Cavirin Blog

Control Your Cloud

AWS Network Security Policies

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this blog provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment. These range from several CIS benchmarks to regulatory requirements such as PCI.

Today, we are pleased to announce the availability of Network Security Policies specifically designed for your AWS environment. These network policies are built around the best practice:

“Ensure no security group allows ingress from 0.0.0.0 or from the world on any port”

This policy pack contains all IANA registered ports and protocols.

Basically, you can use this policy pack to address the following security requirements:

  1. Ensure that SSH connections are not open to the world
  2. Ensure that DB ports are not open to the world
  3. Ensure that any other critical ports are not open to the world

Blocking unnecessary access and limiting exposure to port scans are very important for the upkeep of your infrastructure. If you have ports open to the world, any known vulnerability in the services behind them could potentially be exploited to gain control. Additionally, removing unfettered connectivity to remote console services, such as RDP/SSH, reduces a server's exposure to risk and further reduces the overall attack surface.

Scanning your security groups is straightforward in Cavirin’s platform. Just select the region(s) that you want to scan and it automatically sweeps through your entire list of security groups.

Currently, by default, the policy pack contains *6221 ports*. These are the ports which are currently allocated by IANA. The only exceptions are port 80 and port 443 to allow web server traffic.
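As an added example (not Cavirin's code), here is the check this policy expresses, in Python: it walks security group records in the shape EC2 DescribeSecurityGroups returns and flags any rule that admits 0.0.0.0/0 or ::/0 on a port other than 80 or 443. The group ids and rules are constructed for the example; a real run would feed it the output of describe_security_groups instead.

```python
# Added example (not Cavirin's code): flag security group ingress rules open
# to the whole internet, following the policy described above. Field names
# match EC2 DescribeSecurityGroups output; the sample data is constructed.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere"
ALLOWED_WORLD_PORTS = {80, 443}       # the web-server exception from the post

def world_open_ports(group):
    """Return sorted (protocol, port) findings the group exposes to the world.
    Allowed web ports are skipped; '*' marks an all-ports or all-traffic rule."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not WORLD_CIDRS.intersection(cidrs):
            continue  # scoped to specific networks, not the world
        proto = perm.get("IpProtocol", "-1")
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or (low, high) == (0, 65535):
            findings.add((proto if proto != "-1" else "all", "*"))
        elif proto in ("icmp", "icmpv6"):
            findings.add((proto, "*"))  # FromPort/ToPort are ICMP type/code here
        else:
            findings.update((proto, p) for p in range(low, high + 1)
                            if p not in ALLOWED_WORLD_PORTS)
    return sorted(findings, key=lambda f: (f[0], str(f[1])))

def assess(groups):
    """Map each GroupId to its findings; an empty list means the group passes."""
    return {g["GroupId"]: world_open_ports(g) for g in groups}

SAMPLE_GROUPS = [  # constructed sample; GroupIds are placeholders
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, findings in assess(SAMPLE_GROUPS).items():
        print(gid, "PASS" if not findings else f"FAIL {findings}")
```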


Figure 1: AWS Network Policy Pack

Once you choose particular region(s), you quickly get a security assessment report with respect to your port traffic configuration.


Figure 2: Security Groups without any ports opened to the world for ingress traffic

Figure 3: Security Groups containing critical ports opened to the world for ingress traffic

In addition, you can add your own custom ports that you want to assess continuously. Policy Packs are open to customization and tailoring.

Security agility is important as you embrace your cloud journey. Increasingly, you find it hard to spend time on security issues that require hours and hours of analysis and reporting. Agile security practices automate your efforts and help you spend time on the security areas that demand your immediate attention.

Cavirin's continuous cloud security takes security assessment and risk mitigation to the next level of scale, automation, and interoperability, performing security compliance over large, complex IT infrastructures.  Cloud-agnostic, multi-tenant, physical or virtual, Cavirin supports real-time security monitoring and offers continuous risk assessments of infrastructure hosted on AWS, Microsoft Azure, and Google Cloud. It also supports private clouds running on VMware and other forms of virtualization such as KVM and OpenStack, as well as containers.  Since it is agentless, Cavirin can run trusted, deep security scans across distributed infrastructures regardless of the topology.

Cavirin can continuously monitor your infrastructure for technical policies that bolster your insider protection. You can rely on its next-generation, cloud-aware technology that encompasses your entire workload and data and provides deep visibility into what is going on. Sign up for a test drive today and see it for yourself!


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.