Security Groups and Its Importance


Security Groups Definition:

A security group is a virtual firewall that lets you control all inbound and outbound traffic to a particular entity. I specifically use the word entity here because security groups apply not only to standard EC2 machines, but also to other things like load balancers, databases in RDS, and Docker-based services hosted in ECS (Elastic Container Service). There are many more, but this gives you the idea.

What are Security Groups:

  • Security groups get associated with network interfaces, and changes are reflected immediately in the effective configuration. For security groups, the user does not have the ability to restrict traffic by specific IP addresses.
  • A variety of different entities can all belong to the same security group, and in it the user can define rules that specify the inbound and outbound traffic that can flow to any entity or instance that belongs to the security group.
  • Many other types of protocols are also supported during the ‘Create Rule’ process.
  • It’s important to realize that security groups work off a pessimistic principle: by default they DENY all traffic unless a rule exists that explicitly allows it. This is why using a security group is such an attractive option for developers; it forces them to explicitly define which ports/protocols/sources are allowed to communicate, instead of the opposite.
  • One limitation of security groups is that they can only be applied to one VPC at a time, so pick your members wisely.

Why are Security Groups Important:

  • The thing with security groups is that by playing with ‘Source’ IPs and ports/protocols, it becomes much easier to lock down your instances in a predictable way.
  • While Route Tables define the overall rules of traffic flow throughout your VPC, Security groups lock down your entities even further by allowing you to define explicit protocols to and from your resources.
  • Security Groups are part of the Security Layering strategy employed by AWS.
  • There are many layers of security which, taken together, introduce an element of redundancy that acts to thwart attackers.
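To make the pessimistic principle concrete, here is an added example (my own code, not from the original post or from AWS) that models how a security group evaluates traffic: allow-only rules, default deny when nothing matches, and an audit helper that flags administrative ports opened to the whole Internet. The rule fields mirror `describe-security-groups` output; the two sample groups and their address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allow rule, mirroring the fields of describe-security-groups output."""
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int  # -1 (with to_port -1) means any port
    to_port: int
    cidr: str       # source range for an inbound rule

def rule_matches(rule, protocol, port, ip):
    """True if this single rule explicitly allows the traffic."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)

def is_allowed(rules, protocol, port, ip):
    """Security groups are allow-only: with no matching rule the traffic is
    dropped. There is no deny rule and no rule ordering to get wrong."""
    return any(rule_matches(r, protocol, port, ip) for r in rules)

def world_open_ports(rules, watch_ports=(22, 3389, 3306, 5432)):
    """Audit helper: list (port, cidr) pairs where a rule exposes an
    administrative or database port to every source address."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen != 0:
            continue  # scoped to some network, not the whole Internet
        for p in watch_ports:
            if rule_matches(r, "tcp", p, "192.0.2.1"):  # any address matches a /0
                findings.append((p, r.cidr))
    return findings

# Constructed sample groups (documentation address ranges, not real networks).
WEAK_SG = [Rule("tcp", 22, 22, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")]
LOCKED_SG = [Rule("tcp", 22, 22, "203.0.113.0/24"),  # SSH only from the office range
             Rule("tcp", 443, 443, "0.0.0.0/0")]      # HTTPS from anywhere

if __name__ == "__main__":
    print("weak group exposes:", world_open_ports(WEAK_SG))
    print("SSH from a stranger to locked group:",
          is_allowed(LOCKED_SG, "tcp", 22, "198.51.100.7"))
```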

What are Active Directory security groups:

  1. The concept of a security group has been with us for nearly as long as the multi-user computer.
  2. Fundamentally, the purpose of a security group is to collect user accounts into a single object in order to simplify permissions management:
    • Instead of having to maintain a separate set of rights for each individual user,
    • IT admins grant a certain set of rights to a single object — the security group — and those rights flow through to all the users who are members of the security group.
    • As a result, provisioning of new users is much easier; simply add the user to the appropriate security groups and they are well on their way to productivity.
    • Similarly, users who change roles can be reprovisioned quickly and accurately simply by adjusting their group memberships.

How security groups are used to improve security:

  • A user’s security token is used for all security evaluations. When a user makes an authentication request, that user’s membership in security groups and nested security groups (but not distribution groups) is calculated, and those values at that time are written to the user’s Kerberos security token.
  • Then, when a user attempts to access a secured resource (for example, a folder in a file system), the operating system checks the security token against the Access Control List (ACL) that is written on the folder.
  • If the user has an entry in their token that corresponds to the ACL, they get whatever level of access is defined in the ACL. If they do not, they are denied access.
  • Notice that at no time during this process does the file server query the group itself. It does not need to; the group was already queried by the user’s authentication process.
  • This is why it simply is not possible to see whether a group is being “used” to provide access to anything from the perspective of Active Directory.
  • If the group has members, it is being “used” every time that member logs on to the network. Whether any resource is looking for that group’s security identifier in the user’s token is something Active Directory has no visibility into.
  • The enumeration of security groups happens during user authentication.
  • This is why it is not uncommon for users to be able to access resources after they have been removed from a group, at least for a while — the user still has a valid ticket that says they are a member of that group, and unless their authentication is revisited, they can continue to use the group’s security token.
  • The default lifetime for a Kerberos ticket in Active Directory is 10 hours.
