AWS Network Firewall Proxyを触ってみた

+"846(ಢ໦ΦϑϥΠϯप೥ײँࡇ "84/FUXPSL'JSFXBMM1SPYZ Λ৮ͬͯΈͨ ޒຯͳ͗͞ʢ9ɿ!OBHJTB@ʣɹ

ࣗݾ঺հ w ໊લɿޒຯͳ͗͞ w ࢓ࣄɿ4*FSΠϯϑϥ෦໳Ϋϥ΢υؔ࿈άϧʔϓϚωʔδϟʔ w झຯɿΩοΫϘΫγϯά ɺεΩϡʔόμΠϏϯά w ޷͖ͳ"84αʔϏεɿ/8ܥαʔϏεશൠ
"84$PNNVOJUZ#VJMEFSTʢ/FUXPSLJOHBOE$POUFOU%FMJWFSZʣ "84"NCBTTBEPSTʢʣ "84+BQBO5PQ&OHJOFFSTʢʣ +BQBO"MM"84$FSUJGJDBUJPOT&OHJOFFSTʢʣ +"846(Ϋϥ΢υঁࢠձ࠼ͷࠃ࡛ۄࢧ෦ӡӦ +"84%":4࣮ߦҕһʢӶҙ४උதʂʣ

"84/FUXPSL'JSFXBMM1SPYZ 1SFWJFX w "84Ϛωʔδυͳ'PSXBSE1SPYZ w ʹ1SFWJFX൛ͱͯ͠ొ৔ w ͜Ε·Ͱ͸Ϛωʔδυͳ'PSXBSE1SPYZ͕ͳ͘ɺ '2%/Ͱͷ੍ޚΛݫີʹߦ͍͍ͨ৔߹ɺ 4RVJE౳ͷQSPYZαʔόΛϢʔβʔଆͰཱͯΔඞཁ͕͋ͬͨɻ
ˠɹ͍ͭʹ"84ϚωʔδυͰར༻Ͱ͖Δ1SPYZ͕ʂ

ैདྷͷ"/'ʹ͓͚ΔѼઌ੍ޚͷ՝୊ ANF ಁաతɻ HTTPS௨৴ͷ৔߹ɺ ʢTLS InterceptionΛར༻͍ͯ͠ͳ͍ݶΓʣ ௨৴ͷத਎͸ݟΕͳ͍ͨΊ SSL/TLSϋϯυγΣΠΫͷClient Helloʹؚ·ΕΔ SNIͷ஋Λݩʹ੍ޚɻ
※HTTPͷ৔߹͸Host Headerͷ஋ SNIͷ஋͸࣮ࡍͷѼઌFQDNͱҟͳΔ஋ʹِ૷Մೳ ڐՄ͍ͯ͠Δϗετ໊ΛSNIʹೖΕͯ͠·͑͹௨৴Ͱ͖ͯ͠·͏ ΫϥΠΞϯτͱͯ͠͸ Ѽઌʹͦͷ··઀ଓ Ѽઌɿ https://example.com

ैདྷͷ"/'ʹ͓͚ΔѼઌ੍ޚͷ՝୊ Proxy Ѽઌ΁ͷ௨৴ΛProxyαʔό͕தܧ͢ΔܗʹͳΔɻ HTTPS௨৴ͷத਎͸ݟΕͳ͍͕ɺΫϥΠΞϯτ͸ HTTP CONNECTϝιουͰProxyαʔόʹ઀ଓͨ͠ͷͪ ʹProxyαʔόʹͯѼઌͷ໊લղܾΛߦ͏ͨΊɺ ࣮ࡍͷѼઌͱͳΔFQDNΛݩʹ੍ͨ͠ޚ͕Մೳ ProxyΛ໌ࣔతʹࢦఆ Ѽઌɿ
https://example.com

/FUXPSL'JSFXBMM1SPYZͷߏ੒ Ҿ༻ݩɿhttps://aws.amazon.com/jp/blogs/networking-and-content-delivery/securing-egress-architectures-with-network-firewall-proxy/ NAT GatewayͱηοτͰར༻ Proxy Endpoint͕࡞ΒΕɺ ΫϥΠΞϯτଆ͸Proxy EndpointΛ ϓϩΩγαʔόͱͯ͠ࢦఆ ैདྷͷNetwork
Firewallͷ Endpoint͸ෆཁ

