Network security aims to prevent unauthorized access to resources, detect and prevent attacks, and provide authorized users with secure access to your cloud infrastructure.
Network security is implemented both at the perimeter and inside the infrastructure. At the perimeter, security measures are designed to intercept and deny cyber threats before they can breach the network's defenses. Securing your traffic provides additional protection if an attacker manages to infiltrate the network despite perimeter security.
Today’s article will focus on security at the perimeter of your infrastructure.
In short, you should set up HTTPS and DNSSEC to secure traffic to your cloud infrastructure. You should also protect your entry and exit points by minimizing the attack surface and filtering ongoing and outgoing traffic.
Our Recommendation: Data transmission must be encrypted while in transit to ensure network security between your organization and the cloud service provider. To do so, you should enforce HTTPS protocol for your traffic. This will create a secure channel between the client and server.
Cloud providers provide services to handle the creation, storage, and renewal of certificates: for example, AWS offers AWS Certificate Manager (ACM).
We recommend enabling HSTS (HTTP Strict Transport Security) to ensure that all communication between the user's browser and your website is secured with HTTPS. You need to add this HTTP security header at the application level (on a CloudFront, an API Gateway, …).
Warning: We recommend using HSTS on the Cloud because there are services that simplify certificate management. On-premises use is not without risks: if, for any reason, your certificates are no longer valid, as HSTS enforces the use of HTTPS, your websites will become inaccessible.
Risks addressed by the recommendation: It enables to protect against the infamous man-in-the-middle attacks. This is an attack where an attacker will listen on the network to try to get the data exchanged.
Suppose there is a misconfiguration in your security network. In that case, it will be readable, and the attacker could capture sensitive information, such as login credentials, personal data, or intellectual property, leading to data breaches and potential misuse.
Our Recommendation: To improve your network security, you should activate DNSSEC (DNS Security Extensions) for your domains. DNSSEC authenticates responses to your network's domain name lookups, guaranteeing the prevention of malicious redirections at any stage of the process. You can find how to enable it in the documentation of your cloud providers.
Risks addressed by the recommendation: DNSSEC prevents the risk of DNS spoofing. DNS spoofing, also known as DNS cache poisoning or DNS hijacking, is a cyberattack technique where an attacker manipulates the DNS to redirect users to malicious websites or intercept their network traffic.
DNSSEC prevents DNS spoofing by making it extremely difficult for attackers to forge or tamper with DNS responses.
While using the HTTPS protocol alone is sufficient to protect against DNS spoofing, implementing DNSSEC is quick and provides an additional layer of security in the defense context in depth.
Our Recommendation: For enhanced network security, configure any endpoint of your cloud infrastructure that can be private or accessed only through a whitelist.
To enhance the visibility of the attack surface, include the list of public entry points in the infrastructure documentation. It is essential to explicitly mark the location of each public entry point on the network architectural diagram.
Risks addressed by the recommendation: Reducing the attack surface to a minimum helps minimize the risk of unauthorized access. By configuring endpoints to be private or accessible only through whitelists, you reduce the risk of unauthorized parties gaining access to your internal network.
Our Recommendation: To strengthen your network security, you should secure your public entry points by filtering your traffic. To do so, you can use several strategies:
To minimize the attack surface, consider defining rules allowing only necessary traffic. For instance, if all your customers are in Europe, you can block incoming IP addresses from other countries. While this measure can be easily circumvented, it still provides an initial layer of security.
Risks addressed by the recommendation: By configuring firewall rules, the recommendations reduce the risk of unauthorized access to your network resources.
Our Recommendation: You should monitor the traffic that leaves your network to detect suspicious behaviors. We also recommend having a single exit point for your infrastructure as it simplifies monitoring outgoing traffic.
At a minimum, storing logs of outgoing traffic is essential to enable forensics in case of data exfiltration.
Ideally, you should define and implement a security network policy for your outgoing traffic through an IDS (Intrusion Detection System) or an IPS (Intrusion Prevention System).
The main difference between the two is that an IDS is a monitoring system, while an IPS is a control system. IDS do not modify network packets in any way; they analyze and monitor network traffic to detect signs indicating a cyber threat. IPS rejects network packets based on a security profile if they represent a known threat.
In cloud providers, you can implement IDS/IPS using Azure Firewall on Azure or Cloud IDS on GCP.
Risks addressed by the recommendation: Tracking outgoing traffic is important to enhance your network security to prevent data exfiltration and malicious requests sent to untrusted domains.
By following the best practices presented in this article, you can significantly increase your network security, reduce the risk of unauthorized access to your network and data breaches, and improve the overall security of your infrastructure.