Amazon VPC 내의 주요 자원을 보호하거나 규정 준수를 위해 사용되어야 하는 보안 어플라이언스의 효율적인 구성을 돕는 AWS Gateway Load Balancer의 사용 방법과 동작 원리를 알려 드립니다. Amazon VPC 내부에서 인터넷 사이트의 접근을 제한하거나 외부로부터의 침입 탐지 및 차단 기능을 사용할 수 있는 IPS 기능을 포함하는 AWS 의 관리형 방화벽인 AWS Network Firewall 의 사용 방법과 구성 가능한 다양한 레퍼런스 케이스에 대해서도 설명해 드립니다.

1. K O R E A | M A Y 1 1 - 1 2 , 2 0 2 1

2. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
더욱 진화하는 AWS 네트워크 보안
신은수
시큐리티 스페셜리스트 솔루션즈 아키텍트
AWS
Gateway Load Balancer & AWS Network Firewall

3. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway Load Balancer
- 네트워크 보안 요구 사항
- 3rd Party 보안 솔루션 구성
- Gateway Load Balancer 사용
AWS Network Firewall
- AWS Network Firewall 소개
- AWS Network Firewall 규칙의 사용
- AWS Network Firewall 구성안
주요 내용

4. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
개인정보보호나 규정 준수를 위해 침입차단솔루션
(IPS)을 구축하여야 하는데
AWS 환경에서는 어떻게 해야 하나요?

5. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway Load Balancer

6. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS 환경에서의 네트워크 보안 요구 사항
보안

7. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Active – Passive 구성
3rd Party 보안 솔루션 구성
EC2
Private IP
Public IP
보안 솔루션 Fail Over 시나리오, 확장의 어려움, Single Point of Failure.
Challenge

8. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
3rd Party 보안 솔루션 구성
EC2
Private IP
Public IP
Client IP Address 로깅
Elastic Load Balancer 구성
Challenge

9. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
3rd Party 보안 솔루션 구성
Elastic IP Gateway Load Balancer Endpoint
Private IP
Gateway Load Balancer 구성
EC2
EC2
Private Link
GENEVE 터널

10. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
트래픽 흐름
GWLB Endpoint
Source IP Destination IP
214.13.213.11 Public IP
Source IP Destination IP
214.13.213.11 Private EC2 IP
Inner Source IP Inner Destination IP
214.13.213.11 Private EC2 IP
Outer Source IP Outer Destination IP
GWLB IP Private Firewall IP
Inner Source IP Inner Destination IP
214.13.213.11 Private EC2 IP
Outer Source IP Outer Destination IP
Private Firewall IP GWLB IP
Source IP Destination IP
214.13.213.11 Private EC2 IP
GWLB
EC2
GENEVE 터널
Gateway Load Balancer 구성

11. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GWLB 구성을 위한 라우팅 설정
GWLBE1
Availability Zone Availability Zone
GWLBE2
Destination Target
10.0.0.0/16 Local
Public Subnet1 GWLBe1
Public Subnet2 GWLBe2
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 GWLBE1
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 NGW
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 GWLBE2
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 NGW

12. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway Load Balancer
구성요소
장점
구축

13. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall

14. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall

15. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall
Firewall Subnet
Customer VPC
Availability Zone Availability Zone
Firewall Subnet
Public subnet Public subnet
Private subnet Private subnet

16. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
기존 네트워크 보안 기능과의 차이점
Network Access
Control List
흐름 처리 : Stateless
규칙 검사 : Order
규칙 액션 : Allow,Deny
적용 대상 : Subnet
Security
Group
흐름 처리 : Stateful
규칙 검사 : 모두 검사
규칙 액션 : Allow
적용 대상 : EC2orENI
Stateless
Engine
흐름 처리 : Stateless
규칙 검사 : Order
규칙 액션 : Pass,Drop,
Forward
적용 대상: Routing 기준
Stateful
Engine
흐름 처리 : Stateful
규칙 검사 : 모두 검사
규칙 액션 : Pass,Drop,Alert
적용 대상: StatelessForward
규칙 기준
AWS Network
Firewall

17. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall 기본 구조
• 사용자 트래픽은 Gateway Load Balancer Endpoint 를
이용해서 Network Firewall 로 전달
• Ingress Routing을 이용하여 Internet Gateway 의
라우팅 조정 Firewall Subnet
Customer VPC
Availability Zone Availability Zone
Firewall Subnet
Public subnet Public subnet
Private subnet Private subnet
AWS Managed VPC
AWS Network Firewall
Availability Zone Availability Zone
@AWS Network Firewall 은 사용중인 가용 영역에 모두 활성화하는 것을 권고합니다.

18. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall 라우팅 흐름
Firewall Subnet A
Customer VPC
Availability Zone A Availability Zone B
Firewall Subnet B
Public subnet A Public subnet B
Private subnet A Private subnet B
GWLBE-A GWLBe-B
NGW-A NGW-B
10.0.0.0/16
10.0.1.0/24 10.0.2.0/24
10.0.11.0/24 10.0.12.0/24
10.0.21.0/24 10.0.22.0/24
Firewall Subnet A
Public Subnet A
Private Subnet A
Firewall Subnet B
Public Subnet B
Private Subnet B
Internet Gateway
Route Destination
10.0.0.0/16 Local
10.0.11.0/24 GWLBE-A
10.0.12.0/24 GWLBE-B
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 IGW
GWLBE-A <-> Network Firewall
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 IGW
GWLBE-B <-> Network Firewall
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 GWLBE-A
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 GWLBE-B
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 NGW-A
Route Destination
10.0.0.0/16 Local
0.0.0.0/0 NGW-B

19. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Stateless 규칙의 적용 예시
"RuleDefinition": {
"MatchAttributes": {
"Sources": [
{
"AddressDefinition": "10.1.0.0/16"
}
],
"Destinations": [
{
"AddressDefinition": "214.21.233.12/32"
},
{
"AddressDefinition": "213.32.11.91/32"
}
], "SourcePorts": [
{
"FromPort": 0,
"ToPort": 65535
}
],
"DestinationPorts": [
{
"FromPort": 80,
"ToPort": 80
}
],
"Protocols": [
6
"TCPFlags": [
{
"Flags": [
"SYN"
],
"Masks": [
"SYN",
"ACK"
]
}
]
},
"Actions": [
"aws:pass"
]
},
"Priority": 1
}
리스트 지정
가중치 적용
TCP Flag 검사
범위 지정

20. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Stateful Rule Group 의 종류
5-Tuple Domain List
Suricata compatible
IPS rules
Protocol, IP, Port 정보를
기준으로 허용/차단
Host Header 나 SNI 정보를
기준으로 허용/차단
사용자 정의 Signature 를
기반으로 허용/차단
172.31.193.25

21. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Stateful 규칙의 적용 예시
"StatefulRules": [
{
"Action": "DROP",
"Header": {
"Protocol": "ICMP",
"Source": "Any",
"SourcePort": "Any",
"Direction": "FORWARD",
"Destination": "10.0.0.0/16",
"DestinationPort": "Any"
},
"RuleOptions": [
{
"Keyword": "sid:1"
}
]
"RulesSource": {
"RulesSourceList": {
"Targets": [
".google.com"
],
"TargetTypes": [
"HTTP_HOST",
"TLS_SNI"
],
"GeneratedRulesType": "ALLOWLIST"
}
}
"RuleGroup": {
"RulesSource": {
"RulesString": "drop tcp any any -> any any (msg:"Drop TCP Traffic"; flow:from_client, established;
sid:1000;)"
}
}
Domain 검사
Signature 검사
IP 검사

22. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rule Group Capacity 의 이해
Priority Protocol Source IP Destination IP Source Port
Destination
Port
Action Capacity
1
TCP
UDP
10.1.0.0/24
10.1.1.0/24
10.1.3.0/24
Any Any
80
443
Pass 12
2 All
10.1.0.0/24
10.1.1.0/24
10.1.3.0/24
Black List 1,000개 Any
80
443
Drop 6,000
3 All Any Any Any Any Drop 1
Protocol Source IP Destination IP Source Port Destination Port Action Capacity
Any 10.0.1.0/24 Any Any Any Pass 1
Any Any Any Any Any Drop 1
규칙 별 정보의 조합을 기준으로 Capacity 계산
규칙 하나당 1 Capacity
Stateless Rule Group = 최대 10,000
Stateful Rule Group = 최대 30,000

23. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall 엔진의 규칙 검사
Pass Drop Forward
규칙 Priority
Pass규칙
Drop규칙
Alert규칙
Custom Action
Default Action
Network Firewall
Customer VPC
Inbound
Firewall Subnet Public Subnet
Pass
Outbound
Pass
Default Pass
수정 불가
Pass Drop Forward
Log
Metric
@Stateful Rule Group 규칙은 액션 처리 순서를 따름
Stateless
Engine
Stateful
Engine

24. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Black List IP 통신 차단
정책 요건 – VPC 내의 Public Subnet 에 대해서만 HTTP/HTTPS 접근을 허용하고 그 이외에는 차단하며 Black List IP
와의 통신 차단
IP Stateless Rule Group – 아래와 같이 Stateless Rule Group 생성
Priority Protocol Source IP Destination IP Source Port Destination Port Action
1 All Black List Any Any Any Drop
2 All Any Black List Any Any Drop
3 TCP VPC CIDR Any
80
443
Any Pass
4 TCP Any VPC CIDR Any
80
443
Pass
100 All Any Any Any Any Drop
Tip. Domain Filtering 이나 IPS 정책 등의 적용이 필요 없는 경우에는 Stateless Rule Group 을 적극적으로 활용
주의. Stateless Rule Group 의 경우 Logging 기능을 지원하지 않음

25. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Outbound Domain White List 정책
정책 요건 – Public Subnet에서 White List Domain 에 대해서만 허용 HTTP/HTTPS 접속을 허용하고 나머지는 모두 차단
Domain Rule Group – 접근을 허용하고자 하는 Domain 에 대해 “Allow” 액션 규칙 등록. (예, AWS 서비스 관련 도메인 )
Pass Drop Alert Default Pass
White List Domain 접속
비업무사이트 접속 규칙 검사 순서
Hit
Hit
EC2
Miss
Traffic To Inspect Domain List Action
HTTP, HTTPS White List Domain Allow
Priority Protocol Source IP Destination IP Source Port Destination Port Action
1 TCP Public Subnet Any
80
443
Any Forward
2 TCP Any Public Subnet Any
80
443
Forward
100 All Any Any Any Any Drop
IP Stateless Rule Group – 아래와 같이 Stateless Rule Group 생성

26. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Suricata Compatible 규칙 사용의 예
VPC
AWS Services
데이터센터
EC2
요건 1. VPC 내부에서 AWS Public Endpoint 로
접근 허용
요건 2. 지정된 데이터센터 네트워크에서 EC2
로 SSH 접근 허용
요건 3. 위 요건을 제외한 모든 TCP 트래픽 차단

27. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Suricata Compatible 규칙 사용의 예
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:”AWS Service SNI”; tls_sni;
content:”.amazonaws.com”; sid:1001; rev:1;)
AWS Public Endpoint 에 대한 접근 허용
pass tcp $OFFICE_NET any -> $HOME_NET 22 (msg:"Allow SSH traffic"; sid:1002; rev:1;)
오피스 및 데이터센터 네트워크에서 VPC 로의 SSH 접근 허용
drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:from_client, established; sid:1003; rev:1;)
모든 Ingress/Egress 에 대한 TCP 접속 차단

28. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
변수를 이용한 IPS 규칙 생성
{
"RuleVariables": {
"IPSets": {
"HTTP_SERVERS": {
"Definition": [
"10.0.2.0/24",
"10.0.1.19"
]
}
},
"PortSets": {
"HTTP_PORTS": {
"Definition": ["80", "8080"]
}
}
},
"RulesSource": {
"RulesString": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:".htpasswd access attempt";
flow:to_server,established; content:".htpasswd"; nocase; sid:210503;
rev:1;)"
}
}
AWS CLI = aws network-firewall create-rule-group --rule-group-name
"RuleVariable-Group" --type STATEFUL --rule-group file://rulefile.json --
capacity 1000
정책 요건 – 지정된 IP Group 과 Port Group 을
이용하여 IPS 규칙을 생성한 후 적용
규칙 생성 – Rule Variable 을 이용한 규칙은 AWS
CLI 를 이용하여 생성할 수 있음
참고! Rule Variable 을 이용한 규칙은 생성 이후
Rule Variable 값을 Management Console 에서는
확인할 수 없으며 AWS CLI 를 이용하여 확인 가능

29. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall – 분산형 방화벽 구조
• 각 AZ 별로 Firewall 을 활성화 – Endpoint 자동 생성
• Ingress, Egress 에 대한 트래픽 제어
Firewall Subnet
Customer VPC
Availability Zone Availability Zone
Firewall Subnet
Public subnet Public subnet
Private subnet Private subnet
AWS Managed VPC
AWS Network Firewall
Availability Zone Availability Zone

30. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network Firewall – 중앙집중식 방화벽 구조
https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
AWS Managed VPC
AWS Network Firewall
Availability Zone Availability Zone Firewall Subnet
Customer VPC
Availability Zone Availability Zone
Firewall Subnet
Firewall Subnet Firewall Subnet
To-FW To-FW
Internal VPC
Availability Zone Availability Zone
TWG subnet TWG subnet
To-FW To-FW
Private Subnet Private Subnet
Internal VPC
Availability Zone Availability Zone
TWG subnet TWG subnet
To-FW To-FW
Private Subnet Private Subnet
Internal VPC
Availability Zone Availability Zone
TWG subnet TWG subnet
To-FW To-FW
Private Subnet Private Subnet

31. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
여러분의 소중한 피드백을 기다립니다.
강연 종료 후, 강연 평가에 참여해 주세요!
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.

32. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
감사합니다
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.