࣮ࡍʹ΍ͬͯΈͨ w ҎԼͭΛॱʹઃఆ w ϓϩΩγάϧʔϓ w ϓϩΩγઃఆ w ϓϩΩγʢຊମʣ

ϓϩΩγάϧʔϓ w ϧʔϧͷϑΣʔζͱ৚݅ɺΞΫγϣϯʢڐՄڋ൱ʣΛઃఆ w ϑΣʔζ w QSF%/4 w υϝΠϯ໊ղܾલʹධՁ͞ΕΔ w
1SF3FRVFTU w %/4ղܾޙɺ)551TϦΫΤετΛૹ৴͢ΔલʹධՁ͞ΕΔ w 1PTU3FTQPOTF w )551TϨεϙϯεΛड৴ͨ͠ޙʹධՁ͞ΕΔ ˞1SF3FRVFTUͱ1PTU3FTQPOTF͸ཁ5-4*OUFSDFQUJPO

ิ଍ 5-4*OUFSDFQUJPO ΫϥΠΞϯτͱProxyؒͰTLS SessionΛཱ֬͠ɺҰ౓Proxy্Ͱ҉߸ԽΛղ͍ͯ த਎Λ֬ೝͷ্ɺProxyͱຊདྷͷѼઌؒͰTLS SessionΛཱ֬͢Δɻ ͜ͷ৔߹ɺΫϥΠΞϯτͱͷTLS Sessionͷཱ֬ͷͨΊʹඞཁͳূ໌ॻͷProxy ΁ͷηοτ΍ɺΫϥΠΞϯτଆʹ֘౰ͷূ໌ॻͷϧʔτূ໌ॻΛImport͢Δ ͳͲͷରԠ͕ඞཁɻ
Ҿ༻ݩɿhttps://aws.amazon.com/jp/blogs/networking-and-content-delivery/securing-egress-architectures-with-network-firewall-proxy/

ϓϩΩγάϧʔϓ w ৚݅ ϑΣʔζʹΑͬͯ ࢖͑Δ৚݅͸ҟͳΔ

ϓϩΩγάϧʔϓ ࠓճ͸QSF%/4ϑΣʔζͰಛఆ'2%/ΛڐՄ͢ΔϓϩΩγάϧʔϓΛ࡞੒

ϓϩΩγઃఆ w σϑΥϧτͷΞΫγϣϯͱඥ෇͚Δϧʔϧάϧʔϓͷઃఆ PreRequest/PostResponseͷσϑΥϧτΞΫγϣϯΛʮڋ൱ʯʹ͍ͯ͠ΔͱHTTPϦΫΤετ/Ϩεϙϯεͷத ਎ΛݟΑ͏ͱ͢Δಈ࡞ʹͳΔͷ͔ɺʮTLS interceptionʯΛར༻͠ͳ͍ঢ়ଶͰ͸ɺ͜ͷޙߦͬͨಈ࡞֬ೝͷ ࡍʹTLS Connection Error͕ൃੜͨ͠ͷͰཁ஫ҙɻ PreDNSͷϧʔϧ͔͠࢖Θͳ͍৔߹͸ɺPreDNSͷΈʮڋ൱ʯͱ͍ͯ͠Ε͹ظ଴͢Δ੍ޚ͕Մೳɻ
ࠓճ͸ϓϩΩγάϧʔϓ ͰڐՄͨ͠FQDNҎ֎͸ڋ ൱͍ͨ͠ͷͰɺσϑΥϧ τΛʮڋ൱ʯͰઃఆɻ ͕ɺҎԼ՝୊ɻ

ϓϩΩγʢຊମʣ w ඥ෇͚Δ/"5(BUFXBZ΍5-4JOUFSDFQUJPOɺ ϙʔτ൪߸ͳͲͷઃఆΛߦ͏ ݱ࣌఺Ͱ Resional NAT Gateway͸ ࢦఆෆՄ

ૄ௨֬ೝ w ڐՄͨ͠'2%/ˠૄ௨0, w ૄ௨0,ڐՄ͍ͯ͠ͳ͍Ѽઌ΁1SPYZܦ༝Ͱ$VSM ˠ$0//&$5ʹର͠1SPYZ͔Β͕ฦ͓ͬͯΓૄ௨/(

ऴΘΓʹ w ࣮ࡍʹ࢖ͬͯΈ͕ͨҰൠతͳ1SPYZ༻్ͱͯ͠ඞཁͳػೳΛඋ͍͑ͯͦ͏ w ৄ͘͠͸ҎԼΛݟ͍ͯͩ͘͞ "84ͷ&HSFTT௨৴पΓͷΞοϓσʔτʹ৮ΕͯΈͨ3FHJPOBM/"5(BUFXBZ /FUXPSL'JSFXBMM1SPYZ w Ұൠఏڙ։࢝ͨ͠ޙͷ͓஋ஈ͸ؾʹͳΔͱ͜Ζɻɻɻ
ˠैདྷͷ/FUXPSL'JSFXBMMͷ&OEQPJOUΛར༻͢ΔܗͰ͸ͳ͍ͷͰ ผྉۚମܥʹͳΔͷͰ͸ͱظ଴ ૣ͘དྷͯ΄͍͠

