
  • January 15, 2016

Five benefits of penetration testing on AWS using Ravello

Enterprises are looking to secure their network, web and applications against vulnerabilities, and they are hiring ethical hackers to penetrate their infrastructure and discover holes. Public cloud (e.g. AWS or Google) is an excellent candidate for building pentesting environments to scale, but lacks some key functionality. Ravello's Security Smart Lab on AWS and Google overcomes these drawbacks and enables the creation of high-fidelity production environment replicas that can be used for effective penetration testing.

Security – a priority, but execution is challenging

With many enterprise breaches fresh in the memory, CISOs are focusing on coordinating incident detection and response across networks, hosts, threat intelligence, and user behavior monitoring. They want their enterprise environments to be breach-proof and their workforce fully trained and capable of thwarting any security incident. Penetration testing, or ethical hacking, of their network, web and application environments to discover ‘holes’ before a malicious hacker does is their top priority.

While the goal is clear, the execution presents a challenge. Enterprises are wary of penetration testing on their production infrastructure, worried that it may impact their business. To avoid this risk, they try to recreate in-house, in their datacenters, a mock setup that mimics their production infrastructure, and use it for penetration testing. However, the amount of resources needed for a realistic, to-scale representation of the production environment typically prevents this mock setup from being effective for network, web or application penetration testing.

Public cloud enables scale, but has some shortcomings

Cloud presents an interesting alternative when it comes to building to scale. Using public clouds such as AWS, Google or Azure, one can build replicas of enterprise environments that mimic real-world scale, but they are still far from being a realistic representation of the datacenter-based enterprise. AWS penetration testing enthusiasts typically run into the following challenges:

  • Datacenter networking is different from cloud networking. Public cloud inherently blocks broadcast and multicast packets and provides access only to Layer 3 and above. Most (if not all) enterprise deployments rely on one Layer 2 protocol or another for advanced functionality that their setup depends on (e.g. VRRP is typically needed for High Availability).
  • Different networking & storage configuration. The environment setup, such as the networking and storage configuration (e.g. IP addressing, netmask, VLANs), differs between the production and the cloud environment.

Even if one were to proceed with penetration testing on public cloud despite these drawbacks, one would still not be able to perform an integrated scan of compute instances for vulnerabilities, compliance violations, and advanced threats. Public cloud providers typically block such a scan because it can put compute instances used by other customers at risk. Further, AWS requires one to request permission for vulnerability and penetration testing ahead of time.

Public cloud + nested virtualization + networking overlay = On-demand Penetration Testing

Ravello’s Security Smart Lab on AWS & Google cloud overcomes these limitations. It enables organizations to create effective environments for their application or web pentesting on AWS & Google cloud. Here’s how Ravello’s Security Smart Lab overcomes the challenges:

  1. Isolated security sandbox capsules – Using Ravello’s isolated, self-contained security sandbox capsules, it is possible to block any traffic from going out of the capsule, opening the door to running extensive vulnerability scans even while running on public cloud. Running scans inside the capsule doesn’t pose any risk to other compute instances.
  2. High fidelity copy of enterprise environment – Ravello’s nested virtualization technology enables one to create an exact copy of the enterprise environment with the same virtual appliances and VMs that are being used in datacenter environments. This enables ethical hackers to pentest on exactly the same setup as their production enterprise environment – helping uncover real vulnerabilities in advance.
  3. Datacenter networking on public cloud – Ravello’s networking overlay enables clean Layer 2 networking on public cloud, enabling all the features that require access to broadcast and multicast frames, amongst others. Further, this networking overlay enables one to keep the same networking configuration (right down to the same IPs, netmasks and VLAN tags for each of the networks and NICs).
  4. Advanced tools: Port Mirroring – For effective pen testing, one needs advanced tools such as port mirroring to tap into packets traversing a switch. Ravello’s security labs come with such tools built in.
  5. Accelerated penetration testing – Ravello’s ability to take a ‘blueprint’ snapshot of a setup and instantiate multiple copies of it enables ethical hackers and pen-testers to parallelize their effort and find more security holes in web or application penetration testing in a short amount of time.

These capabilities make Ravello Security Smart Lab an ideal environment for ethical hacking and penetration testing without risking the business. Using Ravello, AWS pentesting enthusiasts can get the best of both datacenter capabilities and public cloud benefits (scale, cost-economics, on-demand capacity) in one unique service.

Interested in trying out Ravello? Just open a Ravello trial account, and drop us a line. We will help you get started with your penetration testing environment in no time.
