Cloud Foundry Boundary Protection
Cloud Foundry implements network traffic rules using Linux iptables on the component VMs. Operators can configure rules to prevent system access from external networks and between internal components, and to restrict applications from establishing connections over the DEA network interface.
Spoofing: If an IP, MAC, or ARP spoofing attack bypasses the physical firewall for the deployment, Cloud Foundry network traffic rules help prevent the attack from accessing application containers. Cloud Foundry uses application isolation, operating system restrictions, and encrypted connections to further mitigate risk.
The AWS network provides significant protection against traditional network security issues, and 18F can implement further protection. The following are a few examples:
Distributed Denial of Service (DDoS) attacks: AWS API endpoints are hosted on large, Internet-scale infrastructure. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Man in the Middle (MITM) attacks: All of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. 18F can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. 18F uses SSL for all interactions with AWS.
IP spoofing: Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block). The firewall is configured in groups permitting different groups of instances to have different rules.
Application Security Groups
Cloud Foundry recommends using Cloud Foundry Application Security Groups (ASGs) to specify egress access rules for your applications. This functionality securely restricts application outbound traffic to predefined routes.
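As an added example (not cloud.gov's or Cloud Foundry's own tooling), the following Python script audits an ASG definition in the Cloud Foundry ASG JSON format against a set of internal address ranges that application containers should not reach, and computes the complementary public destination ranges an egress ASG can allow without touching them. The internal CIDRs in INTERNAL_RANGES and the sample ASG are constructed values, not cloud.gov's real network layout.

```python
import ipaddress
import json

# Assumed internal ranges app containers must not reach (constructed values, not cloud.gov's).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "169.254.0.0/16")]

# Constructed sample ASG in the Cloud Foundry ASG JSON format.
SAMPLE_ASG = json.dumps([
    {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "443", "description": "public https"},
    {"protocol": "tcp", "destination": "10.10.2.5", "ports": "5432", "description": "database"},
    {"protocol": "all", "destination": "192.0.2.0-192.0.2.15", "description": "partner range"},
])

def destination_networks(dest):
    """Expand an ASG destination (single IP, CIDR, or 'a-b' range) into networks."""
    if "-" in dest:
        start, end = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(dest, strict=False)]

def audit_asg(asg_json, internal=INTERNAL_RANGES):
    """Return (rule index, destination) for each rule that can reach an internal range."""
    findings = []
    for i, rule in enumerate(json.loads(asg_json)):
        nets = destination_networks(rule["destination"])
        # ASGs are allow-lists with no deny rules, so a 0.0.0.0/0 rule is flagged too: it reaches everything.
        if any(net.overlaps(r) for net in nets for r in internal):
            findings.append((i, rule["destination"]))
    return findings

def public_destinations(internal=INTERNAL_RANGES):
    """Split 0.0.0.0/0 into 'a-b' destination strings that skip the internal ranges."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for blocked in internal:
        kept = []
        for net in remaining:
            if net.subnet_of(blocked):
                continue                                   # entirely internal: drop it
            if blocked.subnet_of(net):
                kept.extend(net.address_exclude(blocked))  # carve the hole out
            else:
                kept.append(net)
        remaining = kept
    ranges = []
    for net in sorted(ipaddress.collapse_addresses(remaining)):
        if ranges and ranges[-1][1] + 1 == net.network_address:
            ranges[-1][1] = net.broadcast_address          # contiguous: extend the range
        else:
            ranges.append([net.network_address, net.broadcast_address])
    return [f"{a}-{b}" for a, b in ranges]
```

The strings returned by public_destinations() can be used directly as the "destination" field of ASG rules that grant Internet egress while leaving the internal ranges unreachable.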
System and Communications Protection Policy for cloud.gov
18F monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
18F implements subnetworks for publicly accessible system components that are logically separated from internal organizational networks by using a well-formed Amazon Virtual Private Cloud (VPC). A VPC is a virtual network dedicated to an AWS account that is logically isolated from other virtual networks in the AWS cloud. For the cloud.gov VPC, 18F has selected its IP address range, created subnets, and configured route tables, network gateways, and security settings, all logically separated from any other internal organizational networks.
18F staff connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the organizational security architecture.
Amazon Virtual Private Cloud
AWS Boundary Protection - Secure Network Architecture
18F utilizes the AWS-provided virtual network devices, including firewalls and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface and manage and enforce the flow of traffic. Designated privileged users (PUs) connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. PUs utilize the AWS Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud. Each VPC is configured to utilize routing rules, subnet rules, and security group rules. Each of these controls must have appropriate rules and routes in place before any external service is able to reach a host within AWS.
Each VPC is configured to utilize routing tables and security groups. Each of these controls must have appropriate rules and routes in place before any external service is able to reach a host within the information system boundary.
The information system is internal to the defined VPC and does not connect to external networks or information systems outside the VPC.