Deploy network security partner solutions to a secure CIS landing zone on Oracle Cloud
To run your workloads in Oracle Cloud Infrastructure (OCI), you need a secure environment that you can operate efficiently. The CIS Oracle Cloud Infrastructure Foundations Benchmark provides a secure landing zone within your OCI tenancy.
This reference architecture provides a Terraform-based landing zone template for different network security partners that you can use to deploy the solution on a secure CIS landing zone.
Architecture
The following diagram illustrates this reference architecture.
(Diagram: deploy-security-arch.png; editable source: deploy-security-arch-oracle.zip)
The architecture has the following components:
- Tenancy
A tenancy is a secure and isolated partition that Oracle sets up within OCI when you sign up. You can create, organize, and administer your resources in OCI within your tenancy.
- Policies
An OCI Identity and Access Management (IAM) policy specifies who can access which resources and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment or to the tenancy.
- Compartments
Compartments are cross-region logical partitions within an OCI tenancy. Use compartments to organize your resources, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform. The resources in this landing zone template are provisioned in the following compartments:
- A network compartment for all the networking resources, including the required network gateways.
- A security compartment for the logging, key management, and notifications resources.
- An app developer compartment for the application-related services, including Compute, storage, functions, streams, Kubernetes nodes, API gateway, and so on.
- A database compartment for all database resources.
This compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.
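The compartment and policy design described above, as an added Terraform illustration (this is not code from the CIS landing zone repository or from any partner stack). The tenancy OCID, compartment names and group names are constructed placeholders; the resource types are the OCI Terraform provider's own, and the policy verbs and resource families are OCI IAM's. The point it shows is that each administrator group is granted `manage` only inside its own compartment, with narrow `read`/`use` grants into the network compartment where instances and databases must attach to subnets:

```terraform
# Added illustration, not the landing zone's own modules. Placeholder values:
# var.tenancy_ocid, the lz-* compartment names, and the lz-*-admins group names.

variable "tenancy_ocid" {
  description = "OCID of the root compartment (placeholder, supplied at apply time)"
  type        = string
}

# One compartment per functional area, keyed by a short name the policies reuse.
locals {
  compartments = {
    network  = { name = "lz-network",  description = "VCNs, subnets, gateways, DRG" }
    security = { name = "lz-security", description = "Vault, logging, notifications" }
    appdev   = { name = "lz-appdev",   description = "Compute, storage, functions, OKE" }
    database = { name = "lz-database", description = "Database resources" }
  }
}

resource "oci_identity_compartment" "lz" {
  for_each       = local.compartments
  compartment_id = var.tenancy_ocid
  name           = each.value.name
  description    = each.value.description
}

# Compartment names as created, so policy statements stay in sync with the map above.
locals {
  cmp = { for k, c in oci_identity_compartment.lz : k => c.name }
}

# No statement grants "manage all-resources" or "in tenancy": a group that is
# compromised can only act inside the compartment it administers.
resource "oci_identity_policy" "compartment_admins" {
  compartment_id = var.tenancy_ocid
  name           = "lz-compartment-admins"
  description    = "Per-compartment administrator grants (illustrative)"
  statements = [
    # Network administrators own everything in the network compartment.
    "Allow group lz-network-admins to manage virtual-network-family in compartment ${local.cmp.network}",

    # Security administrators own keys, secrets, logs and notifications.
    "Allow group lz-security-admins to manage vaults in compartment ${local.cmp.security}",
    "Allow group lz-security-admins to manage keys in compartment ${local.cmp.security}",
    "Allow group lz-security-admins to manage secret-family in compartment ${local.cmp.security}",
    "Allow group lz-security-admins to manage logging-family in compartment ${local.cmp.security}",
    "Allow group lz-security-admins to manage ons-family in compartment ${local.cmp.security}",

    # Application developers manage compute and storage in their compartment,
    # and may only read and attach to subnets that network administrators created.
    "Allow group lz-appdev-admins to manage instance-family in compartment ${local.cmp.appdev}",
    "Allow group lz-appdev-admins to manage object-family in compartment ${local.cmp.appdev}",
    "Allow group lz-appdev-admins to read virtual-network-family in compartment ${local.cmp.network}",
    "Allow group lz-appdev-admins to use subnets in compartment ${local.cmp.network}",
    "Allow group lz-appdev-admins to use network-security-groups in compartment ${local.cmp.network}",

    # Database administrators get the same shape of grant for the database compartment.
    "Allow group lz-database-admins to manage database-family in compartment ${local.cmp.database}",
    "Allow group lz-database-admins to use subnets in compartment ${local.cmp.network}",
    "Allow group lz-database-admins to use network-security-groups in compartment ${local.cmp.network}",
  ]
}
```

Because the policy is attached to the root compartment and the statements name compartments by their created names, adding a fifth compartment means adding one key to the `compartments` map and the statements for its group; nothing in the existing grants widens as a side effect.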
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
All the resources in this architecture are deployed in a hub-and-spoke topology. The demilitarized zone (DMZ) VCN is the hub and contains the firewall resources and subnets. Management, indoor, outdoor, high availability, and diagonal subnets are created depending on which network security partner's firewall you deploy. The spoke VCNs (VCN1 and VCN2) have three-tier application subnets: web, app, and database.
- Firewall
A firewall is a product offered by network security partners. In this architecture, the firewall is a virtual machine (VM) that you deploy in the DMZ VCN to secure the workloads running in your OCI tenancy. You can deploy firewall VMs in either active-passive or active-active high availability mode.
- Internet gateway
The internet gateway allows traffic between the public subnets in a VCN and the public internet.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between on-premises networks and VCNs and can also be used to route traffic between VCNs in the same region or across regions.
- NAT gateway
The NAT gateway enables private resources in a VCN to access hosts on the internet without exposing those resources to incoming internet connections.
- Service gateway
The service gateway provides access from a VCN to other services, such as OCI Object Storage. The traffic from the VCN travels to the Oracle service over the Oracle network fabric and never traverses the internet.
- Oracle Services Network
The Oracle Services Network (OSN) is a conceptual network in OCI that's reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside OCI can access OSN privately by using OCI FastConnect or VPN Connect. Hosts in your VCNs can access OSN privately through a service gateway.
- Network security groups (NSGs)
NSGs act as virtual firewalls for your cloud resources. Under the zero-trust security model of OCI, all traffic is denied by default, and you control the network traffic inside a VCN by adding explicit rules. An NSG consists of a set of ingress and egress security rules that apply only to a specified set of VNICs in a single VCN.
- Events
OCI services emit events, which are structured messages that describe the changes in resources. Events are emitted for create, read, update, or delete (CRUD) operations, resource lifecycle state changes, and system events that affect cloud resources.
- Notifications
The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on OCI.
- Vault
OCI Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud.
- Logs
Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:
- Audit logs: Logs related to events emitted by the Audit service.
- Service logs: Logs emitted by individual services, such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
- Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
- Service connectors
OCI Service Connector Hub is a cloud message bus platform. You can use it to move data between services in OCI. Data moves using service connectors. A service connector specifies the source service that contains the data to be moved, the tasks to perform on the data, and the target service to which the data is delivered when the specified tasks are completed. You can use OCI Service Connector Hub to quickly build a logging aggregation framework for SIEM systems.
- Cloud Guard
Oracle Cloud Guard helps you achieve and maintain a strong security posture in OCI by monitoring the tenancy for configuration settings and actions on resources that could pose a security problem.
You can use Oracle Cloud Guard to monitor and maintain the security of your resources in OCI. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with those actions, based on responder recipes that you can define.
- Vulnerability Scanning service
Oracle Cloud Infrastructure Vulnerability Scanning service helps improve the security posture in OCI by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.
- Object Storage
OCI Object Storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for hot data that you must access quickly, immediately, and frequently. Use archive storage for cold data that you retain for long periods of time and rarely access.
Recommendations
- Access permissions
The landing zone template can provision resources as the tenancy administrator (any member of the Administrators group) or as a user with narrower permissions. The landing zone includes policies that allow separate administrator groups to manage each compartment after the initial provisioning. The preconfigured policies are not exhaustive: when you add resources to the Terraform template, you must define the additional policy statements that those resources require.
- Network configuration
You can deploy the landing zone network in different ways: with one or more standalone VCNs, or in a hub-and-spoke architecture with the OCI DRG V2 service. You can also configure the network with no internet connectivity. Although the landing zone allows switching back and forth between standalone and hub-and-spoke, plan for a specific design up front, because switching might require manual actions.
- Customizing the landing zone template
The Terraform configuration has a single root module and individual modules to provision the resources. This modular pattern enables efficient and consistent code reuse. To add resources to the Terraform configuration, such as compartments or VCNs, reuse the existing modules, and add the necessary module calls, similar to the existing ones in the root module. Most modules accept a map of resource objects, which are usually keyed by the resource name. To add objects to an existing container object, such as a subnet to a VCN, add the subnet resources to the existing subnets map.
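An added Terraform illustration of two points above: the "map of resource objects keyed by name" pattern for adding a subnet to an existing subnets map, and the default-deny behaviour of NSGs (an NSG with no rules passes nothing, so every permitted flow needs an explicit egress rule on the source side and ingress rule on the destination side). This is not code from the landing zone repository or any partner stack; the compartment OCID, CIDRs and display names are constructed placeholders, and the example calls the OCI provider resources directly rather than the landing zone's own modules:

```terraform
# Added illustration, not the landing zone's own module calls.
# Placeholders: var.network_compartment_id, the 10.1.0.0/16 address plan, display names.

terraform {
  required_providers {
    oci = { source = "oracle/oci" }
  }
}

variable "network_compartment_id" {
  description = "OCID of the network compartment (placeholder)"
  type        = string
}

# Spoke VCN hosting a three-tier application.
resource "oci_core_vcn" "spoke1" {
  compartment_id = var.network_compartment_id
  display_name   = "vcn1"
  cidr_blocks    = ["10.1.0.0/16"]
  dns_label      = "vcn1"
}

# Subnets as a map keyed by name. Adding a tier means adding one key here;
# the for_each below creates the subnet and its NSG without a new resource block.
locals {
  spoke1_subnets = {
    web = { cidr = "10.1.1.0/24", private = false }
    app = { cidr = "10.1.2.0/24", private = true }
    db  = { cidr = "10.1.3.0/24", private = true }
    # mgmt = { cidr = "10.1.4.0/24", private = true }   # add a subnet by adding a key
  }
}

resource "oci_core_subnet" "spoke1" {
  for_each                   = local.spoke1_subnets
  compartment_id             = var.network_compartment_id
  vcn_id                     = oci_core_vcn.spoke1.id
  display_name               = "${each.key}-subnet"
  cidr_block                 = each.value.cidr
  dns_label                  = each.key
  prohibit_public_ip_on_vnic = each.value.private   # private tiers cannot get public IPs
}

# One NSG per tier. An NSG carries no default rules: with nothing attached to it,
# VNICs in that NSG accept and send nothing, which is the zero-trust starting point.
resource "oci_core_network_security_group" "tier" {
  for_each       = local.spoke1_subnets
  compartment_id = var.network_compartment_id
  vcn_id         = oci_core_vcn.spoke1.id
  display_name   = "${each.key}-nsg"
}

# The only permitted east-west flow in this example: app tier -> db tier on TCP 1521.
# The source is another NSG, not a CIDR, so the rule follows the VNICs rather than
# addresses and does not need updating when the app subnet is resized.
resource "oci_core_network_security_group_security_rule" "db_ingress_from_app" {
  network_security_group_id = oci_core_network_security_group.tier["db"].id
  direction                 = "INGRESS"
  protocol                  = "6"   # TCP
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.tier["app"].id
  tcp_options {
    destination_port_range {
      min = 1521
      max = 1521
    }
  }
}

# The matching egress rule on the app NSG. Both halves are required: the source
# VNIC's NSG must allow the egress and the destination VNIC's NSG the ingress.
resource "oci_core_network_security_group_security_rule" "app_egress_to_db" {
  network_security_group_id = oci_core_network_security_group.tier["app"].id
  direction                 = "EGRESS"
  protocol                  = "6"
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.tier["app"].id == "" ? "" : oci_core_network_security_group.tier["db"].id
  tcp_options {
    destination_port_range {
      min = 1521
      max = 1521
    }
  }
}
```

A useful check after `terraform plan` is that the only `oci_core_network_security_group_security_rule` resources in the plan are the ones you intended: any tier without a rule remains fully isolated, and a rule whose `source` is `0.0.0.0/0` on a private tier is the misconfiguration to look for.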
- Firewall configuration
You can deploy the firewalls in different high-availability modes, depending on the network security partner capabilities. We recommend using the firewall manager of each partner to manage configuration. Also follow the official documentation of each partner for required ports and security policies configuration.
Considerations
When implementing this reference architecture, consider the following factors:
- Firewall configuration
When securing your cloud workloads on OCI using network security partners, consider the following factors:
- Performance
- Select the proper instance size: the Compute shape determines the maximum available throughput, CPU, RAM, and number of network interfaces.
- Organizations need to know what types of traffic traverse the environment, determine the appropriate risk levels, and apply the proper security controls as needed. Different combinations of enabled security controls affect performance differently.
- Consider adding dedicated interfaces for FastConnect or VPN services. Consider using larger Compute shapes for higher throughput and access to more network interfaces.
- Run performance tests to validate that the design can sustain the required performance and throughput.
- Security
Deploying a firewall manager in OCI allows for centralized security policy configuration and monitoring of all physical and virtual firewalls.
- Availability
Deploy your architecture to distinct geographic regions for greatest redundancy. Configure site-to-site VPNs with relevant organizational networks for redundant connectivity with on-premises networks.
- Cost
Network security partner solutions are available in Oracle Cloud Marketplace and can be deployed as Pay As You Go (PAYG) or bring-your-own-license (BYOL).
Deploy
The Terraform code for deploying this reference architecture is available in GitHub.
Note: If you already have a secure landing zone deployed in your environment that supports firewall use cases, you can skip the first step.
- Deploy your secure landing zone first using GitHub:
  - Clone or download the repository to your local computer.
  - Deploy the infrastructure using Terraform, as described in Terraform.md.
- Clone or download the network security partner stacks to your local computer:
  - Check Point: Use the Terraform stack to deploy the CloudGuard firewall in active-passive mode.
  - Cisco: Use the Terraform stack to deploy the Secure Firewall Threat Defense solution in active-active mode.
  - Fortinet: Use the Terraform stack to deploy the FortiGate firewall solution in active-passive mode.
  - Palo Alto Networks: Use the Terraform stack to deploy the VM-Series firewall solution in active-passive mode.
- Deploy the partner solution to your secure CIS landing zone by using Oracle Resource Manager or the Terraform CLI. Deploy the infrastructure by using Terraform, as described in the README.MD file of each partner's stack.
Explore More
Learn more about deploying network security partner solutions to a secure CIS landing zone on Oracle Cloud.
Learn more about setting up and operating a secure environment in Oracle Cloud Infrastructure.
- Best practices framework for Oracle Cloud Infrastructure
- Security checklist for Oracle Cloud Infrastructure
- CIS Oracle Cloud Infrastructure Foundations Benchmark
- Deploy a secure Landing zone that meets the CIS Foundations Benchmark for Oracle Cloud