Firewall Options in AWS

Discussion in 'Business & Enterprise Computing' started by gav1ski, May 28, 2019.

  1. OP
    gav1ski

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    Cost vs benefit: we actually have 6 servers behind the firewall with different roles, and our single server loss recovery time is about 15 mins and a full availability zone loss recovery is under 2 hours (though a bit longer to get back to full performance on the main RDS server). Giving us a fully redundant environment would have doubled our hosting costs and we were happy with the recovery time.
     
  2. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,608
    Location:
    Sydney
    Cool. Another thing to consider: generally, if you go behind the LB you can do two servers with half the CPU each, for the same price.
     
  3. Alationever

    Alationever Member

    Joined:
    Jun 10, 2014
    Messages:
    56
  4. Render

    Render Member

    Joined:
    Jun 27, 2001
    Messages:
    411
    Location:
    Canberra, ACT, Australia
    Huge fan of Palo Alto. Bundle1 would be good enough for this use case, though it's still about 3k/yr.
    You could also go Fortinet for 1.5k/yr which will also work.

    I'm not sure what Sophos' WAF capabilities are like, but the Forti and Palo aren't WAFs, like Imperva or F5 ASM. But connection brute force is not WAF protection, but IPS.
     
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,593
    Location:
    Canberra
  6. albeeny

    albeeny Member

    Joined:
    Feb 25, 2002
    Messages:
    121
    Location:
    Syd
  7. OP
    gav1ski

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    I have not had a look at this one, but it's almost 3x what we are paying now so I don't think I can get that past the boss.
     
  8. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,861
    https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/capabilities.html

    Scanners and probes: Malicious sources scan and probe Internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes, and you can use this history to help identify and block malicious source IP addresses. This solution creates an AWS Lambda function or an Amazon Athena query that automatically parses Amazon CloudFront or Application Load Balancer access logs, counts the number of bad requests from unique source IP addresses per minute, and updates AWS WAF to block further scans from addresses with high error rate – the ones that reached the defined-error threshold.

    PANs are wonderful but pricey and I would question their value if the only thing you're after (that your Sophos doesn't do) is single IP DoS protection.
    Any non-native AWS service (i.e. custom instance you have to MacGyver into the network path) is pants for inbound/DMZ. Scaling/HA (NAT targets...) becomes either impossible or an exercise in the world's most complicated Rube Goldberg machine complete with DNATs and inside/outside load balancers. Has anyone read the PAN reference arch for DMZ firewalling in AWS lolololol it's HILARIOUS (TLDR: do not want).
     
    Last edited: Jun 4, 2019
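The per-minute 4xx counting that the AWS WAF Security Automations doc quoted above describes, as an added illustration that is not AWS's own Lambda code: it reads constructed ALB access log lines, buckets 4xx responses per source IP per minute, and returns the IPs that reached an assumed threshold (the step that pushes those IPs into a WAF IP set is left out).

```python
from collections import Counter

# Constructed ALB access log lines (not real traffic). Only the leading
# unquoted fields are read: timestamp (field 1), client:port (field 3) and
# elb_status_code (field 8); everything after the quoted request is ignored.
SAMPLE_LOG = """\
https 2019-06-04T10:15:02.123456Z app/my-alb/abc123 203.0.113.7:44321 10.0.1.12:80 0.000 0.002 0.000 404 404 120 450 "GET https://example.test:443/wp-login.php HTTP/1.1" "scanner/1.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:15:03.001000Z app/my-alb/abc123 203.0.113.7:44322 10.0.1.12:80 0.000 0.001 0.000 404 404 120 450 "GET https://example.test:443/.env HTTP/1.1" "scanner/1.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:15:04.500000Z app/my-alb/abc123 203.0.113.7:44323 10.0.1.12:80 0.000 0.001 0.000 403 403 120 300 "GET https://example.test:443/admin HTTP/1.1" "scanner/1.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:15:05.250000Z app/my-alb/abc123 203.0.113.7:44324 10.0.1.12:80 0.000 0.001 0.000 404 404 120 450 "GET https://example.test:443/phpmyadmin/ HTTP/1.1" "scanner/1.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:15:06.000000Z app/my-alb/abc123 198.51.100.9:51000 10.0.1.12:80 0.000 0.010 0.000 200 200 300 8000 "GET https://example.test:443/ HTTP/1.1" "Mozilla/5.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:15:07.000000Z app/my-alb/abc123 198.51.100.9:51001 10.0.1.12:80 0.000 0.002 0.000 404 404 300 450 "GET https://example.test:443/favicon.ico HTTP/1.1" "Mozilla/5.0" - - - "-" "-" "-" - - "-" "-" "-"
https 2019-06-04T10:16:01.000000Z app/my-alb/abc123 203.0.113.7:44325 10.0.1.12:80 0.000 0.001 0.000 404 404 120 450 "GET https://example.test:443/xmlrpc.php HTTP/1.1" "scanner/1.0" - - - "-" "-" "-" - - "-" "-" "-"
this line is truncated garbage
"""

ERROR_THRESHOLD = 3  # assumed: 4xx responses per source IP per minute before blocking


def parse_line(line):
    """Return (client_ip, minute, status) for one ALB log line, or None if unparsable."""
    fields = line.split()
    if len(fields) < 9:
        return None
    timestamp, client, status = fields[1], fields[3], fields[8]
    if not status.isdigit():          # elb_status_code can be "-" for aborted requests
        return None
    client_ip = client.rsplit(":", 1)[0]   # strip the ephemeral source port
    minute = timestamp[:16]                # "2019-06-04T10:15" -> one bucket per minute
    return client_ip, minute, int(status)


def count_bad_requests(lines):
    """Count 4xx responses per (client_ip, minute) bucket; other lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, minute, status = parsed
        if 400 <= status < 500:
            counts[(client_ip, minute)] += 1
    return counts


def ips_to_block(lines, threshold=ERROR_THRESHOLD):
    """Source IPs whose 4xx count reached the threshold within any single minute."""
    hot = {ip for (ip, _), n in count_bad_requests(lines).items() if n >= threshold}
    return sorted(hot)
```

Note that a single 404 from a normal browser (the favicon request above) stays under the threshold, which is why the doc's per-minute error-rate threshold matters more than any single bad request.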
