topic Re: Amazon AWS VPN (VPC) in General Topics

Amazon AWS VPN (VPC)

peterpan13888 — Wed, 07 May 2014 20:36:53 GMT

Hi all,

We are working on moving some of our servers to AWS and they require 2 VPN redundant tunnels to be configured with our network. Amazon suggested to terminate the VPN on Internet edge router because the VPN redundancy requires BGP. Between the Internet edge router and the Palo Alto firewall, it is unprotected (but it will be on our physical premises).

I have suggested to project team to terminate the VPN on Palo Alto instead. However, in this case, the PA3020 has to run BGP which is supported. My questions are:

- whether running BGP will have a significant impact on performance?

- As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?

Do you have any best practice and recommendations for this VPN connectivity?

Thanks!

FYI:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

vs.

NIST 800-77 (http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf) a standard for all US federal agencies to follow:

3 - Traffic Not Protected by IPsec. Organizations should consider carefully the threats against network traffic after it has been processed by the receiving IPsec gateway and sent without IPsec protection across additional network segments. For example, an organization that wants to place its VPN gateway outside its Internet firewalls should ensure that the traffic passing between the IPsec gateway and the Internet firewalls has sufficient protection against breaches of confidentiality and integrity.

Re: Amazon AWS VPN (VPC)

HULK — Wed, 07 May 2014 21:16:00 GMT

Hello Peterpan,

- whether running BGP will have a significant impact on performance?

Ans: It depends upon how many routes you are having into your PAN routing table. Generally speaking, if you configure BGP on a PAN firewall and having route-filter to import and export limited routes from PAN firewall, in that situation it would not take large CPU cycles from the PAN management plane.

--As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?

Ans: Yes, it will work perfectly. As, creating an another virtual-router means, the PAN firewall will create an another routing table ( segregation of routing table)

--Do you have any best practice and recommendations for this VPN connectivity?

Ans: VPN traffic will be encrypted by ESP/AH header. Hence an extra layer will be added on the top of the packet. Hence adjust the TCP MSS or reduce it to 1420 will be a good practice. Secondly, using a higher length encryption key ( AES-256, 3 DES ) might bring latency during traffic flow, because it will take more CPU cycles to encrypt/decrypt traffic on PAN firewall. I would recommend you to use AES-128 on both VPN gateways.

Hope this helps.

Thanks

Re: Amazon AWS VPN (VPC)

peterpan13888 — Thu, 08 May 2014 03:32:48 GMT

Thanks for the great answer. By BGP filtering, do you mean implementing BGP filtering on the Edge router or on the PAN itself (an available feature?)?

Another question is whether I should insist VPN termination on the firewall and not the Internet edge router as the latter is Amazon's authoritative recommendation but NIST has some caution against it. I look like an idiot to our team because Amazon is God to them.

Re: Amazon AWS VPN (VPC)

HULK — Thu, 08 May 2014 05:37:09 GMT

Hello Peterpan,

1) I am talking about route filter implementation on PAN firewall itself. PAN is having capability to filter routes ( advartize by BGP peers) and accordingly install into it's rib/routing-table ( routing information base).

These docs might help you to implement BGP:

How to Configure BGP Route Filtering

BGP Traffic Engineering

How to Perform Route Filtering with BGP

2) How many VPN tunnels you are planning to terminate into the PAN firewall..?

Thanks

Re: Amazon AWS VPN (VPC)

peterpan13888 — Thu, 08 May 2014 12:34:21 GMT

Amazon requires 2 VPN tunnels per firewall (and we have 2 firewalls). We have around a dozen of tunnels but they are quite low traffic.

Thanks a lot for your great reply!!