Cloud Asset Management and Protection: Network Assets

In this final article of our 3-part series on Cloud Asset Management and Protection, we explore cloud asset management for network assets.

It’s important to manage and protect cloud network assets because they enable communications between all other cloud assets, and between these assets and the outside world.

Network assets also perform some security functions. For instance, a Virtual Private Cloud enables organizations to keep their entire application private from other customers on the cloud, and ensure that it’s only accessible via a VPN (Virtual Private Network) or other private link. Another asset – TLS certificates – encrypt data to help secure Internet browser connections and transactions. Similarly, a reverse proxy protects applications by inspecting requests for malicious content. It compares such requests to a database containing both allowed and disallowed content, and drops requests found to be malicious.

Types of Cloud Network Assets

Cloud networking assets act as “gatekeepers” to applications and data. But to create reliable, resilient and available cloud networks, it’s vital to configure, manage and protect these assets including:

• Virtual Private Clouds (VPCs) and subnets
• Content Delivery Networks (CDNs)
• DNS records
• TLS certificates
• Load balancers
• Reverse proxies
• Web application firewalls

It’s also important to maintain an asset inventory, monitor locations and dependencies, and keep track of changes.

1- Virtual Private Clouds

A VPC is a secure, isolated private cloud that’s hosted within a public cloud. The key technologies that support this isolation are:

• Subnets: A range of “reserved” or “private” IP addresses within a network that divide it for private use
• Virtual LAN (VLAN): A group of devices connected to each other without the use of the Internet like a subnet, a VLAN is a way to partition the cloud network
• Virtual Private Networks (VPNs)

1. 1. A private network created on top of a public network with encryption
   2. Traffic passes through the publicly-shared infrastructure but is not visible to anyone outside the organization

A VPC provides the cost savings, scalability and convenience of a public cloud, with the data isolation capabilities of private clouds. It enables organizations to create separate virtual networks to isolate their applications from other customers using the same cloud.

To protect VPC assets, regular network scanning is crucial. This enables organizations to understand how these assets are performing, and identify and address vulnerabilities. But for scans to be effective, network scanners need good inputs – and this can only happen if a good inventory of all VPC assets is maintained.

2- Content Delivery Networks (CDNs)

A CDN is a network of linked hosting servers that distribute and route content globally to reduce access latency, and ensure fast and secure content delivery.

When deployed on the cloud network’s edge, a CDN works as a virtual “fence” to prevent attacks on assets or applications. However, an attacker with access to the CDN can introduce malware into the content, or even launch Distributed Denial-of-Service (DDoS) attacks. Domain fronting is another risk. This attack enables hackers to “mirror” the reputable traffic flowing through the CDN, and get back-door access to the network.

To minimize such risks, it’s important to track and monitor the CDN, and protect it with strong authentication, access control, and SSL/TLS encryption.

3- DNS Records

Domain Name System (DNS) records provide information about a domain, including what IP address is associated with it, and how to handle requests for it.

It’s important to track DNS records and registrars. One key reason is that the DNS is susceptible to many kinds of attacks, including:

• Domain hijacking: Attackers make changes in DNS servers to direct traffic away from the original servers to a new destination
• DDoS attack: Overloads the server with traffic so it cannot continue to serve DNS requests from authorized users
• DNS spoofing: Attackers inject malicious code into the DNS resolvers’ cache to redirect users to another server
• DNS hijack: Attackers infect the DNS with malware to alter the TCP/IP configurations and redirect traffic to a phishing website

Transport Layer Security (TLS) connections offer protection against DNS spoofing. However, not all browsers support TLS, so those users remain unprotected from such attacks. In addition to redirecting them to a malicious server, the attacker may also steal their data (e.g. credentials), or read, manipulate or steal the data going to the legitimate site.

Another reason for tracking DNS records (e.g. domains) is to ensure that domains are renewed on time. Not doing so can lead to service outages and affect business continuity.

With a robust policy enforcement and compliance engine, organizations have a seamless and reliable way to secure all their cloud network assets.

4- TLS Certificates

A TLS certificate (X.509 certificate) is a digital certificate issued by a Certificate Authority (CA). It verifies that a particular domain name belongs to the entity the certificate has been issued to.

When a user tries to connect to a server, the server sends them the TLS certificate for the domain, to help establish a secure connection. This verification process relies on cryptographic keys such as RSA or ECC. These keys protect the domain from spoofing attacks.

It’s important to track TLS certificates to understand who has access to the private keys. If these keys fall into the wrong hands, they may be able to impersonate the legitimate site. Tracking also makes it easy to reissue an entire class of certificates, say because the cryptographic algorithm was weak. Finally, a missed TLS certificate renewal can lead to service outages. Tracking certificates can prevent this from happening

5- Load Balancers, Reverse Proxies, Web Application Firewalls

A load balancer distributes traffic across multiple application instances to improve performance and reduce access latency. A reverse proxy server sits in front of web servers to protect them from DDoS attacks. It also provides load balancing, performance, and reliability benefits. A Web Application Firewall (WAF) helps protect web applications from attacks like cross-site-scripting (XSS), cross-site forgery, and SQL injection.

All these assets can see and modify the network traffic flowing to and from applications. That’s why robust access control is critical. And for this, proper inventory management is invaluable.

Conclusion

This brings us to the end of our 3-part series on Cloud Asset Management and Protection. Do take a look at our other two articles here Part 1 and Part 2

Magalix enables companies to enforce security-as-code across their entire cloud networking infrastructure. The Magalix platform is robust, scalable and extensible – ideal for securing your cloud network infrastructure. The engine supports a “build once, enforce everywhere” approach with 100s of built-in policies and templates that can be easily customized and implemented.

Protect your cloud network assets with Magalix and Security-as-Code.