The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses:
- The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions.
- Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection.
- Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access.
- Details on setting up a customer gateway on CentOS using IPSec and
The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses:
- The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions.
- Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection.
- Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access.
- Details on setting up a customer gateway on CentOS using IPSec and
The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses:
- The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions.
- Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection.
- Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access.
- Details on setting up a customer gateway on CentOS using IPSec and
The document provides an overview of setting up a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) for the University of Colorado Colorado Springs (UCCS). It discusses:
- The objectives of the UCCS VPC which are to provide a safe learning environment, flexible environment for research projects, and improve UCCS' standing in cybersecurity competitions.
- Options for configuring the VPC including using single/multiple subnets, public/private subnets, and a VPN connection.
- Configuring routing and security for the VPC including using an existing security infrastructure, isolating the VPC, and controlling access.
- Details on setting up a customer gateway on CentOS using IPSec and
Offer a safe Learning environment to gain hands on experience
Provide a flexible environment for a Research wide array of research projects.
Improve UCCS Recognition standing in cyber security competitions such as ICTF
4 Why VPC • Use a minimal amount of UCCS computer resources Affordable • Require no additional equipment • Practical operating cost • Ability to handle various user population sizes Flexible • Ability to handle various project requirements • Isolated from public environment Safe • Restricted to UCCS internal environment • Documented Simple • Automated “baseline” setup/teardown • Easy to expand outside of “baseline” 5 VPC Options
6 Single Subnet Only
7 Public and Private Subnets
8 Public, Private and VPN
9 Private Subnet Only
10 VPC Subnet Routing
11 Cost
12 Safe • Use existing security infrastructure – Only available from within UCCS network • Isolated – No outside connection from within VPC – Encrypted VPN connection • Controlled operating time – Automated baseline setup – Automated complete teardown
13 Security Overview
14 Simple • Amazon Web Service (AWS) Management Console – Point-and-click web interface – Monitor services – Simplified setup • AWS SDK for .NET – Automation using .NET framework • Lots of documentation
15 AWS Management Console
16 Connecting to VPC
Create a Create a Deploy Customer Integrate VPC AMIs Gateway
17 Gateway Requirements
IKE Establish IKE Security IPSec Association using Pre- Shared Keys Establish IPSec Tunnel Security Association in Tunnel mode Bind tunnel to logical BGP AES 128-bit encryption interface Diffie-Helman Perfect Establish Border Forward Secrecy Gateway Protocol (BGP) (“Group 2” mode) IPSec Dead Peer Detection
20 Summary • Using Amazon’s VPC all three goals can be reached – Learning • Help solidify concepts through “hands on” experience – Research • Flexible environment with a vast support matrix to meet a wide array of research needs – Recognition • Through learning and research UCCS will be better equipped to compete on the world stage 21 Questions
22 IPSec path include "/etc/racoon"; #!/sbin/setkey -f path pre_shared_key "/etc/racoon/psk.txt"; flush; spdflush; remote 72.21.209.225 { exchange_mode main; spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec lifetime time 28800 seconds; esp/tunnel/a.b.c.d-72.21.209.225/require; dpd_delay 10; dpd_retry 3; proposal { spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec encryption_algorithm aes128; esp/tunnel/72.21.209.225-a.b.c.d/require; hash_algorithm sha1; authentication_method pre_shared_key; spdadd 169.254.255.6/30 169.254.255.5/30 any -P out ipsec dh_group 2; } esp/tunnel/a.b.c.d-72.21.209.193/require; generate_policy off; } spdadd 169.254.255.5/30 169.254.255.6/30 any -P in ipsec remote 72.21.209.193 { esp/tunnel/72.21.209.193-a.b.c.d/require; exchange_mode main; lifetime time 28800 seconds; spdadd 169.254.255.2/30 192.168.0.0/24 any -P out ipsec dpd_delay 10; esp/tunnel/a.b.c.d-72.21.209.225/require; dpd_retry 3; proposal { encryption_algorithm aes128; spdadd 192.168.0.0/24 169.254.255.2/30 any -P in ipsec hash_algorithm sha1; esp/tunnel/72.21.209.225-a.b.c.d/require; authentication_method pre_shared_key; dh_group 2; spdadd 169.254.255.6/30 192.168.0.0/24 any -P out ipsec } generate_policy off; esp/tunnel/a.b.c.d-72.21.209.193/require; } spdadd 192.168.0.0/24 169.254.255.6/30 any -P in ipsec esp/tunnel/72.21.209.193-a.b.c.d/require;
