Firewall and Proxy Servers

Designing and Securing Workloads and Applications with Firewalls and Proxy Servers

In today’s cloud-centric environment, designing and securing workloads and applications is crucial to protecting sensitive data and ensuring service availability. Firewalls and proxy servers are fundamental components in this security architecture. This blog will cover these fundamentals, delve into AWS Shield Standard and Shield Advanced, and discuss how to choose the best AWS security services for specific use cases.

Fundamentals of Firewalls and Proxy Servers

Firewalls

Firewalls are security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. They act as a barrier between trusted and untrusted networks.

  • Types of Firewalls:
    • Network Firewalls: Protect an entire network by filtering traffic at the perimeter.
    • Host-based Firewalls: Protect individual servers or devices.
    • Next-Generation Firewalls (NGFWs): Combine traditional firewall functions with advanced features like intrusion prevention and deep packet inspection.
  • Key Functions:
    • Packet Filtering: Inspects each packet on its own and allows or blocks it based on source and destination IP addresses, ports, and protocols.
    • Stateful Inspection: Tracks the state of active connections and makes decisions based on the context of the traffic, so replies to connections opened from inside can be admitted without opening ports for unsolicited traffic.
    • Application Layer Filtering: Inspects traffic at the application layer to detect and block malicious activity.
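As an added illustration of the packet-filtering versus stateful-inspection distinction above (example code, not from the original post): a stateless rule table has to open the whole ephemeral port range inbound just to let HTTPS replies through, while a stateful filter admits only replies to connections it saw being opened. The packet tuples, the rule table and the HTTPS-only policy are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: only the fields a layer 3/4 firewall looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    syn: bool = False  # TCP SYN flag: set only on the packet that opens a connection


# Stateless rule table: (direction, proto, (low_port, high_port), action).
# A packet filter sees one packet at a time, so to let HTTPS replies back in it
# has to open the whole ephemeral port range inbound; that is its weakness.
STATELESS_RULES = [
    ("out", "tcp", (443, 443), "allow"),
    ("in", "tcp", (1024, 65535), "allow"),
]


def stateless_decision(direction, pkt):
    """Packet filtering: first matching rule wins, otherwise deny."""
    for rule_dir, proto, (lo, hi), action in STATELESS_RULES:
        if rule_dir == direction and proto == pkt.proto and lo <= pkt.dst_port <= hi:
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember connections opened from inside, admit only their replies."""

    def __init__(self):
        self.established = set()  # 5-tuples of connections opened from the trusted side

    def decide(self, direction, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if direction == "out":
            if pkt.proto == "tcp" and pkt.dst_port == 443:  # policy: inside may reach HTTPS
                self.established.add(flow)
                return "allow"
            return "deny"
        # Inbound: admit only the reverse of a tracked connection, and never a new
        # SYN, which is a connection attempt rather than a reply.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.established and not pkt.syn:
            return "allow"
        return "deny"
```

The unsolicited inbound packet to a high port is the case that separates the two: the packet filter cannot tell it apart from a legitimate reply, the stateful firewall can.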

Proxy Servers

Proxy servers act as intermediaries between clients and servers, forwarding client requests to the server and returning the server’s response to the client. They can provide additional security, anonymity, and caching capabilities.

  • Types of Proxy Servers:
    • Forward Proxy: Positioned on the client side, it forwards client requests to the internet.
    • Reverse Proxy: Positioned on the server side, it forwards client requests to the backend servers.
  • Key Functions:
    • Anonymity: Hides the client’s IP address from the destination server.
    • Caching: Stores copies of frequently accessed resources to improve load times and reduce bandwidth usage.
    • Access Control: Restricts access to certain websites or resources.
    • Load Balancing: Distributes incoming requests across multiple servers.

AWS Shield Standard vs. Shield Advanced

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. There are two tiers: Shield Standard and Shield Advanced.

AWS Shield Standard

  • Protection: Automatically included with AWS services at no extra cost.
  • Features:
    • DDoS Protection: Protects against the most common, frequently occurring network- and transport-layer (layer 3 and 4) DDoS attacks.
    • Global Threat Environment Dashboard: Provides visibility into DDoS attacks.

AWS Shield Advanced

  • Protection: Provides additional detection and mitigation capabilities beyond what Shield Standard offers.
  • Features:
    • Enhanced DDoS Protection: Protects against larger and more sophisticated DDoS attacks.
    • 24/7 DDoS Response Team (DRT): Access to AWS DDoS experts for attack mitigation.
    • Cost Protection: Financial protections to cover scaling costs resulting from DDoS attacks.
    • Detailed Attack Diagnostics: Real-time metrics and reports on ongoing attacks.
    • WAF Integration: Advanced rules and threat intelligence integration with AWS WAF.

Choosing the Right Security Service

Preventing External DDoS Attacks

  • Use Case: Protecting an application from volumetric, state-exhaustion, and application-layer DDoS attacks.
  • Recommendation: Use AWS Shield Advanced for enhanced protection, real-time attack diagnostics, and expert support. For basic protection against common DDoS attacks, AWS Shield Standard is sufficient.

Preventing SQL Injection Attacks

  • Use Case: Protecting a web application from SQL injection and other application-layer attacks.
  • Recommendation: Use AWS WAF (Web Application Firewall) to create custom rules that block SQL injection attempts. Deploy AWS WAF on services such as:
    • Application Load Balancers
    • Amazon API Gateway
    • Amazon CloudFront
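An added example (not the post's own code) of the WAF deployment recommended above, using the AWS managed SQLi rule group rather than hand-written rules and adding a per-IP rate limit as a second layer; the web ACL name, the metric names and the load balancer ARN placeholder are assumptions, and the request shape follows boto3's wafv2 create_web_acl and associate_web_acl parameters.

```python
def sqli_web_acl(name, rate_limit=2000):
    """Return the create_web_acl request: AWS managed SQLi rules plus a per-IP rate limit."""

    def visibility(metric):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                "MetricName": metric}

    return {
        "Name": name,
        # REGIONAL covers Application Load Balancers and API Gateway; CloudFront
        # distributions need Scope "CLOUDFRONT" and a wafv2 client in us-east-1.
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},  # allow by default; the rules decide what to block
        "Rules": [
            {
                "Name": "AWSManagedRulesSQLiRuleSet",
                "Priority": 0,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
                "OverrideAction": {"None": {}},  # keep the rule group's own BLOCK verdicts
                "VisibilityConfig": visibility(f"{name}-sqli"),
            },
            {
                "Name": "rate-limit-per-ip",
                "Priority": 1,
                "Statement": {"RateBasedStatement": {
                    "Limit": rate_limit, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility(f"{name}-rate"),
            },
        ],
        "VisibilityConfig": visibility(name),
    }


def deploy(wafv2, name, resource_arn):
    """Create the web ACL and attach it to an ALB or API Gateway stage; return the ACL ARN."""
    resp = wafv2.create_web_acl(**sqli_web_acl(name))
    acl_arn = resp["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=acl_arn, ResourceArn=resource_arn)
    return acl_arn


if __name__ == "__main__":
    import boto3  # only needed for a real deployment against an AWS account

    # Placeholder ARN: replace with the ALB or API Gateway stage ARN to protect.
    print(deploy(boto3.client("wafv2"), "app-sqli-protection",
                 "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/NAME/ID"))
```

Managed rule groups carry their own actions, which is why the SQLi rule uses OverrideAction rather than Action; a rule you write yourself, like the rate limit, carries an Action instead.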

High Volume Access with Automatic Credential Rotation

AWS Secrets Manager vs. AWS Systems Manager Parameter Store

  • AWS Secrets Manager:
    • Designed for: Storing and managing secrets (API keys, database credentials, etc.).
    • Features: Automatic secret rotation, cross-account access, and detailed auditing capabilities.
    • Use Case: Ideal for applications requiring frequent access to secrets with automatic rotation.
  • AWS Systems Manager Parameter Store:
    • Designed for: Storing configuration data and secrets.
    • Features: Supports parameter versioning and encryption with AWS KMS.
    • Use Case: Suitable for less dynamic secrets and configuration values with less frequent rotation needs.

Recommendation: Choose AWS Secrets Manager for high volume access to secrets with the need for automatic credential rotation.
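An added example, not from the original post, of the application side of high-volume access with automatic rotation: the secret is served from an in-process cache with a TTL and re-read from the AWSCURRENT stage once when a credential is rejected, so a rotation that just completed does not turn into a failed request. InMemorySecretsManager is a constructed stand-in for the boto3 secretsmanager client that models only get_secret_value and the staging labels a rotation relabels; the secret id and values are constructed.

```python
import time
import uuid


class InMemorySecretsManager:
    """Constructed stand-in for boto3's secretsmanager client; not the real API."""

    def __init__(self, secret_id, value):
        self.secret_id, self.calls = secret_id, 0
        vid = str(uuid.uuid4())
        self.versions = {vid: value}           # VersionId -> SecretString
        self.stages = {"AWSCURRENT": vid}      # staging label -> VersionId

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError(SecretId)
        vid = self.stages[VersionStage]
        return {"SecretString": self.versions[vid], "VersionId": vid}

    def rotate(self, new_value):
        """What the rotation function's finishSecret step does: relabel the versions."""
        vid = str(uuid.uuid4())
        self.versions[vid] = new_value
        self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = vid


class CachedSecret:
    """Serve a secret from memory; re-read it after the TTL or after an auth failure."""

    def __init__(self, client, secret_id, ttl_seconds=300.0, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def refresh(self):
        resp = self.client.get_secret_value(SecretId=self.secret_id, VersionStage="AWSCURRENT")
        self._value, self._fetched_at = resp["SecretString"], self.clock()

    def get(self):
        if self._value is None or self.clock() - self._fetched_at >= self.ttl:
            self.refresh()
        return self._value

    def call_with_secret(self, fn):
        """Run fn(secret); if the credential is rejected, refresh once and retry."""
        try:
            return fn(self.get())
        except PermissionError:
            self.refresh()
            return fn(self._value)
```

Without the cache every request would hit the Secrets Manager API; without the retry on rejection, the cached value would keep failing until the TTL expired after each rotation.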

Example Scenario: Secure Access to an Application in AWS

  1. Application in a Private Subnet:
    • Deploy your application servers in a private subnet to ensure they are not directly accessible from the internet.
  2. Secure Connectivity:
    • Use AWS Site-to-Site VPN or AWS Direct Connect for secure connectivity between your on-premises network and AWS.
    • Implement VPC Endpoints for secure access to AWS services without using the internet.
  3. Protecting Against DDoS and Application-Layer Attacks:
    • Enable AWS Shield Advanced for comprehensive DDoS protection.
    • Deploy AWS WAF on your Application Load Balancer or Amazon CloudFront distribution to protect against SQL injection and other web exploits.
  4. Managing Secrets:
    • Store and manage application secrets using AWS Secrets Manager for automatic rotation and secure access.

Conclusion

Designing and securing workloads and applications in AWS requires a solid understanding of networking fundamentals, firewalls, proxy servers, and AWS security services. AWS Shield, AWS WAF, AWS Secrets Manager, and AWS Systems Manager Parameter Store are powerful tools that provide various levels of protection and management capabilities. By carefully selecting and deploying these services, you can ensure robust security for your applications and sensitive data in the cloud.