Extending Security of your AWS Infrastructure with OpenSource Tools Applicable to Azure and mostly other clouds.

Extending Security of your AWS Infrastructure with ... · of your AWS Infrastructure with OpenSource Tools ... PaloAlto Firewall with VPN $4500/year + AWS Instance Charges. ... Snort


Page 1:

Extending Security of your AWS Infrastructure with OpenSource Tools

Applicable to Azure and mostly other clouds.

Page 2:
Page 3:

Swiss Army Knife

Page 4:
Page 5:

About pfSense Appliance

● pfSense® - World's Most Trusted Open Source Firewall
● Available as Virtual Appliance in AWS & Azure.
● Get it from Marketplace.

Page 6:
Page 7:
Page 8:

Single Entry Point for Administration with SSH, or Control over SSH Access

Page 9:

pfSense as JumpBox

● Another ready-made solution.
● NAT + Firewall capabilities.
● Supports inbound NAT with port forward.

Page 10:

Responsibilities
● NAT Gateway + Port NAT
● Bastion Host

Monthly Price Advantage: $25
Yearly Price Advantage: $300

Page 11:

Typical AWS ELB Infra

Page 12:

Limitations with ELB
● No HTTP ACLs
● No HTTPS redirect from ELB
● No SSL Client Auth
● No SSL SNI Support

(Got introduced in ALB)

Page 13:

Elastic LB or HAProxy
● ELB is a great product, still with limitations.

Page 14:

ELB replaced with HAProxy

Page 15:

If we use HAProxy:
● ACL with various regular expressions, blacklisting.
● More frontend and backend options.
● Better monitoring options.
● Re-configurability / customisations.
● HTTPS redirection from HAProxy itself.
● SSL termination with SNI (multiple SSL certificates and multiple IPs).
● SSL client authentication.
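The HAProxy features listed above, shown together in one configuration. This is an added example, not a file from the deck or from the HAProxy project: the plain-HTTP frontend redirects to HTTPS, the TLS frontend blocks by source list and path regex, picks a certificate per SNI name from a directory, and requires a verified client certificate only for the admin hostname. Hostnames, backend addresses, file paths and the /healthz check are assumptions.

```haproxy
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # HTTPS redirect done by the proxy itself (classic ELB could not do this)
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    # SNI: one listener serves every PEM in the directory; HAProxy picks the
    # certificate matching the client hello. Client certs are requested but
    # only enforced below, for the admin hostname (paths are assumptions).
    bind *:443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/client-ca.pem verify optional

    # ACLs: blocklist by source address (one CIDR per line) and by path regex
    acl blocked_src src -f /etc/haproxy/blocklist.txt
    acl bad_path    path_reg -i (/\.git|/wp-admin|\.php$)
    http-request deny deny_status 403 if blocked_src || bad_path

    # SSL client authentication for admin.example.com (assumed hostname):
    # deny unless a certificate was presented and verified against the CA
    acl host_admin     ssl_fc_sni -i admin.example.com
    acl cert_presented ssl_c_used
    acl cert_verified  ssl_c_verify 0
    http-request deny deny_status 403 if host_admin !cert_presented || host_admin !cert_verified

    use_backend admin_app if host_admin
    default_backend web_app

backend web_app
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.1.11:8080 check
    server web2 10.0.1.12:8080 check

backend admin_app
    server admin1 10.0.2.21:8080 check
```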

Page 16:
Page 17:

Responsibilities
● NAT GW + Port NAT + Network FW + Bastion Host + Load Balancer + Web Application Firewall

Price Advantage Monthly: $50
Price Advantage Yearly: $600

Page 18:

Remote Access VPN
● In AWS, no ready solution.
● Marketplace has many options.
● pfSense works as the most cost-effective.

Page 19:

Wow! It is worth the money

Cisco Cloud Router $2233/year + AWS Instance Charges

Fortinet Firewall with VPN $1992/year + AWS Instance Charges

PaloAlto Firewall with VPN $4500/year + AWS Instance Charges.

Sophos UTM $788/year + AWS Instance Charges.

Netgate pfSense Firewall with VPN $600/year

You can run a t2.nano pfSense for $75/year

Page 20:

Responsibilities
● NAT GW + Network FW
● Bastion Host
● Load Balancer + Web Application
● Remote Access VPN

Price Advantage Monthly: $50 + $116 = $166
Price Advantage Yearly: $600 + $1392 = $1992

Page 21:

Site-Site VPN
● Extends your office network securely.
● No need to have endpoint client software.

Page 22:

Options
● AWS Managed VPN Gateways.
● pfSense VPN Gateway for Site-Site Access.

Page 23:

AWS VPN Gateway

Page 24:

Replace with pfSense

Page 25:

Advantages of pfSense over AWS Managed Solution
● AWS is restricted to only the IPsec option.
● pfSense has more options like IPsec, OpenVPN, tinc, etc.
● No added price for an additional tunnel.

Page 26:

Responsibilities
● NAT GW + Network FW
● Bastion Host
● Load Balancer + Web Application
● Remote Access VPN
● Site-Site VPN (OpenVPN / IPsec)

Price Advantage Monthly: $166 + $73 = $239
Price Advantage Yearly: $1992 + $876 = $2868

Page 27:

IPS Solutions
● No ready-made solutions.
● Marketplace has options like Alert Logic / McAfee.

Page 28:

pfSense Options
● Snort IDS / IPS
● Suricata IDS / IPS

Can use it as Host/Network IDS.

Rule sets are available for HTTP/SMTP/POP3S/IMAPS/Apache etc.

Page 29:
Page 30:

Responsibilities
● NAT Gateway
● Bastion Host
● Load Balancer + Web Application
● Remote Access VPN
● IDS / IPS Functionalities

Price Advantage Monthly: $239 + $198 = $437
Price Advantage Yearly: $2868 + $2376 = $5244

Page 31:

Redundancy and Failover

Possible to set up failover of the pfSense instance with CARP.

Round-robin DNS records.

Page 32:

Now your AWS infra is more secure and fits your pocket better, with a single device.

[email protected] FCOOS

Page 33:

Questions?

Thank You

Page 34:

Other OpenSource Tools

● Fail2ban:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, seeking for exploits, etc.

● Scout2:

Scout2 is an open source tool that helps assess the security posture of AWS environments. Using the AWS API, the Scout2 Python scripts fetch CloudTrail, EC2, IAM, RDS and S3 configuration data.
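The Fail2ban behaviour described above (count failures per source inside a time window, ban when a threshold is reached), reduced to a Python function and run over constructed sshd log lines from a bastion such as the single SSH entry point in this deck. This is an added example, not Fail2ban's own code; the maxretry and findtime defaults mirror a typical sshd jail and are assumptions, as are the log lines and the year used to parse syslog timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines for a bastion host (not real traffic).
# 203.0.113.7 fails 5 times in 30 s; 198.51.100.9 fails 5 times spread
# 10 minutes apart, so it never reaches maxretry inside one findtime window.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Mar  3 10:00:05 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 41130 ssh2
Mar  3 10:00:09 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 41131 ssh2
Mar  3 10:00:12 bastion sshd[2207]: Accepted publickey for ops from 198.51.100.2 port 50022 ssh2
Mar  3 10:00:30 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 41140 ssh2
Mar  3 10:00:31 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 41141 ssh2
Mar  3 10:20:00 bastion sshd[2300]: Failed password for root from 198.51.100.9 port 50100 ssh2
Mar  3 10:30:00 bastion sshd[2301]: Failed password for root from 198.51.100.9 port 50101 ssh2
Mar  3 10:40:00 bastion sshd[2302]: Failed password for root from 198.51.100.9 port 50102 ssh2
Mar  3 10:50:00 bastion sshd[2303]: Failed password for root from 198.51.100.9 port 50103 ssh2
Mar  3 11:00:00 bastion sshd[2304]: Failed password for root from 198.51.100.9 port 50104 ssh2
"""

# Equivalent of a Fail2ban failregex for the sshd jail: timestamp and source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; the year is an assumed constant."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for each source reaching maxretry failures
    inside a sliding findtime window, as a Fail2ban jail would."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:                 # successful logins and other lines are ignored
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans:            # already banned; nothing more to do
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans
```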