Example AWS architecture with practical security.

Security of VMs and Applications located at AWS.  Example architecture with practical security. Conforms to NIST and Cloud Security Best Practices.  Perimeter, Applications, Network, and Data Access are secured.

 

 

Network security
          Port filters
  • Only specific IP ports are allowed for external access from Global Network.
  • These are SSH (22), HTTPS (443), HTTP (80).
  • SSH is secure encrypted protocol that is used only for system administrators access.
  • HTTPS is secure encrypted protocol that is used for user application communication.
  • HTTP is not secure, not encrypted protocol that is immediately switched to HTTPS as soon as user’s browser tries to reach HTTP. HTTP is open only for user convenience.
  • FTP (20,21,47304) is open only for access from Corporate IP 216.aa.bbb.55.
  • All other ports are closed, including ICMP (ping, traceroute).
  • There are two levels of port filtering:
  • AWS network policies
  • System Firewall

 

          Application Server certificate and traffic encryption
  • Domain name http://ipjornal.com/author/vs/page/ yyyy.com is secured by certificate registered at trusted certificate authority.
  • All browsers have certificate verification capabilities. The site with correct certificate will have “Green Lock” icon near URL, that indicates the site is verified and trusted.
  • All user’s traffic goes via HTTPS only and is encrypted.
  • Browsers use HTTPS. When they try to enter via HTTP, they are automatically switched to HTTPS by the web application.
  • Application uses HTTPS and certificate verification as well.
  • It is safe to access web applications from public networks.

 

          User application access
  • Users access the application portal using browsers via HTTPS.
  • Users are authenticated by usernames and passwords. It is important for users to use strong passwords.
  • We are planning to implement passwords complexity policy in next versions of the application.

 

          FTP application access

 

          System administration access
  • System administrators access systems only via SSH using RSA keys and strong passwords.

 

Attack detection and prevention
          System attack detection
  • Special system software monitors unsuccessful attempts to login to SSH protocol and blocks an attacker IP for couple of hours after several unsuccessful attempts.

 

          Application attack detection
  • Special system software monitors unsuccessful attempts to login to the application and blocks an attacker IP for couple of hours after several unsuccessful attempts.
  • Corporate IP will be never blocked because that would cause blocking of all other users working from office.

 

           Rootkit/virus detection
  • Special system software monitors possible rootkits/virus’s installations and alerts system administrators if this is detected.

 

Leave a Reply

Your email address will not be published. Required fields are marked *