Amazon Web Services and Palo Alto VM-Series

Amazon Web Services and Palo Alto VM-Series

In today’s world security, compliance and data durability while maintaining usability, has moved to the forefront of every organization’s thought processes.

In a fast-growing startup, large enterprise, healthcare or government agency protecting data in a compliant fashion while maintaining up time and accessibility is paramount to success. Building, deploying and configuring such an environment can be very challenging, time-consuming and costly. Tego worked with a regional client to deliver an public cloud hosted environment that is HIPAA compliant and enables its user community, primarily Developers and Administrators, to work from anywhere at any time.

Our client needed industry expertise and architectural guidance in migrating their on-premises infrastructure to a public cloud offering hosted in Amazon Web Services (AWS). Their data requires full inspection while passing in and out of the AWS public cloud as well as it traverses between the different AWS objects within their “data center” in the cloud. Based on Tego’s experience with public cloud and the various security related services available we proposed using Palo Alto Networks VM-series Next-Generation Firewalls coupled with AWS native security objects to stand up an environment that meets their stringent security and usability requirements cost effectively.

The AWS cloud platform offers 175 full featured services from data centers globally and a deep set of cloud security tools comprising 230 security, compliance, and governance services and features. AWS supports 90 security standards and compliance certifications and all 117 AWS services that store client data offer the ability to encrypt that data.

We used the following core AWS components to deploy the solution in our client’s environment:

  • AWS Virtual Private Cloud (VPC): The VPC service is a principal in any AWS solution and it allowed Tego to provision a private, logically isolated section of AWS cloud where we launched all the necessary services to implement our clients secure, compliant environment.
  • AWS Elastic Cloud Compute (EC2): The EC2 service allowed Tego to launch all the requisite virtual machines running the appropriate operating systems our client required to proceed with the migration of their on-prem servers to the new cloud solution.
  • AWS Elastic Block Store (EBS): EC2 instances require backing storage and the EBS service provides persistent block-level storage volumes. EBS is automatically replicated within the Availability Zone each EC2 instance is deployed in to protect our client from component failure while maintaining high availability and durability. AWS Elastic Load Balancing (ELB) – There are several different load balancing services available from AWS. To maintain proper weighting at the transport layer, we deployed AWS Network Load Balancers (NLB) which functions as the fourth layer of the Open Systems Interconnection (OSI) model.
  • AWS CloudTrail: To complement the security, compliance and auditing capabilities of Palo Alto VM-Series firewalls we configured CloudTrail. CloudTrail records our clients AWS API calls and delivers log files that include caller identity, time, source IP address, request parameters and response elements enabling security analysis, resource change tracking and compliance auditing. AWS CloudWatch – CloudWatch is a performance monitoring service for critical resources and applications. Balancing security, compliance and performance was key and CloudWatch lent it’s capabilities perfectly.
  • AWS Config: Config is a fully managed service providing our client with an AWS resource inventory in their environment. We enabled it in our client’s environment to maintain visibility of changes in their environment providing crucial information if and when the Auditors come asking.
AWS Transit Gateway

Critical consideration was given to protecting and inspecting data as it traversed the client’s data center in the cloud. The Palo Alto VM-Series next-generation firewall allows clients to embed inline threat and data loss prevention into their environments. Native AWS services combined with VM-Series automation features deliver deployment and configuration at the speed of the cloud. Environments are protected with whitelisting and segmentation policies, allowing our client to reduce the attack surface area, achieve compliance and stop both known and unknown attacks.

The Palo Alto VM-Series and additional tools utilized in the full solution include:

  • Palo Alto VM-300P: We deployed the VM-300 models in internet-facing VPC’s providing IPsec tunneling in and out of our client’s AWS environment. As ingress data traffic comes into the environment it passes through AWS Network Load Balancers then flows to the VM-300’s. The data then travels through IPsec tunnels which then pass the traffic through an AWS Transit Gateway configured to route the traffic to the respective secure, non-public facing VPCs which encompass the core of the development, monitoring and administration activities.
  • Palo Alto Global Protect: We also took advantage of the extended security capabilities of the GlobalProtect functionality allowing for deployment and administration of consistent security policies to all users, devices and applications while eliminating access blind spots resulting in a stronger more secure environment.
  • Palo Alto Panorama: To make this highly complex, secure and performant environment easier to manage for our client, we deployed and configured Palo Alto’s Panorama functionality. With Panorama we are able to provide our client with centralized network security management for their VM-300 firewalls as well as a “single-pane of glass” to manage and monitor the myriad of different objects making up their environment. Panorama will also simplify configuring new policies, updating existing ones, and troubleshooting events in the environment easier which saves time and money.
PAv3 Transit Gateway

Palo Alto Networks is a registered trademark of Palo Alto Networks Amazon Web Services, the “Powered by AWS” logo, [and name any other AWS Marks used in such materials] are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Research
About the author
Mike Worthen is a solutions-driven, detail-oriented Senior Information Technology professional with significant industry experience. Throughout Mike’s career he has acquired deep-level experience in technologies such as AWS, NetApp, EMC, Hitachi, Linux, VMware and various scripting and programming languages.
Accept

By using this website you agree to our updated Conditions of Use and consent to the collection and use of your personal information as described in our updated Privacy Notice, which includes the categories of data we collect and information about your preferences and rights.