From the course: CompTIA Security+ (SY0-701) Cert Prep: 3 Security Architecture

Cloud firewall considerations


In an infrastructure as a service environment, network security groups take the place of firewalls to segment networks as far as customers are concerned. Network security groups work at the network session and transport layers of the OSI model, just like traditional firewalls. The cloud service provider definitely implements and maintains firewalls as part of their network security plan, but they can't expose those firewalls directly to customers. If they did, isolation would be jeopardized because users might write firewall rules that affect systems belonging to other users or undermine the security of the entire environment. Instead, cloud service providers offer users the ability to create network security groups. These groups are similar to firewall rules, and they allow you to control the traffic that's passed from the Internet to your virtualized systems and even between systems operating in the virtualized environment.

Here I am in the Amazon Web Services console. I have an EC2 instance running here that's set up as a web server. There's nothing fancy on it. It simply has the default page for IIS. When I look at this console, I can see that the public IP address assigned to my server right now is 52.53.221.137. I'm going to go ahead and copy that IP address and try to access it in my web browser. And eventually, we get an error page telling us that Safari couldn't open the page because the server isn't responding. Now, I do have Internet Information Services set up on that server, so it is configured as a web server, but the reason this didn't work is that Amazon Web Services follows the default deny principle that's common to all firewalls. I didn't explicitly tell AWS to allow web traffic from the Internet to my server, so AWS denied the request. Let's go ahead and correct that. I'm going to go back to the AWS console, and I'm going to look at the security group for my web server.

When I look at the rules associated with this group, I can see that currently there's only a rule allowing RDP on TCP port 3389. I'm going to edit the inbound rules and add a new rule for HTTP, which then automatically fills in TCP port 80, and I'm going to set it to the network address range of all zeros. This is basically saying access from anywhere. Then I'm going to save this network security group and go back to the other tab where it's attempting to access my web server and reload it. And now I see the demo page for Internet Information Services.

That's how we go ahead and create a network security group similar to a firewall rule that allows access to a web server. Maintaining network security groups is a customer responsibility, but these security groups are generally offered at no added cost. As you work through the shared responsibility model, you should ensure that you're building and maintaining appropriate access to your cloud server instances.
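The following is an added example, not part of the course transcript and not AWS's own rule engine. It models the behaviour the demo shows: a security group is default deny, inbound traffic passes only when an explicit rule matches it on protocol, port and source range, and adding an HTTP rule from the all-zeros range (0.0.0.0/0) is what lets the web request through. It also adds the check a practitioner would run as part of the shared responsibility model: flagging rules that expose administrative ports such as RDP to the whole Internet. The group name, the source address 198.51.100.7 (a TEST-NET-2 documentation address) and the assumption that the existing RDP rule was scoped to 0.0.0.0/0 are all constructed for illustration; the video does not state the RDP rule's source range.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IngressRule:
    """One inbound rule, shaped like an AWS security group ingress entry."""
    protocol: str    # "tcp", "udp", or "-1" for all protocols (AWS convention)
    from_port: int   # first port in the allowed range
    to_port: int     # last port in the allowed range (inclusive)
    cidr: str        # source address range, e.g. "0.0.0.0/0" means "anywhere"

    def matches(self, protocol: str, port: int, source_ip: str) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if not (self.from_port <= port <= self.to_port):
            return False
        network = ipaddress.ip_network(self.cidr, strict=False)
        # Mixed IPv4/IPv6 comparisons simply evaluate to False here.
        return ipaddress.ip_address(source_ip) in network


@dataclass
class SecurityGroup:
    """A stateful-firewall-like rule set attached to an instance."""
    name: str
    inbound: list = field(default_factory=list)

    def authorize_ingress(self, protocol: str, from_port: int, to_port: int, cidr: str) -> None:
        self.inbound.append(IngressRule(protocol, from_port, to_port, cidr))

    def allows_inbound(self, protocol: str, port: int, source_ip: str) -> bool:
        # Default deny: with no matching rule the packet is dropped, which is
        # exactly why the web request in the demo timed out before the HTTP rule existed.
        return any(rule.matches(protocol, port, source_ip) for rule in self.inbound)


def audit_world_open_admin_ports(group: SecurityGroup, admin_ports=(22, 3389)) -> list:
    """Return findings for admin ports (SSH, RDP) reachable from any address."""
    findings = []
    for rule in group.inbound:
        network = ipaddress.ip_network(rule.cidr, strict=False)
        if network.prefixlen != 0:          # only 0.0.0.0/0 and ::/0 mean "anywhere"
            continue
        if rule.protocol not in ("-1", "tcp"):
            continue
        for port in admin_ports:
            if rule.from_port <= port <= rule.to_port:
                findings.append(f"{group.name}: TCP port {port} is open to {rule.cidr}")
    return findings


def demo():
    """Replay the video's sequence; returns (web before HTTP rule, web after, audit findings)."""
    web = SecurityGroup("web-server-sg")
    # Constructed assumption: the pre-existing RDP rule is scoped to anywhere.
    web.authorize_ingress("tcp", 3389, 3389, "0.0.0.0/0")
    client = "198.51.100.7"  # constructed source address (TEST-NET-2)
    before = web.allows_inbound("tcp", 80, client)   # False: default deny
    web.authorize_ingress("tcp", 80, 80, "0.0.0.0/0")  # the HTTP rule added in the demo
    after = web.allows_inbound("tcp", 80, client)    # True: explicit allow now matches
    return before, after, audit_world_open_admin_ports(web)


if __name__ == "__main__":
    before, after, findings = demo()
    print(f"port 80 reachable before HTTP rule: {before}, after: {after}")
    for finding in findings:
        print("AUDIT:", finding)
```

The audit function is the part worth keeping: opening port 80 to the world is normal for a public web server, but an RDP rule with the same all-zeros source is a finding to narrow to a management address range, which is the customer's side of the shared responsibility model.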
