Scribd Logo
Upload

Welcome to Scribd!

  • Aws VPC

    Uploaded by

    W
    72 views24 pages
    The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses: - The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions. - Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection. - Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access. - Details on setting up a customer gateway on CentOS using IPSec and

    Original Description:

    Aws VPC.......

    Original Title

    AWS VPC

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses: - The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions. - Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection. - Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access. - Details on setting up a customer gateway on CentOS using IPSec and

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    72 views24 pages

    Aws VPC

    Uploaded by

    W
    The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses: - The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions. - Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection. - Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access. - Details on setting up a customer gateway on CentOS using IPSec and

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 24

    By Daniel Ruiz

    Index
    • Introduction
    • UCCS VPC Objective
    • Why VPC
    • VPC Options
    – Slides 6-10
    • Routing
    • Security
    – Slides 13-20
    • Summary
    2
    Introduction
    • Amazon Web Services (AWS)
    – EC2, VPC, MapReduce, SimpleDB,
    CloudFront, Simple Storage Service(S3),
    CloudFormation….and more
    • Amazon VPC
    – Cloud Isolation
    – Extension of existing infrastructure
    • Added Security
    • IP Assigning

    3
    UCCS VPC Objective

    Offer a safe
    Learning environment to gain
    hands on experience

    Provide a flexible
    environment for a Research
    wide array of
    research projects.

    Improve UCCS
    Recognition
    standing in cyber
    security competitions
    such as ICTF

    4
    Why VPC
    • Use a minimal amount of UCCS
    computer resources
    Affordable
    • Require no additional equipment
    • Practical operating cost
    • Ability to handle various user population
    sizes
    Flexible
    • Ability to handle various project
    requirements
    • Isolated from public environment
    Safe
    • Restricted to UCCS internal environment
    • Documented
    Simple • Automated “baseline” setup/teardown
    • Easy to expand outside of “baseline” 5
    VPC Options

    6
    Single Subnet Only

    7
    Public and Private Subnets

    8
    Public, Private and VPN

    9
    Private Subnet Only

    10
    VPC Subnet Routing

    11
    Cost

    12
    Safe
    • Use existing security infrastructure
    – Only available from within UCCS network
    • Isolated
    – No outside connection from within VPC
    – Encrypted VPN connection
    • Controlled operating time
    – Automated baseline setup
    – Automated complete teardown

    13
    Security Overview

    14
    Simple
    • Amazon Web Service (AWS) Management
    Console
    – Point-and-click web interface
    – Monitor services
    – Simplified setup
    • AWS SDK for .NET
    – Automation using .NET framework
    • Lots of documentation

    15
    AWS Management Console

    16
    Connecting to VPC

    Create a
    Create a Deploy
    Customer Integrate
    VPC AMIs
    Gateway

    17
    Gateway Requirements

    IKE
    Establish IKE Security IPSec
    Association using Pre-
    Shared Keys Establish IPSec Tunnel
    Security Association in
    Tunnel mode Bind tunnel to logical BGP
    AES 128-bit encryption interface
    Diffie-Helman Perfect Establish Border
    Forward Secrecy Gateway Protocol (BGP)
    (“Group 2” mode)
    IPSec Dead Peer
    Detection

    18
    CentOS Custom Gateway
    • Install ipsec-tools
    – Racoon
    – Setkey
    • Install quagga
    – Zebra
    – Bgpd
    • Bind tunnels to a logical interface
    • Create point-to-point connection

    19
    CentOS Gateway Cont…

    20
    Summary
    • Using Amazon’s VPC all three goals can
    be reached
    – Learning
    • Help solidify concepts through “hands on”
    experience
    – Research
    • Flexible environment with a vast support matrix to
    meet a wide array of research needs
    – Recognition
    • Through learning and research UCCS will be
    better equipped to compete on the world stage
    21
    Questions

    22
    IPSec
    path include "/etc/racoon"; #!/sbin/setkey -f
    path pre_shared_key "/etc/racoon/psk.txt"; flush;
    spdflush;
    remote 72.21.209.225 {
    exchange_mode main; spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec
    lifetime time 28800 seconds; esp/tunnel/a.b.c.d-72.21.209.225/require;
    dpd_delay 10;
    dpd_retry 3;
    proposal { spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec
    encryption_algorithm aes128; esp/tunnel/72.21.209.225-a.b.c.d/require;
    hash_algorithm sha1;
    authentication_method pre_shared_key; spdadd 169.254.255.6/30 169.254.255.5/30 any -P out ipsec
    dh_group 2;
    } esp/tunnel/a.b.c.d-72.21.209.193/require;
    generate_policy off;
    } spdadd 169.254.255.5/30 169.254.255.6/30 any -P in ipsec
    remote 72.21.209.193 { esp/tunnel/72.21.209.193-a.b.c.d/require;
    exchange_mode main;
    lifetime time 28800 seconds; spdadd 169.254.255.2/30 192.168.0.0/24 any -P out ipsec
    dpd_delay 10; esp/tunnel/a.b.c.d-72.21.209.225/require;
    dpd_retry 3;
    proposal {
    encryption_algorithm aes128; spdadd 192.168.0.0/24 169.254.255.2/30 any -P in ipsec
    hash_algorithm sha1; esp/tunnel/72.21.209.225-a.b.c.d/require;
    authentication_method pre_shared_key;
    dh_group 2; spdadd 169.254.255.6/30 192.168.0.0/24 any -P out ipsec
    }
    generate_policy off; esp/tunnel/a.b.c.d-72.21.209.193/require;
    }
    spdadd 192.168.0.0/24 169.254.255.6/30 any -P in ipsec
    esp/tunnel/72.21.209.193-a.b.c.d/require;

    spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec


    esp/tunnel/a.b.c.d-72.21.209.193/require;

    spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec


    esp/tunnel/72.21.209.193-a.b.c.d/require;

    23
    Quagga
    hostname cgw-2493774d
    password testPassword
    enable password testPassword
    !
    log file /var/log/quagga/bgpd
    !debug bgp events
    !debug bgp zebra
    debug bgp updates
    !
    router bgp 65000
    bgp router-id a.b.c.d
    network 169.254.255.2/30
    network 169.254.255.6/30
    network 0.0.0.0/0
    !
    ! aws tunnel #1 neighbor
    neighbor 169.254.255.1 remote-as 7224
    !
    ! aws tunnel #2 neighbor
    neighbor 169.254.255.5 remote-as 7224
    !
    line vty

    24

    You might also like