AWS Network Firewall Proxyを触ってみた

AWS Network Firewall Proxyを触ってみた

nagisa_53

More Decks by nagisa_53

Other Decks in Technology

Featured

Transcript

+"846(ಢ໦ΦϑϥΠϯप೥ײँࡇ "84/FUXPSL'JSFXBMM1SPYZ Λ৮ͬͯΈͨ ޒຯͳ͗͞ʢ9ɿ!OBHJTB@ʣɹ

ࣗݾ঺հ w ໊લɿޒຯͳ͗͞ w ࢓ࣄɿ4*FSΠϯϑϥ෦໳Ϋϥ΢υؔ࿈άϧʔϓϚωʔδϟʔ w झຯɿΩοΫϘΫγϯά ɺεΩϡʔόμΠϏϯά w ޷͖ͳ"84αʔϏεɿ/8ܥαʔϏεશൠ

"84/FUXPSL'JSFXBMM1SPYZ 1SFWJFX w "84Ϛωʔδυͳ'PSXBSE1SPYZ w ʹ1SFWJFX൛ͱͯ͠ొ৔ w ͜Ε·Ͱ͸Ϛωʔδυͳ'PSXBSE1SPYZ͕ͳ͘ɺ '2%/Ͱͷ੍ޚΛݫີʹߦ͍͍ͨ৔߹ɺ 4RVJE౳ͷQSPYZαʔόΛϢʔβʔଆͰཱͯΔඞཁ͕͋ͬͨɻ

ैདྷͷ"/'ʹ͓͚ΔѼઌ੍ޚͷ՝୊ ANF ಁաతɻ HTTPS௨৴ͷ৔߹ɺ ʢTLS InterceptionΛར༻͍ͯ͠ͳ͍ݶΓʣ ௨৴ͷத਎͸ݟΕͳ͍ͨΊ SSL/TLSϋϯυγΣΠΫͷClient Helloʹؚ·ΕΔ SNIͷ஋Λݩʹ੍ޚɻ

/FUXPSL'JSFXBMM1SPYZͷߏ੒ Ҿ༻ݩɿhttps://aws.amazon.com/jp/blogs/networking-and-content-delivery/securing-egress-architectures-with-network-firewall-proxy/ NAT GatewayͱηοτͰར༻ Proxy Endpoint͕࡞ΒΕɺ ΫϥΠΞϯτଆ͸Proxy EndpointΛ ϓϩΩγαʔόͱͯ͠ࢦఆ ैདྷͷNetwork

࣮ࡍʹ΍ͬͯΈͨ w ҎԼͭΛॱʹઃఆ w ϓϩΩγάϧʔϓ w ϓϩΩγઃఆ w ϓϩΩγʢຊମʣ

ϓϩΩγάϧʔϓ w ϧʔϧͷϑΣʔζͱ৚݅ɺΞΫγϣϯʢڐՄڋ൱ʣΛઃఆ w ϑΣʔζ w QSF%/4 w υϝΠϯ໊ղܾલʹධՁ͞ΕΔ w

ϓϩΩγάϧʔϓ w ৚݅ ϑΣʔζʹΑͬͯ ࢖͑Δ৚݅͸ҟͳΔ

ϓϩΩγάϧʔϓ ࠓճ͸QSF%/4ϑΣʔζͰಛఆ'2%/ΛڐՄ͢ΔϓϩΩγάϧʔϓΛ࡞੒

ϓϩΩγʢຊମʣ w ඥ෇͚Δ/"5(BUFXBZ΍5-4JOUFSDFQUJPOɺ ϙʔτ൪߸ͳͲͷઃఆΛߦ͏ ݱ࣌఺Ͱ Resional NAT Gateway͸ ࢦఆෆՄ

ૄ௨֬ೝ w ڐՄͨ͠'2%/ˠૄ௨0, w ૄ௨0,ڐՄ͍ͯ͠ͳ͍Ѽઌ΁1SPYZܦ༝Ͱ$VSM ˠ$0//&$5ʹର͠1SPYZ͔Β͕ฦ͓ͬͯΓૄ௨/(

ऴΘΓʹ w ࣮ࡍʹ࢖ͬͯΈ͕ͨҰൠతͳ1SPYZ༻్ͱͯ͠ඞཁͳػೳΛඋ͍͑ͯͦ͏ w ৄ͘͠͸ҎԼΛݟ͍ͯͩ͘͞ "84ͷ&HSFTT௨৴पΓͷΞοϓσʔτʹ৮ΕͯΈͨ3FHJPOBM/"5(BUFXBZ /FUXPSL'JSFXBMM1SPYZ w Ұൠఏڙ։࢝ͨ͠ޙͷ͓஋ஈ͸ؾʹͳΔͱ͜Ζɻɻɻ