- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
When it comes to protecting your workloads in AWS, security teams augment native AWS network security capabilities with next-generation threat protection that prevents exploits, malware, previously unknown threats, and data exfiltration. As security teams are increasingly adopting DevOps principles, they are also looking for a cloud-native experience that handles the delivery of next-generation security and its underlying infrastructure in a fully automated manner.
We just announced the general availability of Cloud NGFW for AWS, a Palo Alto Networks managed Next-Generation Firewall (NGFW) service that simplifies and strengthens the security of deployments in AWS. Built-in partnership with AWS, Cloud NGFW for AWS provides both best-in-class security and an easy, cloud-native experience. Cloud NGFW offers the following benefits for network security and DevOps teams alike:
Setup and deployment is a simple process as shown below and demonstrated in this video walkthrough.
Cloud NGFW supports a variety of deployment scenarios. You can use AWS gateways such as Internet Gateway, NAT gateway, and Transit gateway in conjunction with NGFW endpoint(s) and VPC routing to support distributed and centralized deployment architectures. Cloud NGFW acts as a bump-in-the-wire in outbound, east-west, and inbound traffic paths in these architectures. The traffic packet headers and payload remain intact, providing complete visibility to the destination (no SNAT/DNAT).
Inbound traffic originates outside the AWS region and is destined to resources within your VPC. An attacker generally starts gaining an initial foothold in your AWS network by using your Ingress traffic path to constantly scan for new and unknown vulnerabilities to exploit. As soon as a new path for a breach hits the media, such as the recent Log4j vulnerability, attackers start weaponizing exploits to go after those vulnerabilities and can inject malware into your environment in just a few minutes. However, the speed of vulnerability patch management across all workloads in your environment may be on the order of days.
To meet these challenges, Cloud NGFW provides an additional layer of defense by inspecting all ingress traffic to your VPCs. The Cloud NGFW service blocks the delivery of malware payloads that can otherwise exploit unpatched or unknown vulnerabilities in your workloads. Additionally, Cloud NGFW traffic logs provide deep visibility and context of VPC traffic (such as country, URL category, App-ID, application functions, filename, and file type) to your SIEM, CSPM, and CWP tools. This added visibility further helps identify, isolate and remediate compromised or unpatched workloads.
After gaining an initial foothold, the attacker’s objectives may require East-West lateral movement within your AWS environment. East-West traffic includes VPC-to-VPC traffic, such as traffic between source and destination workloads in two different VPCs. The same goes for inter-subnet traffic (traffic between workloads in two different subnets within the same VPC) and the traffic between the VPC and your on-prem environments. With Cloud NGFW, you can secure the east-west traffic and prevent lateral propagation of the attacks. For example, an attacker could use the compromised workload(s) permissions or use stolen API credentials to escalate privileges in your AWS environment. However, if your workload, subnet, or VPC has limited application access defined in Cloud NGFW, the attacker’s ability to propagate is significantly reduced.
Cloud NGFW enforces zero-trust principles by restricting east-west traffic to only an allowed set of applications. For example, you can just allow SQL calls between application tier VPC/subnets and database tier VPC/subnets in your environment. If the permitted applications in your East-West environment are transferring files, Cloud NGFW further reduces the attack surface by allowing you to limit the file types allowed. Cloud NGFW also blocks threats and malware on the allowed East-West connections by using its threat prevention profiles. Cloud NGFW even provides internal reconnaissance protection to defend against port scans and host sweeps.
The attacker may then act on the objectives by installing ransomware or performing data exfiltration using your VPC outbound traffic. That’s why safeguarding outbound traffic is critical. Cloud NGFW protects VPC outbound traffic by ensuring workloads in application VPCs only connect to permitted services and allowed URL categories. This prevents data exfiltration of sensitive information and enforces command-and-control (C2) protections. Additionally, Cloud NGFW security profiles prevent malware and vulnerabilities from entering the VPC in the return traffic.
For example, you can use Cloud NGFW to protect your VPC workloads accessing the Internet for Linux updates. Cloud NGFW ensures traffic is only sent to restricted destinations like canonical.com or ubuntu.com and uses specific applications like apt-get or yum-update. The service also ensures there are no threats hidden in these transactions. Suppose the workloads in your VPC are using GitHub for software updates. Cloud NGFW provides granular controls to reduce your attack surface by allowing your development environment to perform GitHub uploads and downloads but restricts your production environment just to perform GitHub downloads. Cloud NGFW further reduces the attack surface by allowing you to limit the file types you can upload or download from these environments and block any threats in the content.
Cloud NGFW for AWS is a regional service. Currently, it is available in US East (N. Virginia) and US West (California) regions. To learn more, visit the documentation and FAQ pages. To get hands-on experience with this, please subscribe via the AWS Marketplace page. Do also consider attending our April 21 event: Cloud NGFW: Best-in-Class Security Made Easy on AWS. In this event, you will learn how we’re addressing the current challenges of cloud-native security and get insights from leaders at AWS and Palo Alto Networks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
3 Likes | |
3 Likes | |
2 Likes |
User | Likes Count |
---|---|
12 | |
4 | |
3 | |
3 | |
2 |