Aws VPC

The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses: - The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions. - Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection. - Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access. - Details on setting up a customer gateway on CentOS using IPSec and


By Daniel Ruiz

Index
• Introduction
• UCCS VPC Objective
• Why VPC
• VPC Options
– Slides 6-10
• Routing
• Security
– Slides 13-20
• Summary
2
Introduction
• Amazon Web Services (AWS)
– EC2, VPC, MapReduce, SimpleDB, CloudFront, Simple Storage Service (S3), CloudFormation, and more
• Amazon VPC
– Cloud Isolation
– Extension of existing infrastructure
• Added Security
• IP Assigning

3
UCCS VPC Objective

• Learning
– Offer a safe learning environment to gain hands-on experience
• Research
– Provide a flexible environment for a wide array of research projects
• Recognition
– Improve UCCS standing in cyber security competitions such as ICTF

4
Why VPC
• Affordable
– Use a minimal amount of UCCS computer resources
– Require no additional equipment
– Practical operating cost
• Flexible
– Ability to handle various user population sizes
– Ability to handle various project requirements
• Safe
– Isolated from public environment
– Restricted to UCCS internal environment
• Simple
– Documented
– Automated “baseline” setup/teardown
– Easy to expand outside of “baseline”
5
VPC Options

6
Single Subnet Only

7
Public and Private Subnets

8
Public, Private and VPN

9
Private Subnet Only

10
VPC Subnet Routing

11
Cost

12
Safe
• Use existing security infrastructure
– Only available from within UCCS network
• Isolated
– No outside connection from within VPC
– Encrypted VPN connection
• Controlled operating time
– Automated baseline setup
– Automated complete teardown

13
Security Overview

14
Simple
• Amazon Web Services (AWS) Management Console
– Point-and-click web interface
– Monitor services
– Simplified setup
• AWS SDK for .NET
– Automation using .NET framework
• Lots of documentation

15
AWS Management Console

16
Connecting to VPC

• Create a VPC
• Create a Customer Gateway
• Deploy AMIs
• Integrate

17
Gateway Requirements

• IKE
– Establish IKE Security Association using Pre-Shared Keys
– AES 128-bit encryption
– Diffie-Hellman Perfect Forward Secrecy (“Group 2” mode)
– IPSec Dead Peer Detection
• IPSec
– Establish IPSec Tunnel Security Association in Tunnel mode
– Bind tunnel to logical interface
• BGP
– Establish Border Gateway Protocol (BGP)

18
CentOS Custom Gateway
• Install ipsec-tools
– Racoon
– Setkey
• Install quagga
– Zebra
– Bgpd
• Bind tunnels to a logical interface
• Create point-to-point connection

19
CentOS Gateway Cont…

20
Summary
• Using Amazon’s VPC, all three goals can be reached
– Learning
• Help solidify concepts through “hands on” experience
– Research
• Flexible environment with a vast support matrix to meet a wide array of research needs
– Recognition
• Through learning and research UCCS will be better equipped to compete on the world stage
21
Questions

22
IPSec
racoon.conf (racoon IKE configuration; a.b.c.d stands for the customer gateway’s public IP):

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

remote 72.21.209.225 {
    exchange_mode main;
    lifetime time 28800 seconds;
    dpd_delay 10;
    dpd_retry 3;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

remote 72.21.209.193 {
    exchange_mode main;
    lifetime time 28800 seconds;
    dpd_delay 10;
    dpd_retry 3;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

setkey.conf (IPsec security policy database, loaded with setkey -f):

#!/sbin/setkey -f
flush;
spdflush;

spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec
    esp/tunnel/a.b.c.d-72.21.209.225/require;
spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec
    esp/tunnel/72.21.209.225-a.b.c.d/require;

spdadd 169.254.255.6/30 169.254.255.5/30 any -P out ipsec
    esp/tunnel/a.b.c.d-72.21.209.193/require;
spdadd 169.254.255.5/30 169.254.255.6/30 any -P in ipsec
    esp/tunnel/72.21.209.193-a.b.c.d/require;

spdadd 169.254.255.2/30 192.168.0.0/24 any -P out ipsec
    esp/tunnel/a.b.c.d-72.21.209.225/require;
spdadd 192.168.0.0/24 169.254.255.2/30 any -P in ipsec
    esp/tunnel/72.21.209.225-a.b.c.d/require;

spdadd 169.254.255.6/30 192.168.0.0/24 any -P out ipsec
    esp/tunnel/a.b.c.d-72.21.209.193/require;
spdadd 192.168.0.0/24 169.254.255.6/30 any -P in ipsec
    esp/tunnel/72.21.209.193-a.b.c.d/require;

spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
    esp/tunnel/a.b.c.d-72.21.209.193/require;
spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
    esp/tunnel/72.21.209.193-a.b.c.d/require;
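As an added example, not from the slides or from AWS, the following Python checker cross-checks a racoon.conf against its setkey.conf the way a reviewer of the configuration above would: each IKE peer's proposal is compared with the Gateway Requirements slide (AES-128, SHA-1, pre-shared keys, DH group 2, Dead Peer Detection), every SPD policy must have its reverse-direction twin over the same tunnel, and every tunnel endpoint must have a racoon remote block. The embedded configs are compacted excerpts of the slide's, with a.b.c.d kept as the placeholder for the gateway's public address.

```python
import re
# Constructed excerpts of the IPSec slide's racoon.conf and setkey.conf, compacted onto fewer
# lines; a.b.c.d is the slide's placeholder for the customer gateway's own public address.
RACOON_CONF = """
remote 72.21.209.225 {
  exchange_mode main; lifetime time 28800 seconds; dpd_delay 10; dpd_retry 3;
  proposal { encryption_algorithm aes128; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; }
}
remote 72.21.209.193 {
  exchange_mode main; lifetime time 28800 seconds; dpd_delay 10; dpd_retry 3;
  proposal { encryption_algorithm aes128; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; }
}
"""
SETKEY_CONF = """
spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec esp/tunnel/a.b.c.d-72.21.209.225/require;
spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec esp/tunnel/72.21.209.225-a.b.c.d/require;
spdadd 169.254.255.6/30 169.254.255.5/30 any -P out ipsec esp/tunnel/a.b.c.d-72.21.209.193/require;
spdadd 169.254.255.5/30 169.254.255.6/30 any -P in ipsec esp/tunnel/72.21.209.193-a.b.c.d/require;
spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec esp/tunnel/a.b.c.d-72.21.209.193/require;
spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/72.21.209.193-a.b.c.d/require;
"""
# Gateway Requirements slide, as racoon settings: exact values, or None for "must be present" (DPD).
REQUIRED = {"encryption_algorithm": "aes128", "hash_algorithm": "sha1", "dh_group": "2",
            "authentication_method": "pre_shared_key", "dpd_delay": None}
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+any\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([^-\s]+)-([^/\s]+)/require;")

def parse_racoon(text):
    """Map each 'remote <ip> { ... }' block to its 'key value;' settings, proposal flattened in."""
    peers = {}
    for block in re.split(r"^remote\s+", text, flags=re.M)[1:]:
        peers[block.split()[0]] = dict(re.findall(r"(\w+)\s+([^;{}]+);", block))
    return peers

def parse_setkey(text):
    """(src, dst, direction, local_outer, remote_outer) per policy; 'in' tunnels are written remote-local."""
    return [(s, d, dr, a, b) if dr == "out" else (s, d, dr, b, a) for s, d, dr, a, b in SPD_RE.findall(text)]

def check_gateway(racoon_text, setkey_text):
    """Cross-check IKE peers against SPD policies and return human-readable findings (empty = OK)."""
    peers, rules, findings = parse_racoon(racoon_text), parse_setkey(setkey_text), []
    for ip, cfg in peers.items():
        for key, want in REQUIRED.items():
            if key not in cfg or (want is not None and cfg[key] != want):
                findings.append(f"{ip}: {key} is {cfg.get(key)!r}, gateway requires {want or 'a value'}")
    for src, dst, direction, local, remote in rules:
        other = "in" if direction == "out" else "out"
        if (dst, src, other, local, remote) not in rules:  # every policy needs its reverse twin
            findings.append(f"{direction} policy {src}->{dst} via {remote} has no matching {other} policy")
        if remote not in peers:
            findings.append(f"tunnel peer {remote} has no racoon remote block")
    return findings
```

A policy present in only one direction, or a peer negotiated with weaker parameters than the SPD assumes, is what this catches before the tunnel is brought up.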

23
Quagga
hostname cgw-2493774d
password testPassword
enable password testPassword
!
log file /var/log/quagga/bgpd
!debug bgp events
!debug bgp zebra
debug bgp updates
!
router bgp 65000
bgp router-id a.b.c.d
network 169.254.255.2/30
network 169.254.255.6/30
network 0.0.0.0/0
!
! aws tunnel #1 neighbor
neighbor 169.254.255.1 remote-as 7224
!
! aws tunnel #2 neighbor
neighbor 169.254.255.5 remote-as 7224
!
line vty

24
