Cloud Network Security
Cloud Network Security Framework
In-depth Security Techniques & AWS Implementation
Network security in the cloud is defined by the Shared Responsibility Model. While AWS secures the physical infrastructure, you are responsible for securing the virtual network layers through multi-layered traffic control and isolation.
1. Core Network Security Techniques & AWS Tools
VPC Isolation
Divide your VPC into Public Subnets for internet-facing resources and Private Subnets for internal logic and databases.
Stateful Inspection
Security Groups act as virtual firewalls for instances, allowing specific ports like 443 (HTTPS) while blocking all unauthorized traffic.
Edge Protection
AWS Shield and AWS WAF mitigate DDoS attacks and common web exploits at the entry point of your global network.
2. Network Access Control Lists (NACL)
A Network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
The Importance of NACLs
- Defense in Depth: Provides a secondary security gate at the subnet boundary to catch traffic missed by instance-level security.
- Explicit Deny (Blacklisting): Allows you to explicitly block specific malicious IP addresses.
- Stateless Filtering: Provides granular control by requiring rules for both inbound and outbound traffic paths.
3. Steps to Secure a Network Using NACLs
Create custom NACLs for Public and Private subnets rather than using the default "Allow All" NACL.
Number rules in increments (e.g., 100, 110) to leave room for future rule insertion. Rules are evaluated from the lowest number upward, and the first matching rule is applied, so an explicit deny must carry a lower number than any allow it is meant to override.
Explicitly allow only required ports (e.g., Port 443 for Web subnets) from trusted CIDR ranges.
Because NACLs are stateless, add outbound rules for ports 1024-65535 to allow server responses to reach clients.
Ensure the final rule (*) is set to Deny, ensuring any traffic not explicitly permitted is dropped.
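The five steps above describe a rule set and the order in which the subnet evaluates it. The following added example (written for this page, not AWS code or output) models that evaluation in plain Python so the two stateless-filtering pitfalls can be seen directly: an explicit deny that is numbered above the allow never fires, and a web subnet without the ephemeral-port outbound rule drops the server's own responses. The rule sets, IP addresses, and the `Rule`/`evaluate` names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One NACL entry. Port range is inclusive; cidr is the remote side
    (source for inbound, destination for outbound)."""
    number: int
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp" or "all"
    port_range: tuple   # (low, high)
    cidr: str
    action: str         # "allow" or "deny"


def evaluate(rules, direction, protocol, port, remote_ip):
    """First-match evaluation in ascending rule number, one direction at a time.
    Anything that matches no numbered rule hits the catch-all '*' deny."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        low, high = r.port_range
        if not low <= port <= high:
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        return r.action, r.number
    return "deny", "*"


# Constructed web-subnet NACL following the steps on this page:
# explicit deny for one address at 90 (below the allow), HTTPS in at 100,
# ephemeral-port responses out at 100. 198.51.100.7 is a documentation address.
WEB_NACL = [
    Rule(90,  "inbound",  "all", (0, 65535),     "198.51.100.7/32", "deny"),
    Rule(100, "inbound",  "tcp", (443, 443),     "0.0.0.0/0",       "allow"),
    Rule(100, "outbound", "tcp", (1024, 65535),  "0.0.0.0/0",       "allow"),
]

# Same allows, but the deny was numbered 120 (above the allow) and the
# outbound ephemeral rule was forgotten: both are common misconfigurations.
BROKEN_NACL = [
    Rule(100, "inbound",  "tcp", (443, 443),     "0.0.0.0/0",       "allow"),
    Rule(120, "inbound",  "all", (0, 65535),     "198.51.100.7/32", "deny"),
]


def https_session(rules, client_ip, client_port=51000):
    """Verdicts for a client's request packet and the server's reply packet.
    Because NACLs are stateless, the reply is judged on its own."""
    request = evaluate(rules, "inbound", "tcp", 443, client_ip)
    reply = evaluate(rules, "outbound", "tcp", client_port, client_ip)
    return request, reply


if __name__ == "__main__":
    for name, nacl in (("WEB_NACL", WEB_NACL), ("BROKEN_NACL", BROKEN_NACL)):
        print(name, "normal client:", https_session(nacl, "203.0.113.10"))
        print(name, "blocked client:", https_session(nacl, "198.51.100.7"))
```

Running it shows `WEB_NACL` admitting the request and the reply for an ordinary client while denying the blocked address at rule 90; `BROKEN_NACL` lets the blocked address through at rule 100 before rule 120 is ever reached, and denies every reply at `*` because no outbound rule covers ports 1024-65535.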
Securing SSH Connections to AWS EC2
Understanding Key Pairs, Handshakes, and Encryption Strategies
Securing an SSH connection to an EC2 instance involves a sophisticated handshake that combines asymmetric encryption for identity verification and symmetric encryption for the actual data transfer.
1. The Foundation: Asymmetric Encryption
AWS utilizes RSA or ED25519 algorithms to manage access via Key Pairs:
- Public Key: Stored by AWS on the EC2 instance in ~/.ssh/authorized_keys.
- Private Key: The .pem or .ppk file downloaded by the user. Note: AWS does not store this; it is the user's sole responsibility.
2. The Verification Process (The Handshake)
Step A: Host Verification
The instance sends its Host Public Key to the client. The client checks its known_hosts file to prevent Man-in-the-Middle (MITM) attacks.
Step B: User Authentication (The Challenge)
The server generates a random challenge, encrypts it with the Public Key, and sends it to the client. Only the holder of the Private Key can decrypt this challenge and send the correct result back to prove their identity.
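Step A is the part of the handshake an operator can actually inspect: the client compares the presented host key against its known_hosts file and should refuse to proceed when a known host suddenly presents a different key. The added example below (illustrative code written for this page, not OpenSSH or AWS code) implements that comparison for ssh-ed25519 entries, including the hashed-hostname form that OpenSSH writes when HashKnownHosts is enabled, and computes the SHA256 fingerprint in the same form `ssh-keygen -lf` prints so it can be checked against the console's system log. The host names, key bytes, salt, and function names are constructed for the example.

```python
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_wire(raw_public_key: bytes) -> bytes:
    """Public key blob as it appears (base64) in known_hosts and in the host's key file."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH notation: base64 digest without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """OpenSSH HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(host_field: str, hostname: str) -> bool:
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        expected = hashed_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, host_field)
    return hostname in host_field.split(",")   # plain entries may list several names


def verify_host(known_hosts_text: str, hostname: str, key_type: str, presented_blob: bytes) -> str:
    """'ok' if a stored entry matches, 'mismatch' if the host is known but the key
    differs (the MITM signal), 'unknown' if there is no entry at all."""
    seen = False
    for line in known_hosts_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host_field, ktype, key_b64 = parts[0], parts[1], parts[2]
        if ktype != key_type or not host_matches(host_field, hostname):
            continue
        seen = True
        if hmac.compare_digest(base64.b64decode(key_b64), presented_blob):
            return "ok"
    return "mismatch" if seen else "unknown"


# Constructed keys: 32 arbitrary bytes each, standing in for real Ed25519 public keys.
GOOD_BLOB = ed25519_wire(bytes(range(32)))        # the instance's genuine host key
BAD_BLOB = ed25519_wire(bytes(range(32, 64)))     # a different key presented later
SALT = hashlib.sha1(b"constructed salt").digest()  # 20 bytes, as OpenSSH uses

PUBLIC_HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"
PRIVATE_HOST = "10.0.1.25"

# Constructed known_hosts content: one plain entry and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed for the example",
    f"{PUBLIC_HOST},203.0.113.10 ssh-ed25519 {base64.b64encode(GOOD_BLOB).decode()}",
    f"{hashed_hostname(PRIVATE_HOST, SALT)} ssh-ed25519 {base64.b64encode(GOOD_BLOB).decode()}",
])

if __name__ == "__main__":
    print("expected fingerprint:", fingerprint(GOOD_BLOB))
    print("genuine key:", verify_host(KNOWN_HOSTS, PUBLIC_HOST, "ssh-ed25519", GOOD_BLOB))
    print("changed key:", verify_host(KNOWN_HOSTS, PUBLIC_HOST, "ssh-ed25519", BAD_BLOB))
    print("via hashed entry:", verify_host(KNOWN_HOSTS, PRIVATE_HOST, "ssh-ed25519", GOOD_BLOB))
```

The "mismatch" result is the one that matters operationally: a first connection to a new instance legitimately returns "unknown" and should be confirmed against the fingerprint shown in the instance's system log, whereas a known host returning a different key is the condition the known_hosts check exists to catch.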
3. Encryption and Integrity Strategies
| Layer | Algorithm | Purpose |
|---|---|---|
| Authentication | RSA / ED25519 | Verifies identities of client and server. |
| Bulk Encryption | AES-256 | Encrypts the actual data stream (Symmetric). |
| Data Integrity | HMAC-SHA256 | Ensures packets are not altered in transit. |
4. AWS Enhancement: EC2 Instance Connect
Modern SSH access on AWS often uses EC2 Instance Connect, which offers several advantages:
- IAM-Based Access: Permission to SSH is managed via IAM policies rather than static keys.
- Temporary Keys: AWS generates a one-time key pair and injects the public key into the instance for 60 seconds.