Security of VMs and Applications located at AWS. Example architecture with practical security. Conforms to NIST and Cloud Security Best Practices. Perimeter, Applications, Network, and Data Access are secured.
- Only specific IP ports are allowed for external access from Global Network.
- These are SSH (22), HTTPS (443), HTTP (80).
- SSH is secure encrypted protocol that is used only for system administrators access.
- HTTPS is secure encrypted protocol that is used for user application communication.
- HTTP is not secure, not encrypted protocol that is immediately switched to HTTPS as soon as user’s browser tries to reach HTTP. HTTP is open only for user convenience.
- FTP (20,21,47304) is open only for access from Corporate IP 216.aa.bbb.55.
- All other ports are closed, including ICMP (ping, traceroute).
- There are two levels of port filtering:
- AWS network policies
- System Firewall
Application Server certificate and traffic encryption
- Domain name yyyy.com is secured by certificate registered at trusted certificate authority.
- All browsers have certificate verification capabilities. The site with correct certificate will have “Green Lock” icon near URL, that indicates the site is verified and trusted.
- All user’s traffic goes via HTTPS only and is encrypted.
- Browsers use HTTPS. When they try to enter via HTTP, they are automatically switched to HTTPS by the web application.
- Application uses HTTPS and certificate verification as well.
- It is safe to access web applications from public networks.
User application access
- Users access the application portal using browsers via HTTPS.
- Users are authenticated by usernames and passwords. It is important for users to use strong passwords.
- We are planning to implement passwords complexity policy in next versions of the application.
FTP application access
- Users synchronizes required data from AS400 database to app database via files transfers.
- There are some limitations of AS400 to use contemporary encrypted protocols (like SSH).
- Files are transferred via FTP protocol, that is not encrypted.
- To mitigate this vulnerability, access to FTP is allowed only from Corporate IP aa.bbb.55. This is set by AWS IP filter policy and system firewall.
System administration access
- System administrators access systems only via SSH using RSA keys and strong passwords.
Attack detection and prevention
System attack detection
- Special system software monitors unsuccessful attempts to login to SSH protocol and blocks an attacker IP for couple of hours after several unsuccessful attempts.
Application attack detection
- Special system software monitors unsuccessful attempts to login to the application and blocks an attacker IP for couple of hours after several unsuccessful attempts.
- Corporate IP will be never blocked because that would cause blocking of all other users working from office.
- Special system software monitors possible rootkits/virus’s installations and alerts system administrators if this is detected.