alerts and notifications from the NSPM, which a good NSPM would let you suppress, so that you will not see all these changes to the content of the Forex object, because you know it's supposed to be dynamic.

The next step in sophistication
is dealing with change requests. So imagine the owners of the business application for the trading system are adding new functionality to their system, which requires all the Forex feeds to connect to the trading system using another port. A good NSPM would look at this change request and identify that the list of IP addresses submitted by the application owners exactly matches the current content of the tag Forex, and suggest creating a rule on the firewall that uses the name of the dynamic object rather than the raw IP addresses that appear in the current change request. This is of course much better, because it future-proofs the rule, anticipating that next week even more Forex feeds will be added, and you don't want to require a change to the firewall rules due to those future changes. An even better NSPM would in fact realize that there is already a rule in the firewall, rule 24 in this example, that almost does what is required: the only thing that needs to happen is to modify that existing rule and just add the new port number to its existing service. After doing that, the combined rule will provide the functionality that was required before, in addition to the new change request that is currently being handled.

So to conclude, we can see that a good NSPM system should be able to understand and track the dynamics of these tagged objects, and to react in an intelligent way to their specific functionalities when object content changes, whether IP addresses are added to or removed from the tag. Thank you for your attention.
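The three behaviours described in the lecture (resolving a dynamic object at query time so a traffic simulation query tracks the current tag contents, suppressing audit alerts for tag membership churn while still auditing real rule changes, and mapping a change request given as raw IPs onto an existing tag and an existing rule) are shown together in the following small Python model. This is an added example, not code from the lecture, from AlgoSec or from any firewall vendor; the class and method names, the tuple shape of the returned plans, the IP addresses other than 10.1.1.10, the extra port 8443 and the sample rule 24 are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    source: str          # an IP literal, a tuple of IP literals, or a dynamic-object name
    destination: str     # same
    ports: frozenset     # TCP ports the rule permits
    action: str = "allow"


class Nspm:
    """Minimal NSPM model: firewall rules plus the live contents of dynamic objects.
    Hypothetical design for illustration; not a real product's API."""

    def __init__(self, rules, objects):
        self.rules = list(rules)
        self.objects = {name: set(ips) for name, ips in objects.items()}
        self.alerts = []       # audit trail: changes to the filtering policy itself
        self.suppressed = []   # tag membership churn: tracked for forensics, no alert raised

    def resolve(self, ref):
        """Expand a rule field to the set of IPs it covers right now."""
        if ref in self.objects:          # dynamic object: look up current membership
            return set(self.objects[ref])
        if isinstance(ref, tuple):       # explicit list of raw IPs
            return set(ref)
        return {ref}                     # single IP literal

    def simulate(self, src, dst, port):
        """Traffic simulation query; first matching rule wins. Returns (allowed, rule number)."""
        for r in self.rules:
            if (src in self.resolve(r.source) and dst in self.resolve(r.destination)
                    and port in r.ports):
                return (r.action == "allow", r.number)
        return (False, None)             # implicit default deny

    def tag_event(self, obj, ip, added):
        """A cloud instance was tagged or untagged: update the object, record it, do not alert."""
        members = self.objects.setdefault(obj, set())
        if added:
            members.add(ip)
        else:
            members.discard(ip)
        self.suppressed.append((obj, ip, "added" if added else "removed"))

    def plan_change(self, src_ips, dst, port):
        """Map a change request (raw source IPs, destination, port) onto objects and rules.
        Returns ("modify", rule_number, port) when an existing allow rule already covers the
        matching source object and the destination; otherwise ("add", source_ref, dst, port),
        where source_ref is the object whose content equals the requested IPs, or the raw IPs."""
        wanted = set(src_ips)
        src_ref = next((n for n, ips in self.objects.items() if ips == wanted), None)
        if src_ref is not None:
            for r in self.rules:
                if (r.action == "allow" and r.source == src_ref
                        and dst in self.resolve(r.destination)):
                    return ("modify", r.number, port)
        return ("add", src_ref if src_ref else tuple(sorted(wanted)), dst, port)

    def apply_plan(self, plan):
        """Carry out a plan from plan_change. This is a real policy change, so it is audited."""
        if plan[0] == "modify":
            _, number, port = plan
            r = next(x for x in self.rules if x.number == number)
            r.ports = r.ports | {port}
            self.alerts.append(f"rule {number}: service extended with TCP/{port}")
        else:
            _, src_ref, dst, port = plan
            number = max((r.number for r in self.rules), default=0) + 1
            self.rules.append(Rule(number, src_ref, dst, frozenset({port})))
            self.alerts.append(f"rule {number}: new allow {src_ref} -> {dst} TCP/{port}")
        return number


def build_demo():
    """Constructed sample: three tagged Forex feeds and rule 24 allowing HTTPS to the trading
    system at 10.1.1.1 (all addresses except 10.1.1.10 are made up for the example)."""
    return Nspm(
        rules=[Rule(24, "forex", "10.1.1.1", frozenset({443}))],
        objects={"forex": {"10.1.1.11", "10.1.1.12", "10.1.1.13"}},
    )


if __name__ == "__main__":
    nspm = build_demo()
    print("before tagging:", nspm.simulate("10.1.1.10", "10.1.1.1", 443))
    nspm.tag_event("forex", "10.1.1.10", added=True)
    print("after tagging: ", nspm.simulate("10.1.1.10", "10.1.1.1", 443))
    plan = nspm.plan_change(["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"], "10.1.1.1", 8443)
    print("change request plan:", plan)
    nspm.apply_plan(plan)
    print("audit alerts:", nspm.alerts, "suppressed tag events:", nspm.suppressed)
```

The suppressed tag events are kept in their own list rather than dropped: anyone with permission to apply the tag can place a host behind rule 24 without touching the firewall, so the membership history is still worth retaining for investigation even though it should not page an administrator on every scale-out.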